Does systemd have any ALLOW/DENY option (like Apache) for directories? The "InaccessibleDirectories" option seems tedious and error prone, especially since *all* x.service files would have to be checked every time a new service, with perhaps new directories, is added.
On Sat, 27 Aug 2016 18:59:07 +0200 Reindl Harald <h.rei...@thelounge.net> wrote:

> On 27.08.2016 at 18:30, G.W. Haywood wrote:
> > Hi there,
> >
> > On Sat, 27 Aug 2016, Jeff Dyke wrote:
> >
> >> ... If I start clamd with
> >> sudo -u clamav /usr/sbin/clamd --config-file=/etc/clamav/clamd.conf
> >> it *will* bind to that address and port.
> >> ...
> >> When starting via /etc/init.d/clamav-daemon start or sudo service
> >> clamav-daemon start it does not bind to the port.
> >>
> >> ... No ... socket received from systemd.
> >> ...
> >
> > Are the other servers also Ubuntu 16.04?
> >
> > What are they all doing?
> >
> > Anything more from the clamd.conf debug options?
> >
> > I use ClamAV only on mail servers. I tend not to use distro
> > packages for things mail, and anyway I have yet to use ClamAV on a
> > systemd box (and with luck I never will) - but in your shoes I'd be
> > inclined e.g. to chmod a-x the ClamAV scripts in /etc/init.d then
> > put something to start clamd in /etc/rc.local to see if it works
> > there after the network stack is all up and running
>
> To start with, a proper environment doesn't contain anything
> in /etc/init.d if we talk about systemd.
>
> So what does "systemctl list-units | grep clam" say, and what does
> "systemctl status" say for each listed unit - to get a minimum overview
> of how the system is wired together (not that good when using compat
> start scripts).
>
> In the best case you disable/mask all that distro-crap and create
> your own clamd.service and adapt it to your needs (that one below
> only needs unix-sockets and hence can start with a restricted user - it
> could do the same on a high port in case of a tcp socket).
>
> [root@mail-gw:~]$ cat /etc/systemd/system/clamd.service
> [Unit]
> Description=ClamAV Scanner Daemon
>
> [Service]
> Type=forking
> Environment="TMPDIR=/tmp"
> Environment="LANG=en_GB.UTF-8"
> ExecStart=/usr/sbin/clamd -c /etc/clamd.d/scan.conf
> ExecReload=/usr/bin/kill -SIGUSR2 $MAINPID
> Restart=always
> RestartSec=1
> Nice=5
>
> User=clamscan
> Group=clamilt
>
> PrivateTmp=yes
> PrivateDevices=yes
> PrivateNetwork=no
> NoNewPrivileges=yes
> CapabilityBoundingSet=CAP_KILL
> RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
> SystemCallArchitectures=x86-64
> SystemCallFilter=~acct modify_ldt add_key adjtimex clock_adjtime delete_module fanotify_init finit_module get_mempolicy init_module io_destroy io_getevents iopl ioperm io_setup io_submit io_cancel kcmp kexec_load keyctl lookup_dcookie mbind migrate_pages mount move_pages open_by_handle_at perf_event_open pivot_root process_vm_readv process_vm_writev ptrace remap_file_pages request_key set_mempolicy swapoff swapon umount2 uselib vmsplice
>
> ReadOnlyDirectories=/
> ReadWriteDirectories=/run/clamd.scan
> ReadWriteDirectories=/run/clamd
> ReadWriteDirectories=/var/log
> ReadWriteDirectories=/tmp
>
> InaccessibleDirectories=-/boot
> InaccessibleDirectories=-/etc/dbus-1
> InaccessibleDirectories=-/etc/modprobe.d
> InaccessibleDirectories=-/etc/modules-load.d
> InaccessibleDirectories=-/etc/postfix
> InaccessibleDirectories=-/etc/ssh
> InaccessibleDirectories=-/etc/sysctl.d
> InaccessibleDirectories=-/home
> InaccessibleDirectories=-/media
> InaccessibleDirectories=-/root
> InaccessibleDirectories=-/run/blkid
> InaccessibleDirectories=-/run/console
> InaccessibleDirectories=-/run/dbus
> InaccessibleDirectories=-/run/lock
> InaccessibleDirectories=-/run/log
> InaccessibleDirectories=-/run/mount
> InaccessibleDirectories=-/run/screen
> InaccessibleDirectories=-/run/sepermit
> InaccessibleDirectories=-/run/setrans
> InaccessibleDirectories=-/run/spamassassin
> InaccessibleDirectories=-/run/spamassassin-submission
> InaccessibleDirectories=-/run/spamass-milter
> InaccessibleDirectories=-/run/spamd-debug
> InaccessibleDirectories=-/run/systemd/generator
> InaccessibleDirectories=-/run/systemd/system
> InaccessibleDirectories=-/run/systemd/users
> InaccessibleDirectories=-/run/udev
> InaccessibleDirectories=-/run/user
> InaccessibleDirectories=-/run/vnstat
> InaccessibleDirectories=-/usr/lib64/dbus-1
> InaccessibleDirectories=-/usr/lib64/xtables
> InaccessibleDirectories=-/usr/lib/dracut
> InaccessibleDirectories=-/usr/libexec/iptables
> InaccessibleDirectories=-/usr/libexec/openssh
> InaccessibleDirectories=-/usr/libexec/postfix
> InaccessibleDirectories=-/usr/lib/grub
> InaccessibleDirectories=-/usr/lib/kernel
> InaccessibleDirectories=-/usr/lib/modprobe.d
> InaccessibleDirectories=-/usr/lib/modules
> InaccessibleDirectories=-/usr/lib/modules-load.d
> InaccessibleDirectories=-/usr/lib/rpm
> InaccessibleDirectories=-/usr/lib/sysctl.d
> InaccessibleDirectories=-/usr/lib/udev
> InaccessibleDirectories=-/usr/local
> InaccessibleDirectories=-/var/db
> InaccessibleDirectories=-/var/lib/alternatives
> InaccessibleDirectories=-/var/lib/bayes-persistent
> InaccessibleDirectories=-/var/lib/dbus
> InaccessibleDirectories=-/var/lib/dnf
> InaccessibleDirectories=-/var/lib/initramfs
> InaccessibleDirectories=-/var/lib/logrotate
> InaccessibleDirectories=-/var/lib/mailgraph
> InaccessibleDirectories=-/var/lib/misc
> InaccessibleDirectories=-/var/lib/mlocate
> InaccessibleDirectories=-/var/lib/ntp
> InaccessibleDirectories=-/var/lib/os-prober
> InaccessibleDirectories=-/var/lib/postfix
> InaccessibleDirectories=-/var/lib/rbldnsd
> InaccessibleDirectories=-/var/lib/rkhunter
> InaccessibleDirectories=-/var/lib/rpm
> InaccessibleDirectories=-/var/lib/rsyslog
> InaccessibleDirectories=-/var/lib/smokeping
> InaccessibleDirectories=-/var/lib/spamassassin
> InaccessibleDirectories=-/var/lib/spamass-milter
> InaccessibleDirectories=-/var/lib/spamfilter
> InaccessibleDirectories=-/var/lib/systemd
> InaccessibleDirectories=-/var/lib/unbound
> InaccessibleDirectories=-/var/lib/vnstat
> InaccessibleDirectories=-/var/lib/yum
> InaccessibleDirectories=-/var/log/rkhunter
> InaccessibleDirectories=-/var/spool
>
> [Install]
> WantedBy=multi-user.target
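An added example, not code from this thread or from ClamAV: a small POSIX shell audit that addresses the "every x.service has to be checked" concern by flagging unit files in a directory whose [Service] section lacks a deny-by-default filesystem directive (ReadOnlyDirectories=/ as in the quoted unit, or the newer ReadOnlyPaths=/ and ProtectSystem=strict). The directory to scan and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit a directory of systemd unit
# files for a deny-by-default filesystem sandbox, so that a newly added
# service cannot silently ship without one. A unit passes if its
# [Service] section carries ReadOnlyDirectories=/ (as in the quoted
# clamd.service) or one of the newer equivalents, ReadOnlyPaths=/ or
# ProtectSystem=strict. Everything else (ProtectSystem=full, a handful
# of InaccessibleDirectories lines, or nothing at all) is reported as
# MISSING. The directory to scan is an assumption passed as $1.

# unit_is_sandboxed FILE -> exit status 0 if a deny-by-default directive exists
unit_is_sandboxed() {
    grep -Eq \
      '^[[:space:]]*(ReadOnlyDirectories|ReadOnlyPaths)[[:space:]]*=[[:space:]]*-?/[[:space:]]*$|^[[:space:]]*ProtectSystem[[:space:]]*=[[:space:]]*strict[[:space:]]*$' \
      "$1"
}

# writable_paths FILE -> prints the paths the unit re-opens for writing
# (the allow-list that sits on top of the read-only root).
writable_paths() {
    grep -E '^[[:space:]]*ReadWrite(Directories|Paths)[[:space:]]*=' "$1" |
      sed 's/^[^=]*=[[:space:]]*//'
}

# audit_units DIR -> one report line per *.service; the return value is
# the number of units without a deny-by-default sandbox (0 = all good).
audit_units() {
    dir=$1
    bad=0
    for f in "$dir"/*.service; do
        [ -f "$f" ] || continue
        if unit_is_sandboxed "$f"; then
            printf 'OK      %s (writable: %s)\n' "$f" \
              "$(writable_paths "$f" | tr '\n' ' ')"
        else
            printf 'MISSING %s\n' "$f"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# When run directly with a directory argument, audit it and exit with
# the number of unsandboxed units, e.g.: sh audit.sh /etc/systemd/system
if [ $# -gt 0 ]; then
    audit_units "$1"
fi
```

ReadOnlyDirectories=/ only denies writes; the quoted unit still layers InaccessibleDirectories= on top to hide paths such as /etc/ssh and /etc/postfix from reads, so an OK here means deny-by-default for writes, not for reads.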