On 2020-08-21 04:45, Arjen de Korte via clamav-users wrote:
>
> It is not clear to me what problem this patch intends to solve (for a
> systemd service it is absolutely not required from a security point of
> view). The PIDFile should be writable by vscan user only anyway.
>
With a Type=forking service, systemd will send SIGTERM to the contents of the PID file as root. If the "vscan" user can put whatever he wants in the PID file, then he can kill root processes.

Are you using the upstream systemd service? It defaults to Type=simple, and runs clamd in the foreground. In that case, your clamd daemon shouldn't be creating a PID file at all -- systemd should take care of it when it shoves the process into the background. PidFile should be left unset in clamd.conf.
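An added example, not part of the original message or of the ClamAV project: a Python check for the condition described above, a Type=forking unit whose PIDFile (or the directory holding it) is owned or writable by an account other than root. The unit file and PID file it builds are constructed samples, and the function names and the `trusted_uid` parameter are this example's own.

```python
import configparser
import os
import stat
import tempfile

def service_settings(unit_path):
    """Return the [Service] section of a systemd unit file as a dict."""
    cp = configparser.ConfigParser(strict=False, interpolation=None, delimiters=("=",))
    cp.optionxform = str  # unit keys are case-sensitive (Type, PIDFile)
    cp.read(unit_path)
    return dict(cp["Service"]) if cp.has_section("Service") else {}

def audit_pidfile(unit_path, trusted_uid=0):
    """List reasons why an account other than trusted_uid could control the
    PID file of a Type=forking unit. An empty list means nothing was found."""
    svc = service_settings(unit_path)
    pidfile = svc.get("PIDFile", "")
    if svc.get("Type") != "forking" or not pidfile:
        return []  # the service manager is not told to read a PID file
    if not os.path.isabs(pidfile):
        pidfile = os.path.join("/run", pidfile)  # systemd resolves relative paths under /run
    findings = []
    # Check the directory too: whoever can write it can replace the file.
    for path in (pidfile, os.path.dirname(pidfile)):
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            continue
        if st.st_uid != trusted_uid:
            findings.append(f"{path}: owned by uid {st.st_uid}, expected {trusted_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{path}: group- or world-writable")
    return findings

def make_sample(directory, unit_type="forking"):
    """Write a constructed unit file and PID file; return the unit path."""
    pid_path = os.path.join(directory, "clamd.pid")
    with open(pid_path, "w") as fh:
        fh.write("12345\n")  # constructed PID
    os.chmod(pid_path, 0o644)
    unit_path = os.path.join(directory, "sample-clamd.service")
    with open(unit_path, "w") as fh:
        fh.write(f"[Service]\nType={unit_type}\nPIDFile={pid_path}\n")
    return unit_path

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for line in audit_pidfile(make_sample(tmp)) or ["no findings"]:
            print(line)
```

Run as a non-root user, the sample reports its own files because they belong to that user; pointed at a real unit file, an empty result means root owns both the PID file and its directory and neither is group- or world-writable.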