Hello again,
On Mon, 12 Jul 2021, Robert Kudyba wrote:
... I'm not comfortable with hacking the shell script.
Fair enough. In any case now it looks to me less likely that it's the
shell script that's causing the issue (because you said in your last
mail that just three files showed incorrect ownership).
On Fri, 9 Oct 2020, G.W. Haywood wrote:
[...] start with some simple logging [...]
OK just set this in cron but I suppose it isn't useful until the
problem happens again.
Quite so. You set it up and wait. If you'd set it up in October your
wait would now be over. :) Talk to you again around Christmas time?
If you made the permissions
drwxrwxr-x
instead, you could probably forget about it - but again it might be to
paper over a crack.
OK so some variation of setfattr -h -x security.selinux
No, I'd just have typed (at a root shell prompt)
chmod g+w /var/lib/clamav
Another thought, do you have the 'setgid' bit set on one of the parent
directories?
Running find /var/lib/ -perm /6000 -type f results in only some Docker
containers
I asked about the permissions on the directories, not on files. In
your 'find' command there you specifically limit the search to files
and not directories with "-type f". See 'man find' for more (but IMO
'find' is a bit like a cornered rat and I'm starting to think it might
not be the best tool in the box for you to be playing with). Just use
ls -l / | grep var
to see the permissions on /var and
ls -l /var | grep lib
to see the permissions on /var/lib.
But I'd still want to see that log.
The log from the cronjob, freshclam or eXtremeSHOK.com ClamAV Unofficial
Signature Updater?
The cron job which I suggested. From a root shell prompt, to edit the
crontab give the command
crontab -e
which will fire up the default editor or the one you've configured.
Just paste these two lines (I tweaked it a bit from last October's
version) right at the bottom:
FILE=/var/log/clam_perms.log
* * * * * /bin/date >> $FILE ; /bin/ls -l /var/lib/clamav >> $FILE
That will write a time/date stamp and a directory listing to the file
every minute until further notice. Yes, there will be quite a lot of
output, but (by the standards of the 21st century) it won't be a huge
file, and you'll get what I'm looking for which is when (to about the
nearest minute) the permissions were changed. If you know to within
the same sort of precision when things are run, that should give you
some clue to what changed the permissions.
grep 981 /etc/group
clamav:x:981:clamscan,clamilt,clamupdate
Hmmm. So group ID 981 is 'clamav'. What's the numeric ID for the
'clamupdate' group (and 'clamilt' for completeness)? To me it seems
just a little excessive to have separate users (and maybe groups) for
clamd, clamav-milter and freshclam. I think somebody (probably this
was somebody at Red Hat) lost the plot there, but I suppose you're
stuck with that unless you junk the ClamAV packages and build it all
from source. IMO there's a lot to recommend that.
--
73,
Ged.
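
An added example, not part of the original message: one way to read the log that the cron job above writes, reporting the minute at which a file's mode, owner or group first differs from the previous listing. It assumes each entry is one date line followed by the ls -l listing; perm_changes and sample_log are names made up here, and the sample log is constructed.

```shell
#!/bin/sh
# Added example: find when owner/group/mode changed in the cron log.
# Log layout assumed: one date(1) line, then the `ls -l` listing, repeated.

perm_changes() {
    # Reads the log on stdin (or from file arguments); prints one line per change:
    #   <timestamp> TAB <file> TAB <old mode owner group> -> <new mode owner group>
    awk '
    $1 == "total" { next }                       # "total N" header from ls -l
    NF >= 9 && $1 ~ /^[-dlbcps][-rwxsStT]+[.+@]?$/ {
        name = $9                                # ClamAV database names have no spaces
        key  = $1 " " $3 " " $4                  # mode, owner, group
        if ((name in seen) && seen[name] != key)
            printf "%s\t%s\t%s -> %s\n", stamp, name, seen[name], key
        seen[name] = key
        next
    }
    NF > 0 { stamp = $0 }                        # anything else is the date line
    ' "$@"
}

# Constructed sample (not real output): the same directory logged three times.
sample_log() {
    cat <<'EOF'
Mon Jul 12 10:01:01 EDT 2021
total 8
-rw-r--r--. 1 clamupdate clamupdate 100 Jul 12 09:00 daily.cld
-rw-r--r--. 1 clamupdate clamupdate 200 Jul 12 09:00 main.cvd
Mon Jul 12 10:02:01 EDT 2021
total 8
-rw-r--r--. 1 clamupdate clamupdate 100 Jul 12 09:00 daily.cld
-rw-r--r--. 1 clamupdate clamupdate 200 Jul 12 09:00 main.cvd
Mon Jul 12 10:03:01 EDT 2021
total 8
-rw-r--r--. 1 root root 100 Jul 12 10:02 daily.cld
-rw-r--r--. 1 clamupdate clamupdate 200 Jul 12 09:00 main.cvd
EOF
}

sample_log | perm_changes
```

Against the real log the call would be perm_changes /var/log/clam_perms.log; the timestamp printed is the first listing in which the change is visible, so the change happened in the minute before it.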
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users