Hello again,

On Tue, 13 Jul 2021, Robert Kudyba wrote:

> After an upgrade of Fedora and subsequent reboot the permission problem returned. Same the files:
>
> -rw-r--r-- 1 clamupdate clamupdate 293670 Apr 8 06:32 bytecode.cvd
> -rw-r--r-- 1 clamupdate clamupdate 107169718 Jun 22 18:06 daily.cvd
> -rw-r--r-- 1 clamupdate clamupdate 117859675 Nov 25 2019 main.cvd
>
> as well as the directory:
>
> ls -dl /var/lib/clamav
> drwxr-xr-x 4 clamupdate clamupdate 8192 Jul 13 11:39 /var/lib/clamav
>
> Also in the clamav-unofficial-sigs.log file
>
> Jul 13 12:14:01 ERROR: clam database directory (clam_dbs) not writable /var/lib/clamav
>
> Permission log file is available at https://storm.cis.fordham.edu/~rkudyba/clam_perms.log

Now we're getting somewhere. :)

The log starts with

Mon Jul 12 09:59:01 AM EDT 2021

and the first timestamp for daily.cld is

-rw-r--r-- 1 clamav clamav 327757824 Jul 12 09:59 daily.cld

It is perhaps a little unfortunate that the log starts at the exact time of the last modification of daily.cld - we might need to come back to that but I hope not. Also there are three timestamps where I'd expect only one so I suspect something is a little bit squiffy in the crontab, but that probably doesn't matter.

In the database directory at 09:59 you have the four files

-rw-r--r-- 1 clamav clamav 1438720 Mar 17 10:47 bytecode.cld
-rw-r--r-- 1 clamav clamav 293670 Apr 8 06:32 bytecode.cvd
-rw-r--r-- 1 clamav clamav 327757824 Jul 12 09:59 daily.cld
-rw-r--r-- 1 clamav clamav 117859675 Nov 25 2019 main.cvd

and a bunch of others which we're not concerned with.

Firstly, you really don't want both a bytecode.cld *and* a bytecode.cvd, so you should probably just delete the older one.

To cut down on the amount of text I used this shell command to view the log:

$ grep '\(bytecode\|main\.\|daily\|clamupdate\|\(Mon\|Tue\) Jul 1\)' clam_perms.log | less

Then I just searched for interesting things (I've had a lot of practice at trawling through logs...)

Here's what happens just after 10AM on the 13th:

Tue Jul 13 10:01:01 AM EDT 2021
-rw-r--r-- 1 clamav clamav 1438720 Mar 17 10:47 bytecode.cld
-rw-r--r-- 1 clamav clamav 293670 Apr 8 06:32 bytecode.cvd
-rw-r--r-- 1 clamav clamav 327757824 Jul 12 09:59 daily.cld
-rw-r--r-- 1 clamav clamav 117859675 Nov 25 2019 main.cvd
Tue Jul 13 10:02:01 AM EDT 2021
-rw-r--r-- 1 clamav clamav 1438720 Mar 17 10:47 bytecode.cld
-rw-r--r-- 1 clamav clamav 293670 Apr 8 06:32 bytecode.cvd
-rw-r--r-- 1 clamav clamav 327797248 Jul 13 10:00 daily.cld
-rw-r--r-- 1 clamav clamav 117859675 Nov 25 2019 main.cvd

So daily.cld was updated, presumably by freshclam. That's good, as nothing seems to have broken. Can you confirm that happened from the freshclam log?
Is freshclam running from cron or as a daemon?

----------------------------------------------------------------------

The next thing that I see of interest is

Tue Jul 13 11:10:02 AM EDT 2021
-rw-r--r-- 1 clamav clamav 1438720 Mar 17 10:47 bytecode.cld
-rw-r--r-- 1 clamav clamav 293670 Apr 8 06:32 bytecode.cvd
-rw-r--r-- 1 clamav clamav 327797248 Jul 13 10:00 daily.cld
-rw-r--r-- 1 clamav clamav 117859675 Nov 25 2019 main.cvd
Tue Jul 13 12:02:01 PM EDT 2021
-rw-r--r-- 1 clamav clamav 1438720 Mar 17 10:47 bytecode.cld
-rw-r--r-- 1 clamupdate clamupdate 293670 Apr 8 06:32 bytecode.cvd
-rw-r--r-- 1 clamav clamav 327797248 Jul 13 10:00 daily.cld
-rw-r--r-- 1 clamupdate clamupdate 107169718 Jun 22 18:06 daily.cvd
-rw-r--r-- 1 clamupdate clamupdate 117859675 Nov 25 2019 main.cvd

There's a fifty minute gap in the log. Why is that? Presumably this is about the time you updated and rebooted the system. Are you sure that the system time gets set correctly at boot? We need to know that we can rely on the timestamps in the logs. All the logs.

Anyway, suddenly the owner/group IDs have changed and you have both a daily.cld and a daily.cvd - which isn't good news, especially as one of them is over three weeks old. Where did it come from?

> From the cron log file:
>
> Jul 13 12:14:01 ourserver CROND[22349]: (clamav) CMD ([ -x /usr/local/sbin/clamav-unofficial-sigs.sh ] && /usr/bin/bash /usr/local/sbin/clamav-unofficial-sigs.sh)
> Jul 13 12:14:03 ourserver CROND[22318]: (clamav) CMDEND ([ -x /usr/local/sbin/clamav-unofficial-sigs.sh ] && /usr/bin/bash /usr/local/sbin/clamav-unofficial-sigs.sh)

Assuming that we can believe the timestamps, then any problems that arose from ownership by the clamupdate user/group had already happened at 12:02 so it was *not* the run of clamav-unofficial-sigs.sh at 12:14 which caused them.

Is this the first time that clamav-unofficial-sigs.sh ran?

What's in the freshclam log about these times?

--

73,
Ged.
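
The snapshot-by-snapshot comparison done by hand in this message can be scripted. The following Python sketch is an added example, not part of the original thread or of ClamAV; it assumes the permission log is a date line followed by `ls -l` lines as quoted above, and the function names, the embedded sample and the five-minute gap threshold are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the format of the permission log discussed above
# (a date line followed by `ls -l` lines); values are copied from the thread.
SAMPLE = """\
Tue Jul 13 11:10:02 AM EDT 2021
-rw-r--r-- 1 clamav clamav 293670 Apr 8 06:32 bytecode.cvd
-rw-r--r-- 1 clamav clamav 327797248 Jul 13 10:00 daily.cld
-rw-r--r-- 1 clamav clamav 117859675 Nov 25 2019 main.cvd
Tue Jul 13 12:02:01 PM EDT 2021
-rw-r--r-- 1 clamupdate clamupdate 293670 Apr 8 06:32 bytecode.cvd
-rw-r--r-- 1 clamav clamav 327797248 Jul 13 10:00 daily.cld
-rw-r--r-- 1 clamupdate clamupdate 107169718 Jun 22 18:06 daily.cvd
-rw-r--r-- 1 clamupdate clamupdate 117859675 Nov 25 2019 main.cvd
"""

STAMP = re.compile(r"^(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) \w{3} +\d+ [\d:]+ [AP]M \w+ \d{4}$")
ENTRY = re.compile(r"^[-d]\S+\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\w{3}\s+\d+\s+\S+\s+(\S+)$")

def parse(text):
    """Return [(datetime, {filename: 'owner:group'})], one item per snapshot."""
    snaps = []
    for line in map(str.strip, text.splitlines()):
        if STAMP.match(line):
            f = line.split()            # drop the zone name; strptime %Z is unreliable
            when = datetime.strptime(" ".join(f[:5] + f[6:]), "%a %b %d %I:%M:%S %p %Y")
            snaps.append((when, {}))
        elif snaps and (m := ENTRY.match(line)):
            snaps[-1][1][m.group(3)] = f"{m.group(1)}:{m.group(2)}"
    return snaps

def findings(snaps, max_gap=timedelta(minutes=5)):
    """Report log gaps, ownership changes and coexisting .cld/.cvd databases."""
    out = []
    for (t0, old), (t1, new) in zip(snaps, snaps[1:]):
        if t1 - t0 > max_gap:           # threshold is an assumption, tune to the cron interval
            out.append(f"{t1}: gap of {t1 - t0} since previous snapshot")
        for name in sorted(old.keys() & new.keys()):
            if old[name] != new[name]:
                out.append(f"{t1}: {name} owner {old[name]} -> {new[name]}")
        for name in sorted(new):
            if name.endswith(".cvd") and name[:-4] + ".cld" in new:
                out.append(f"{t1}: both {name[:-4]}.cld and {name} present")
    return out

if __name__ == "__main__":
    print("\n".join(findings(parse(SAMPLE))))
```

Run against the full log, the first snapshot that reports an ownership change gives the time window to check in the freshclam and cron logs.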