Paul Wise schrieb: > On Thu, 2009-05-14 at 14:18 +0200, Micha Lenk wrote: > >> Did you try to run the script clamav-unofficial-sigs with a different >> user than root? I believe this would be a benefit regarding security. As >> far as I have found out the script should run just fine as a >> non-privileged user if the files it needs to write in /var/lib/clamav/ >> are owned by the same user running the script. > > I haven't tried yet, but I agree it is a good idea. I guess I'd have to > run it as the clamav user since that is the owner of /var/lib/clamav/. > I've modified the permissions and cron job on my laptop to test it out > and will upload a fixed version to NEW & people.d.o if it works OK.
Even better would it be to run the script as a different user than clamav. On my system I created a system user sanesigs (because SaneSecurity is the origin of the signatures) with primary group clamav. In order to grant sufficient file permissions in /var/lib/clamav/ I've set the sticky bit and group-write-permission bit on this directory: "chmod 1770 /var/lib/clamav". This allows the script (as a member of the group clamav) to create and write to files in /var/lib/clamav, but not to modify the official ClamAV signatures (what is what I wanted to achieve). I don't know how the sticky bit on /var/lib/clamav/ can be packaged in a sane fashion. I doubt that using dpkg-divert would be an acceptable solution, so maybe the clamav maintainers can ship this directory with modified file permissions? Just an idea... Regards Micha -- To UNSUBSCRIBE, email to debian-wnpp-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
