'Re: [Qmail-scanner-general]clamdscan]'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       qmail-scanner-general
Subject:    Re: [Qmail-scanner-general]clamdscan]
From:       Jim Maul <jmaul () elih ! org>
Date:       2006-05-16 13:48:45
Message-ID: 4469D83D.3070901 () elih ! org
[Download RAW message or body]

Cristina Tanzi Tolenti wrote:
>>
>> Yeah, the solution is to have it correctly run as the clamav user.  Did you 
>> add clamav to the qscand group?  Are the permissions of ALL directories clamav 
>> uses owned by the clamav user (log files, database directory, etc..)?
>>
>> -Jim
>>
>>
>>
> Yes, I add clamav to qscand group (usermod -Gqscand clamav) and yes the 
> permission of all directories of clamav are owned by clamav
> 
> [root@mail root]# ls -alt /var/log/clamav/
> total 144
> -rw-r-----    1 clamav   clamav       7268 May 16 15:15 freshclam.log
> -rw-r-----    1 clamav   clamav     124490 May 16 15:12 clamd.log
> drwxr-xr-x    2 clamav   clamav       4096 May 15 15:55 .
> drwxr-xr-x    6 root     root         4096 May 15 15:50 ..
> 
> [root@mail root]# ls -alt /usr/local/share/clamav/
> total 4500
> drwxrwxr-x    2 clamav   clamav       4096 May 16 12:15 .
> -rw-r--r--    1 clamav   clamav     638838 May 16 12:15 daily.cvd
> -rw-rw-r--    1 clamav   clamav    3950054 Apr 21 22:15 main.cvd
> drwxr-xr-x    5 root     root         4096 Jun 28  2004 ..
> [root@mail root]#
> 
> [root@mail root]# ls -alt /var/run/clamav/
> total 12
> drwxr-xr-x    2 clamav   clamav       4096 May 16 15:20 .
> -rw-rw----    1 clamav   clamav          5 May 16 15:20 clamd.pid
> drwxr-xr-x    8 root     root         4096 May 16 07:04 ..
> 
> If I run clamd as qscand, clamdscan works perfectly so I think qmail-scanner 
> 2.01_ST_  didn't Change setuid to 6755
> 
> 

http://qmail-scanner.sourceforge.net/CHANGES

says:

Changed setuid to 6755 - ie it's now setuid and setgid. Forcing all
files to be group qscand will allow those who wish to do so to keep
their AV daemons running as other accounts. They just need to ensure
those daemons are members of the qscand group - and as such should be
able to read the necessary files.
e.g. clamd could run as "clamav", but as long as account "clamav" is a
member of group "qscand", clamd is able to read the mail enough to scan it.


But that is without the ST patch.  I dont see why this ability would
have been removed with the patch so i really dont think thats the problem.

What are the permissions of /var/spool/qscan/ ?

-Jim



-------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Qmail-scanner-general mailing list
Qmail-scanner-general@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/qmail-scanner-general
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic