Brian Morrison wrote: > Dennis Peterson wrote: > >>> Yes, I realise that. I run clamd under user clamav, hence it's probably >>> easier to access /var/lib/clamav/* than it would be if owned by root. >> Why would that be? It is no more work to crack the root account than any >> other account. Nor any less. Hopefully too your clamav account has no >> shell defined. > > Indeed not. > > A local exploit is one thing, a local root exploit quite another. Now of > course it's more dangerous to run clamav as root, but for limiting write > access to the databases it would be better to have ownership as root. > Might not be worth it on balance, but I'm merely asking to see what the > developers' thought processes were rather than saying for sure what > would be better path to follow. >
There is no reason you can't set the working db file permissions as root:clamav 755. If you don't have freshclam drop the signatures into the same directory that clamd/clamscan expect to find them you can do anything you like with them after they're downloded. It just requires a simple external process to put the properly permissioned working copies where they need to be. dp _______________________________________________ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://lurker.clamav.net/list/clamav-users.html
