On 31.08.18 at 14:37, Michael Orlitzky wrote:
> To fix it: if you're going to use a file under /tmp, then use a secure
> function like mktemp() to obtain it. But if you're running this job as a
> specific user, you might as well give him a special place to work like
> /var/tmp/clamav-updates that is accessible only to that user. The
> problem is unique to /tmp because of its world-writable permissions

Smart users wrap freshclam into a systemd oneshot service, and the first
option below makes the /tmp issue a no-brainer to begin with:

PrivateTmp=yes
PrivateDevices=yes
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictAddressFamilies=AF_INET AF_INET6 AF_LOCAL AF_UNIX
RestrictRealtime=yes
SystemCallArchitectures=x86-64
SystemCallFilter=~acct adjtimex clock_adjtime delete_module fanotify_init finit_module init_module io_destroy io_getevents iopl ioperm io_setup io_submit io_cancel kcmp kexec_load mbind migrate_pages mount move_pages open_by_handle_at perf_event_open pivot_root process_vm_readv process_vm_writev ptrace remap_file_pages swapoff swapon umount2 uselib vmsplice
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
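A complete oneshot service plus timer built around the options listed in the reply above, as an added example (not from the mailing-list post and not shipped by the ClamAV project). It assumes freshclam is installed at /usr/bin/freshclam, runs as user and group "clamav", and writes only to /var/lib/clamav (signature databases) and /var/log/clamav (its log file); those paths and names are assumptions and vary by distribution. PrivateTmp=yes is the option that settles the /tmp discussion: the service gets a private mount namespace for /tmp and /var/tmp, so the shared world-writable /tmp, and any file or symlink an unprivileged local user pre-created there, is never visible to freshclam at all.

```ini
# /etc/systemd/system/freshclam.service
# Added example, not ClamAV's own unit. Assumed paths: /usr/bin/freshclam,
# /var/lib/clamav, /var/log/clamav; assumed account: clamav. Adjust to taste.
[Unit]
Description=Update ClamAV signature databases (hardened oneshot)
Documentation=man:freshclam(1) man:systemd.exec(5)
After=network-online.target
Wants=network-online.target

[Service]
Type=oneshot
User=clamav
Group=clamav
# One update pass, then exit. No --daemon here: the timer below provides
# the schedule, and a long-running process would defeat Type=oneshot.
ExecStart=/usr/bin/freshclam

# Private /tmp and /var/tmp for this invocation only. The shared,
# world-writable /tmp is not mounted in the service's namespace, so
# symlink and pre-created-file races against it cannot occur.
PrivateTmp=yes

# Whole filesystem read-only except the directories freshclam must write.
# If freshclam.conf points DatabaseDirectory or LogFile elsewhere, add
# that path here or the update fails with a read-only filesystem error.
ProtectSystem=strict
ProtectHome=yes
ReadWritePaths=/var/lib/clamav /var/log/clamav

# Kernel and device attack surface.
PrivateDevices=yes
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
NoNewPrivileges=yes

# Network: IPv4/IPv6 to reach the mirrors, AF_UNIX for NotifyClamd's
# local clamd socket. Nothing else.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictRealtime=yes
# "native" means the architecture systemd itself runs on (x86-64 on the
# poster's box); it avoids hard-coding the value per host.
SystemCallArchitectures=native

# Deny-list (leading ~) of syscalls an updater has no business making.
# A trailing backslash continues the directive onto the next line.
SystemCallFilter=~acct adjtimex clock_adjtime delete_module fanotify_init \
    finit_module init_module io_destroy io_getevents iopl ioperm io_setup \
    io_submit io_cancel kcmp kexec_load mbind migrate_pages mount move_pages \
    open_by_handle_at perf_event_open pivot_root process_vm_readv \
    process_vm_writev ptrace remap_file_pages swapoff swapon umount2 uselib \
    vmsplice

# /etc/systemd/system/freshclam.timer
[Unit]
Description=Run freshclam hourly

[Timer]
OnCalendar=hourly
# Spread the mirror load and survive missed runs while the host was down.
RandomizedDelaySec=10min
Persistent=true

[Install]
WantedBy=timers.target
```

Split the two units into their own files, then run `systemctl daemon-reload`, `systemd-analyze verify freshclam.service freshclam.timer` to catch syntax mistakes (a wrapped SystemCallFilter line without the backslashes is the usual one), and `systemctl enable --now freshclam.timer`. Disable any distribution-provided freshclam daemon unit first so two updaters do not fight over the database directory. `systemd-analyze security freshclam.service` prints an exposure score for the unit and lists each sandboxing directive still unset, which is a quick way to see what the options above buy and what they leave open.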
