Re: [clamav-users] clamav incremental scan?

Tue, 04 May 2021 13:22:46 -0700 

On 5/4/21 1:41 PM, Benny Pedersen via clamav-users wrote:

fun part is that clamdscan needs root access, stupid


clamdscan does *NOT* /need/ root access.

clamdscan can scan files without root access perfectly fine.


What clamdscan /does/ /need/ is the ability to /access/ files to be 
scanned.  This ability can be provided by running as root -- which can 
override almost all permission checks -- or by running it as different 
users on different files.



So you can run clamdscan on your files and I can run clamdscan on my 
files.  Or root can run clamdscan on both of our files.  But /root/ is 
/optional/ here and not /needed/.



virus scanning must not be done as root user, else one knows why its 
unsecure on unpacking



I don't see anything that /needs/ /root/ here.  I run clamd as it's own 
user.  Then clamdscan (or any other clamd client) can request that clamd 
running as $ClamAVUser (nominally not-root) scan the file(s) that are 
handed to it.


clamdscan will ask clamd (running as the $ClamAVUser) to scan the file.


By default, clamd will try to read the file directly, thus dependent on 
permissions.  But you can use --stream or --fdpass to have clamdscan 
stream the file or pass the file descriptor to clamd for scanning 
without clamd having permissions to the file itself.  Thus you can cross 
the standard unix user permissions barrier.


   #[$USER@$HOST:~]% clamdscan myFile
   /home/$USER/myFile: lstat() failed: Permission denied. ERROR

   ----------- SCAN SUMMARY -----------
   Infected files: 0
   Total errors: 1
   Time: 0.001 sec (0 m 0 s)
   #[$USER@$HOST:~]% clamdscan --stream myFile
   /home/$USER/myFile: OK

   ----------- SCAN SUMMARY -----------
   Infected files: 0
   Time: 0.072 sec (0 m 0 s)
   #[$USER@$HOST:~]% clamdscan --fdpass myFile
   /home/$USER/myFile: OK

   ----------- SCAN SUMMARY -----------
   Infected files: 0
   Time: 0.035 sec (0 m 0 s)


hope clamav team redo this insecure in clamdscan


Please re-evaluate your position based on the above information.



--
Grant. . . .
unix || die




Attachment:
smime.p7s

Description: S/MIME Cryptographic Signature


_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml






















					Reply via email to