Dear ladies and gentlemen,

I have a question about Linux clamscan permissions.

When clamscan is started by the Linux desktop user, for example [user1], it 
seems that clamscan gets the same permissions as [user1], because it can 
remove infected files.

Therefore, if this is right, it would also have the privileges to write files.

When using, for example, third-party virus signatures provided by Fangfrisch, 
there could be the risk of a maliciously crafted signature file that is then 
downloaded by Fangfrisch or the freshclam service.

Because of the write/delete permissions clamscan seems to have, maliciously 
crafted code could be executed within the [user1] account by clamscan.

Is there any way to give clamscan read-only, but not write, permissions, so 
that data can be crawled by clamscan but no arbitrary executable code can be 
written to the file system?

I actually built a workaround with a completely restricted user I have called 
[clamscan], which is then switched to from the [user1] shell by su clamscan -s 
/bin/bash. Folders/files to be scanned are set to user1:clamscan by chown and 
0750 by chmod, so clamscan executed by [clamscan] can only read but not write, 
and [clamscan] itself has no write privileges in its own home folders. It works 
fine, but it's not just scanning some files by "hit and done".

For scanning external drives I have found a way too, but it is very 
time-consuming and only works with ext (FAT has no permissions, NTFS can't be 
mounted by non-administrators, and the "users" option in fstab doesn't seem to 
work with NTFS).

Therefore, restricting clamav-clamscan's abilities would be the easiest solution.


Any help is appreciated very much.


Sincerely,

Michael
_______________________________________________

Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat
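The workaround described in the message above (a dedicated, locked account that may read but never write the scanned tree), written out as a reusable script. This is an added example, not code from the original post or from the ClamAV project. It assumes the scan account is named "clamscan", that GNU find/chmod/stat are available, and that runuser(8) or su(1) is present; all three names are assumptions. It adds one check the post does not mention: the scan account must not own any file in the tree, since an owner can always chmod a file back to writable. Note that clamscan itself only deletes or moves files when invoked with --remove or --move; running it under the restricted account means those options cannot do damage even if a signature file is bad.

```shell
#!/bin/sh
# Added example (not from the original post or from ClamAV): run clamscan
# under a dedicated unprivileged account that can read, but not write, the
# files it scans. Assumed names: account "clamscan", group "clamscan".
# Requires GNU find/chmod and runuser(8) or su(1); setup/scan need root.

SCAN_USER=${SCAN_USER:-clamscan}

# One-time setup (root): a locked system account with no home directory and
# no login shell, so it owns nothing writable anywhere on the filesystem.
setup_scan_account() {
    if ! id "$SCAN_USER" >/dev/null 2>&1; then
        useradd --system --no-create-home --shell /usr/sbin/nologin "$SCAN_USER"
    fi
}

# Make DIR readable, but not writable, for the scan account's group:
# directories 0750, regular files 0640, group set to GROUP when given.
# The owner keeps full rights; "other" gets nothing.
expose_for_scan() {
    dir=$1
    group=${2:-}
    [ -d "$dir" ] || return 1
    find "$dir" -type d -exec chmod 0750 {} +
    find "$dir" -type f -exec chmod 0640 {} +
    if [ -n "$group" ]; then
        chgrp -R "$group" "$dir"
    fi
}

# Return 0 only if nothing under DIR is writable by group or others AND the
# scan account owns nothing in it (an owner can chmod a file back to
# writable, so group-only read access is what actually keeps it read-only).
check_readonly_for_group() {
    dir=$1
    if find "$dir" -perm /022 | grep -q .; then
        return 1
    fi
    if id "$SCAN_USER" >/dev/null 2>&1 && find "$dir" -user "$SCAN_USER" | grep -q .; then
        return 1
    fi
    return 0
}

# Scan DIR as the unprivileged account (run as root). clamscan exits 0 when
# clean, 1 when something was found, 2 on error. No --remove/--move is passed,
# and the account could not honour them anyway: it has no write permission.
scan_readonly() {
    dir=$1
    if ! check_readonly_for_group "$dir"; then
        echo "refusing: $dir is writable by group/others or owned by $SCAN_USER" >&2
        return 1
    fi
    if command -v runuser >/dev/null 2>&1; then
        runuser -u "$SCAN_USER" -- clamscan -r --no-summary "$dir"
    else
        su -s /bin/sh "$SCAN_USER" -c "clamscan -r --no-summary '$dir'"
    fi
}

# Usage: ./readonly-scan.sh setup | expose DIR | check DIR | scan DIR
case "${1:-}" in
    setup)  setup_scan_account ;;
    expose) expose_for_scan "$2" "$SCAN_USER" ;;
    check)  check_readonly_for_group "$2" ;;
    scan)   scan_readonly "$2" ;;
esac
```

Typical sequence as root: `setup` once, then `expose /home/user1/Downloads` and `scan /home/user1/Downloads`. Because the group is set to the scan account's group while user1 stays the owner, user1 keeps normal use of the files and only the scanner is confined; `check` can be run on its own before scanning a tree that was prepared by hand, as the post describes, to confirm nothing was left group- or world-writable.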