Re: [Mimedefang] Fwd: Re: clamav vs clamd vs clamscan
On Mon, 2014-10-13 at 17:00 -0500, Cliff Hayes wrote:
> Did what you said and I can't touch a new temp file in
> /var/spool/MIMEDefang ... permission denied ... but clamd appears to be
> running as clamav

Your tests below should be expected to fail. mimedefang.pid is not group-readable. And the directory is not group-writable.

Try reading mimedefang-multiplexor.pid which is group-readable:

su -s /bin/bash clamav
cd /var/spool/MIMEDefang
cat mimedefang-multiplexor.pid

> su -s /bin/bash clamav
> bash-4.1$ cd /var/spool/MIMEDefang
> bash-4.1$ ls -l
> total 8
> -rw-r----- 1 defang defang 5 Oct 13 16:50 mimedefang-multiplexor.pid
> srwxrwx--- 1 defang defang 0 Oct 13 16:50 mimedefang-multiplexor.sock
> -rw------- 1 defang defang 5 Oct 13 16:50 mimedefang.pid
> srwxrwx--- 1 defang defang 0 Oct 13 16:50 mimedefang.sock
> bash-4.1$ vi mimedefang.pid
> bash-4.1$ touch temp
> touch: cannot touch `temp': Permission denied

--
Richard

___
NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it.
Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang

Re: [Mimedefang] Fwd: Re: clamav vs clamd vs clamscan
"touch" should never work in the spool directory - clamd is reading files and deciding whether they are infected, so it should never try to create a file. You have set the permissions to make the directory group readable, not group writable, and this is correct.

You need to ensure that the spool directories are also created group readable, so turn on "-d" to keep the temporary directories for a short time so you can see that the permissions are correct. Once you have a few to test with, su to your clamav user, cd to the spool directory, and run clamdscan on the INPUTMSG to ensure that the daemon can read it.

The odds are that your MD_ALLOW_GROUP_ACCESS is not taking effect, so the working directories are not accessible by clamdscan.

Paul.

-----Original Message-----
From: mimedefang-boun...@lists.roaringpenguin.com [mailto:mimedefang-boun...@lists.roaringpenguin.com] On Behalf Of Cliff Hayes
Sent: 13 October 2014 23:01
To: mimedefang@lists.roaringpenguin.com
Subject: Re: [Mimedefang] Fwd: Re: clamav vs clamd vs clamscan

Did what you said and I can't touch a new temp file in /var/spool/MIMEDefang ... permission denied ... but clamd appears to be running as clamav

su -s /bin/bash clamav
bash-4.1$ cd /var/spool/MIMEDefang
bash-4.1$ ls -l
total 8
-rw-r----- 1 defang defang 5 Oct 13 16:50 mimedefang-multiplexor.pid
srwxrwx--- 1 defang defang 0 Oct 13 16:50 mimedefang-multiplexor.sock
-rw------- 1 defang defang 5 Oct 13 16:50 mimedefang.pid
srwxrwx--- 1 defang defang 0 Oct 13 16:50 mimedefang.sock
bash-4.1$ vi mimedefang.pid
bash-4.1$ touch temp
touch: cannot touch `temp': Permission denied
bash-4.1$ su root
Password:
[root@sendmail MIMEDefang]# ps aux | grep clamd
clamav    1652  0.0  3.5 518068 288956 ?        Ssl  16:50   0:00 /usr/local/sbin/clamd
root      1838  0.0  0.0 103256    848 pts/2    S+   16:59   0:00 grep clamd

On 10/13/2014 4:54 PM, Les Mikesell wrote:
> su -s /bin/bash clamav

Re: [Mimedefang] Fwd: Re: clamav vs clamd vs clamscan
Did what you said and I can't touch a new temp file in /var/spool/MIMEDefang ... permission denied ... but clamd appears to be running as clamav

su -s /bin/bash clamav
bash-4.1$ cd /var/spool/MIMEDefang
bash-4.1$ ls -l
total 8
-rw-r----- 1 defang defang 5 Oct 13 16:50 mimedefang-multiplexor.pid
srwxrwx--- 1 defang defang 0 Oct 13 16:50 mimedefang-multiplexor.sock
-rw------- 1 defang defang 5 Oct 13 16:50 mimedefang.pid
srwxrwx--- 1 defang defang 0 Oct 13 16:50 mimedefang.sock
bash-4.1$ vi mimedefang.pid
bash-4.1$ touch temp
touch: cannot touch `temp': Permission denied
bash-4.1$ su root
Password:
[root@sendmail MIMEDefang]# ps aux | grep clamd
clamav    1652  0.0  3.5 518068 288956 ?        Ssl  16:50   0:00 /usr/local/sbin/clamd
root      1838  0.0  0.0 103256    848 pts/2    S+   16:59   0:00 grep clamd

On 10/13/2014 4:54 PM, Les Mikesell wrote:
> su -s /bin/bash clamav

Re: [Mimedefang] Fwd: Re: clamav vs clamd vs clamscan
On Mon, Oct 13, 2014 at 4:46 PM, Cliff Hayes wrote:
> Two problems:
>
> a) the shell for clamav is set to /sbin/nologin so I can't su to it ...
> should I change the shell?

You can do: "su -s /bin/bash clamav".

> b) the email files clamd is trying to look at never stay on the server for
> more than a second or two.

At least see if you can access anything that needs the defang group. If it doesn't work manually, then the group is set up wrong. If it does, something must be wrong with the clamd startup that it isn't picking up the group membership.

--
Les Mikesell
lesmikes...@gmail.com

Re: [Mimedefang] Fwd: Re: clamav vs clamd vs clamscan
Two problems:

a) the shell for clamav is set to /sbin/nologin so I can't su to it ... should I change the shell?

b) the email files clamd is trying to look at never stay on the server for more than a second or two.

On 10/13/2014 4:42 PM, Les Mikesell wrote:
> On Mon, Oct 13, 2014 at 4:30 PM, Cliff Hayes wrote:
>> restarted clamd; same error
>>
>> permissions for each directory up to and including /var/spool/MIMEDefang:
>>
>> drwxr-xr-x. 22 root root 4096 Oct 7 14:55 var
>> drwxr-xr-x. 14 root root 4096 Oct 7 12:49 spool
>> drwxr-x--- 3 defang defang 4096 Oct 13 16:23 MIMEDefang
>>
>> I tried 755 on MIMEDefang and still got same error:
>>
>> drwxr-xr-x 3 defang defang 4096 Oct 13 16:23 MIMEDefang
>>
>> selinux is not running at this time
>> and I have the following option set:
>>
>> MD_ALLOW_GROUP_ACCESS=yes
>
> If you su to the clamav user, can you read the file in question?

Re: [Mimedefang] Fwd: Re: clamav vs clamd vs clamscan
And clamd is running as clamav?

And the clamav user has been added to the defang group?

And you've tried rebooting?

--
Richard

Re: [Mimedefang] Fwd: Re: clamav vs clamd vs clamscan
On Mon, Oct 13, 2014 at 4:30 PM, Cliff Hayes wrote:
> restarted clamd; same error
>
> permissions for each directory up to and including /var/spool/MIMEDefang:
>
> drwxr-xr-x. 22 root root 4096 Oct 7 14:55 var
> drwxr-xr-x. 14 root root 4096 Oct 7 12:49 spool
> drwxr-x--- 3 defang defang 4096 Oct 13 16:23 MIMEDefang
>
> I tried 755 on MIMEDefang and still got same error:
>
> drwxr-xr-x 3 defang defang 4096 Oct 13 16:23 MIMEDefang
>
> selinux is not running at this time
> and I have the following option set:
>
> MD_ALLOW_GROUP_ACCESS=yes

If you su to the clamav user, can you read the file in question?

--
Les Mikesell
lesmikes...@gmail.com

Re: [Mimedefang] Fwd: Re: clamav vs clamd vs clamscan
restarted clamd; same error

permissions for each directory up to and including /var/spool/MIMEDefang:

drwxr-xr-x. 22 root root 4096 Oct 7 14:55 var
drwxr-xr-x. 14 root root 4096 Oct 7 12:49 spool
drwxr-x--- 3 defang defang 4096 Oct 13 16:23 MIMEDefang

I tried 755 on MIMEDefang and still got same error:

drwxr-xr-x 3 defang defang 4096 Oct 13 16:23 MIMEDefang

selinux is not running at this time
and I have the following option set:

MD_ALLOW_GROUP_ACCESS=yes

On 10/13/2014 4:17 PM, Les Mikesell wrote:
> On Mon, Oct 13, 2014 at 4:01 PM, Cliff Hayes wrote:
>> Per other comments I removed all traces of previous clam installs and started over with binaries.
>> Got clamd running as root and mimedefang running as defang - no problem.
>> But I'd like to run clamd as clamav so I did your idea and added defang to clamav as such: usermod -G defang clamav
>> So now clamd is a member of two groups: clamav and defang but I still get the following error:
>>
>> Oct 13 15:53:47 sendmail mimedefang.pl[27449]: s9DKrlSJ027472: Clamd returned error: lstat() failed: Permission denied.
>>
>> Oct 13 15:53:47 sendmail mimedefang.pl[27449]: s9DKrlSJ027472: Problem running virus scanner: code=999, category=swerr, action=tempfail
>>
>> Mon Oct 13 15:53:47 2014 -> WARNING: lstat() failed on: /var/spool/MIMEDefang/mdefang-s9DKrlSJ027472/Work
>
> Did you restart clamd after the change? Also, check that the
> directories above /var/spool/MIMEDefang/mdefang-s9DKrlSJ027472/Work
> have rx permissions for group or other and the new files mimedefang is
> creating have group access.

Re: [Mimedefang] Fwd: Re: clamav vs clamd vs clamscan
On Mon, Oct 13, 2014 at 4:01 PM, Cliff Hayes wrote:
> Per other comments I removed all traces of previous clam installs and
> started over with binaries.
> Got clamd running as root and mimedefang running as defang - no problem.
> But I'd like to run clamd as clamav so I did your idea and added defang to
> clamav as such: usermod -G defang clamav
> So now clamd is a member of two groups: clamav and defang but I still get
> the following error:
>
> Oct 13 15:53:47 sendmail mimedefang.pl[27449]: s9DKrlSJ027472: Clamd
> returned error: lstat() failed: Permission denied.
>
> Oct 13 15:53:47 sendmail mimedefang.pl[27449]: s9DKrlSJ027472: Problem
> running virus scanner: code=999, category=swerr, action=tempfail
>
> Mon Oct 13 15:53:47 2014 -> WARNING: lstat() failed on:
> /var/spool/MIMEDefang/mdefang-s9DKrlSJ027472/Work

Did you restart clamd after the change? Also, check that the directories above /var/spool/MIMEDefang/mdefang-s9DKrlSJ027472/Work have rx permissions for group or other and the new files mimedefang is creating have group access.

--
Les Mikesell
lesmikes...@gmail.com

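Added example, not part of any message in this thread: a shell sketch of the two checks raised above, namely which groups the running clamd actually holds (a daemon started before the usermod keeps its old group list) and which directory on the way to the Work directory refuses that identity. The function names are made up for this example; it assumes Linux /proc and a stat that accepts -c, and it looks at plain mode bits only.

```shell
#!/bin/sh
# Added example, not from the thread. Mode bits only: ACLs, SELinux and
# root's override are ignored. Needs a stat that accepts -c (GNU, busybox).

# proc_ids STATUS_FILE -> "euid egid gid...", the identity a running
# process actually holds, read from a copy of /proc/<pid>/status.
proc_ids() {
    awk '$1 == "Uid:" { u = $3 }
         $1 == "Gid:" { g = $3 }
         $1 == "Groups:" { for (i = 2; i <= NF; i++) g = g " " $i }
         END { print u, g }' "$1"
}

# perm_bits UID "GIDS" PATH -> the rwx digit (0-7) that applies.
perm_bits() {
    pb_uid=$1 pb_gids=$2
    pb_st=$(stat -c '%u %g %a' "$3") || return 2
    set -- $pb_st                     # $1 owner, $2 group, $3 octal mode
    pb_mode=$((0$3))
    if [ "$pb_uid" -eq "$1" ]; then echo $(( (pb_mode >> 6) & 7 )); return; fi
    for pb_g in $pb_gids; do
        if [ "$pb_g" -eq "$2" ]; then echo $(( (pb_mode >> 3) & 7 )); return; fi
    done
    echo $(( pb_mode & 7 ))
}

# first_denied UID "GIDS" TARGET [BASE] -> prints the first component that
# refuses and returns 1, or returns 0. Directories above TARGET need
# search (x), which lstat() requires; TARGET needs r, plus x if a directory.
first_denied() {
    fd_uid=$1 fd_gids=$2 fd_target=${3%/} fd_cur=${4:-/}
    fd_cur=${fd_cur%/}                # "/" becomes "" so joins stay clean
    fd_ifs=$IFS; IFS=/; set -f
    set -- ${fd_target#"$fd_cur"}     # split the remainder on "/"
    set +f; IFS=$fd_ifs
    for fd_part in "$@"; do
        [ -n "$fd_part" ] || continue
        fd_bits=$(perm_bits "$fd_uid" "$fd_gids" "${fd_cur:-/}") || return 2
        if [ $((fd_bits & 1)) -eq 0 ]; then echo "${fd_cur:-/}"; return 1; fi
        fd_cur=$fd_cur/$fd_part
    done
    fd_need=4
    if [ -d "${fd_cur:-/}" ]; then fd_need=5; fi
    fd_bits=$(perm_bits "$fd_uid" "$fd_gids" "${fd_cur:-/}") || return 2
    if [ $((fd_bits & fd_need)) -ne "$fd_need" ]; then echo "${fd_cur:-/}"; return 1; fi
}

# Usage as root: SCRIPT PID TARGET, with the clamd pid from ps and the
# directory named in the lstat() warning (kept on disk for inspection).
if [ $# -eq 2 ]; then
    ids=$(proc_ids "/proc/$1/status")
    first_denied "${ids%% *}" "${ids#* }" "$2" && echo "no mode-bit obstacle"
fi
```

If the printed component is the per-message mdefang-* directory, the group-access setting is not reaching new working directories; if the walk passes with the gids from "id -G clamav" but fails with the gids from /proc, the daemon was started before the group change.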
Re: [Mimedefang] Fwd: Re: clamav vs clamd vs clamscan
Per other comments I removed all traces of previous clam installs and started over with binaries.
Got clamd running as root and mimedefang running as defang - no problem.
But I'd like to run clamd as clamav so I did your idea and added defang to clamav as such: usermod -G defang clamav
So now clamd is a member of two groups: clamav and defang but I still get the following error:

Oct 13 15:53:47 sendmail mimedefang.pl[27449]: s9DKrlSJ027472: Clamd returned error: lstat() failed: Permission denied.

Oct 13 15:53:47 sendmail mimedefang.pl[27449]: s9DKrlSJ027472: Problem running virus scanner: code=999, category=swerr, action=tempfail

Mon Oct 13 15:53:47 2014 -> WARNING: lstat() failed on: /var/spool/MIMEDefang/mdefang-s9DKrlSJ027472/Work

On 10/9/2014 1:36 PM, Kees Theunissen wrote:
> On Thu, 9 Oct 2014, Kevin A. McGrail wrote:
>> On 10/9/2014 10:28 AM, Cliff Hayes wrote:
>>> Thanks to this list I am making progress :)
>>> Now clamd is failing due to this...
>>>
>>> Wed Oct 8 16:32:20 2014 -> WARNING: lstat() failed on: /var/spool/MIMEDefang/mdefang-s98LWK78002037/Work
>>>
>>> ...I'm assuming this is because the mimedefang working directory is owned by defang and clamd runs as clamav. I fixed by running clamd as root ... is this the preferred solution or is there a better way?
>>
>> In general, you don't want daemons running as privileged users. I run clamd as the same user as I run MD and that would be my recommendation as well.
>
> On my systems (debian) I run mimedefang as user "defang" and group "defang" while clamd is running as user "clamav" and group "clamav". I made the "clamav" user a member of the "defang" group so clamd can read the contents of subdirs below /var/spool/MIMEDefang with group rights.
>
> ~# id defang
> uid=108(defang) gid=110(defang) groups=110(defang)
> ~# id clamav
> uid=107(clamav) gid=109(clamav) groups=110(defang),109(clamav)
>
> Regards,
> Kees Theunissen.

Re: [Mimedefang] Fwd: Re: clamav vs clamd vs clamscan
On Sun, Oct 12, 2014 at 4:54 PM, Richard Laager wrote:
> On Sun, 2014-10-12 at 14:18 -0500, Cliff Hayes wrote:
>> I tried your idea.
>> I updated the following in clamd.conf:
>> LocalSocket /var/run/clamav/clamd.socket
>> PidFile /var/run/clamav/clamd.pid
>> User clamav
>>
>> Now I get this error when starting clamd:
>> ERROR: Can't open/parse the config file /usr/local/etc/clamd.conf
>> I am starting as root as instructed in clamd.conf
>> I have gotten that error before ... it usually means there is a user
>> issue. When I go back to running as root it knows to look in /etc/ for
>> clamd.conf
>
> I have no idea why your clamd is looking in /usr/local/etc instead
> of /etc.

There are probably 2 or more different versions of clamd on this system, built with different default options. If packages have been installed from different 3rd party repositories or installed from source plus a packaged install, that is a likely scenario.

--
Les Mikesell
lesmikes...@gmail.com

Re: [Mimedefang] clamav vs clamd vs clamscan
Hi there,

On Mon, 13 Oct 2014, Cliff Hayes wrote:

> Now I get this error when starting clamd:
> ERROR: Can't open/parse the config file /usr/local/etc/clamd.conf
> I am starting as root as instructed in clamd.conf
> I have gotten that error before ... it usually means there is a user issue.

That sounds like mystic nonsense. What's "a user issue" supposed to mean?

> When I go back to running as root it knows to look in /etc/ for clamd.conf

This just means that you are starting the process in two different ways, possibly from two different scripts, or you might even have two different binaries installed. Note that the search paths in the shell environment which are used by a root shell and by a non-root shell will be different. A root shell will usually have /sbin/ and /usr/sbin/ in the path, but a non-root shell won't. When you run an executable, always type the full path so that you know which one you're running or you'll confuse yourself.

Before the binaries are compiled the sources must be configured. Part of that configuration tells them to look for their configurations by default in certain places. These can be whatever locations you choose. So for example if you have /sbin/clamd compiled to look in /etc/ and /usr/local/sbin/clamd compiled to look in /usr/local/etc/ by default then you will see something like what you're describing if you start one and then the other *without* explicitly stating in the command which starts the process where it is to look for its configuration.

If you look at the manpage for clamd by typing

man clamd

at a shell prompt it will explain this. The clamd executable can be instructed to look for its configuration file by means of a command-line option. So you could for example say

/usr/local/sbin/clamd -c /home/configfile

or

/sbin/clamd -c /usr/local/etc/clamdconfigurationfile.2014.10.13

or whatever takes your fancy.

If you're really desperate you could for example just make a symlink in /usr/local/ which points to /etc/clamd.conf but you'd be far better off finding out what's really going on.

--
73,
Ged.