Re: [Mimedefang] Error with mimedefang + clamd

2017-11-23 Thread Paul Murphy
Also, you probably need to set AllowSupplementaryGroups in your clamd.conf file:

   AllowSupplementaryGroups BOOL
       Initialize a supplementary group access (the process must be started by root).
       Default: no

Paul. 

___
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID.  You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
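
Added example (not part of the original messages, and not MIMEDefang or ClamAV code): `id clamscan` reads the group database, while the kernel enforces the credentials the running daemon actually holds, which Linux exposes in /proc/<pid>/status. The sketch below applies the owner/group/other rule to those credentials, using the uid/gid numbers and directory modes quoted elsewhere in this thread; the function names, the sample status files and the owner uid 985 are constructed for illustration.

```shell
#!/bin/sh
# Added example: which permission class does a *running* process fall into for
# a directory, judged by the credentials in /proc/<pid>/status (what the kernel
# enforces) rather than by /etc/group (what `id user` reports)?

# status_field FILE NAME: print the values of the "NAME:" line of a status file.
status_field() {
    awk -v k="$2:" '$1 == k { $1 = ""; print; exit }' "$1"
}

# can_search STATUS_FILE DIR_MODE DIR_UID DIR_GID
# Prints "<class>:allowed" or "<class>:denied" for the search (x) bit.
# Root's DAC override is not modelled.
can_search() {
    status=$1; perms=$((0$2)); duid=$3; dgid=$4
    # Uid:/Gid: hold "real effective saved fs"; file access uses the fs id.
    set -- $(status_field "$status" Uid); fsuid=$4
    set -- $(status_field "$status" Gid); fsgid=$4
    class=other; bit=$(( perms & 1 ))
    if [ "$fsuid" -eq "$duid" ]; then
        class=owner; bit=$(( (perms >> 6) & 1 ))
    else
        # Only the first matching class counts: a group match never falls
        # through to the "other" bits.
        for g in $fsgid $(status_field "$status" Groups); do
            if [ "$g" -eq "$dgid" ]; then
                class=group; bit=$(( (perms >> 3) & 1 )); break
            fi
        done
    fi
    if [ "$bit" -eq 1 ]; then echo "$class:allowed"; else echo "$class:denied"; fi
}

# Constructed samples. uid/gid numbers are the ones in the thread's `id` output;
# owner uid 985 for defang is a placeholder (the thread does not show it).
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT
printf 'Uid: 996 996 996 996\nGid: 992 992 992 992\nGroups: 983 984 992 993\n' \
    > "$SAMPLES/with_groups"      # supplementary groups were initialized
printf 'Uid: 996 996 996 996\nGid: 992 992 992 992\nGroups: 992\n' \
    > "$SAMPLES/primary_only"     # process holds only its primary group

can_search "$SAMPLES/with_groups"  2750 985 984   # drwxr-s--- as posted
can_search "$SAMPLES/primary_only" 2750 985 984
can_search "$SAMPLES/with_groups"  0766 985 984   # rw- for group: no search bit
```

On a live host, pass /proc/<pid>/status of the clamd process in place of the sample files; a Groups line without the defang gid means the daemon has to be restarted (or supplementary groups enabled) before the group bits on the spool directory can apply to it.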


Re: [Mimedefang] Error with mimedefang + clamd

2017-11-23 Thread Dianne Skoll
Hi,

> Actually, user is clamscan..

Did you restart ClamAV after adding clamscan to the defang group?

And did you ensure that AllowSupplementaryGroups in clamd.conf is set
to "yes" ?

Regards,

Dianne.


Re: [Mimedefang] Error with mimedefang + clamd

2017-11-23 Thread Paul Murphy
Also, please post the output from:  ps -eo pid,group,user,args | grep clam

Paul.



Re: [Mimedefang] Error with mimedefang + clamd

2017-11-23 Thread Info @ brainwash
Actually, user is clamscan..

Output of the commands you asked for:

uid=996(clamscan) gid=992(clamscan) groups=992(clamscan),993(virusgroup),984(defang),983(clamilt)

&

dr-xr-xr-x. 18 root   root   4096 Nov 20 20:02 /
drwxr-xr-x. 28 root   root   4096 Nov 17 14:39 /var
drwxr-xr-x. 14 root   root   4096 Nov 21 14:27 /var/spool
drwxr-s---   4 defang defang 4096 Nov 23 20:50 /var/spool/MIMEDefang/

-Original Message-
From: MIMEDefang [mailto:mimedefang-boun...@lists.roaringpenguin.com] On Behalf Of Dianne Skoll
Sent: Thursday, November 23, 2017 8:45 PM
To: mimedefang@lists.roaringpenguin.com
Subject: Re: [Mimedefang] Error with mimedefang + clamd

On Thu, 23 Nov 2017 20:36:50 +0200
"Info @ brainwash"  wrote:

> Tried the commands you mention.. to no effect however.. :(

Please post the output of these commands:

id clamav
ls -ld / /var /var/spool /var/spool/MIMEDefang/

Regards,

Dianne.


Re: [Mimedefang] Error with mimedefang + clamd

2017-11-23 Thread Dianne Skoll
On Thu, 23 Nov 2017 20:36:50 +0200
"Info @ brainwash"  wrote:

> Tried the commands you mention.. to no effect however.. :(

Please post the output of these commands:

id clamav
ls -ld / /var /var/spool /var/spool/MIMEDefang/

Regards,

Dianne.


Re: [Mimedefang] Error with mimedefang + clamd

2017-11-23 Thread Info @ brainwash
Hi Dianne,

Thank you for the swift reply.

Tried the commands you mention.. to no effect however.. :(

Still @ maillog:

mimedefang.pl[25993]: B8D39D49: Clamd returned error: lstat() failed: Permission denied.
mimedefang.pl[25993]: B8D39D49: Problem running virus scanner: code=999, category=swerr, action=tempfail
mimedefang.pl[25993]: B8D39D49: filter:  tempfail=1
mimedefang[26008]: B8D39D49: Tempfailing because filter instructed us to

... and @ clamav log:

-> WARNING: lstat() failed on: /var/spool/MIMEDefang/mdefang-UBuyV00/Work

As a reminder, clamav user is a member of the defang group and vice versa..


-Original Message-
From: MIMEDefang [mailto:mimedefang-boun...@lists.roaringpenguin.com] On Behalf Of Dianne Skoll
Sent: Thursday, November 23, 2017 5:23 PM
To: mimedefang@lists.roaringpenguin.com
Subject: Re: [Mimedefang] Error with mimedefang + clamd

On Thu, 23 Nov 2017 14:25:28 +0200
"Info @ brainwash"  wrote:

> mimedefang with the -G option and have the clamav user as member of 
> the defang group. In particular, the startup parameters of both
[...]

> .. and I get the issues with the Work files creation as initially 
> mentioned, even though clamav user is a member of the defang group.
> Unfortunately, I cannot run clamav under defang due to admin 
> restrictions/policies.

Try stopping MIMEDefang and running:

chgrp -R defang /var/spool/MIMEDefang
chmod 750 /var/spool/MIMEDefang
chmod g+s /var/spool/MIMEDefang

That will make /var/spool/MIMEDefang have group "defang" and set the SGID bit 
on the directory, meaning any directories or files created under 
/var/spool/MIMEDefang will also have group "defang"
(and recursively down the whole tree.)

Regards,

Dianne.


Re: [Mimedefang] Error with mimedefang + clamd

2017-11-23 Thread Dianne Skoll
On Thu, 23 Nov 2017 14:25:28 +0200
"Info @ brainwash"  wrote:

> mimedefang with the -G option and have the clamav user as member of
> the defang group. In particular, the startup parameters of both
[...]

> .. and I get the issues with the Work files creation as initially
> mentioned, even though clamav user is a member of the defang group.
> Unfortunately, I cannot run clamav under defang due to admin
> restrictions/policies.

Try stopping MIMEDefang and running:

chgrp -R defang /var/spool/MIMEDefang
chmod 750 /var/spool/MIMEDefang
chmod g+s /var/spool/MIMEDefang

That will make /var/spool/MIMEDefang have group "defang" and set
the SGID bit on the directory, meaning any directories or files
created under /var/spool/MIMEDefang will also have group "defang"
(and recursively down the whole tree.)

Regards,

Dianne.


Re: [Mimedefang] Error with mimedefang + clamd

2017-11-23 Thread Info @ brainwash
Hello Dianne & Bill,

Thank you both for your replies.. 

@Dianne: I have already tested your recommendation, i.e. run mimedefang with 
the -G option and have the clamav user as member of the defang group. In 
particular, the startup parameters of both services are:

/usr/bin/mimedefang -P /run/mimedefang.pid -o /var/spool/MIMEDefang/mimedefang.lock -m /var/spool/MIMEDefang/mimedefang-multiplexor.sock -y -R -1 -U defang -r -s -t -G -q -p inet:14865

/usr/bin/mimedefang-multiplexor -p /run/mimedefang-multiplexor.pid -o /var/spool/MIMEDefang/mimedefang-multiplexor.lock -m 2 -x 10 -y 0 -U defang -b 600 -r 200 -l -t /var/log/mimedefang/stats -Z -G -s /var/spool/MIMEDefang/mimedefang-multiplexor.sock

.. and I get the issues with the Work files creation as initially mentioned, 
even though clamav user is a member of the defang group. Unfortunately, I 
cannot run clamav under defang due to admin restrictions/policies.

@Bill, as per the 0766 setting, I changed it as a troubleshooting method. The 
directory does not have 0766 permissions under normal operation. You are right 
in your statements and thank you for describing them in detail. I had checked 
the manual pages and found Dianne's recommendation, however as it was not 
working on our system I started searching even deeper.

Anything else I can check regarding this error, should it provide more insight 
towards solving the issue?

Thank you,

Socrates


-Original Message-
From: MIMEDefang [mailto:mimedefang-boun...@lists.roaringpenguin.com] On Behalf Of Bill Cole
Sent: Wednesday, November 22, 2017 8:52 PM
To: mimedefang@lists.roaringpenguin.com
Subject: Re: [Mimedefang] Error with mimedefang + clamd

On 22 Nov 2017, at 10:11 (-0500), Info @ brainwash wrote:

> /var/spool/MIMEDefang/ directory has rights 0766 and belongs to user 
> defang:defang (it is been reset to these values every time the 
> mimedefang service restarts or the server reboots).

Dianne has already given the proper solution but this begs for a general 
warning...

Setting the world-writable bit on any file or on a directory without also 
setting the sticky bit is a risky action. You should NEVER leave a file or 
directory world-writable. Also on directories, it is generally not useful to 
set read bits without also setting the execute (i.e. search, for directories) 
bits.

> From what I found when Googling this error, the issue is that 
> MIMEDefang cannot create the work directory thus Clam cannot find the 
> file to scan.

It's usually best to read the man pages that are written by the author of a 
program before searching for random answers on the web who may not understand 
their problem, may not be getting an error message for the same reason you are, 
and may be using a version (or platform variant) that is unlike yours. This 
looks to me like a wrong answer but it really does not matter because the fix 
is simple and clearly documented in the mimedefang man page.

> I tried to make the directory 0777 and even change the users using 
> chown, to no effect.

Reiterating the above: don't set the world-writable bit anywhere except on 
shared directories with the sticky bit set (e.g. /tmp and /var/tmp use mode 
1777) and (sometimes) sockets and devices. It's not a safe solution to any 
problem and usually isn't even helpful as a troubleshooting tool.

MIMEDefang by design creates and destroys many files and directories for short 
lives, so for safety it needs to manage permissions itself very carefully and 
tightly. It cannot rely on sysadmins creating safe working ownership and 
permission constructs because it is a known fact that many sysadmins never 
actually read documentation. It is conceivable that MD could have been written 
to be entirely ignorant of security issues and rely on sysadmins to use 
whatever mix of standard ownership & permissions, BSD setgid semantics, and 
ACLs is available and necessary to allow everything MD does to work safely. I 
believe that if that were the case, MD would have a reputation of being hard to 
make work and grossly insecure. It's better this way.

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steady Work: https://linkedin.com/in/billcole