Cisco-Talos / clamav

ClamAV - Documentation is here: https://docs.clamav.net
https://www.clamav.net/
GNU General Public License v2.0

clamscan resets atime, because O_NOATIME is not used #1261

Open staskysel opened 4 months ago

staskysel commented 4 months ago

Describe the bug

clamscan opens scanned files without using O_NOATIME, and thus resets access time. Since typically all files on the filesystem are scanned, this basically defeats using atime for anything. atime is used, for example, by tmpfiles.d to determine file age, so clamscan breaks tmpfiles.d.

How to reproduce the problem

  1. check atime on a file: ls -lau filename
  2. scan the file with clamscan
  3. check atime again and see that it has changed

Here is the transcript:

    [test10@test001 ~]$ mkdir test
    [test10@test001 ~]$ perl -e 'print "A" x 1024' >test/file
    [test10@test001 ~]$ ls -lau --full-time test/file
    -rw-r--r--. 1 test10 test10 1024 2024-04-29 10:34:25.865646505 -0400 test/file
    [test10@test001 ~]$ clamscan -r test
    Loading: 24s, ETA: 0s [========================>] 8.69M/8.69M sigs
    Compiling: 8s, ETA: 0s [========================>] 41/41 tasks

    /home/test10/test/file: OK

    ----------- SCAN SUMMARY -----------
    Known viruses: 8692057
    Engine version: 1.3.1
    Scanned directories: 1
    Scanned files: 1
    Infected files: 0
    Data scanned: 0.00 MB
    Data read: 0.00 MB (ratio 0.00:1)
    Time: 35.174 sec (0 m 35 s)
    Start Date: 2024:04:29 10:42:12
    End Date: 2024:04:29 10:42:47
    [test10@test001 ~]$ ls -lau --full-time test/file
    -rw-r--r--. 1 test10 test10 1024 2024-04-29 10:42:45.412563874 -0400 test/file
    [test10@test001 ~]$ rpm -q clamav
    clamav-1.3.1-1.x86_64

    Checking configuration files in /usr/local/etc

    clamd.conf not found

    Config file: freshclam.conf

    DatabaseMirror = "database.clamav.net"

    clamav-milter.conf not found

    Software settings

    Version: 1.3.1
    Optional features supported: MEMPOOL AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 ICONV JSON RAR

    Database information

    Database directory: /usr/local/share/clamav
    WARNING: freshclam.conf and clamd.conf point to different database directories
    daily.cvd: version 27260, sigs: 2060227, built on Mon Apr 29 04:23:47 2024
    bytecode.cvd: version 335, sigs: 86, built on Tue Feb 27 10:37:24 2024
    main.cvd: version 62, sigs: 6647427, built on Thu Sep 16 08:32:42 2021
    Total number of signatures: 8707740

    Platform information

    uname: Linux 4.18.0-513.18.1.el8_9.x86_64 #1 SMP Thu Feb 1 03:51:05 EST 2024 x86_64
    OS: Linux, ARCH: x86_64, CPU: x86_64
    zlib version: 1.3.1 (1.3.1), compile flags: a9
    platform id: 0x0a21c9c90800000002040805

    Build information

    GNU C: 4.8.5 20150623 (Red Hat 4.8.5-44) (4.8.5)
    sizeof(void*) = 8
    Engine flevel: 201, dconf: 201


ragusaa commented 4 months ago

Hi,

Thank you for your submission.

We don't use O_NOATIME because it is required that the UID of the process match the owner UID of the file, and clam is not guaranteed to be run by the owner of all the files it scans.

Thanks, Andy
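
The ownership constraint described in the reply above can be seen with a small C program. This is an added example, not ClamAV code and not from either commenter: `open_for_scan` and `make_sample` are hypothetical helpers that try `O_NOATIME` first and retry with a plain open when the kernel answers `EPERM` (caller is neither the file owner nor holds `CAP_FOWNER`).

```c
#define _GNU_SOURCE            /* exposes O_NOATIME in <fcntl.h> on glibc */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
#ifndef O_NOATIME
#define O_NOATIME 01000000     /* assumption: asm-generic value (x86, ARM) */
#endif

/* Hypothetical helper. Returns an fd or -1; *kept_atime is 1 when the
 * kernel accepted O_NOATIME, 0 when a plain open was used or open failed. */
int open_for_scan(const char *path, int *kept_atime)
{
    int fd = open(path, O_RDONLY | O_NOATIME);
    *kept_atime = (fd >= 0);
    /* EPERM: effective UID is not the file owner and the process lacks
     * CAP_FOWNER, so the flag is refused. */
    if (fd < 0 && errno == EPERM)
        fd = open(path, O_RDONLY);   /* still scannable; atime may change */
    return fd;
}

/* Constructed sample input: a 1024-byte temp file owned by the caller. */
int make_sample(char *tmpl)
{
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    for (int i = 0; i < 1024; i++)
        if (write(fd, "A", 1) != 1) { close(fd); return -1; }
    return close(fd);
}

int main(void)
{
    char path[] = "/tmp/noatime-demo-XXXXXX", buf[1024];
    struct stat before, after;
    int kept, fd;
    if (make_sample(path) != 0 || stat(path, &before) != 0) return 1;
    if ((fd = open_for_scan(path, &kept)) < 0) return 1;
    ssize_t n = read(fd, buf, sizeof buf);
    close(fd);
    if (stat(path, &after) != 0) return 1;
    printf("read=%zd O_NOATIME=%d atime_changed=%d\n", n, kept,
           before.st_atim.tv_sec != after.st_atim.tv_sec ||
           before.st_atim.tv_nsec != after.st_atim.tv_nsec);
    return unlink(path);
}
```

Run as the file's owner, the flag is accepted and the access time stays put; pointed at a file owned by another user from an unprivileged account, the helper takes the fallback path and atime is updated according to the mount's atime policy.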