clamd: ERROR: Parse error at line 6: Unknown option AllowSupplementaryGroups

edestecd / puppet-clamav

Puppet Module for managing ClamAV

GNU General Public License v3.0

6 stars 59 forks source link

clamd: ERROR: Parse error at line 6: Unknown option AllowSupplementaryGroups #47

Closed hostingnuggets closed 4 years ago

hostingnuggets commented 7 years ago

On Debian 9 (stretch) clamd can not start because the AllowSupplementaryGroups option in clamd.conf does not exist anymore as you can see here from the clamd log file:

clamd[8822]: ERROR: Parse error at line 6: Unknown option AllowSupplementaryGroups

edestecd commented 7 years ago

Duplicate of #25 Please look there for a workaround.

hostingnuggets commented 7 years ago

I should have specified, I am using hiera and this workaround does not work with hiera as the clamd/freshclam config files end up with the following:

AllowSupplementaryGroups undef

My hiera config file looks like this:

clamav::manage_clamd: true
clamav::manage_freshclam: true
clamav::freshclam_options:
  AllowSupplementaryGroups: undef
clamav::clamd_options:
  AllowSupplementaryGroups: undef

edestecd commented 7 years ago

Try this

clamav::manage_clamd: true
clamav::manage_freshclam: true
clamav::freshclam_options:
  AllowSupplementaryGroups:
clamav::clamd_options:
  AllowSupplementaryGroups:

edestecd commented 7 years ago

I'll see if I can get those options removed soon. I'm still trying to figure out if I should just yank them for all or have some condition like only on Debian 8 or above... Any thoughts on this?

hostingnuggets commented 7 years ago

Nice your hiera suggestion above did the trick! Now regarding a condition based on the Debian version that will unfortunately not work afaik as if you use the latest package/security update on Debian 8 it also includes version 0.99.2 of ClamAV (0.99.2+dfsg-0+deb7u2 to be precise). On Debian 9 the exact package version is 0.99.2+dfsg-6+b1. So your condition should be based on the installed package version rather than on the OS version if you want my opinion.

edestecd commented 7 years ago

hmm, basing it on the package version is kinda hard since you can do ensure present or latest on the package and we would have no idea what version is actually installed.

edestecd commented 7 years ago

I think its probably OK to just pull the option on all Debian since it seems like all supported versions have the newer package available. It would be considered a breaking change and need to be a minor version bump with explicit warning. I need to check the package versions on CentOS, but I think even CentOS 7 does not complain about AllowSupplementaryGroups.

hostingnuggets commented 7 years ago

Yeah I thought it would not be optimal having to check on a package version. So yes starting from Debian 8 would be the condition for not including the AllowSupplementaryGroups option anymore. Bad luck for those who use a outdated ClamAV package but on the bright side it would force them to upgrade which is a good thing in terms of security...

edestecd commented 4 years ago

Solved: https://github.com/edestecd/puppet-clamav/pull/60