Closed hostingnuggets closed 4 years ago
Duplicate of #25. Please look there for a workaround.
I should have specified, I am using hiera and this workaround does not work with hiera as the clamd/freshclam config files end up with the following:
AllowSupplementaryGroups undef
My hiera config file looks like this:
clamav::manage_clamd: true
clamav::manage_freshclam: true
clamav::freshclam_options:
  AllowSupplementaryGroups: undef
clamav::clamd_options:
  AllowSupplementaryGroups: undef
Try this
clamav::manage_clamd: true
clamav::manage_freshclam: true
clamav::freshclam_options:
  AllowSupplementaryGroups:
clamav::clamd_options:
  AllowSupplementaryGroups:
I'll see if I can get those options removed soon. I'm still trying to figure out if I should just yank them for all or have some condition like only on Debian 8 or above... Any thoughts on this?
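Why the two hiera variants above behave differently, as an added example that is not part of the thread or of the puppet module: YAML reads `undef` as the string "undef", while an empty value is null. The `render_clamd_conf` helper is a hypothetical stand-in for the module's template (assumed to skip null values), and the `LogSyslog` entry is constructed sample data.

```ruby
require 'yaml'

# Constructed hiera data mirroring the two variants posted in the thread,
# plus one ordinary option (LogSyslog) so the rendered file is not empty.
HIERA_WITH_UNDEF = <<~YAML
  clamav::clamd_options:
    AllowSupplementaryGroups: undef
    LogSyslog: true
YAML

HIERA_WITH_EMPTY = <<~YAML
  clamav::clamd_options:
    AllowSupplementaryGroups:
    LogSyslog: true
YAML

# Parse the hiera YAML and return the clamd options hash.
def clamd_options(hiera_yaml)
  YAML.safe_load(hiera_yaml).fetch('clamav::clamd_options')
end

# Hypothetical renderer (assumption, not the module's own template):
# writes "Key value" lines and skips options whose value is nil.
def render_clamd_conf(hiera_yaml)
  clamd_options(hiera_yaml)
    .reject { |_key, value| value.nil? }
    .map { |key, value| "#{key} #{value}" }
    .join("\n")
end

# Option names whose value is the literal string "undef", i.e. the ones
# that would be written into clamd.conf instead of being dropped.
def literal_undef_options(hiera_yaml)
  clamd_options(hiera_yaml).select { |_key, value| value == 'undef' }.keys
end

if $PROGRAM_NAME == __FILE__
  puts "--- with 'undef' ---", render_clamd_conf(HIERA_WITH_UNDEF)
  puts '--- with empty value ---', render_clamd_conf(HIERA_WITH_EMPTY)
  puts "literal undef: #{literal_undef_options(HIERA_WITH_UNDEF).inspect}"
end
```
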
Nice, your hiera suggestion above did the trick! Now, regarding a condition based on the Debian version, that will unfortunately not work afaik, as if you use the latest package/security update on Debian 8 it also includes version 0.99.2 of ClamAV (0.99.2+dfsg-0+deb7u2 to be precise). On Debian 9 the exact package version is 0.99.2+dfsg-6+b1. So your condition should be based on the installed package version rather than on the OS version, if you want my opinion.
Hmm, basing it on the package version is kinda hard since you can do ensure present or latest on the package and we would have no idea what version is actually installed.
I think it's probably OK to just pull the option on all Debian since it seems like all supported versions have the newer package available. It would be considered a breaking change and need to be a minor version bump with explicit warning. I need to check the package versions on CentOS, but I think even CentOS 7 does not complain about AllowSupplementaryGroups.
Yeah, I thought it would not be optimal having to check on a package version. So yes, starting from Debian 8 would be the condition for not including the AllowSupplementaryGroups option anymore. Bad luck for those who use an outdated ClamAV package, but on the bright side it would force them to upgrade, which is a good thing in terms of security...
On Debian 9 (stretch) clamd can not start because the AllowSupplementaryGroups option in clamd.conf does not exist anymore as you can see here from the clamd log file: