jonjomckay / quahog

A PHP client library for the ClamAV clamd daemon
MIT License

scanFile returns Permission Denied error #19

Closed TechKat closed 7 years ago

TechKat commented 7 years ago

So I am using this library in my Laravel Application.

When I pass the temp path of an uploaded file through to ->scanFile(), it throws a permission denied error.

The tmpdir in my php.ini is /tmp, though the permissions for this folder are:

drwxrwxrwt

Is this anything to do with the library, or the setup on my server?

SenseException commented 7 years ago

@TechKat What's the permission of the uploaded file?

This sounds more like a ClamAV permissions issue. When you do a

chmod("uploadedFile", 0777);

before your scan, do you still get that error?

TechKat commented 7 years ago

I haven't tried, but having decided to use scanStream instead, this appears to work just fine.

zschuessler commented 5 years ago

To anyone coming here from Google who requires file scanning: I battled this for 4 hours straight and solved it with the steps below.

The daemon should register the default /tmp directory in its configuration, or permissions errors will result when using the daemon with a web server. Find it in /etc/clamav/clamd.conf and add this line:

TemporaryDirectory /tmp

Next, we should force the daemon to always run as root. Otherwise the web user causes permissions issues when using the daemon through the Unix socket as a web service.

Edit file: /etc/systemd/system/multi-user.target.wants/clamav-daemon.service

Add the User and Group definition for the root user, here's an example of the whole file:

[Unit]
Description=Clam AntiVirus userspace daemon
Documentation=man:clamd(8) man:clamd.conf(5) https://www.clamav.net/documents/
# Check for database existence
ConditionPathExistsGlob=/var/lib/clamav/main.{c[vl]d,inc}
ConditionPathExistsGlob=/var/lib/clamav/daily.{c[vl]d,inc}

[Service]
User=root
Group=root
ExecStart=/usr/sbin/clamd --foreground=true
# Reload the database
ExecReload=/bin/kill -USR2 $MAINPID
StandardOutput=syslog

[Install]
WantedBy=multi-user.target

AlexanderWright commented 3 years ago

Running the scanner service as root does not seem to be a smart move, to me.

If the scanner is passed a file that compromises ClamAV, it would then have root permissions. Not something you would want.

It would be better, though still not ideal, to run the scanner with the web server's group permissions. I've not tested this, however.
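
Added example, not part of the thread and not quahog's own code: with clamd's INSTREAM command the client reads the upload and sends its bytes over the socket, so clamd never opens the file path and can keep running as its unprivileged user. The Python below shows the INSTREAM framing and reply handling. It assumes scanStream corresponds to this command; `stub_clamd`, the `CONSTRUCTED-BAD` marker and the `Constructed.Test` signature name are constructed so the example runs offline.

```python
import socket
import struct
import threading

def instream_frames(data, chunk_size=8192):
    """Yield the frames of one clamd INSTREAM session carrying `data`."""
    yield b"zINSTREAM\0"  # null-terminated command form
    for off in range(0, len(data), chunk_size):
        chunk = data[off:off + chunk_size]
        yield struct.pack("!I", len(chunk)) + chunk  # 4-byte big-endian length, then bytes
    yield struct.pack("!I", 0)  # zero-length chunk ends the stream

def parse_reply(raw):
    """Map a clamd reply to (status, detail); anything unexpected is an error."""
    text = raw.rstrip(b"\0\n").decode("utf-8", "replace")
    verdict = text.partition(": ")[2]
    if verdict == "OK":
        return ("clean", None)
    if verdict.endswith(" FOUND"):
        return ("infected", verdict[:-len(" FOUND")])
    return ("error", text)  # fail closed: the caller should reject the upload

def scan_bytes(sock, data):
    """Stream `data` to a connected clamd socket and return the parsed verdict."""
    for frame in instream_frames(data):
        sock.sendall(frame)
    reply = b""
    while not reply.endswith(b"\0") and (part := sock.recv(4096)):
        reply += part
    return parse_reply(reply)

def stub_clamd(conn, marker=b"CONSTRUCTED-BAD"):
    """Constructed stand-in for clamd so the example runs offline."""
    f = conn.makefile("rb")
    assert f.read(10) == b"zINSTREAM\0"
    body = b""
    while (n := struct.unpack("!I", f.read(4))[0]):
        body += f.read(n)
    conn.sendall(b"stream: Constructed.Test FOUND\0" if marker in body else b"stream: OK\0")

def demo(data):
    """Run one scan against the stub over a socketpair."""
    client, server = socket.socketpair()
    with client, server:
        t = threading.Thread(target=stub_clamd, args=(server,))
        t.start()
        result = scan_bytes(client, data)
        t.join()
        return result
```

Against a real daemon, `sock` would be a Unix socket connected to the `LocalSocket` path set in clamd.conf. Uploads larger than clamd's `StreamMaxLength` come back as an error reply, which `parse_reply` reports as `"error"` rather than as clean.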