Closed vmario89 closed 1 month ago
I think the problem is that /var/piler/tmp has 700 permissions, so clamd can't access the files. Those zero length files worry me.
Hi, I tested a lot with this yesterday and I was not able to fix it. I tried the following things:
set ACLs for clamav user (setfacl --recursive --modify u:clamav:rwX,d:u:clamav:rwX /var/piler/tmp/)
nothing worked for this
Then I checked and found that a lot of users have the same problem with clamd. They tried to run clamd as root then, but this should not be done.
I found out that the "clamdscan" command works when passed the parameter "--fdpass" or "--stream". So the following works:
01:37:58 ✘ root@piler:/var/run/clamav# clamdscan -fdpass /var/piler/tmp/
Is there any chance to compile src/clamd.c with this --fdpass parameter? piler.conf only has settings for the socket, but not for any further flags to modify the antivirus check routine.
Piler doesn't use the clamdscan command. Instead it connects to clamd unix socket and passes the full path after the SCAN command.
I can see that you use a non-standard path for the piler files. Verify the permissions on the dirs so that clamav user can list the contents of /mnt/storagespace/piler/tmp/2. I think that the problem is that 0,1,2 dirs in tmp are created with 700 permissions. Try setting them to 711, and no need to put clamav user to piler's group.
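The 700 versus 711 point above is the classic Unix DAC walk: when clamd receives a SCAN command it has to cross (x) every directory from the root down to the file as its own user (User = "clamav" in the clamconf output later in this thread) and then read (r) the file. The following is an added example, not piler's or ClamAV's code, that reproduces that walk for an arbitrary uid/gid set and demonstrates it on a constructed tmp/0/<file> tree created once at 0700 and once at 0711. It models only mode bits; POSIX ACLs (such as the setfacl attempt above), capabilities, AppArmor/SELinux confinement and clamd's own configuration are outside it, so a clean walk is necessary but not sufficient for clamd to read the file.

```python
import os
import stat
import tempfile


def bits_for(st, uid: int, gids) -> int:
    """rwx triplet (0..7) that the classic Unix DAC check applies to (uid, gids) on one inode."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7


def walk_as_user(path: str, uid: int, gids, start: str = "/") -> list:
    """Emulate what clamd must be able to do after 'SCAN path': search (x) every
    directory from `start` down to the file, then read (r) the file itself.

    Returns [(component, needed, granted), ...] and stops at the first denial,
    which is where clamd would report 'Permission denied'.
    Models mode bits only: no POSIX ACLs, no capabilities, no MAC (AppArmor/SELinux),
    and uid 0 is not special-cased (on a real system root bypasses DAC).
    """
    path = os.path.abspath(path)
    start = os.path.abspath(start)
    chain = []
    cur = path
    while True:
        chain.append(cur)
        if cur == start or os.path.dirname(cur) == cur:
            break
        cur = os.path.dirname(cur)
    chain.reverse()  # root-most component first, like the kernel's path walk

    report = []
    for i, comp in enumerate(chain):
        st = os.stat(comp)  # follow symlinks, as clamd does when opening the path
        is_last = i == len(chain) - 1
        if stat.S_ISDIR(st.st_mode):
            # crossing a directory needs x; listing it (if it is the scan target) also needs r
            needed, mask = ("rx", 5) if is_last else ("x", 1)
        else:
            needed, mask = "r", 4
        granted = (bits_for(st, uid, gids) & mask) == mask
        report.append((comp, needed, granted))
        if not granted:
            break
    return report


def demo() -> dict:
    """Constructed reproduction of the thread's layout: tmp/0/<file> created once with the
    directories at 0700 and once at 0711, checked as a uid that is neither the owner nor in
    the owning group (the clamav user against piler-owned directories)."""
    foreign_uid = os.getuid() + 1   # any uid that is not the owner
    foreign_gids = set()            # and not a member of the owning group
    out = {}
    with tempfile.TemporaryDirectory() as base:
        os.chmod(base, 0o711)       # TemporaryDirectory() itself is created 0700
        for mode in (0o700, 0o711):
            tmp = os.path.join(base, "tmp_%o" % mode)
            leaf = os.path.join(tmp, "0")
            os.makedirs(leaf)
            os.chmod(tmp, mode)
            os.chmod(leaf, mode)
            f = os.path.join(leaf, "message.eml")
            with open(f, "wb") as fh:
                fh.write(b"constructed sample message\n")
            os.chmod(f, 0o644)
            rep = walk_as_user(f, foreign_uid, foreign_gids, start=base)
            denied = [os.path.basename(c) for c, _, ok in rep if not ok]
            out[mode] = (all(ok for _, _, ok in rep), denied[0] if denied else None)
    return out


if __name__ == "__main__":
    # Usage: python3 walk.py <user> <file>   e.g. python3 walk.py clamav /var/piler/tmp/0/somefile
    import pwd
    import sys
    pw = pwd.getpwnam(sys.argv[1])
    gids = set(os.getgrouplist(pw.pw_name, pw.pw_gid))
    for comp, needed, ok in walk_as_user(sys.argv[2], pw.pw_uid, gids):
        print("%-3s %s %s" % (needed, "ok  " if ok else "DENY", comp))
```

Run against the real tree with the clamd user name from clamconf; the first DENY line is the directory to fix. On the 0700 tree the walk stops at the tmp directory itself; on the 0711 tree it reaches the file, which is the outcome the 711 suggestion above relies on.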
I tried different places for tmp like /var/piler/tmp or /tmp/ or that external /mnt/storage/var/piler/tmp/ - nothing works.
The permissions are fine, and they also must be fine, because piler itself re-created all the dirs like 0/ 1/ 2/ with its own permissions. I did not change them. That's what they look like:
drwx--x--x 5 piler piler 4096 Aug 6 16:18 tmp/
16:19:05 ✔ root@piler:/mnt/storagespace/piler/tmp# ll
total 20
drwx--x--x 5 piler piler 4096 Aug 6 16:19 ./
drwxr-xr-x 10 piler piler 4096 Aug 1 01:48 ../
drwx--x--x 2 piler piler 4096 Aug 6 16:19 0/
drwx--x--x 2 piler piler 4096 Aug 6 16:19 1/
drwx--x--x 2 piler piler 4096 Aug 6 16:13 2/
16:19:16 ✔ root@piler:/mnt/storagespace/piler/tmp/0# ll
total 8
drwx--x--x 2 piler piler 4096 Aug 6 16:19 ./
drwx--x--x 5 piler piler 4096 Aug 6 16:19 ../
16:19:16 ✔ root@piler:/mnt/storagespace/piler/tmp/0#
I know that piler connects to the clamd socket, but I thought the command it would process over the socket would still be clamdscan.
What command exactly will piler build with clamd to scan a file?
[ClamDScan](https://docs.clamav.net/manual/Usage/Scanning.html#clamdscan)
clamdscan is a clamd client, which greatly simplifies the task of scanning files with clamd. It sends commands to the clamd daemon across the socket specified in clamd.conf and generates a scan report after all requested scanning has been completed by the daemon.
Thus, to run clamdscan, you must have an instance of clamd already running as well.
Please keep in mind, that as a simple scanning client, clamdscan cannot change scanning and engine configurations. These are tied to the clamd instance and the configuration you set up in clamd.conf. Therefore, while clamdscan will accept many of the same commands as its sister tool clamscan, it will simply ignore most of them as (by design) no mechanism exists to make ClamAV engine configuration changes over the clamd socket.
Again, running clamdscan, once you have a working clamd instance, is simple:
clamdscan [*options*] [*file/directory/-*]
Interestingly, clamdscan fails, clamscan is okay - but clamdscan is the one listening on the socket:
16:25:54 ✔ root@piler:/mnt/storagespace/piler/tmp/0# clamscan --verbose /var/piler/tmp/
----------- SCAN SUMMARY -----------
Known viruses: 8696769
Engine version: 0.103.11
Scanned directories: 1
Scanned files: 0
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 39.426 sec (0 m 39 s)
Start Date: 2024:08:06 16:26:12
End Date: 2024:08:06 16:26:52
16:26:52 ✔ root@piler:/mnt/storagespace/piler/tmp/0# clamdscan --verbose /var/piler/tmp/
/mnt/storagespace/piler/tmp: File path check failure: Permission denied. ERROR
----------- SCAN SUMMARY -----------
Infected files: 0
Total errors: 1
Time: 0.001 sec (0 m 0 s)
Start Date: 2024:08:06 16:27:04
End Date: 2024:08:06 16:27:04
clamconf | grep -iE 'User|Socket'
LocalSocket = "/var/run/clamav/clamd.ctl"
LocalSocketGroup = "clamav"
LocalSocketMode = "666"
FixStaleSocket = "yes"
TCPSocket disabled
User = "clamav"
HTTPProxyUsername disabled
HTTPUserAgent disabled
No, it doesn't use clamdscan, so it's no use when you try it from the command line.
Piler sends the 'SCAN /path/to/file' command. It even syslogs it at debug verbosity. If 0/ 1/ and 2/ dirs have 711 permissions, then it should work.
Okay, I found some other documentation which mentions the SCAN command that is used in piler's source code: https://linux.die.net/man/8/clamd
I still tried that manually to check what happens:
It fails when the clamav daemon is running:
clamd SCAN /mnt/storagespace/piler/www/<SOMEFILE>
ERROR: /var/log/clamav/clamav.log is locked by another process
ERROR: Can't initialize the internal logger
When stopping clamav and trying again ...
systemctl stop clamav-daemon.service
systemctl disable clamav-daemon.service
.... it works:
clamd SCAN /mnt/storagespace/piler/tmp/<SOMEFILE>
less /var/log/clamav/clamav.log
Aug 6 16:44:40 piler piler[202127]: CLAMD ERR: connect to /var/run/clamav/clamd.ctl
Aug 6 16:44:40 piler piler[202127]: 1/LE0QORJBNWOJA3HH: done virus scanning
But when I disable the service, piler says it cannot connect to the socket. If I leave clamav enabled, the error occurs.
So the thing is: performing a scan manually with the service disabled works; why can't piler do it?
Give me some time until I setup a VM, and deploy piler with clamav. I'll keep you posted.
I've deployed piler with clamd support, and run into the same problem. I tweaked the directory and file permissions, but no matter what I applied, clamd produced an access error problem. Yet unsure why.
I compiled a test program to pass a file's path to the clamd_scan() function, and it seems that it's not the permissions or the ownership of the file that matters, rather the path. I think the clamd.conf settings prohibit to anything not in $HOME or in /tmp. I'll open an issue in the clamav project to confirm this, and hopefully provide a fix.
The reported issue: https://github.com/Cisco-Talos/clamav/issues/1328 Update: no response from the clamav developers after a week. I suggest to not use clamav with piler, instead do the malware scanning on your MX servers.
You closed the issue and committed https://github.com/jsuto/piler/commit/8cf96dce08e6eee6157142804a7879a3aece9eb9 - so I guess you are going to completely remove clamav support? If yes, we also need to remove the statements in https://github.com/jsuto/piler/blob/master/configure.in
Well, I'm somewhat hesitant to do that, but it might be the best course of action. Give me some time to think about it.
Hi, I installed piler from the recent master branch, compiled it with clamd support and set verbosity to 5 in the config:
./configure --prefix=/ --localstatedir=/var --enable-memcached --enable-clamd --with-database=mysql
However, in /var/log/mail.log piler-smtp says that clamd cannot open the files
piler-smtp is running fine without warnings or errors in journalctl.
piler service is configured to use the following setting in piler.conf:
clamd_socket=/var/run/clamav/clamd.ctl
This socket exists with the following permissions:
Looks good so far, except for the mentioned issue.
Anyone with ideas what causes the issue? The permissions of the tmp dir are