[Pkg-clamav-devel] Bug#636881: Milter socket permissions not set properly
daradib at OCF.Berkeley.EDU
Thu Oct 27 14:16:54 UTC 2011
See my reply to #636877, but basically one either has to make clamav a
member of group postfix or set SOCKET_RWGROUP
in /etc/default/clamav-milter but not in clamav-milter.conf.
> root at domine:/var/spool/postfix/clamav# grep Milter /etc/clamav/clamav-milter.conf
> MilterSocket /var/spool/postfix/clamav/clamav-milter.ctl
> MilterSocketGroup postfix
> MilterSocketMode 660
clamav needs to be a member of group postfix so that it can set postfix
group ownership for the milter socket.
> s--------- 1 clamav clamav 0 Aug 6 19:20 clamav-milter.ctl
Reproducing this problem, it seems that this is the behavior when
clamav-milter cannot change the socket group ownership. There should be
an error message "Failed to change socket ownership to group postfix"
> This is because the init.d script now does chgrp and chmod g+w, but
> not more.
And it does that as root. It seems the MilterSocket settings in
clamav-milter.conf are applied by default after privileges are dropped,
as clamav by default which can't change group ownership unless it is a
member of the group.
What works for me (besides adding clamav to group postfix, which might
be an extra security risk?):
$ grep Milter /etc/clamav/clamav-milter.conf
#MilterSocketGroup postfix # handled by /etc/default/clamav-milter
$ ls -l
srw-rw---- 1 clamav postfix 0 Oct 27 07:13 clamav-milter.ctl
$ grep -v ^\# /etc/default/clamav-milter
Since clamav-milter is started as root anyways and then drops privileges
to user clamav in the default configuration, I would assume that the
socket group ownership as specified in clamav-milter.conf could be
changed earlier on as root, and that this would be the preferred fix
(depending on upstream), obsoleting /etc/default/clamav-milter.
OCF: all-volunteer, student-run service group providing
free printing, web hosting, disk space, email, and Unix shell accounts
More information about the Pkg-clamav-devel