[Pkg-clamav-devel] Bug#822444: Solved

Xavier Quost xquost2000 at yahoo.fr
Sun May 1 15:33:02 UTC 2016


Hello Sebastian

>> remarks : 
>> (1) I have made no editing of clamd.conf file (but still not an excuse for not checking this file). It's a file resulting (not provided by) from installation of clamav-daemon package.
>> (2) It seems that starting clamd by sysinit does not enforce right permissions (<joke>  shall I open a bug report for that ?  </joke>).
> 
> can you describe the problem a little?

Just saying what you wrote below
(1) default for clamd is AllowSupplementaryGroups false
(2) when starting with sysinit this option is not taken into account 


>> (3) are not AllowSupplementaryGroups and LocalSocketMode somehow contradictory ?
> 
> No I don't think so. AllowSupplementaryGroups is basically what enables
> the use of all groups which are part of the clamav user. The second is
> just the socket mode.
> The problem here, as far as I understand it, is that clamsmtp keeps the
> folder + files owned by the clamsmtp group and without the option clamd
> is not part of the group and can't access them.

Ok thanks for explaining 

> Now going forward on fixing this. On one hand the problem is not setting
> AllowSupplementaryGroups to yes. Since clamsmtp adds the clamsmtp group
> to the clamav group it would be their job to let the user know to do so.
> On the other we have different behaviour between systemd and systemv
> which is not good.
> Anyone an idea what we should do here? I am kind of leaning towards
> removing the AllowSupplementaryGroups option and making it on by default
> since I see currently no reason why one would not want that.

Basically I was cloning configuration for mail server from wheezy to Jessie and could not understand my mistake. Confronting configuration files between wheezy and Jessie, seeing nothing relevant, led me to look at init process.

A simple comment in clamd configuration files like "clamd started with systemd is enforcing strongly this option whereas started with sysinit it might not" would have been enough for not bothering you.


Best regards and thanks for your kind explanations.

XQ
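
The permission question discussed in this message, as an added example that is not part of the original mail or of the ClamAV packaging: it parses a clamd.conf fragment and applies the POSIX owner/group/other read check to a clamsmtp-owned spool file, once with only the primary group and once with supplementary groups. The uids, gids, file mode and function names are constructed for illustration, and the accepted boolean spellings are an assumption.

```python
# Added illustration; uids, gids and the spool file below are constructed.
TRUE_WORDS = {"yes", "true", "1"}  # assumption: boolean spellings clamd accepts


def parse_clamd_conf(text):
    """Parse 'Option value' lines, skipping blank lines and # comments."""
    opts = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if parts:
            opts[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return opts


def process_groups(opts, primary_gid, supplementary_gids):
    """Group set of the daemon when the option is honoured as written."""
    allow = opts.get("AllowSupplementaryGroups", "false").lower() in TRUE_WORDS
    return {primary_gid} | (set(supplementary_gids) if allow else set())


def can_read(mode, owner_uid, owner_gid, uid, gids):
    """POSIX read check: owner bits, else group bits, else other bits."""
    if uid == owner_uid:
        return bool(mode & 0o400)
    if owner_gid in gids:
        return bool(mode & 0o040)
    return bool(mode & 0o004)


# Constructed accounts: clamav (uid 110, gid 115) is also a member of
# the clamsmtp group (gid 120); the spool file is clamsmtp:clamsmtp 0640.
CLAMAV_UID, CLAMAV_GID, CLAMSMTP_UID, CLAMSMTP_GID = 110, 115, 111, 120
SPOOL_FILE = {"mode": 0o640, "uid": CLAMSMTP_UID, "gid": CLAMSMTP_GID}


def clamd_can_scan(conf_text):
    """True if clamd, configured by conf_text, could read the spool file."""
    opts = parse_clamd_conf(conf_text)
    gids = process_groups(opts, CLAMAV_GID, [CLAMSMTP_GID])
    return can_read(SPOOL_FILE["mode"], SPOOL_FILE["uid"], SPOOL_FILE["gid"],
                    CLAMAV_UID, gids)


if __name__ == "__main__":
    for conf in ("User clamav\nAllowSupplementaryGroups false\n",
                 "User clamav\nAllowSupplementaryGroups true\n"):
        print(repr(conf), "->", "readable" if clamd_can_scan(conf) else "denied")
```

On a live system the group set a running clamd actually holds can be compared against this by reading the `Groups:` line of `/proc/<pid>/status`.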


