Comment 4 for bug 1930393
Revision history for this message
| Stephane Chazelas (stephane-chazelas+lp) wrote | #4 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
1b1ed1a
(Get the code!)
Also note that amavisd-new, often used in conjunction with postfix and clamav-daemon for spam+malware email filtering like in amavisd-new-postfix (Description: part of Ubuntu mail stack provided by Ubuntu server team) in its default configuration runs as the "amavis" user and "amavis" group.
If, to mitigate this vulnerability we reconfigure clamav-daemon for the socket to have
rw-rw---- clamav clamav
permissions.
Then amavisd-new can no longer connect to clamd via the socket. Adding amavis to the clamav group doesn't work as amavisd-new doesn't set supplementation gids. So, you're left with either reconfiguring amavis so it runs with clamav primary gid instead of amavis or change the group of the clamav socket to amavis (which means that if you need other services to be able to use clamd services, you need to add them to that group and by consequence give them access to some amavis data which they don't need otherwise).