Ubuntu
clamav package

clamav-milter socket permissions wrong

Bug #430418 reported by Stephen Warren on 2009-09-16

6

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	ClamAV	Unknown	Unknown	clamav-bugzilla #1726
	clamav (Ubuntu)	Triaged	Medium	Unassigned

Bug Description

Binary package hint: clamav

According to /etc/default/clamav-milter on Jaunty:

## SOCKET_RWGROUP
# by default, the socket created by the milter has permissions
# clamav:clamav:755. SOCKET_RWGROUP changes the group and changes the
# permissions to 775 to give read-write access to that group.

This doesn't make sense:

* A socket shouldn't ever have execute permissions.
* If the idea is that only a particular user/group should have access to the socket, no group/world permissions should be set at all.

So, I think the modes should be 600 or 660 respectively.

Revision history for this message

Scott Kitterman (kitterman) wrote on 2009-09-17:

#1

This is the upstream default. I'd suggest file a bug with upstream and see how open they are to changing it:

https://wwws.clamav.net/bugzilla/

Revision history for this message

Stephen Warren (srwarren) wrote on 2009-09-18:

#2

Is /etc/init.d/clamav-milter provided by upstream or Debian/Ubuntu? That contains an explicit SOCKET_RWGROUP setting for modifying the socket permissions. It seems that would be an appropriate place for a fix...

Revision history for this message

Scott Kitterman (kitterman) wrote on 2009-09-18: Re: [Bug 430418] Re: clamav-milter socket permissions wrong

#3

It's provided by Debian, but uses the same permissions as upstream. When I
discussed it with the Debian maintainer, he suggest discussing it with
upstream.

Revision history for this message

Stephen Warren (srwarren) wrote on 2009-10-24:

#4

Finally got around to filing an upstream bug: https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1726

I'm not sure how to get launchpad to monitor remote bugs, unless they're
for a distro rather than a project...

Revision history for this message

Scott Kitterman (kitterman) wrote on 2009-10-24:

#5

No, you wanted the project option. Linked now.

Revision history for this message

Stephen Warren (srwarren) wrote on 2009-12-31:

#7

FYI, the clamav folks said this is just what the sendmail-supplied libmilter(?) library does. Hence, they pointed me at sendmail support. sendmail doesn't seem to have publicly accountable support, just a black-hole email address. I did report the issue to them, but they didn't respond.

Chuck Short (zulcss) on 2010-01-09

Changed in clamav (Ubuntu):
importance:	Undecided → Medium
status:	New → Triaged

Revision history for this message

Imre Gergely (cemc) wrote on 2011-08-16:

#8

I've checked in 0.97.2 in Oneiric, and the socket mode is now 0666, as specified in /etc/clamav/clamav-milter.conf. So the execute permission is gone. The world read/write mode is still present.

root@utest-oos32:~# cat /etc/clamav/clamav-milter.conf |grep Mode
MilterSocketMode 666

root@utest-oos32:~# cat /etc/clamav/clamav-milter.conf |grep MilterSocket
MilterSocket /var/run/clamav/clamav-milter.ctl

root@utest-oos32:~# stat /var/run/clamav/clamav-milter.ctl
File: `/var/run/clamav/clamav-milter.ctl'
Size: 0 Blocks: 0 IO Block: 4096 socket
Device: fh/15d Inode: 8078 Links: 1
Access: (0666/srw-rw-rw-) Uid: ( 104/ clamav) Gid: ( 112/ clamav)

The same is true in clamav 0.96.5 which is in Hardy, Lucid and Maverick.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

clamav-bugzilla #1726 Edit

Bug watches keep track of this bug in other bug trackers.