[clamav-users] clamd does not bind to port when starting through init.d/service ubuntu 16.04

Reindl Harald h.reindl at thelounge.net
Sat Aug 27 12:59:07 EDT 2016



On 27.08.2016 at 18:30, G.W. Haywood wrote:
> Hi there,
>
> On Sat, 27 Aug 2016, Jeff Dyke wrote:
>
>> ... if i start clamd with
>> sudo -u clamav /usr/sbin/clamd --config-file=/etc/clamav/clamd.conf
>> it *will* bind to that address and port.
>> ...
>> When starting via /etc/init.d/clamav-daemon start or sudo service
>> clamav-daemon start it does not bind to the port.
>>
>> ... No ... socket received from systemd.
>> ...
>
> Are the other servers also Ubuntu 16.04?
>
> What are they all doing?
>
> Anything more from the clamd.conf debug options?
>
> I use ClamAV only on mail servers.  I tend not to use distro packages
> for things mail, and anyway I have yet to use ClamAV on a systemd box
> (and with luck I never will) - but in your shoes I'd be inclined e.g.
> to chmod a-x the ClamAV scripts in /etc/init.d then put something to
> start clamd in /etc/rc.local to see if it works there after the
> network stack is all up and running

to start with a proper environment doesn't contain anything in /etc/init.d 
if we talk about systemd

so what tells "systemctl list-units | grep clam" and what tells 
"systemctl status" for each listed unit - to get a minimum overview how 
the system is wired together (not that good when using compat startscripts)

in the best case you disable/mask all that distro-crap and create your 
own clamd.service and adapt it to your needs (that one below only needs 
unix-sockets and hence can start with a restricted user - it could do the 
same in a high port in case of a tcp socket)

[root@mail-gw:~]$ cat /etc/systemd/system/clamd.service
[Unit]
Description=ClamAV Scanner Daemon

[Service]
Type=forking
Environment="TMPDIR=/tmp"
Environment="LANG=en_GB.UTF-8"
ExecStart=/usr/sbin/clamd -c /etc/clamd.d/scan.conf
ExecReload=/usr/bin/kill -SIGUSR2 $MAINPID
Restart=always
RestartSec=1
Nice=5

User=clamscan
Group=clamilt

PrivateTmp=yes
PrivateDevices=yes
PrivateNetwork=no
NoNewPrivileges=yes
CapabilityBoundingSet=CAP_KILL
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
SystemCallArchitectures=x86-64
SystemCallFilter=~acct modify_ldt add_key adjtimex clock_adjtime \
 delete_module fanotify_init finit_module get_mempolicy init_module \
 io_destroy io_getevents iopl ioperm io_setup io_submit io_cancel kcmp \
 kexec_load keyctl lookup_dcookie mbind migrate_pages mount move_pages \
 open_by_handle_at perf_event_open pivot_root process_vm_readv \
 process_vm_writev ptrace remap_file_pages request_key set_mempolicy \
 swapoff swapon umount2 uselib vmsplice

ReadOnlyDirectories=/
ReadWriteDirectories=/run/clamd.scan
ReadWriteDirectories=/run/clamd
ReadWriteDirectories=/var/log
ReadWriteDirectories=/tmp

InaccessibleDirectories=-/boot
InaccessibleDirectories=-/etc/dbus-1
InaccessibleDirectories=-/etc/modprobe.d
InaccessibleDirectories=-/etc/modules-load.d
InaccessibleDirectories=-/etc/postfix
InaccessibleDirectories=-/etc/ssh
InaccessibleDirectories=-/etc/sysctl.d
InaccessibleDirectories=-/home
InaccessibleDirectories=-/media
InaccessibleDirectories=-/root
InaccessibleDirectories=-/run/blkid
InaccessibleDirectories=-/run/console
InaccessibleDirectories=-/run/dbus
InaccessibleDirectories=-/run/lock
InaccessibleDirectories=-/run/log
InaccessibleDirectories=-/run/mount
InaccessibleDirectories=-/run/screen
InaccessibleDirectories=-/run/sepermit
InaccessibleDirectories=-/run/setrans
InaccessibleDirectories=-/run/spamassassin
InaccessibleDirectories=-/run/spamassassin-submission
InaccessibleDirectories=-/run/spamass-milter
InaccessibleDirectories=-/run/spamd-debug
InaccessibleDirectories=-/run/systemd/generator
InaccessibleDirectories=-/run/systemd/system
InaccessibleDirectories=-/run/systemd/users
InaccessibleDirectories=-/run/udev
InaccessibleDirectories=-/run/user
InaccessibleDirectories=-/run/vnstat
InaccessibleDirectories=-/usr/lib64/dbus-1
InaccessibleDirectories=-/usr/lib64/xtables
InaccessibleDirectories=-/usr/lib/dracut
InaccessibleDirectories=-/usr/libexec/iptables
InaccessibleDirectories=-/usr/libexec/openssh
InaccessibleDirectories=-/usr/libexec/postfix
InaccessibleDirectories=-/usr/lib/grub
InaccessibleDirectories=-/usr/lib/kernel
InaccessibleDirectories=-/usr/lib/modprobe.d
InaccessibleDirectories=-/usr/lib/modules
InaccessibleDirectories=-/usr/lib/modules-load.d
InaccessibleDirectories=-/usr/lib/rpm
InaccessibleDirectories=-/usr/lib/sysctl.d
InaccessibleDirectories=-/usr/lib/udev
InaccessibleDirectories=-/usr/local
InaccessibleDirectories=-/var/db
InaccessibleDirectories=-/var/lib/alternatives
InaccessibleDirectories=-/var/lib/bayes-persistent
InaccessibleDirectories=-/var/lib/dbus
InaccessibleDirectories=-/var/lib/dnf
InaccessibleDirectories=-/var/lib/initramfs
InaccessibleDirectories=-/var/lib/logrotate
InaccessibleDirectories=-/var/lib/mailgraph
InaccessibleDirectories=-/var/lib/misc
InaccessibleDirectories=-/var/lib/mlocate
InaccessibleDirectories=-/var/lib/ntp
InaccessibleDirectories=-/var/lib/os-prober
InaccessibleDirectories=-/var/lib/postfix
InaccessibleDirectories=-/var/lib/rbldnsd
InaccessibleDirectories=-/var/lib/rkhunter
InaccessibleDirectories=-/var/lib/rpm
InaccessibleDirectories=-/var/lib/rsyslog
InaccessibleDirectories=-/var/lib/smokeping
InaccessibleDirectories=-/var/lib/spamassassin
InaccessibleDirectories=-/var/lib/spamass-milter
InaccessibleDirectories=-/var/lib/spamfilter
InaccessibleDirectories=-/var/lib/systemd
InaccessibleDirectories=-/var/lib/unbound
InaccessibleDirectories=-/var/lib/vnstat
InaccessibleDirectories=-/var/lib/yum
InaccessibleDirectories=-/var/log/rkhunter
InaccessibleDirectories=-/var/spool

[Install]
WantedBy=multi-user.target

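Added example, not part of the original message or of ClamAV/systemd: a small Python check for a unit file copied from a mail like the one above. It flags value lines that lost their backslash continuation (the usual fate of a long SystemCallFilter= in e-mail), a missing non-root User= or NoNewPrivileges=, and the three sandbox directives whose names changed in systemd 231. The function names and the sample fragment are constructed for illustration.

```python
import re

# Pre-231 directive names used in the posted unit -> names since systemd 231.
RENAMED = {"ReadOnlyDirectories": "ReadOnlyPaths",
           "ReadWriteDirectories": "ReadWritePaths",
           "InaccessibleDirectories": "InaccessiblePaths"}

# Constructed sample: a fragment of the unit as mail wrapping left it.
WRAPPED = """[Service]
User=clamscan
NoNewPrivileges=yes
SystemCallFilter=~acct modify_ldt add_key
kexec_load keyctl mount ptrace
ReadOnlyDirectories=/
"""

def parse_unit(text):
    """Return ({section: [(key, value)]}, stray_lines); joins backslash continuations."""
    sections, stray, section, pending = {}, [], None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1].rstrip() + " "
            continue
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            sections.setdefault(section, [])
        elif "=" in line and section:
            key, value = line.split("=", 1)
            sections[section].append((key.strip(), value.strip()))
        else:
            stray.append(line)  # e.g. the tail of a mail-wrapped SystemCallFilter=
    return sections, stray

def audit(text):
    """Return findings for the [Service] section of a unit file."""
    sections, stray = parse_unit(text)
    last = dict(sections.get("Service", []))  # last assignment per key
    findings = [f"stray line, wrapped value?: {s}" for s in stray]
    if last.get("User", "root") in ("", "root", "0"):
        findings.append("service runs as root")
    if last.get("NoNewPrivileges", "no") not in ("yes", "true", "1", "on"):
        findings.append("NoNewPrivileges is not enabled")
    findings += [f"{old}= was renamed {new}=" for old, new in RENAMED.items() if old in last]
    return findings
```

A stray line matters here because the syscalls on it never reach the deny list, so the filter is shorter than the author intended.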