[clamav-users] clamd does not bind to port when starting through init.d/service ubuntu 16.04

Reindl Harald h.reindl at thelounge.net
Sat Aug 27 14:52:58 EDT 2016



On 27.08.2016 at 20:45, Paul Kosinski wrote:
> Does systemd have any ALLOW/DENY option (like Apache) for directories?

the "InaccessibleDirectories" stuff *is* DENY
google for "linux kernel namespaces"

> The "InaccessibleDirectories" option seems tedious and error prone,
> especially since *all* x.service files would have to be checked every
> time a new service, with perhaps new directories, is added.

say who?

you just need to understand where your service needs access and start 
with a complete read-only filesystem-namespace (ReadOnlyDirectories=/), 
open specific directories and some where i *know for sure* the service 
has no business are completely closed

nobody forces you to use all that security options - but saying "i don't 
use them at all because i may miss to forbid whatever new directory" is 
nonsense

it's just a matter of how tight you want your security beyond SELinux 
and similar tech, how well you know the stuff you are running and how 
much time you will spend on that

clamd in case of mailserver needs zero to no capabilities because it has 
to deal only with temp files and since by definition clamd deals with 
ratware i prefer to chain it as much as possible

> On Sat, 27 Aug 2016 18:59:07 +0200
> Reindl Harald <h.reindl at thelounge.net> wrote:
>>
>>
>> On 27.08.2016 at 18:30, G.W. Haywood wrote:
>>> Hi there,
>>>
>>> On Sat, 27 Aug 2016, Jeff Dyke wrote:
>>>
>>>> ... if i start clamd with
>>>> sudo -u clamav /usr/sbin/clamd --config-file=/etc/clamav/clamd.conf
>>>> it *will* bind to that address and port.
>>>> ...
>>>> When starting via /etc/init.d/clamav-daemon start or sudo service
>>>> clamav-daemon start it does not bind to the port.
>>>>
>>>> ... No ... socket received from systemd.
>>>> ...
>>>
>>> Are the other servers also Ubuntu 16.04?
>>>
>>> What are they all doing?
>>>
>>> Anything more from the clamd.conf debug options?
>>>
>>> I use ClamAV only on mail servers.  I tend not to use distro
>>> packages for things mail, and anyway I have yet to use ClamAV on a
>>> systemd box (and with luck I never will) - but in your shoes I'd be
>>> inclined e.g. to chmod a-x the ClamAV scripts in /etc/init.d then
>>> put something to start clamd in /etc/rc.local to see if it works
>>> there after the network stack is all up and running
>>
>> to start with a proper environment don't contain anything
>> in /etc/init.d if we talk about systemd
>>
>> so what tells "systemctl list-units | grep clam" and what tells
>> "systemctl status" for each listed unit - to get a minimum overview
>> how the system is wired together (not that good when using compat
>> startscripts)
>>
>> in the best case you disable/mask all that distro-crap and create
>> your own clamd.service and adapt it to your needs (that one below
>> only needs unix-sockets and hence can start with a restricted user - it
>> could do the same on a high port in case of a tcp socket)
>>
>> [root at mail-gw:~]$ cat /etc/systemd/system/clamd.service
>> [Unit]
>> Description=ClamAV Scanner Daemon
>>
>> [Service]
>> Type=forking
>> Environment="TMPDIR=/tmp"
>> Environment="LANG=en_GB.UTF-8"
>> ExecStart=/usr/sbin/clamd -c /etc/clamd.d/scan.conf
>> ExecReload=/usr/bin/kill -SIGUSR2 $MAINPID
>> Restart=always
>> RestartSec=1
>> Nice=5
>>
>> User=clamscan
>> Group=clamilt
>>
>> PrivateTmp=yes
>> PrivateDevices=yes
>> PrivateNetwork=no
>> NoNewPrivileges=yes
>> CapabilityBoundingSet=CAP_KILL
>> RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
>> SystemCallArchitectures=x86-64
>> SystemCallFilter=~acct modify_ldt add_key adjtimex clock_adjtime
>> delete_module fanotify_init finit_module get_mempolicy init_module
>> io_destroy io_getevents iopl ioperm io_setup io_submit io_cancel kcmp
>> kexec_load keyctl lookup_dcookie mbind migrate_pages mount move_pages
>> open_by_handle_at perf_event_open pivot_root process_vm_readv
>> process_vm_writev ptrace remap_file_pages request_key set_mempolicy
>> swapoff swapon umount2 uselib vmsplice
>>
>> ReadOnlyDirectories=/
>> ReadWriteDirectories=/run/clamd.scan
>> ReadWriteDirectories=/run/clamd
>> ReadWriteDirectories=/var/log
>> ReadWriteDirectories=/tmp
>>
>> InaccessibleDirectories=-/boot
>> InaccessibleDirectories=-/etc/dbus-1
>> InaccessibleDirectories=-/etc/modprobe.d
>> InaccessibleDirectories=-/etc/modules-load.d
>> InaccessibleDirectories=-/etc/postfix
>> InaccessibleDirectories=-/etc/ssh
>> InaccessibleDirectories=-/etc/sysctl.d
>> InaccessibleDirectories=-/home
>> InaccessibleDirectories=-/media
>> InaccessibleDirectories=-/root
>> InaccessibleDirectories=-/run/blkid
>> InaccessibleDirectories=-/run/console
>> InaccessibleDirectories=-/run/dbus
>> InaccessibleDirectories=-/run/lock
>> InaccessibleDirectories=-/run/log
>> InaccessibleDirectories=-/run/mount
>> InaccessibleDirectories=-/run/screen
>> InaccessibleDirectories=-/run/sepermit
>> InaccessibleDirectories=-/run/setrans
>> InaccessibleDirectories=-/run/spamassassin
>> InaccessibleDirectories=-/run/spamassassin-submission
>> InaccessibleDirectories=-/run/spamass-milter
>> InaccessibleDirectories=-/run/spamd-debug
>> InaccessibleDirectories=-/run/systemd/generator
>> InaccessibleDirectories=-/run/systemd/system
>> InaccessibleDirectories=-/run/systemd/users
>> InaccessibleDirectories=-/run/udev
>> InaccessibleDirectories=-/run/user
>> InaccessibleDirectories=-/run/vnstat
>> InaccessibleDirectories=-/usr/lib64/dbus-1
>> InaccessibleDirectories=-/usr/lib64/xtables
>> InaccessibleDirectories=-/usr/lib/dracut
>> InaccessibleDirectories=-/usr/libexec/iptables
>> InaccessibleDirectories=-/usr/libexec/openssh
>> InaccessibleDirectories=-/usr/libexec/postfix
>> InaccessibleDirectories=-/usr/lib/grub
>> InaccessibleDirectories=-/usr/lib/kernel
>> InaccessibleDirectories=-/usr/lib/modprobe.d
>> InaccessibleDirectories=-/usr/lib/modules
>> InaccessibleDirectories=-/usr/lib/modules-load.d
>> InaccessibleDirectories=-/usr/lib/rpm
>> InaccessibleDirectories=-/usr/lib/sysctl.d
>> InaccessibleDirectories=-/usr/lib/udev
>> InaccessibleDirectories=-/usr/local
>> InaccessibleDirectories=-/var/db
>> InaccessibleDirectories=-/var/lib/alternatives
>> InaccessibleDirectories=-/var/lib/bayes-persistent
>> InaccessibleDirectories=-/var/lib/dbus
>> InaccessibleDirectories=-/var/lib/dnf
>> InaccessibleDirectories=-/var/lib/initramfs
>> InaccessibleDirectories=-/var/lib/logrotate
>> InaccessibleDirectories=-/var/lib/mailgraph
>> InaccessibleDirectories=-/var/lib/misc
>> InaccessibleDirectories=-/var/lib/mlocate
>> InaccessibleDirectories=-/var/lib/ntp
>> InaccessibleDirectories=-/var/lib/os-prober
>> InaccessibleDirectories=-/var/lib/postfix
>> InaccessibleDirectories=-/var/lib/rbldnsd
>> InaccessibleDirectories=-/var/lib/rkhunter
>> InaccessibleDirectories=-/var/lib/rpm
>> InaccessibleDirectories=-/var/lib/rsyslog
>> InaccessibleDirectories=-/var/lib/smokeping
>> InaccessibleDirectories=-/var/lib/spamassassin
>> InaccessibleDirectories=-/var/lib/spamass-milter
>> InaccessibleDirectories=-/var/lib/spamfilter
>> InaccessibleDirectories=-/var/lib/systemd
>> InaccessibleDirectories=-/var/lib/unbound
>> InaccessibleDirectories=-/var/lib/vnstat
>> InaccessibleDirectories=-/var/lib/yum
>> InaccessibleDirectories=-/var/log/rkhunter
>> InaccessibleDirectories=-/var/spool
>>
>> [Install]
>> WantedBy=multi-user.target
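The pattern argued for above (a read-only namespace via ReadOnlyDirectories=/, a short list of writable directories, an explicit deny list, plus NoNewPrivileges, PrivateTmp, PrivateDevices, a capability bounding set and a syscall filter) can be checked mechanically before a unit is installed. The script below is an added example written for this page; it is not code from the thread, from ClamAV or from systemd. It parses the [Service] section of a unit file, keeping repeated directives, and reports which of those settings are missing, plus one likely misconfiguration: a writable directory nested under an InaccessibleDirectories entry, which systemd hides along with everything below it. Both sample units are constructed: HARDENED_UNIT is trimmed from the unit posted in the thread, WEAK_UNIT is a deliberately weak variant; the newer ReadOnlyPaths=/ReadWritePaths=/InaccessiblePaths= spellings are accepted as aliases.

```python
"""Audit the sandboxing directives of a systemd service unit (added example,
not code from the thread or from ClamAV). Accepts both the directive spellings
used in the thread (ReadOnlyDirectories=, ...) and the newer *Paths= ones."""
import os

TRUTHY = {"1", "yes", "y", "true", "t", "on"}
EXPECTED_TRUE = ("PrivateTmp", "PrivateDevices", "NoNewPrivileges")
# Old spelling -> current spelling; both are real systemd directive names.
ALIASES = {"ReadOnlyDirectories": "ReadOnlyPaths",
           "ReadWriteDirectories": "ReadWritePaths",
           "InaccessibleDirectories": "InaccessiblePaths"}


def parse_unit(text):
    """INI-style unit text -> {section: {key: [values]}}; repeated keys are
    kept and, as in systemd, an empty assignment (Key=) resets the list."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = ALIASES.get(key.strip(), key.strip())
        values = sections[current].setdefault(key, [])
        if value.strip():
            values.append(value.strip())
        else:
            values.clear()
    return sections


def directory_list(service, key):
    """Expand a path directive: space-separated entries, the optional '-'
    prefix (ignore if missing) stripped, paths normalised."""
    return [os.path.normpath(tok.lstrip("-"))
            for value in service.get(key, []) for tok in value.split()]


def is_within(path, parent):
    """True if path equals parent or lies somewhere below it."""
    return path == parent or path.startswith(parent.rstrip("/") + "/")


def audit(text):
    """Return the writable list, the deny list and human-readable findings."""
    service = parse_unit(text).get("Service", {})
    writable = directory_list(service, "ReadWritePaths")
    denied = directory_list(service, "InaccessiblePaths")
    findings = []
    if "/" not in directory_list(service, "ReadOnlyPaths"):
        findings.append("filesystem not read-only by default (no ReadOnlyDirectories=/)")
    for key in EXPECTED_TRUE:
        values = service.get(key, [])
        if not values or values[-1].lower() not in TRUTHY:
            findings.append(f"{key}= is not enabled")
    for key in ("CapabilityBoundingSet", "SystemCallFilter"):
        if not service.get(key):
            findings.append(f"{key}= is not restricted")
    # A writable directory under a denied tree is almost certainly a mistake,
    # since the deny covers everything below it. The reverse (denying a
    # subdirectory of a writable tree, like /var/log/rkhunter under /var/log
    # in the thread) is the intended layering and is not flagged.
    for w in writable:
        for d in denied:
            if is_within(w, d):
                findings.append(f"conflict: writable {w} lies under inaccessible {d}")
    return {"writable": writable, "denied": denied, "findings": findings}


# Constructed samples: HARDENED_UNIT is trimmed from the unit posted in the
# thread, WEAK_UNIT is a deliberately weak variant written for this example.
HARDENED_UNIT = """\
[Service]
ExecStart=/usr/sbin/clamd -c /etc/clamd.d/scan.conf
PrivateTmp=yes
PrivateDevices=yes
NoNewPrivileges=yes
CapabilityBoundingSet=CAP_KILL
SystemCallFilter=~acct modify_ldt add_key mount swapon swapoff umount2
ReadOnlyDirectories=/
ReadWriteDirectories=/run/clamd.scan /run/clamd
ReadWriteDirectories=/var/log
ReadWriteDirectories=/tmp
InaccessibleDirectories=-/boot
InaccessibleDirectories=-/var/log/rkhunter
InaccessibleDirectories=-/var/spool
"""
WEAK_UNIT = """\
[Service]
ExecStart=/usr/sbin/clamd -c /etc/clamd.d/scan.conf
ReadOnlyDirectories=/
ReadWriteDirectories=/var/spool/clamd
InaccessibleDirectories=-/var/spool
"""

if __name__ == "__main__":
    for name, unit in (("hardened", HARDENED_UNIT), ("weak", WEAK_UNIT)):
        print(name, audit(unit)["findings"])
```

To check a real unit, pass the file contents to audit(), e.g. audit(open("/etc/systemd/system/clamd.service").read()). The script only looks at what is written in the unit; on a live system, systemd-analyze security <unit> gives systemd's own scoring of the same settings, and the deny list still has to be revisited when new services bring new directories, which is the maintenance cost the thread is arguing about.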
