[clamav-users] clamd does not bind to port when starting through init.d/service ubuntu 16.04

Reindl Harald h.reindl at thelounge.net
Mon Aug 29 04:01:04 EDT 2016



Am 29.08.2016 um 04:52 schrieb Paul Kosinski:
> "the "InaccessibleDirectories" stuff *is* DENY"
>
> Not quite. If you read the entire description of Allow/Deny/Order at
> https://httpd.apache.org/docs/2.4/mod/mod_access_compat.html, you will
> see that Apache (httpd) provides a somewhat more powerful scheme of
> access control than systemd's three "xxxDirectories=" directives, in
> that the "Order" directive provides for prioritization of blocking vs
> admitting.

besides that you refer to a compat module *nobody* should use with httpd >= 2.4.0, and when you test the behavior in case of config merging

different config files define different permissions and how they are 
inherited - I have been there years ago due to the transition to Apache 2.4, and 
careful testing showed that your config often does *not* do what you think, 
especially if mod_access_compat and the new directives are mixed because of 
.htaccess, distro snippets and admin config files - in other words: you 
may have no clue how your permissions are acting at all in real life

KERNEL NAMESPACES are a completely different thing by nature

> P.S. Linux kernel namespaces in general are quite good -- a worthy
> successor to the capability-based systems some of us worked on at NCR
> 1969-1970 (contemporaneous with Unix, but totally independent), and IBM
> Research 1970-1971 ("Future Systems", leading to System 38 and AS/400).
>
>
> On Sat, 27 Aug 2016 20:52:58 +0200
> Reindl Harald <h.reindl at thelounge.net> wrote:
>>
>>
>> Am 27.08.2016 um 20:45 schrieb Paul Kosinski:
>>> Does systemd have any ALLOW/DENY option (like Apache) for
>>> directories?
>>
>> the "InaccessibleDirectories" stuff *is* DENY
>> google for "linux kernel namespaces"
>>
>>> The "InaccessibleDirectories" option seems tedious and error prone,
>>> especially since *all* x.service files would have to be checked
>>> every time a new service, with perhaps new directories, is added.
>>
>> say who?
>>
>> you just need to understand where your service needs access and start
>> with a complete read-only filesystem namespace
>> (ReadOnlyDirectories=/), open specific directories, and some where I
>> *know for sure* the service has no business are completely closed
>>
>> nobody forces you to use all those security options - but saying "I
>> don't use them at all because I may forget to forbid whatever new
>> directory" is nonsense
>>
>> it's just a matter of how tight you want your security beyond SELinux
>> and similar tech, how well you know the stuff you are running and how
>> much time will you spend for that
>>
>> clamd in the case of a mail server needs zero to no capabilities because it
>> only has to deal with temp files, and since by definition clamd deals
>> with ratware I prefer to chain it as much as possible
>>
>>> On Sat, 27 Aug 2016 18:59:07 +0200
>>> Reindl Harald <h.reindl at thelounge.net> wrote:
>>>>
>>>>
>>>> Am 27.08.2016 um 18:30 schrieb G.W. Haywood:
>>>>> Hi there,
>>>>>
>>>>> On Sat, 27 Aug 2016, Jeff Dyke wrote:
>>>>>
>>>>>> ... if i start clamd with
>>>>>> sudo -u clamav /usr/sbin/clamd
>>>>>> --config-file=/etc/clamav/clamd.conf it *will* bind to that
>>>>>> address and port. ...
>>>>>> When starting via /etc/init.d/clamav-daemon start or sudo service
>>>>>> clamav-daemon start it does not bind to the port.
>>>>>>
>>>>>> ... No ... socket received from systemd.
>>>>>> ...
>>>>>
>>>>> Are the other servers also Ubuntu 16.04?
>>>>>
>>>>> What are they all doing?
>>>>>
>>>>> Anything more from the clamd.conf debug options?
>>>>>
>>>>> I use ClamAV only on mail servers.  I tend not to use distro
>>>>> packages for things mail, and anyway I have yet to use ClamAV on a
>>>>> systemd box (and with luck I never will) - but in your shoes I'd
>>>>> be inclined e.g. to chmod a-x the ClamAV scripts in /etc/init.d
>>>>> then put something to start clamd in /etc/rc.local to see if it
>>>>> works there after the network stack is all up and running
>>>>
>>>> to start with: a proper environment doesn't contain anything
>>>> in /etc/init.d if we talk about systemd
>>>>
>>>> so what does "systemctl list-units | grep clam" say, and what does
>>>> "systemctl status" say for each listed unit - to get a minimum overview
>>>> of how the system is wired together (not that good when using compat
>>>> start scripts)
>>>>
>>>> in the best case you disable/mask all that distro crap and create
>>>> your own clamd.service and adapt it to your needs (the one below
>>>> only needs unix sockets and hence can start with a restricted user -
>>>> it could do the same on a high port in the case of a tcp socket)
>>>>
>>>> [root@mail-gw:~]$ cat /etc/systemd/system/clamd.service
>>>> [Unit]
>>>> Description=ClamAV Scanner Daemon
>>>>
>>>> [Service]
>>>> Type=forking
>>>> Environment="TMPDIR=/tmp"
>>>> Environment="LANG=en_GB.UTF-8"
>>>> ExecStart=/usr/sbin/clamd -c /etc/clamd.d/scan.conf
>>>> ExecReload=/usr/bin/kill -SIGUSR2 $MAINPID
>>>> Restart=always
>>>> RestartSec=1
>>>> Nice=5
>>>>
>>>> User=clamscan
>>>> Group=clamilt
>>>>
>>>> PrivateTmp=yes
>>>> PrivateDevices=yes
>>>> PrivateNetwork=no
>>>> NoNewPrivileges=yes
>>>> CapabilityBoundingSet=CAP_KILL
>>>> RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
>>>> SystemCallArchitectures=x86-64
>>>> SystemCallFilter=~acct modify_ldt add_key adjtimex clock_adjtime delete_module fanotify_init finit_module get_mempolicy init_module io_destroy io_getevents iopl ioperm io_setup io_submit io_cancel kcmp kexec_load keyctl lookup_dcookie mbind migrate_pages mount move_pages open_by_handle_at perf_event_open pivot_root process_vm_readv process_vm_writev ptrace remap_file_pages request_key set_mempolicy swapoff swapon umount2 uselib vmsplice
>>>>
>>>> ReadOnlyDirectories=/
>>>> ReadWriteDirectories=/run/clamd.scan
>>>> ReadWriteDirectories=/run/clamd
>>>> ReadWriteDirectories=/var/log
>>>> ReadWriteDirectories=/tmp
>>>>
>>>> InaccessibleDirectories=-/boot
>>>> InaccessibleDirectories=-/etc/dbus-1
>>>> InaccessibleDirectories=-/etc/modprobe.d
>>>> InaccessibleDirectories=-/etc/modules-load.d
>>>> InaccessibleDirectories=-/etc/postfix
>>>> InaccessibleDirectories=-/etc/ssh
>>>> InaccessibleDirectories=-/etc/sysctl.d
>>>> InaccessibleDirectories=-/home
>>>> InaccessibleDirectories=-/media
>>>> InaccessibleDirectories=-/root
>>>> InaccessibleDirectories=-/run/blkid
>>>> InaccessibleDirectories=-/run/console
>>>> InaccessibleDirectories=-/run/dbus
>>>> InaccessibleDirectories=-/run/lock
>>>> InaccessibleDirectories=-/run/log
>>>> InaccessibleDirectories=-/run/mount
>>>> InaccessibleDirectories=-/run/screen
>>>> InaccessibleDirectories=-/run/sepermit
>>>> InaccessibleDirectories=-/run/setrans
>>>> InaccessibleDirectories=-/run/spamassassin
>>>> InaccessibleDirectories=-/run/spamassassin-submission
>>>> InaccessibleDirectories=-/run/spamass-milter
>>>> InaccessibleDirectories=-/run/spamd-debug
>>>> InaccessibleDirectories=-/run/systemd/generator
>>>> InaccessibleDirectories=-/run/systemd/system
>>>> InaccessibleDirectories=-/run/systemd/users
>>>> InaccessibleDirectories=-/run/udev
>>>> InaccessibleDirectories=-/run/user
>>>> InaccessibleDirectories=-/run/vnstat
>>>> InaccessibleDirectories=-/usr/lib64/dbus-1
>>>> InaccessibleDirectories=-/usr/lib64/xtables
>>>> InaccessibleDirectories=-/usr/lib/dracut
>>>> InaccessibleDirectories=-/usr/libexec/iptables
>>>> InaccessibleDirectories=-/usr/libexec/openssh
>>>> InaccessibleDirectories=-/usr/libexec/postfix
>>>> InaccessibleDirectories=-/usr/lib/grub
>>>> InaccessibleDirectories=-/usr/lib/kernel
>>>> InaccessibleDirectories=-/usr/lib/modprobe.d
>>>> InaccessibleDirectories=-/usr/lib/modules
>>>> InaccessibleDirectories=-/usr/lib/modules-load.d
>>>> InaccessibleDirectories=-/usr/lib/rpm
>>>> InaccessibleDirectories=-/usr/lib/sysctl.d
>>>> InaccessibleDirectories=-/usr/lib/udev
>>>> InaccessibleDirectories=-/usr/local
>>>> InaccessibleDirectories=-/var/db
>>>> InaccessibleDirectories=-/var/lib/alternatives
>>>> InaccessibleDirectories=-/var/lib/bayes-persistent
>>>> InaccessibleDirectories=-/var/lib/dbus
>>>> InaccessibleDirectories=-/var/lib/dnf
>>>> InaccessibleDirectories=-/var/lib/initramfs
>>>> InaccessibleDirectories=-/var/lib/logrotate
>>>> InaccessibleDirectories=-/var/lib/mailgraph
>>>> InaccessibleDirectories=-/var/lib/misc
>>>> InaccessibleDirectories=-/var/lib/mlocate
>>>> InaccessibleDirectories=-/var/lib/ntp
>>>> InaccessibleDirectories=-/var/lib/os-prober
>>>> InaccessibleDirectories=-/var/lib/postfix
>>>> InaccessibleDirectories=-/var/lib/rbldnsd
>>>> InaccessibleDirectories=-/var/lib/rkhunter
>>>> InaccessibleDirectories=-/var/lib/rpm
>>>> InaccessibleDirectories=-/var/lib/rsyslog
>>>> InaccessibleDirectories=-/var/lib/smokeping
>>>> InaccessibleDirectories=-/var/lib/spamassassin
>>>> InaccessibleDirectories=-/var/lib/spamass-milter
>>>> InaccessibleDirectories=-/var/lib/spamfilter
>>>> InaccessibleDirectories=-/var/lib/systemd
>>>> InaccessibleDirectories=-/var/lib/unbound
>>>> InaccessibleDirectories=-/var/lib/vnstat
>>>> InaccessibleDirectories=-/var/lib/yum
>>>> InaccessibleDirectories=-/var/log/rkhunter
>>>> InaccessibleDirectories=-/var/spool
>>>>
>>>> [Install]
>>>> WantedBy=multi-user.target

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL: <https://lists.clamav.net/pipermail/clamav-users/attachments/20160829/49c37d39/attachment.sig>
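An added example, not code from this thread, from ClamAV or from systemd: a small Python checker for the kind of unit posted above. It parses the ReadOnlyDirectories=/ReadWriteDirectories=/InaccessibleDirectories= directives (and their newer *Paths= spellings) from a [Service] section, answers what the service can reach at a given path, and flags the mistakes the thread argues about: a deny entry without the '-' prefix (the unit does not start if that path is absent), the same path under two directives, no read-only root, and a writable path nested inside a denied tree. The two unit texts are constructed for the example. The longest-prefix rule for nested paths is an assumption about how the directives layer, which is what the posted unit relies on (ReadWriteDirectories= under ReadOnlyDirectories=/, a denied /var/log/rkhunter under a writable /var/log); systemd's own tie-break for one path under two directives is not modelled, such entries are reported instead.

```python
"""Check the filesystem-namespace directives of a systemd unit.

Added example, not from the post, ClamAV or systemd.  Assumption: the most
specific (longest) rule path decides access for a nested path; a path that
appears under two different directives is a finding, not resolved here.
"""
import re

# Old and new spellings of the three directives map onto one access class.
DIRECTIVES = {
    "ReadWriteDirectories": "rw", "ReadWritePaths": "rw",
    "ReadOnlyDirectories": "ro", "ReadOnlyPaths": "ro",
    "InaccessibleDirectories": "inaccessible", "InaccessiblePaths": "inaccessible",
}


def normalize(path):
    """Strip trailing slashes so prefix matching is exact ('/' stays '/')."""
    return re.sub(r"/+$", "", path) or "/"


def parse_unit(text):
    """Return [(path, mode, ignore_missing, directive)] from the [Service] section.

    A value may list several space-separated paths; a leading '-' means the
    path is skipped when it does not exist; an empty value resets that directive.
    """
    rules, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section = line.strip("[]")
            continue
        if section != "Service" or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key not in DIRECTIVES:
            continue
        if not value:
            rules = [r for r in rules if r[3] != key]
            continue
        for item in value.split():
            rules.append((normalize(item.lstrip("-")), DIRECTIVES[key],
                          item.startswith("-"), key))
    return rules


def effective_access(rules, path):
    """Longest matching rule prefix wins (assumed layering, see module docstring).

    A path no rule covers stays 'rw': without ReadOnlyDirectories=/ nothing
    is remounted read-only at all.
    """
    path = normalize(path)
    best = None
    for rule_path, mode, _, _ in rules:
        if rule_path == "/" or path == rule_path or path.startswith(rule_path + "/"):
            if best is None or len(rule_path) > len(best[0]):
                best = (rule_path, mode)
    return best[1] if best else "rw"


def lint(rules):
    """Findings a reviewer of the unit would want to see, in a fixed order."""
    findings = []
    # The deny list is the long, host-specific one, so it is where an entry
    # for software that is not installed here stops the unit from starting.
    for path, mode, ignore, _ in rules:
        if mode == "inaccessible" and not ignore:
            findings.append(f"{path}: no '-' prefix, unit fails to start if the path is absent")
    modes_by_path = {}
    for path, mode, _, _ in rules:
        modes_by_path.setdefault(path, set()).add(mode)
    for path, modes in sorted(modes_by_path.items()):
        if len(modes) > 1:
            findings.append(f"{path}: listed under conflicting directives {sorted(modes)}")
    if effective_access(rules, "/") == "rw":
        findings.append("/: no ReadOnlyDirectories=/ (or ReadOnlyPaths=/), root stays writable")
    for path, mode, _, _ in rules:
        others = [r for r in rules if r[0] != path]
        if mode == "rw" and effective_access(others, path) == "inaccessible":
            findings.append(f"{path}: writable path re-exposes part of an inaccessible tree")
    return findings


# Constructed sample: a condensed version of the layering in the posted unit.
SAMPLE_UNIT = """
[Unit]
Description=ClamAV Scanner Daemon

[Service]
User=clamscan
ReadOnlyDirectories=/
ReadWriteDirectories=/run/clamd.scan
ReadWriteDirectories=/var/log
ReadWriteDirectories=/tmp
InaccessibleDirectories=-/root -/home
InaccessibleDirectories=-/etc/ssh -/etc/postfix
InaccessibleDirectories=-/var/log/rkhunter
InaccessibleDirectories=-/var/spool
"""

# Constructed counter-example carrying the mistakes lint() is meant to catch.
BAD_UNIT = """
[Service]
ReadWriteDirectories=/var/lib/clamav
InaccessibleDirectories=/home
InaccessibleDirectories=-/var/lib/clamav -/var/spool
ReadWriteDirectories=/var/spool/clamav
"""

if __name__ == "__main__":
    rules = parse_unit(SAMPLE_UNIT)
    for p in ("/etc/clamd.d/scan.conf", "/tmp/clamav-1234", "/root/.ssh",
              "/var/log/clamd.scan", "/var/log/rkhunter/x.log", "/var/spool/postfix"):
        print(f"{p:28} {effective_access(rules, p)}")
    for finding in lint(parse_unit(BAD_UNIT)):
        print("finding:", finding)
```

Run it against a unit file with `parse_unit(open(path).read())` after a `systemctl cat clamd.service`, so that drop-in overrides are included; the point of the lint is exactly Paul's objection that a long deny list drifts as packages come and go, and an unprefixed entry for a path that no longer exists turns that drift into a service that does not start.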

