[clamav-users] clamd and not user root

Frans de Boer frans at fransdb.nl
Sat Nov 9 09:40:09 UTC 2019


LS,

The idea is noble, allowing clamd to drop privileges and thus being less 
vulnerable to manipulations. Running Clamonacc as root and feeding clamd 
with only the fd of a file. Alas, this still requires clamd to have read 
permission to read a file outside its own user and group settings.

Of course, one can make all files and directories world readable, but 
that is exactly what you want to avoid on a public server. I want file 
access to be controlled and only root can access them all. So, to be 
able to let clamd do its work, I had to reverse the privilege setting 
to keep clamd running as root.

Actually, it was expected from the start that this feature would not 
work without streaming support by clamonacc.

--- Frans



