[clamav-users] ClamAV 0.103.0 release candidate - systemd service start fails
Michael Orlitzky
michael at orlitzky.com
Fri Aug 21 11:39:35 UTC 2020
On 2020-08-21 04:45, Arjen de Korte via clamav-users wrote:
>
> It is not clear to me what problem this patch intends to solve (for a
> systemd service it is absolutely not required from a security point of
> view). The PIDFile should be writable by vscan user only anyway.
>
With a Type=forking service, systemd will send SIGTERM to the contents
of the PID file as root. If the "vscan" user can put whatever he wants
in the PID file, then he can kill root processes.

Are you using the upstream systemd service? It defaults to Type=simple,
and runs clamd in the foreground. In that case, your clamd daemon
shouldn't be creating a PID file at all -- systemd should take care of
it when it shoves the process into the background. PidFile should be
left unset in clamd.conf.
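
Added example, not part of the original message and not ClamAV or systemd code: a small audit for the two situations the reply describes, a Type=forking unit whose PIDFile a non-root user can write, and a foreground service that still has PidFile set in clamd.conf. The unit text, paths and the "simple" default for a missing Type= are assumptions made for illustration.

```python
import configparser
import os
import stat

# Constructed sample inputs; paths and unit contents are illustrative only.
FORKING_UNIT = "[Service]\nType=forking\nPIDFile=/run/clamav/clamd.pid\n"
SIMPLE_UNIT = "[Service]\nExecStart=/usr/sbin/clamd --foreground\n"
CONF_WITH_PID = "# constructed clamd.conf\nPidFile /run/clamav/clamd.pid\n"

def parse_service(unit_text):
    """Return the [Service] section of a systemd unit as a dict."""
    cp = configparser.ConfigParser(strict=False, interpolation=None,
                                   delimiters=("=",))
    cp.optionxform = str  # keep key case: PIDFile, not pidfile
    cp.read_string(unit_text)
    return dict(cp["Service"]) if cp.has_section("Service") else {}

def clamd_pidfile(conf_text):
    """Return the PidFile value from clamd.conf text, or None if unset."""
    for line in conf_text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2 and parts[0] == "PidFile":
            return parts[1].strip()
    return None

def non_root_writable(st):
    """Heuristic: non-root owner, or group/other write bits set."""
    return st.st_uid != 0 or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit(unit_text, conf_text, stat_fn=os.stat):
    """List findings for the two situations described in the message."""
    svc = parse_service(unit_text)
    svc_type = svc.get("Type", "simple")  # assumed default when Type= is absent
    findings = []
    if svc_type == "forking" and svc.get("PIDFile"):
        pid_path = svc["PIDFile"]
        for path in (pid_path, os.path.dirname(pid_path)):
            try:
                if non_root_writable(stat_fn(path)):
                    findings.append(f"non-root can write {path}")
            except FileNotFoundError:
                pass  # not created yet; nothing to check
    conf_pid = clamd_pidfile(conf_text)
    if svc_type != "forking" and conf_pid:
        findings.append(f"PidFile {conf_pid} set for Type={svc_type} service")
    return findings
```

On a real host, pass the contents of the installed unit and clamd.conf and leave stat_fn at its default so the actual file and directory ownership is checked.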