[clamav-users] ClamAV 0.103.0 release candidate - systemd service start fails
Arjen de Korte
build+clamav at de-korte.org
Fri Aug 21 12:11:25 UTC 2020
Quoting Michael Orlitzky via clamav-users <clamav-users at lists.clamav.net>:
> On 2020-08-21 04:45, Arjen de Korte via clamav-users wrote:
>>
>> It is not clear to me what problem this patch intends to solve (for a
>> systemd service it is absolutely not required from a security point of
>> view). The PIDFile should be writable by vscan user only anyway.
>>
>
> With a Type=forking service, systemd will send SIGTERM to the contents
> of the PID file as root.
Not unconditionally. See the following from 'man 5 systemd.service':
"The PID file does not need to be owned by a privileged user, but if it
is owned by an unprivileged user additional safety restrictions are
enforced: the file may not be a symlink to a file owned by a different
user (neither directly nor indirectly), and the PID file must refer to
a process already belonging to the service."
> If the "vscan" user can put whatever he wants
> in the PID file, then he can kill root processes.
See above: you're trying to fix a problem that doesn't exist.
> Are you using the upstream systemd service?
No, we're using "Type=forking" since the clamd.service can take
several minutes to start and we don't want to start services that
depend on it before it actually finished starting up. Creating the
socket beforehand is not a solution, as clamd won't start serving any
requests until it has actually finished starting up.
> It defaults to Type=simple, and runs clamd in the foreground.
See above. Actually, with this patch clamd will always run in the
foreground, as daemonizing is now completely broken. Up to and
including 0.102.4, starting clamd on the commandline without any
further options would just start the daemon and return. Now, it never
returns.
> In that case, your clamd daemon
> shouldn't be creating a PID file at all -- systemd should take care of
> it when it shoves the process into the background. PidFile should be
> left unset in clamd.conf.
There is no PIDFile in the clamd.service file as systemd doesn't need
that here (even when running as Type=forking). The same goes for
freshclam.service. Systemd has other ways to keep track of which
processes it has started and will not use the PIDFile unless you tell
it to do so (with the above mentioned restrictions).
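For readers following the thread, the two unit-file shapes under discussion, as an added example that is not part of this post or of the ClamAV project's own shipped units. It shows two alternative clamd.service files in one listing: variant A is the Type=forking setup described in the reply, without PIDFile=, and variant B is the upstream-style Type=simple setup that keeps clamd in the foreground. The binary and config paths (/usr/sbin/clamd, /etc/clamd.conf), the service user "vscan" and the timeout value are assumptions, not values taken from the thread.

```ini
# Added example, not from the thread or the ClamAV project.
# Two alternative /etc/systemd/system/clamd.service files; install only one.
# Paths, the "vscan" user and the timeout are assumed values.

# --- Variant A: Type=forking, no PIDFile= (the setup described in the reply) ---
# Units ordered After=clamd.service wait until clamd has loaded its signatures
# and daemonized. No PIDFile= is set: systemd tracks the service's cgroup and
# picks the main PID itself (GuessMainPID=yes is the default), so any PidFile
# configured in clamd.conf is never read by systemd and cannot steer SIGTERM.
[Unit]
Description=ClamAV daemon (forking variant)
After=network.target

[Service]
Type=forking
User=vscan
Group=vscan
ExecStart=/usr/sbin/clamd --config-file=/etc/clamd.conf
# Loading the signature database can take minutes; do not time out too early.
TimeoutStartSec=420
Restart=on-failure

[Install]
WantedBy=multi-user.target

# --- Variant B: Type=simple, clamd kept in the foreground (upstream style) ---
# systemd is the parent of the clamd process and needs no PID file at all.
# The trade-off the reply points out: the unit is "started" as soon as the
# process is running, not once clamd actually answers on its socket.
[Unit]
Description=ClamAV daemon (foreground variant)
After=network.target

[Service]
Type=simple
User=vscan
Group=vscan
ExecStart=/usr/sbin/clamd --foreground=true --config-file=/etc/clamd.conf
Restart=on-failure

[Install]
WantedBy=multi-user.target
```

If you do add a PIDFile= line to variant A and the file is owned by vscan, the systemd.service(5) restrictions quoted above apply: a symlink to another user's file is rejected, and the PID must belong to a process already inside the service's cgroup, so a tampered PID file cannot make systemd signal an unrelated root process.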