[clamav-users] clamav-unofficial-sigs download script updated
Vladislav Kurz
vladislav.kurz at webstep.net
Fri Jan 31 14:54:58 UTC 2020
On 31/01/2020 15:06, Michael Orlitzky via clamav-users wrote:
> On 1/31/20 2:47 AM, Steve Basford wrote:
>> Hi All,
>>
>> eXtremeSHOK.com's clamav-unofficial-sigs download script has been
>> updated:
>>
>> https://github.com/extremeshok/clamav-unofficial-sigs
>>
>> Change Log
>>
>> Version 7.0.1 (Updated 25 January 2020)
>>
>
> Beware, as of a few versions ago this script is filled with a million
> unsafe uses of chown and chmod, running as root. The script should never
> be using chown/chmod in the first place, so all of these are wrong,
>
> $ grep 'chown\|chmod' clamav-unofficial-sigs.sh | wc -l
> 40
>
> and many of them are exploitable if the clamav user swaps out one of the
> targets for a symlink pointing to e.g. /etc/passwd. And since the script
> runs on a predictable schedule, you have all the time in the world to do
> that.
True. This script should never be run as root, but as clamav user. Thus
chown would not be needed at all. Just as freshclam is run as clamav
user too.
--
S pozdravem
Vladislav Kurz
Centrála: Celní 17/5, 63900 Brno, CZ
Web: http://www.webstep.net
E-Mail: podpora at webstep.net
Tel: 840 840 700, +420 548 214 711
Obchodní podmínky: https://zkrat.to/op
More information about the clamav-users
mailing list