[clamav-users] clamav-unofficial-sigs download script updated
Reio Remma
reio at mrstuudio.ee
Fri Jan 31 15:01:22 UTC 2020
On 31/01/2020 16:54, Vladislav Kurz via clamav-users wrote:
> On 31/01/2020 15:06, Michael Orlitzky via clamav-users wrote:
>> On 1/31/20 2:47 AM, Steve Basford wrote:
>>> Hi All,
>>>
>>> eXtremeSHOK.com's clamav-unofficial-sigs download script has been
>>> updated:
>>>
>>> https://github.com/extremeshok/clamav-unofficial-sigs
>>>
>>> Change Log
>>>
>>> Version 7.0.1 (Updated 25 January 2020)
>>>
>> Beware, as of a few versions ago this script is filled with a million
>> unsafe uses of chown and chmod, running as root. The script should never
>> be using chown/chmod in the first place, so all of these are wrong,
>>
>> $ grep 'chown\|chmod' clamav-unofficial-sigs.sh | wc -l
>> 40
>>
>> and many of them are exploitable if the clamav user swaps out one of the
>> targets for a symlink pointing to e.g. /etc/passwd. And since the script
>> runs on a predictable schedule, you have all the time in the world to do
>> that.
> True. This script should never be run as root, but as clamav user. Thus
> chown would not be needed at all. Just as freshclam is run as clamav
> user too.
The way it's set up is that it needs to be run as root once to have it
set itself up. From cron it runs as clamav user.
Good luck,
Reio
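
The symlink swap described in the quoted messages works because a path-based chown/chmod acts on whatever the name points to at call time. The following is an added example (Python, not part of this thread or of clamav-unofficial-sigs; the function name and the file names are hypothetical) of how privileged code can change mode or ownership through a file descriptor opened with O_NOFOLLOW instead of through a path:

```python
import os
import stat


def set_perms_nofollow(dir_path, name, mode, uid=-1, gid=-1):
    """Set mode (and optionally owner) on regular file `name` inside
    `dir_path` without ever following a symlink planted at that name."""
    if os.sep in name or name in ("", ".", ".."):
        raise ValueError("name must be a single path component")
    # Pin the directory by descriptor so a later rename or swap of the
    # path cannot redirect the lookup of `name`.
    dir_fd = os.open(dir_path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        # O_NOFOLLOW makes open() fail with ELOOP if `name` is a symlink.
        # O_NONBLOCK avoids blocking on a FIFO placed under that name.
        fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK,
                     dir_fd=dir_fd)
        try:
            st = os.fstat(fd)  # inspects the object we actually opened
            if not stat.S_ISREG(st.st_mode):
                raise PermissionError(f"{name}: not a regular file")
            if st.st_nlink != 1:
                # A hard link could alias a file elsewhere on the filesystem.
                raise PermissionError(f"{name}: has additional hard links")
            if uid != -1 or gid != -1:
                os.fchown(fd, uid, gid)  # acts on the fd, not on a path
            os.fchmod(fd, mode)
        finally:
            os.close(fd)
    finally:
        os.close(dir_fd)


if __name__ == "__main__":
    import tempfile
    work = tempfile.mkdtemp()            # constructed stand-in for a sigs dir
    target = os.path.join(tempfile.mkdtemp(), "target")
    open(target, "w").close()
    os.symlink(target, os.path.join(work, "example.db"))
    try:
        set_perms_nofollow(work, "example.db", 0o644)
    except OSError as exc:
        print("refused:", exc)
```

O_NOFOLLOW only covers the final path component, which is why the directory is opened first and the file is looked up relative to that descriptor.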