[clamav-users] running freshclam and 3rd party/clamav-unofficial-sigs.sh owner name changes occasionally

Robert Kudyba rkudyba at fordham.edu
Fri Oct 9 15:41:30 UTC 2020


>
> > Every few weeks I'll start seeing this error:
> >
> > ERROR: clam database directory (clam_dbs) not writable /var/lib/clamav
> >
> > Running this fixes it:
> > su clamav -s '/usr/local/sbin/clamav-unofficial-sigs.sh'
> >
> > Here are the files not owned by clamav:
> > -rw-r--r--  1 clamupdate clamupdate    296388 Sep 19  2019 bytecode.cvd
> > -rw-r--r--  1 clamupdate clamupdate 112832258 Sep 17 09:53 daily.cvd
> > -rw-r--r--  1 clamupdate clamupdate 117859675 Nov 25  2019 main.cvd
> >
> At first glance it appears someone is running "freshclam" manually as
> clamupdate/clamupdate.
>
> Is there only one "freshclam" binary on the system?
>

Yes:
ls -l /usr/bin/freshclam*
-rwxr-xr-x 1 root root 45816 Oct  5 14:05 /usr/bin/freshclam

> Is it running as a daemon or being invoked by some other method(s)?
>
Via systemctl:
clamav    937912  0.0  0.0 102816 15860 ?        Ss   04:46   0:04 /usr/bin/freshclam -d --foreground=true

systemctl status clamav-freshclam.service
● clamav-freshclam.service - ClamAV virus database updater
     Loaded: loaded (/usr/lib/systemd/system/clamav-freshclam.service; enabled; vendor preset: disabled)
     Active: active (running) since Fri 2020-10-09 04:46:04 EDT; 6h ago
       Docs: man:freshclam(1)
             man:freshclam.conf(5)
             https://www.clamav.net/documents
   Main PID: 937912 (freshclam)
      Tasks: 1 (limit: 154197)
     Memory: 337.2M
     CGroup: /system.slice/clamav-freshclam.service
             └─937912 /usr/bin/freshclam -d --foreground=true

And the other one is disabled:
systemctl status clam-freshclam.service
● clam-freshclam.service - freshclam scanner
     Loaded: loaded (/usr/lib/systemd/system/clam-freshclam.service; disabled; vendor preset: disabled)
     Active: inactive (dead)


> Is there another that is set{g,u}id clamupdate?
>
> Oh, what binaries *are* set{g,u}id clamupdate?
>
> And who/what regularly uses the "clamupdate" id?
>

None that I know of. The only references to clamupdate I see are in the
various config files, e.g., clamav.conf and the 3rd party conf files in
/etc/clamav-unofficial-sigs/

I can track down that this started early this morning:
Oct 09 05:14:02 ERROR: clam database directory (clam_dbs) not writable /var/lib/clamav

But the only thing in the cron log file at that time is this 3rd
party update:

Oct  9 05:01:01 ourserver CROND[948241]: (root) CMD (run-parts /etc/cron.hourly)
Oct  9 05:01:01 ourserver run-parts[948241]: (/etc/cron.hourly) starting 0anacron
Oct  9 05:01:01 ourserver run-parts[948241]: (/etc/cron.hourly) finished 0anacron
Oct  9 05:14:01 ourserver CROND[956493]: (clamav) CMD ([ -x /usr/local/sbin/clamav-unofficial-sigs.sh ] && /usr/bin/bash /usr/local/sbin/clamav-unofficial-sigs.sh)

I also see this:
cat /etc/cron.d/clamav-unofficial-sigs
14 * * * *  clamav [ -x /usr/local/sbin/clamav-unofficial-sigs.sh ] && /usr/bin/bash /usr/local/sbin/clamav-unofficial-sigs.sh

and I added a while back clamav to the clamupdate group to try to work
around this:

grep clamupdate /etc/passwd
clamupdate:x:983:979:Clamav database update user:/var/lib/clamav:/sbin/nologin

grep 979  /etc/group
clamupdate:x:979:clamav
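An added check, not code from the thread or from the ClamAV project: a POSIX shell function that lists files in a database directory owned by anyone other than the account the updater is expected to run as, and exits non-zero so it can run from cron ahead of the unofficial-sigs job and alert before the "not writable" error appears. The defaults /var/lib/clamav and clamav are taken from the listing above; the audit rule in the comments is the standard auditd way to record which process changes ownership on the directory. A practitioner would also compare the expected owner with the DatabaseOwner directive in freshclam.conf, which is the account freshclam switches to when started as root.

```shell
#!/bin/sh
# Added example; not from the mailing-list thread or from ClamAV.
# Reports regular files directly under a ClamAV database directory that are
# not owned by the expected account. Directory and owner are arguments;
# /var/lib/clamav and clamav are assumed defaults taken from the thread.
#
# To find out which process is changing the owner, a watch on attribute
# changes (chown/chmod) can be added with auditd and queried later:
#   auditctl -w /var/lib/clamav -p a -k clamdb
#   ausearch -k clamdb -i

# clamdb_foreign_files DIR OWNER
# Prints an "ls -l" line for every file under DIR not owned by OWNER.
# Returns 2 when DIR is missing or OWNER is not a known account, so a typo
# in the expected owner is not mistaken for a clean directory.
clamdb_foreign_files() {
    _dir=$1
    _owner=$2
    [ -d "$_dir" ] || { echo "not a directory: $_dir" >&2; return 2; }
    id "$_owner" >/dev/null 2>&1 || { echo "unknown user: $_owner" >&2; return 2; }
    find "$_dir" -maxdepth 1 -type f ! -user "$_owner" -exec ls -l {} \;
}

# clamdb_foreign_count DIR OWNER
# Number of files under DIR not owned by OWNER (0 when all match).
clamdb_foreign_count() {
    find "$1" -maxdepth 1 -type f ! -user "$2" | wc -l | tr -d ' '
}

# clamdb_owner_check DIR OWNER
# 0: every file is owned by OWNER; 1: at least one is not (each offending
# file is printed); 2: bad argument. Suitable as a cron job's exit status.
clamdb_owner_check() {
    _out=$(clamdb_foreign_files "$1" "$2") || return $?
    [ -z "$_out" ] && return 0
    echo "files in $1 not owned by $2:"
    printf '%s\n' "$_out"
    return 1
}

# Stand-alone use: sh thisfile.sh --run [DIR] [OWNER]
if [ "${1:-}" = "--run" ]; then
    clamdb_owner_check "${2:-/var/lib/clamav}" "${3:-clamav}"
fi
```

Running it as the clamav account from the same cron.d file, a minute before the unofficial-sigs entry, gives a log line naming the offending files and their owner each time the ownership flips, rather than only the script's generic error.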