[clamav-users] running freshclam and 3rd party/clamav-unofficial-sigs.sh owner name changes occasionally
Robert Kudyba
rkudyba at fordham.edu
Mon Jul 12 16:03:55 UTC 2021
>
> I asked about the permissions on the directories, not on files. In
> your 'find' command there you specifically limit the search to files
> and not directories with "-type f". See 'man find' for more (but IMO
> 'find' is a bit like a cornered rat and I'm starting to think it might
> not be the best tool in the box for you to be playing with). Just use
>
> ls -l / | grep var
>
> to see the permissions on /var and
>
ls -l / | grep var
lrwxrwxrwx 1 root root 19 Aug 31 2020 snap -> /var/lib/snapd/snap
drwxr-xr-x. 23 root root 4096 Jan 11 14:49 var
> ls -l /var | grep lib
>
> to see the permissions on /var/lib.
>
ls -l /var | grep lib
drwxr-xr-x. 95 root root 4096 Mar 20 08:00 lib
>> But I'd still want to see that log.
> >
> > The log from the cronjob, freshclam or eXtremeSHOK.com ClamAV Unofficial
> > Signature Updater?
>
> The cron job which I suggested. From a root shell prompt, to edit the
> crontab give the command
>
> crontab -e
>
> which will fire up the default editor or the one you've configured.
> Just paste these two lines (I tweaked it a bit from last October's
> version) right at the bottom:
>
> FILE=/var/log/clam_perms.log
> * * * * * /bin/date >> $FILE ; /bin/ls -l /var/lib/clamav >> $FILE
>
> That will write a time/date stamp and a directory listing to the file
> every minute until further notice. Yes, there will be quite a lot of
> output, but (by the standards of the 21st century) it won't be a huge
> file, and you'll get what I'm looking for which is when (to about the
> nearest minute) the permissions were changed. If you know to within
> the same sort of precision when things are run, that should give you
> some clue to what changed the permissions.
>
I had

* * * * * /bin/echo -n "$(/bin/date) " >> /var/log/clam_perms.log && /bin/ls -l /var/lib/clamav >> /var/log/clam_perms.log

so it's been populating for a couple of hours.
> grep 981 /etc/group
> > clamav:x:981:clamscan,clamilt,clamupdate
>
> Hmmm. So group ID 981 is 'clamav'. What's the numeric ID for the
> 'clamupdate' group (and 'clamilt' for completeness)? To me it seems
> just a little excessive to have separate users (and maybe groups) for
> clamd, clamav-milter and freshclam. I think somebody (probably this
> was somebody at Red Hat) lost the plot there, but I suppose you're
> stuck with that unless you junk the ClamAV packages and build it all
> from source. IMO there's a lot to recommend that.
>
grep clam /etc/passwd
clamilt:x:989:985:Clamav Milter User:/var/run/clamav-milter:/sbin/nologin
clamav:x:985:981::/var/run/clamav:/sbin/nologin
clamupdate:x:983:979:Clamav database update user:/var/lib/clamav:/sbin/nologin
clamscan:x:982:978:Clamav scanner user:/:/sbin/nologin
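
An added example, not part of the original message: once the per-minute cron job has filled /var/log/clam_perms.log, this shell function reports each snapshot in which an entry's mode, owner or group differs from the previous snapshot, which gives the minute to compare against cron and updater run times. The function names and the sample log (including its file names) are constructed for illustration; both the two-line layout from the quoted crontab and the one-line `echo -n` layout are accepted.

```shell
#!/bin/sh
# Added example: find when mode/owner/group changed between the per-minute
# "ls -l /var/lib/clamav" snapshots logged by the cron job in the thread.
perm_changes() {
    awk '
    # An ls -l entry: field 1 is a mode string such as -rw-r--r-- or drwxr-xr-x.
    $1 ~ /^[-dlcbps][-rwxsStT]+[.+]?$/ && length($1) >= 10 && NF >= 9 {
        now = $1 " " $3 ":" $4            # mode owner:group
        if (($9 in seen) && seen[$9] != now)
            printf "%s | %s | %s -> %s\n", ts, $9, seen[$9], now
        seen[$9] = now
        next
    }
    /^total [0-9]+$/ { next }             # ls summary line on its own
    NF {                                  # anything else is a timestamp line
        ts = $0
        sub(/ +total [0-9]+$/, "", ts)    # one-line layout: date, then total
    }
    ' "$1"
}

# Constructed sample log (not real output from the thread). The first
# snapshot uses the two-line layout, the second the one-line layout.
sample_log() {
    cat <<'EOF'
Mon Jul 12 14:00:01 UTC 2021
total 8
-rw-r--r-- 1 clamupdate clamupdate 1000 Jul 12 13:00 daily.cld
-rw-r--r-- 1 clamupdate clamupdate 2000 Jul 10 09:00 main.cvd
Mon Jul 12 14:01:01 UTC 2021 total 8
-rw-r--r-- 1 clamav clamav 1000 Jul 12 14:00 daily.cld
-rw-r--r-- 1 clamupdate clamupdate 2000 Jul 10 09:00 main.cvd
EOF
}

# Run against a real log when a path is given as the first argument.
if [ -n "${1:-}" ]; then
    perm_changes "$1"
fi
```

File names containing spaces are not handled, since only the ninth field of each listing line is used as the name.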