[clamav-users] New installation 103.3; failing freshclam
Mark Fortescue
mark.lists at thurning-instruments.co.uk
Mon Jul 19 20:02:26 UTC 2021
Hi Paul,

Check out what SSL groups are set in /etc/groups.

On my Ubuntu, the SSL directories are (edited out dates/size):

  drwxr-xr-x 3 root root /etc/ssl/certs/
  drwx--x--- 2 root ssl-cert /etc/ssl/private/

SSL/Curl will complain about these if not set correctly so 'private' and
'certs' will need to be set up properly:

  chgrp ssl-cert /etc/ssl/private
  chmod 710 /etc/ssl/private
  chmod 755 /etc/ssl/certs

You should have an ssl-cert or something similar in your /etc/groups file.
The only private key I have is ssl-cert-snakeoil so what freshclam will
need will be something in 'certs'.

Ged/others may know which specific pem/crt files are needed to get
freshclam to play ball. I don't.

I am sorry that I can't help much further as my x86 LFS dist is not
available at the moment so I can't replicate the issues.

I hope this helps a bit.

Regards
Mark.

On 19/07/2021 18:07, Paul Rogers via clamav-users wrote:
>> ClamAV is relying on curl, and if you intend to carry on digging then
>> like Micah I think that's where you need to be looking. So the extra
>> logging that I suggested should be in curl, not in ClamAV. See e.g.
>>
>> https://curl.se/libcurl/c/CURLOPT_VERBOSE.html
>
> I'm afraid this is no help to me. My programming experience long predates C, FORTRAN II was my native tongue. I'm now so old my short-term memory is shot; I CAN'T learn it now. A somewhat competent sysadmin is all I can manage. I did a little grepping, but found no place I was confident to set it. But configure says it was built in (note march=i686!):
>
> configure: Configured to build curl/libcurl:
>
> Host setup: i686-pc-linux-gnu
> Install prefix: /usr/local
> Compiler: gcc
> CFLAGS: -march=i686 -Werror-implicit-function-declaration -O2 -Wno-system-headers -pthreadsystem /usr/local/include
> LDFLAGS: -L/usr/lib -L/usr/local/lib
> LIBS: -lnettle -lgnutls -lssl -lcrypto -lssl -lcrypto -lz
>
> curl version: 7.77.0
> SSL: enabled (OpenSSL, GnuTLS)
> SSH: no (--with-{libssh,libssh2})
> zlib: enabled
> brotli: no (--with-brotli)
> zstd: no (--with-zstd)
> GSS-API: no (--with-gssapi)
> GSASL: no (libgsasl not found)
> TLS-SRP: enabled
> resolver: POSIX threaded
> IPv6: no (--enable-ipv6)
> Unix sockets: enabled
> IDN: no (--with-{libidn2,winidn})
> Build libcurl: Shared=yes, Static=no
> Built-in manual: enabled
> --libcurl option: enabled (--disable-libcurl-option)
> Verbose errors: enabled (--disable-verbose)
> Code coverage: disabled
> SSPI: no (--enable-sspi)
> ca cert bundle: /etc/ssl/ca-bundle.crt
> ca cert path: /etc/ssl/certs
> ca fallback: no
> LDAP: no (--enable-ldap / --with-ldap-lib / --with-lber-lib)
> LDAPS: no (--enable-ldaps)
> RTSP: enabled
> RTMP: no (--with-librtmp)
> Metalink: no (--with-libmetalink)
> PSL: no (libpsl not found)
> Alt-svc: enabled (--disable-alt-svc)
> HSTS: enabled (--disable-hsts)
> HTTP1: enabled (internal)
> HTTP2: no (--with-nghttp2, --with-hyper)
> HTTP3: no (--with-ngtcp2, --with-quiche)
> ECH: no (--enable-ech)
> Protocols: DICT FILE FTP FTPS GOPHER GOPHERS HTTP HTTPS IMAP IMAPS MQTT POP3 POP3S RTSP SMB SMBS SMTP SMTPS TELNET TFTP
> Features: AsynchDNS HSTS HTTPS-proxy Largefile MultiSSL NTLM NTLM_WB SSL TLS-SRP UnixSockets alt-svc libz
>
>> But why didn't you just spin up a VM like I suggested? With a little
>> bit of effort you'd have had it up and running nearly three weeks ago.
>
> Because this old system built to run on legacy 32-bit hardware only has llvm installed and that because it's a Mesa dependency, nothing higher. This is not a kitchen-sink distro.
>
>>> drwxr-xr-x 2 root root 4096 Jul 7 22:42 private
>
>> Those permissions look wrong to me.
>
> It's empty anyhow. What should it be? (I was running freshclam as root.)
>
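
Added example, not part of the original thread: a small audit that compares /etc/ssl/certs and /etc/ssl/private against the modes and group set by the chmod/chgrp commands in the message above. The function names check_dir and audit_ssl_dirs and the script name in the comment are hypothetical, and GNU coreutils stat is assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU coreutils stat (-c, -L).

# check_dir DIR MODE [GROUP]
# Returns 0 if DIR is a directory with octal MODE (and GROUP, if given),
# 1 on a mismatch, 2 if the directory is missing.
check_dir() {
    dir=$1 want_mode=$2 want_group=${3:-}
    if [ ! -d "$dir" ]; then
        echo "MISSING $dir"
        return 2
    fi
    # -L follows a symlinked directory so the target's mode is reported
    have_mode=$(stat -L -c %a "$dir")
    have_group=$(stat -L -c %G "$dir")
    if [ "$have_mode" != "$want_mode" ]; then
        echo "MODE    $dir is $have_mode, expected $want_mode"
        return 1
    fi
    if [ -n "$want_group" ] && [ "$have_group" != "$want_group" ]; then
        echo "GROUP   $dir is $have_group, expected $want_group"
        return 1
    fi
    echo "OK      $dir ($have_mode $have_group)"
}

# audit_ssl_dirs [ROOT] [GROUP]
# Checks ROOT/certs (755) and ROOT/private (710, GROUP), the values the
# chmod/chgrp commands in the post set. Returns the number of findings.
audit_ssl_dirs() {
    root=${1:-/etc/ssl} group=${2:-ssl-cert} bad=0
    check_dir "$root/certs" 755 || bad=$((bad + 1))
    check_dir "$root/private" 710 "$group" || bad=$((bad + 1))
    return "$bad"
}

# Run the audit only when asked to, e.g.: sh audit-ssl.sh --run
# (audit-ssl.sh is a hypothetical file name for this script)
if [ "${1:-}" = "--run" ]; then
    audit_ssl_dirs /etc/ssl ssl-cert
fi
```

A non-zero exit status from audit_ssl_dirs is the count of directories that are missing or differ from the expected mode or group.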