[clamav-users] Why does clamonacc says /var/www does not exist (among other things)?
Maarten Broekman
maarten.broekman at gmail.com
Thu Sep 9 18:45:05 UTC 2021
It depends on the OS, but if you have something like AppArmor or
GrSecurity, you may need to grant the appropriate permissions there to
allow access even for root.
--Maarten
On Thu, Sep 9, 2021 at 2:34 PM Micah Snyder (micasnyd) via clamav-users <
clamav-users at lists.clamav.net> wrote:
> Hi!
>
> No worries about sounding complainy. I'm glad you're reaching out for
> help.
>
> I recommend always running clamonacc using the --fdpass command line
> argument, provided it is available on your system. Some older systems (RHEL
> 7, etc) may not be able to use it. With fd-passing enabled, ClamOnAcc will
> pass its open file descriptor to ClamD so it can scan files that it
> wouldn't otherwise have read access to. I think this should resolve the
> concern about scanning files like /home/user/eicar-test.txt.
>
> I'm unsure why you're getting:
> 133863 ERROR: ClamInotif: could not watch path '/var/www', No such
> file or directory
>
> Perhaps it is a mount point or something? Anyone else have any insights?
>
>
> Micah Snyder
> ClamAV Development
> Talos
> Cisco Systems, Inc.
> ------------------------------
> *From:* clamav-users <clamav-users-bounces at lists.clamav.net> on behalf of
> dee heffemm via clamav-users <clamav-users at lists.clamav.net>
> *Sent:* Thursday, September 9, 2021 7:53 AM
> *To:* clamav-users at lists.clamav.net <clamav-users at lists.clamav.net>
> *Cc:* dee heffemm <dheffem at gmail.com>
> *Subject:* [clamav-users] Why does clamonacc says /var/www does not exist
> (among other things)?
>
> I'm trying to configure (ClamAV 0.103.2/26289 on Ubuntu 18.04)
> `clamonacc` using the instructions here[1]. I got through the steps and
> tried starting with `User clamav` but got a lot of permission errors in the
> logs when a file was chmod'd 0600:
>
> "/home/user/eicar-test.txt: Can't open file or directory ERROR"
>
> Ok, this makes sense because `clamav` is not UID 0. How is clamonacc
> supposed to scan files with restricted permissions? Many users can set a
> umask in their ~/.bashrc to create files with 0600. In multi-user
> environments, it's typical to have /home/$USER set 0700 as well.
>
> I changed to `User root` to see what happened, but then when using #vi on
> a file in /tmp/, it would take a good minute to open and I would get errors
> like: ERROR: ClamCom: TIMEOUT while waiting on socket (recv). The clamav
> docs[2] seem to state running as 'root' is unnecessary:
>
> "a system admin need only ensure clamd has the read and access
> permissions necessary to deal with any file descriptors clamonacc may pass
> along. "
>
> So, I changed back to `User clamav`.
>
> I'd still like to monitor /tmp as it's a favorite place when any kind of
> process needs to write a file so changed `TemporaryDirectory
> /var/lib/clamav/` since it's not monitored by clamonacc and maybe won't
> create a race condition with its own temp files.
>
> These are the other edits I've made to /etc/clamav/clamd.conf. I'd like to
> monitor /var/www since it's a writable place for the apache server (yeah, I
> know, but web apps and webmasters write files and use plugins and this is
> where they manage them, usually from a web console).
>
> ExcludePath ^/proc
> ExcludePath ^/sys
> ExcludePath ^/run
> ExcludePath ^/dev
> ExcludePath ^/var/lib/lxcfs/cgroup
> OnAccessPrevention yes
> OnAccessExcludeUname clamav
> OnAccessIncludePath /var/www
> OnAccessIncludePath /home
> OnAccessIncludePath /tmp
>
> When I reboot however and clamd/clamonacc/freshclam come up, they can't
> seem to find "/var/www" (permissions 0755). Why is this?
>
> 133857 ClamScanQueue: waiting to consume events ...
> 133858 ClamInotif: watching '/var/www' (and all sub-directories)
> 133859 ClamInotif: watching '/home' (and all sub-directories)
> 133860 ClamInotif: watching '/tmp' (and all sub-directories)
> 133861 Excluding temp directory: /var/lib/clamav/
> 133862 ClamInotif: NVM, didn't actually need to exclude '/var/lib/clamav/'
> 133863 ERROR: ClamInotif: could not watch path '/var/www', No such file
> or directory
> 133864 ClamFanotif: attempting to feed consumer queue
>
> Thanks for all your work on clamav! I'm trying not to sound complainy.
>
> [1] https://docs.clamav.net/manual/OnAccess.html
> [2]
> https://blog.clamav.net/2019/09/understanding-and-transitioning-to.html
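The descriptor passing that --fdpass relies on, shown as an added example that is not part of this thread and is not ClamAV code: one process opens a file and sends the open descriptor over a Unix socket (SCM_RIGHTS), and the receiver reads the content without ever opening the path. The function names, the `SCAN` message and the sample content are constructed for illustration; the `chmod 000` is an assumed stand-in for the scanner's account lacking read permission, so a root receiver will still report the by-path open as `ok`.

```python
import os
import socket
import tempfile

def scanner(sock, path):
    """clamd role: try the path, then read through the descriptor it was sent."""
    try:
        open(path, "rb").close()
        by_path = b"ok"
    except PermissionError:
        by_path = b"denied"
    _msg, fds, _flags, _addr = socket.recv_fds(sock, 16, 1)  # SCM_RIGHTS
    with os.fdopen(fds[0], "rb") as f:
        data = f.read()
    sock.sendall(by_path + b"|" + data)

def pass_fd_demo(content=b"constructed sample file\n"):
    """clamonacc role: open a file, revoke path access, pass the open fd."""
    tmp = tempfile.NamedTemporaryFile(delete=False)
    tmp.write(content)
    tmp.close()
    fd = os.open(tmp.name, os.O_RDONLY)
    os.chmod(tmp.name, 0o000)  # stand-in: scanner's user cannot read this path
    ours, theirs = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    pid = os.fork()
    if pid == 0:  # child plays the scanner
        ours.close()
        try:
            scanner(theirs, tmp.name)
        finally:
            os._exit(0)
    theirs.close()
    socket.send_fds(ours, [b"SCAN"], [fd])  # the kernel duplicates fd for the peer
    os.close(fd)
    reply = b""
    while chunk := ours.recv(4096):  # read until the scanner exits (EOF)
        reply += chunk
    os.waitpid(pid, 0)
    ours.close()
    os.unlink(tmp.name)
    by_path, _, data = reply.partition(b"|")
    return by_path.decode(), data

if __name__ == "__main__":
    print(pass_fd_demo())
```

Access is checked when the file is opened, not on each read, which is why the receiver can read through the passed descriptor even though its own open of the path is refused.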