Hello again!
TL;DR for this: I came to the conclusion just now that the clamav package's apparmor profile is preventing freshclam from following symlinks to other locations. My initial testing on docker worked fine because there was no apparmor to block it.
I did my initial testing with an `ubuntu:latest` docker container and did the same basic steps you did, but without using systemctl:
root@73282cc0fdd0:/# mv /etc/clamav/ /etc/clamav-sav/
root@73282cc0fdd0:/# ln -s /etc/clamav-sav/ /etc/clamav
root@73282cc0fdd0:/# ls -la /etc/clamav
lrwxrwxrwx 1 root root 16 Mar 28 16:56 /etc/clamav -> /etc/clamav-sav/
root@73282cc0fdd0:/# freshclam
Sun Mar 28 16:56:30 2021 -> ClamAV update process started at Sun Mar 28 16:56:30 2021
Sun Mar 28 16:56:30 2021 -> daily database available for download (remote version: 26123)
Time: 5.2s, ETA: 0.0s [=============================>] 100.63MiB/100.63MiB
Sun Mar 28 16:56:37 2021 -> Testing database: '/var/lib/clamav/tmp.0300c/clamav-a52b68eeaedacca470206a9e64d75b61.tmp-daily.cvd' ...
Sun Mar 28 16:56:44 2021 -> Database test passed.
Sun Mar 28 16:56:44 2021 -> daily.cvd updated (version: 26123, sigs: 3966434, f-level: 63, builder: raynman)
Sun Mar 28 16:56:44 2021 -> main database available for download (remote version: 59)
Time: 6.5s, ETA: 0.0s [=============================>] 112.40MiB/112.40MiB
Sun Mar 28 16:56:53 2021 -> Testing database: '/var/lib/clamav/tmp.0300c/clamav-9650f62b7145d02d11deba097e796ab7.tmp-main.cvd' ...
Sun Mar 28 16:56:56 2021 -> Database test passed.
Sun Mar 28 16:56:56 2021 -> main.cvd updated (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)
Sun Mar 28 16:56:56 2021 -> bytecode database available for download (remote version: 333)
Time: 0.3s, ETA: 0.0s [=============================>] 286.79KiB/286.79KiB
Sun Mar 28 16:56:57 2021 -> Testing database: '/var/lib/clamav/tmp.0300c/clamav-f01c8381097dc0fec61ba95a42a3cf49.tmp-bytecode.cvd' ...
Sun Mar 28 16:56:57 2021 -> Database test passed.
Sun Mar 28 16:56:57 2021 -> bytecode.cvd updated (version: 333, sigs: 92, f-level: 63, builder: awillia2)
Sun Mar 28 16:56:57 2021 -> !NotifyClamd: Can't find or parse configuration file /etc/clamav/clamd.conf
As you can see, this worked fine which is why I sent my previous email. But after speaking with Utkarsh Gupta, I decided to re-read your instructions and follow them more closely. I set up an ubuntu 20.04 VM and ran the following:
micah@ubuntu20:~$ sudo mv -f /etc/clamav/ /etc/clamav.sav
micah@ubuntu20:~$ sudo ln -fsv /etc/clamav.sav /etc/clamav
'/etc/clamav' -> '/etc/clamav.sav'
micah@ubuntu20:~$ sudo systemctl restart clamav-freshclam
micah@ubuntu20:~$ sudo systemctl status clamav-freshclam
● clamav-freshclam.service - ClamAV virus database updater
Loaded: loaded (/lib/systemd/system/clamav-freshclam.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Mon 2021-03-29 01:33:29 UTC; 9s ago
Docs: man:freshclam(1)
man:freshclam.conf(5)
https://www.clamav.net/documents Process: 3593 ExecStart=/usr/bin/freshclam -d --foreground=true (code=exited, status=2)
Main PID: 3593 (code=exited, status=2)
Mar 29 01:33:29 ubuntu20 systemd[1]: Started ClamAV virus database updater.
Mar 29 01:33:29 ubuntu20 freshclam[3593]: ERROR: Can't open/parse the config file /etc/clamav/freshclam.conf
Mar 29 01:33:29 ubuntu20 systemd[1]: clamav-freshclam.service: Main process exited, code=exited, status=2/IN>
Mar 29 01:33:29 ubuntu20 systemd[1]: clamav-freshclam.service: Failed with result 'exit-code'.
This resulted in the same issue you reported. I also tried just running it without systemctl:
micah@ubuntu20:~$ sudo freshclam
ERROR: Can't open/parse the config file /etc/clamav/freshclam.conf
So, same problem you described. It seems strange to me that it followed the symlink okay in the docker container but not on the VM.
Still on the VM, I tried uninstalling clamav (sudo apt uninstall clamav) and then installing with cmake from source:
git clone
https://github.com/Cisco-Talos/clamav-devel.git cd clamav-devel/
mkdir build && cd build
sudo apt install -y ninja-build gcc python3 python3-pip check libbz2-dev libcurl4-openssl-dev libjson-c-dev libmilter-dev libncurses5-dev libpcre2-dev libssl-dev libxml2-dev zlib1g-dev
python3 -m pip install --user cmake
echo "export PATH=/home/micah/.local/bin:$PATH" > ~/.bashrc
source ~/.bashrc
cmake .. -G Ninja && ninja && sudo ninja install
sudo cp /usr/local/etc/freshclam.conf.sample /usr/local/etc/freshclam.conf
sudo vim /usr/local/etc/freshclam.conf # <-- removed the "Example" line
sudo freshclam # worked
sudo mv /usr/local/etc/ /usr/local/etc.sav
sudo ln -s /usr/local/etc.sav/ /usr/local/etc
sudo freshclam # also worked
Here's a copy-paste from those last few commands:
micah@ubuntu20:~/clamav-devel/build$ ls /usr/local/etc/
clamav-milter.conf.sample clamd.conf.sample freshclam.conf freshclam.conf.sample
micah@ubuntu20:~/clamav-devel/build$ sudo mv /usr/local/etc/ /usr/local/etc.sav
micah@ubuntu20:~/clamav-devel/build$ sudo ln -s /usr/local/etc.sav/ /usr/local/etc
micah@ubuntu20:~/clamav-devel/build$ sudo freshclam
ClamAV update process started at Mon Mar 29 01:56:19 2021
daily database available for download (remote version: 26123)
Time: 3.6s, ETA: 0.0s [========================>] 100.63MiB/100.63MiB
Testing database: '/usr/local/share/clamav/tmp.dc65adbc0c/clamav-6f3994d5fd9cd918e7c07311c03f4da7.tmp-daily.cvd' ...
^CUpdate process terminated
So I'm not sure what's going on here. It did seem to follow the symlink for the freshclam.conf file when installed from source on the Ubuntu VM.
I imagine we could get around the problem by using this "cli_realpath()" function before trying to access these files:
https://github.com/Cisco-Talos/clamav-devel/blob/dev/0.104/libclamav/others.h#L982 You said you also saw the issue with:
- /etc/ssl
- /etc/ssl/certs
I was also able to reproduce this issue when using the clamav package on the ubuntu VM:
micah@ubuntu20:~$ sudo mv /etc/ssl /etc/ssl.sav
micah@ubuntu20:~$ sudo ln -s /etc/ssl.sav /etc/ssl
micah@ubuntu20:~$ sudo freshclam
Mon Mar 29 02:21:07 2021 -> ClamAV update process started at Mon Mar 29 02:21:07 2021
Mon Mar 29 02:21:07 2021 -> daily database available for download (remote version: 26123)
Mon Mar 29 02:21:07 2021 -> ^Download failed (77) Mon Mar 29 02:21:07 2021 -> ^ Message: Problem with the SSL CA cert (path? access rights?)
Mon Mar 29 02:21:07 2021 -> ^getcvd: Can't download daily.cvd from
https://database.clamav.net/daily.cvd Mon Mar 29 02:21:07 2021 -> Trying again in 5 secs...
Without removing the ssl -> /etc/ssl.sav Symlink, I removed the "clamav" package again and reinstalled clamav from source and configured freshclam.conf again. I ran freshclam again and it worked okay:
micah@ubuntu20:~/clamav-devel/build$ sudo freshclam
ClamAV update process started at Mon Mar 29 02:24:51 2021
daily.cvd database is up to date (version: 26123, sigs: 3966434, f-level: 63, builder: raynman)
main database available for download (remote version: 59)
Time: 4.0s, ETA: 0.0s [========================>] 112.40MiB/112.40MiB
Testing database: '/usr/local/share/clamav/tmp.6595bb7d72/clamav-d96b8da019a765975d9b6d25cdba11a7.tmp-main.cvd' ...
So in the end, I was only able to reproduce the issue with the Ubuntu clamav package on the VM (vs docker).
This got me to thinking that it's probably the apparmor profile preventing freshclam from opening these files: /etc/apparmor.d/usr.bin.freshclam
The apparmor profile lists which directories freshclam is allowed to access and with what permissions. I'm not skilled with apparmor and wouldn't know how to change it to be more permissive with symlinks to other locations.
I'll pass my findings on to Utkarsh Gupta as well.
Regards,
Micah
> -----Original Message-----
> From: clamav-devel <clamav-devel-bounces@lists.clamav.net> On Behalf Of
> Micah Snyder (micasnyd)
> Sent: Saturday, March 27, 2021 4:54 PM
> To: ClamAV Development <clamav-devel@lists.clamav.net>
> Subject: Re: [Clamav-devel] [SUSPECTED SPAM] [Feature request] Support
> Linux symlinks for all configuration and database folders
>
> Hello!
>
> Apologies for the delay getting back to you. I also saw this report:
> https://bugs.launchpad.net/ubuntu/+source/clamav/+bug/1920615/
>
> I tried to reproduce the issue you described but was unable. I tried moving the
> ssl directory and moving the clamav directory and then created symlinks to
> each. Eg:
>
> root@117df8bca60f:/# ls -la /var/lib/
> total 64
> ...
> lrwxrwxrwx 1 root root 22 Mar 27 23:38 clamav -> /var/lib/clamav_moved/
>
> and
>
> root@117df8bca60f:/# ls -la /etc/
> ...
> lrwxrwxrwx 1 root root 15 Mar 27 23:37 ssl -> /etc/ssl_moved/
>
> I had no problems running freshclam with these symlinks set up. I don't think
> there is a bug here. I suspect that perhaps the permissions or ownership of your
> replacement directories or symlinks are causing the issue. When freshclam is
> run by sudo, it switches users to run as the "clamav" user. The database
> directory must be owned by the "clamav" user. The config files, ssl files must
> be accessible to the clamav user.
>
> If you want to share your exact layout, ownership and permissions of these files
> and directories I can try to help more.
>
> -Micah
>
>
> > -----Original Message-----
> > From: clamav-devel <clamav-devel-bounces@lists.clamav.net> On Behalf
> > Of jean-christophe manciot
> > Sent: Monday, March 22, 2021 6:30 AM
> > To: clamav-devel@lists.clamav.net
> > Subject: [SUSPECTED SPAM] [Clamav-devel] [Feature request] Support
> > Linux symlinks for all configuration and database folders
> >
> > On Ubuntu, freshclam 0.103.0+dfsg-3.1 does not support symlinks for
> > any of the following:
> > - /etc/clamav
> > - /etc/ssl
> > - /etc/ssl/certs
> > - /var/lib/clamav
> >
> > If any of the aforementioned folders is a symlink, no database update
> > by freshclam is possible.
> > Cf. bug report
> > https://bugs.launchpad.net/ubuntu/+source/clamav/+bug/1920615.
> > _______________________________________________
> >
> > clamav-devel mailing list
> > clamav-devel@lists.clamav.net
> > https://lists.clamav.net/mailman/listinfo/clamav-devel
> >
> > Please submit your patches to our Github: https://github.com/Cisco-
> > Talos/clamav-devel/pulls
> >
> > Help us build a comprehensive ClamAV guide:
> > https://github.com/vrtadmin/clamav-faq
> >
> > http://www.clamav.net/contact.html#ml
> _______________________________________________
>
> clamav-devel mailing list
> clamav-devel@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-devel
>
> Please submit your patches to our Github: https://github.com/Cisco-
> Talos/clamav-devel/pulls
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
_______________________________________________
clamav-devel mailing list
clamav-devel@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-devel Please submit your patches to our Github:
https://github.com/Cisco-Talos/clamav-devel/pulls Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml