Mailing List Archive

Why does clamonacc says /var/www does not exist (among other things)?
I'm trying to configure (ClamAV 0.103.2/26289 on Ubuntu 18.04) `clamonacc`
using the instructions here[1]. I got through the steps and tried starting
with `User clamav` but got a lot of permission errors in the logs when a
file was chmod'd 0600:

"/home/user/eicar-test.txt: Can't open file or directory ERROR"

Ok, this makes sense because `clamav` is not UID 0. How is clamonacc
supposed to scan files with restricted permissions? Many users can set a
umask in their ~/.bashrc to create files with 0600. In multi-user
environments, it's typical to have /home/$USER set 0700 as well.

I changed to `User root` to see what happened, but then when using #vi on a
file in /tmp/, it would take a good minute to open and I would get errors
like: ERROR: ClamCom: TIMEOUT while waiting on socket (recv). The clamav
docs[2] seem to state running as 'root' is unnecessary:

"a system admin need only ensure clamd has the read and access
permissions necessary to deal with any file descriptors clamonacc may pass
along. "

So, I changed back to `User clamav`.

I'd still like to monitor /tmp as it's a favorite place when any kind of
process needs to write a file so changed `TemporaryDirectory
/var/lib/clamav/` since it's not monitored by clamonacc and maybe won't
create a race condition with its own temp files.

These are the other edits I've made to /etc/clamav/clamd.conf. I'd like to
monitor /var/www since it's a writable place for the apache server (yeah, I
know, but web apps and webmasters write files and use plugins and this is
where they manage them, usually from a web console).

ExcludePath ^/proc
ExcludePath ^/sys
ExcludePath ^/run
ExcludePath ^/dev
ExcludePath ^/var/lib/lxcfs/cgroup
OnAccessPrevention yes
OnAccessExcludeUname clamav
OnAccessIncludePath /var/www
OnAccessIncludePath /home
OnAccessIncludePath /tmp

When I reboot however and clamd/clamonacc/freshclam come up, they can't
seem to find "/var/www" (permissions 0755). Why is this?

133857 ClamScanQueue: waiting to consume events ...
133858 ClamInotif: watching '/var/www' (and all sub-directories)
133859 ClamInotif: watching '/home' (and all sub-directories)
133860 ClamInotif: watching '/tmp' (and all sub-directories)
133861 Excluding temp directory: /var/lib/clamav/
133862 ClamInotif: NVM, didn't actually need to exclude '/var/lib/clamav/'
133863 ERROR: ClamInotif: could not watch path '/var/www', No such file or
directory
133864 ClamFanotif: attempting to feed consumer queue

Thanks for all your work on clamav! I'm trying not to sound complainy.

[1] https://docs.clamav.net/manual/OnAccess.html
[2] https://blog.clamav.net/2019/09/understanding-and-transitioning-to.html
Re: Why does clamonacc says /var/www does not exist (among other things)?
Hi!

No worries about sounding complainy. I'm glad you're reaching out for help.

I recommend always running clamonacc using the --fdpass command line argument, provided it is available on your system. Some older systems (RHEL 7, etc) may not be able to use it. With fd-passing enabled, ClamOnAcc will pass its open file descriptor to ClamD so it can scan files that it wouldn't otherwise have read access to. I think this should resolve the concern about scanning files like /home/user/eicar-test.txt.

I'm unsure why you're getting:
133863 ERROR: ClamInotif: could not watch path '/var/www', No such file or directory

Perhaps it is a mount point or something? Anyone else have any insights?


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.
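
The descriptor passing that --fdpass relies on (an open file descriptor sent over a Unix socket as SCM_RIGHTS ancillary data) can be seen in isolation in this added example, which is not ClamAV code and not part of the message above. The two socket ends stand in for the watcher and the scanner, the marker bytes and the temporary file are constructed, and the path is removed before the scanner side reads so that its only access is the received descriptor.

```python
import array
import os
import socket
import tempfile

MARKER = b"CONSTRUCTED-TEST-MARKER"  # constructed stand-in for a signature


def send_fd(sock, fd):
    # The descriptor travels as SCM_RIGHTS ancillary data next to one dummy byte.
    rights = array.array("i", [fd])
    sock.sendmsg([b"F"], [(socket.SOL_SOCKET, socket.SCM_RIGHTS, rights)])


def recv_fd(sock):
    fds = array.array("i")
    _, ancdata, _, _ = sock.recvmsg(1, socket.CMSG_LEN(fds.itemsize))
    for level, ctype, cdata in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_RIGHTS:
            fds.frombytes(cdata[:fds.itemsize])
    if not fds:
        raise RuntimeError("no descriptor in ancillary data")
    return fds[0]


def demo():
    watcher, scanner = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    # Watcher side: it already holds an open descriptor for a 0600 file.
    fd, path = tempfile.mkstemp()
    os.write(fd, b"header " + MARKER + b" trailer")
    os.lseek(fd, 0, os.SEEK_SET)  # the receiver shares this file offset
    mode = oct(os.fstat(fd).st_mode & 0o777)
    send_fd(watcher, fd)
    os.close(fd)
    os.unlink(path)  # from here on the path is useless to everyone
    # Scanner side: opening by path fails, reading the received fd works.
    try:
        open(path, "rb").close()
        path_error = None
    except OSError as exc:
        path_error = type(exc).__name__
    with os.fdopen(recv_fd(scanner), "rb") as fh:
        found = MARKER in fh.read()
    watcher.close()
    scanner.close()
    return {"mode": mode, "path_error": path_error, "found": found}


if __name__ == "__main__":
    print(demo())
```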
________________________________
From: clamav-users <clamav-users-bounces@lists.clamav.net> on behalf of dee heffemm via clamav-users <clamav-users@lists.clamav.net>
Sent: Thursday, September 9, 2021 7:53 AM
To: clamav-users@lists.clamav.net <clamav-users@lists.clamav.net>
Cc: dee heffemm <dheffem@gmail.com>
Subject: [clamav-users] Why does clamonacc says /var/www does not exist (among other things)?

Re: Why does clamonacc says /var/www does not exist (among other things)?
It depends on the OS, but if you have something like AppArmor or
GrSecurity, you may need to grant the appropriate permissions there to
allow access even for root.

--Maarten

Re: Why does clamonacc says /var/www does not exist (among other things)?
On Thu, Sep 9, 2021 at 1:45 PM Maarten Broekman <maarten.broekman@gmail.com>
wrote:

> It depends on the OS, but if you have something like AppArmor or
> GrSecurity, you may need to grant the appropriate permissions there to
> allow access even for root.
>


Thanks for the info.

I disabled apparmor (systemctl disable apparmor) and rebooted but still got
the 'could not watch /var/www' error, so re-enabled it again.

/var is a separate partition with www being a "regular" subdir under that.
We use autofs to mount some shared directories under www for the webserver
and after disabling autofs, the error has gone away. So, I don't know if
autofs itself is the issue, or maybe something could be altered with the
autofs mount options to get this working with the network mounts. It
probably makes more sense to have those files scanned on the NAS rather
than over a network link so maybe the point is moot. If excluding them
works on the web server, then that's probably fine.

This is /etc/auto.master:
/- /etc/auto.sshfs --timeout=30,--ghost

This is a reduced /etc/auto.sshfs. All four entries are basically the same
just different mounts/locations on the NAS:

/var/www/wordpress/incoming -fstype=fuse,user,idmap=user,transform_symlinks,allow_other,uid=www-data,gid=www-data,ro,nodev,nonempty,noatime,allow_other,max_read=65536,port=61122,identityfile=/root/.ssh/nas_sshfs :sshfs\#user_sftp@nas.mycorp.com\:/incoming/

I added OnAccessExcludePath for the autofs mounts in clamd.config which
seems to be working but still get some errors for files under that mount
(scan failed with error code 34) which I still need to research.


On Thu, Sep 9, 2021 at 2:34 PM Micah Snyder (micasnyd) via clamav-users <
clamav-users@lists.clamav.net> wrote:

> Hi!
>
> No worries about sounding complainy. I'm glad you're reaching out for
> help.
>
> I recommend always running clamonacc using the --fdpass command line
> argument, provided it is available on your system Some
>

Thanks! I've adjusted the unit file to use --fdpass
Re: Why does clamonacc says /var/www does not exist (among other things)?
On 09.09.21 16:53, dee heffemm via clamav-users wrote:
>We use autofs to mount some shared directories under www for the webserver
>and after disabling autofs, the error has gone away.

due to how clamonaccess works, it is not compatible with autofs.

you'll have to use static mounts, or different way of using clamav, e.g.
clamav module for file uploads/downloads, or simply mount a directory and
run clam(d)scan over it.


--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Your mouse has moved. Windows NT will now restart for changes to take
to take effect. [OK]

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
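
A pre-flight check for the situation this thread ends on, as an added example that is not ClamAV code and not part of any message above: it reads the OnAccessIncludePath and OnAccessExcludePath directives and a mount table in /proc/mounts format, and reports autofs mounts that sit under a watched path without being excluded. The sample configuration and mount table are constructed (the `outgoing` and `shared docs` mounts and the `nas.example` host are invented), treating OnAccessExcludePath as a plain path prefix is an assumption, and flagging FUSE mounts as well is a choice of this example.

```python
import re

# Constructed sample, modelled on the directives quoted in the thread.
CLAMD_CONF = """\
OnAccessIncludePath /var/www
OnAccessIncludePath /home
OnAccessIncludePath /tmp
OnAccessExcludePath /var/www/wordpress/incoming
"""

# Constructed sample in /proc/mounts format (device, mount point, fstype, ...).
MOUNTS = """\
/dev/sda3 /var ext4 rw,relatime 0 0
/etc/auto.sshfs /var/www/wordpress/incoming autofs rw,relatime,direct 0 0
/etc/auto.sshfs /var/www/wordpress/outgoing autofs rw,relatime,direct 0 0
user_sftp@nas.example:/pub /home/shared\\040docs fuse.sshfs ro,nodev 0 0
tmpfs /run tmpfs rw,nosuid 0 0
"""

RISKY_FSTYPES = ("autofs", "fuse")  # matched as fstype prefixes


def directive_values(conf, name):
    """Return every value given for a repeatable clamd.conf directive."""
    values = []
    for line in conf.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] == name:
            values.append(parts[1].strip().rstrip("/") or "/")
    return values


def is_under(path, parent):
    return path == parent or path.startswith(parent.rstrip("/") + "/")


def unescape(field):
    # The kernel writes spaces and similar bytes as octal escapes (\040).
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def find_conflicts(conf, mounts):
    """List (include path, mount point, fstype) for unexcluded risky mounts."""
    includes = directive_values(conf, "OnAccessIncludePath")
    excludes = directive_values(conf, "OnAccessExcludePath")
    hits = []
    for fields in (line.split() for line in mounts.splitlines()):
        if len(fields) < 3 or not fields[2].startswith(RISKY_FSTYPES):
            continue
        mnt = unescape(fields[1])
        if any(is_under(mnt, exc) for exc in excludes):
            continue
        hits += [(inc, mnt, fields[2]) for inc in includes if is_under(mnt, inc)]
    return hits
```

On a live host the two inputs would be the contents of /etc/clamav/clamd.conf and /proc/self/mounts.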