
[clamav-users] clamd onaccess scanning NFS
Hi all,
    I'm investigating clamav as a solution for a couple hundred linux
boxes. We need onaccess scanning but I'm running into an issue. For
clamd to do onaccess scanning it needs to be run as root to use the
inotify components, but since we export our NFS volumes with
root_squash, it doesn't have permissions to view a user's home directory
contents.
    Am I missing something?

-Mark

--
Mark Parker - SGL Network Administrator
Applied Research Laboratories : The University of Texas at Austin
(512) 835-3768 / mparker@arlut.utexas.edu
Re: [clamav-users] clamd onaccess scanning NFS
Hi there,

On Mon, 11 Nov 2019, Mark Parker via clamav-users wrote:

> ... need onaccess scanning but .. clamd .. doesn't have permissions
> to view a user's home directory contents. Am I missing something?

Group read?

--

73,
Ged.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] clamd onaccess scanning NFS
Well, I don't want to change permissions on 30 million files to make
this work. Seems like the wrong thing to do.

On 11/11/2019 12:05 PM, G.W. Haywood via clamav-users wrote:
> Hi there,
>
> On Mon, 11 Nov 2019, Mark Parker via clamav-users wrote:
>
>> ... need onaccess scanning but .. clamd .. doesn't have permissions
>> to view a user's home directory contents.  Am I missing something?
>
> Group read?
>

--
Mark Parker - SGL Network Administrator
Applied Research Laboratories : The University of Texas at Austin
(512) 835-3768 / mparker@arlut.utexas.edu
Re: [clamav-users] clamd onaccess scanning NFS
Hi there,

On Mon, 11 Nov 2019, Mark Parker via clamav-users wrote:
> On 11/11/2019 12:05 PM, G.W. Haywood via clamav-users wrote:
>> On Mon, 11 Nov 2019, Mark Parker via clamav-users wrote:
>>
>>> ... need onaccess scanning but .. clamd .. doesn't have permissions
>>> to view a user's home directory contents.  Am I missing something?
>>
>> Group read?
>
> Well, I don't want to change permissions on 30 million files to make this
> work. Seems like the wrong thing to do.

It seems like you've made this harder than it needs to be. Normally
I'd expect a private home directory to contain mostly files with 'ugo'
read, and the permissions on the home directory would be what controls
access to them. Each user will be in a group of the same name (that's
usual in a lot of setups anyway) and all you need to do to permit the
clamav user to scan the files would be to put that user in every group.

Everyone here knows I'm not a great fan of using ClamAV in this way,
but of course in the '.edu' TLD you do have different issues from the
rest of us...

--

73,
Ged.

Re: [clamav-users] clamd onaccess scanning NFS
Mark Parker via clamav-users wrote:
> Hi all,
>     I'm investigating clamav as a solution for a couple hundred linux
> boxes. We need onaccess scanning but I'm running into an issue. For
> clamd to do onaccess scanning it needs to be run as root to use the
> inotify components, but since we export our NFS volumes with
> root_squash, it doesn't have permissions to view a user's home directory
> contents.
>     Am I missing something?

clamd needs to run as root to scan arbitrary files on the system. Try
scanning home directories on the NFS host instead, and exclude the home
directory tree from scanning on the clients if you have reason to scan
elsewhere on those systems.

-kgd
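
An added example, not part of any message in this thread: a small model of the POSIX permission check behind the problem discussed above, comparing what a root-squashed client, root on the NFS host, a plain clamav account, and a clamav account added to the user's group can reach. The uids, gids, modes and paths are constructed, the clamav account id is hypothetical, and 65534 as the anonymous id is an assumption.

```python
ANON = 65534  # assumption: the id root_squash maps client root to ("nobody")

def squash(uid, gids, root_squash=True):
    """Identity the NFS server sees for a client process."""
    if uid == 0 and root_squash:
        return ANON, {ANON}
    return uid, set(gids)

def allowed(mode, owner, group, uid, gids, want):
    """POSIX class check: the first matching class (owner, group, other) decides."""
    if uid == 0:
        return True  # unsquashed root bypasses permission bits
    if uid == owner:
        bits = (mode >> 6) & 7
    elif group in gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return bits & want == want

def first_denied(path, uid, gids):
    """path: (name, mode, owner, group) entries from the export root to the file.
    Directories must be listable and searchable (r-x), the file readable (r).
    Returns the name of the first entry that blocks access, or None."""
    for i, (name, mode, owner, group) in enumerate(path):
        want = 4 if i == len(path) - 1 else 5
        if not allowed(mode, owner, group, uid, gids, want):
            return name
    return None

# Constructed layout: user alice (uid/gid 1001), hypothetical clamav account uid/gid 990.
def tree(home_mode):
    return [("/export/home", 0o755, 0, 0),
            ("alice", home_mode, 1001, 1001),
            ("notes.txt", 0o644, 1001, 1001)]

if __name__ == "__main__":
    cases = {"client root, root_squash": squash(0, {0}),
             "root on the NFS host": squash(0, {0}, root_squash=False),
             "clamav": (990, {990}),
             "clamav in alice's group": (990, {990, 1001})}
    for home_mode in (0o750, 0o700):
        for label, (uid, gids) in cases.items():
            print(oct(home_mode), label, "->",
                  first_denied(tree(home_mode), uid, gids) or "readable")
```

With a 0750 home directory the group membership is enough; with 0700 the group bits are empty, so only the owner or unsquashed root on the NFS host gets in.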
