Mailing List Archive

[clamav-users] Fedora - clamscan/clamdscan - permissions
Good afternoon,

I have installed the current version of ClamAV from the repos on Fedora 32. I have
a permissions problem while using clamdscan/clamscan. For example, in
Documents I have an EICAR test file.
If I run clamscan, it has a problem opening the file.

WARNING: Can't open file /home/asus/Documents/eicar3.txt: Operation not
permitted

I think it is because I also use on-access scanning. In the config file I have
this line:

OnAccessExcludeUname clamscan

However, it doesn't work. But if I replace clamscan with root, clamscan works,
but I can also open malicious files as root, which I would like to have
blocked.
If I run clamdscan, I get this error:

/home/asus/Documents: lstat() failed: Permission denied. ERROR

I have found several articles or topics in forums, but all of these are very
old, and they mention settings which don't exist in the current version.
I have also tried these commands, without any results:

setsebool -P antivirus_can_scan_system 1

setsebool -P clamd_use_jit 1
I don't know why it doesn't work. I have the same settings on Ubuntu, and there
everything works without problems.

Is there any way to fix this problem?

Re: [clamav-users] Fedora - clamscan/clamdscan - permissions
Hi there,

On Wed, 12 Aug 2020, Silver Surfer via clamav-users wrote:

> I have installed current version of ClamAV from repos to Fedora 32.

Please always specify the exact version, because "current" might mean
the current version in the repo, or it might mean a different version
currently released by ClamAV upstream, and this thread might be being
read by somebody two years from now trying to solve a similar problem.

For anything like ClamAV, my preference would usually be to install
from upstream rather than use a version which has been packaged and
quite likely patched for religious reasons by some distribution's
maintainer. It's usually easier to know what's going on, for example,
if you know where everything is located in the filesystem, the names
of the configuration files, and exactly which libraries are in use.

> I have a problem with permission while using clamdscan/clamscan.
> For example, in Documents I have eicar test file. ...
> If I run clamscan, it has a problem with open file.
>
> WARNING: Can't open file /home/asus/Documents/eicar3.txt: Operation not
> permitted
>
> I think it is because I also use on acess scanning.

If you have on-access scanning enabled this would appear to me to be
the expected behaviour, but you did not give us enough information to
know exactly what to expect. Please post the relevant configuration,
and tell us which user ran the clamscan process in your example. If
you think on-access scanning is causing a problem, why not just try
disabling it? Does scanning other files behave as you expect?

> In config file I have this line:
>
> OnAccessExcludeUname clamscan

Is 'clamscan' a user name on your system? You are making us guess.

> However it doesn't work.

Please explain exactly what "doesn't work" means. We don't know what
it is you did that you think didn't work, and we don't know why, when
you did it, you think it didn't behave as you expected it to behave.

> But if I replace clamscan by root, clamscan works

Please read the clamd.conf man page, particularly the sections about
the 'OnAccessExcludeRootUID' and 'OnAccessExcludeUID' directives.

Please also describe what you mean by "clamscan works". That's a bit
like saying "it does what I expect" without saying what you expect.
What you expect might be not what someone else would expect. It's
usually best to copy and paste commands and output directly from the
screen to your mail, then we can see what's going on too, instead of
having to guess.

> but I can also open malicious files as root, which I would like to
> have blocked.

You are getting into deep water here. Unless you are very careful
with the configuration, if you block root access to files which ClamAV
flags as suspicious then a false positive on a perfectly innocuous
system file may cause problems which are difficult for you to fix.
False positives are an unfortunate fact of life (and, as a consequence
of Murphy's Law, they appear at the most inconvenient times).

> If I run clamdscan I get this error
>
> /home/asus/Documents: lstat() failed: Permission denied. ERROR

You aren't giving enough information. We need to know the UIDs and
permissions of the relevant users, files and directories.

Do you understand the differences between clamscan and clamdscan?

> I have found several articles or topics in forums, but all of this are very
> old, and there are settings, which doesn't exist in current version.

There is some rubbish in articles and forums. You are right that a
lot of it is ridiculously out of date and unmaintained. I have seen
articles which claim to explain how ClamAV works which were written by
people who evidently don't know the first thing about it. Always look
to the upstream documentation at http://www.clamav.net first. It may
not be the easiest read, but at least it's (usually) correct. There's
a lot to get under your belt. We can't do it for you, and you need a
fairly good understanding of both clamav and your system to get the
best out of them and to avoid some potentially challenging pitfalls.

> I have also tried this commands, without any results L
>
> setsebool -P antivirus_can_scan_system 1
>
> setsebool -P clamd_use_jit 1

I can't help you with SELinux other than to suggest that you disable
it globally to see if it removes some of the issues which confuse you.
But before doing anything like that please give us more information.

> I don't know why it doesn't work. I have same settings in Ubuntu,
> and there is everything works without problem.
>
> Is there any way how to fix this problem?

We need more information. For any access we need to know the UID of
the process which is attempting the access and the permissions of the
entire path to the files and/or directories being accessed. We need
to know the UID which is running clamd. Things like SELinux can get
in the way of fault-finding so you need to be clear on how you can
tell if that's causing problems e.g. by looking at the logs and/or be
clear on how to prevent it from causing the problems without causing
other (and possibly more serious) problems.

What are the threats to which you think your system may be exposed?
Please take a step back and tell us in general terms what you are
trying to achieve and why you think it's necessary. I suspect that as
things stand you might pose a greater danger to your system than the
threats from which you think you are trying to protect it.

What will you do if ClamAV finds something? It's usually much easier
to avoid the exposure in the first place than it is to find all the
problems after a compromise. You don't just need to think about the
system itself, you also need to consider what problems it might cause
both for yourself and for everyone else on the Internet.

--

73,
Ged.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
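The fault-finding Ged asks for, as an added worked example that is neither from the thread nor ClamAV's own code: for "lstat() failed: Permission denied" the question is whether the UID running clamd holds search (x) permission on every directory from "/" down to the target, and whether clamd.conf actually names the exclusions you think it does. The script answers both from the owner/group/mode of each path component and from a grep of the OnAccessExclude* directives the reply points to. The user names (clamscan, asus), the constructed directory tree and the clamd.conf fragment are assumptions made for the demonstration, and GNU coreutils stat is assumed.

```shell
#!/bin/sh
# Added example, not ClamAV's own code. Answers, from the mode bits alone,
# "can user U traverse every directory on the way to P?", which is the
# question the kernel answers when clamd calls lstat() on that path.
# User names, paths and the config fragment below are assumptions.

# Print every prefix of an absolute path, from "/" down to the path itself.
path_components() {
    p=${1%/}
    printf '/\n'
    acc=''
    old_ifs=$IFS; IFS=/
    set -- $p
    IFS=$old_ifs
    for part in "$@"; do
        [ -n "$part" ] || continue
        acc="$acc/$part"
        printf '%s\n' "$acc"
    done
}

# Permission class (owner/group/other) that applies to USER for a file owned
# by OWNER:GROUP, given USER's group list as a whitespace-separated string.
perm_class() {
    owner=$1; group=$2; user=$3; user_groups=$4
    [ "$user" = "$owner" ] && { echo owner; return 0; }
    for g in $user_groups; do
        [ "$g" = "$group" ] && { echo group; return 0; }
    done
    echo other
}

# Does octal MODE grant BIT (4=r, 2=w, 1=x) to CLASS? Only the last three
# digits matter here; setuid/setgid/sticky bits are dropped.
mode_allows() {
    mode=$1; class=$2; bit=$3
    while [ ${#mode} -lt 3 ]; do mode=0$mode; done
    mode=${mode#"${mode%???}"}
    case $class in
        owner) d=${mode%??} ;;
        group) d=${mode#?}; d=${d%?} ;;
        other) d=${mode#??} ;;
        *) return 2 ;;
    esac
    [ $(( d & bit )) -ne 0 ]
}

# Walk TARGET as USER and report the first directory that denies search
# permission; that is where lstat() fails. Returns 0 if the whole chain is
# traversable. (Reading the final file itself additionally needs 'r'.)
check_traversal() {
    user=$1; user_groups=$2; target=$3
    for dir in $(path_components "$target"); do
        [ -d "$dir" ] || break
        set -- $(stat -c '%U %G %a' "$dir")
        cls=$(perm_class "$1" "$2" "$user" "$user_groups")
        if ! mode_allows "$3" "$cls" 1; then
            echo "DENIED: $user ($cls class) cannot search $dir ($1:$2 mode $3)"
            return 1
        fi
    done
    echo "OK: $user can reach $target"
}

# Show which on-access exclusion directives a clamd.conf really contains.
onaccess_excludes() {
    grep -E '^[[:space:]]*OnAccessExclude(Uname|UID|RootUID)[[:space:]]' "$1"
}

# Demonstration on a constructed tree mirroring the thread: a 0700 home
# directory that a service account (assumed here to be clamscan) cannot search.
demo=$(mktemp -d)
mkdir -p "$demo/home/asus/Documents"
chmod 755 "$demo" "$demo/home" "$demo/home/asus/Documents"
chmod 700 "$demo/home/asus"
check_traversal "$(id -un)" "$(id -Gn)" "$demo/home/asus/Documents"
check_traversal clamscan "clamscan virusgroup" "$demo/home/asus/Documents" || :  # expected: DENIED
cat >"$demo/clamd.conf" <<'EOF'
# constructed clamd.conf fragment for the demo
OnAccessIncludePath /home/asus/Documents
OnAccessPrevention yes
OnAccessExcludeUname clamscan
OnAccessExcludeRootUID no
EOF
onaccess_excludes "$demo/clamd.conf"
rm -rf "$demo"
```

On a real system you would feed check_traversal the account clamd runs as (from `ps -o user= -C clamd`, assumed to be clamscan on Fedora) and its groups from `id -Gn <user>`, against the path from the error message, and point onaccess_excludes at the distribution's clamd.conf. A DENIED line on a 0700 home directory explains the clamdscan error without any SELinux involvement; if every component checks out and the error persists, look at SELinux denials next (for example `ausearch -m avc -ts recent`) before changing booleans.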