
[clamav-users] Freshclam can't get started
I've had this problem since I started using Debian Linux months ago. I'm using Debian Linux 10.6.

/var/local/clamav # freshclam -v --debug -F --user clamav
ERROR: Can't open /var/local/clamav/freshclam.log in append mode (check permissions!).
ERROR: Problem with internal logger (UpdateLogFile = /var/local/clamav/freshclam.log).
ERROR: initialize: libfreshclam init failed.
ERROR: Initialization error!

Directory permissions for /var and /var/local are 0755.
Directory permissions for /var/local/clamav are 06770 owned by clamav:clamav.
File permissions for /var/local/clamav/freshclam.log are 0660 owned by clamav:clamav.

I get my copies of ClamAV as a Debian package. I used apt install clamav. I just upgraded everything to Debian 10.6 two days ago.

I can't seem to get the malware database started. How do I fix this?

Re: [clamav-users] Freshclam can't get started [ In reply to ]
On 2020-10-03 16:39, Matthew Campbell via clamav-users wrote:
> Directory permissions for /var/local/clamav are 06770 owned by clamav:clamav.

So the clamav user can't traverse that directory? (You should also set
that mode o-w, at the very least, or risk exploits.)

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] Freshclam can't get started [ In reply to ]
Hi there,

On Sat, 3 Oct 2020, Matthew Campbell via clamav-users wrote:

> I've had this problem since I started using Debian Linux months ago. I'm using Debian Linux 10.6.
>
> /var/local/clamav # freshclam -v --debug -F --user clamav
> ERROR: Can't open /var/local/clamav/freshclam.log in append mode (check permissions!).
> ...
> Directory permissions for /var/local/clamav are 06770 owned by clamav:clamav.

Is there any particular reason for using the /var/local/ directory?
I thought Debian maintainers tended to use /var/lib/ more often.

Anyway, either you've done something strange to the system or those
aren't the permissions. Please could you paste the output of

ls -l /var/local/

into a message and let us see what you've got? Here's an example from
one of my systems. You'll see that there is an 'x' in the fourth
column of every line. If you don't have that, then that might be a
problem - but it might not be the only one.

$ ls -l /var
total 48
drwxr-xr-x 2 root root 4096 Oct 3 06:47 backups
drwxr-xr-x 12 root root 4096 Dec 23 2019 cache
drwxr-xr-x 43 root root 4096 Jul 29 12:12 lib
drwxrwsr-x 2 root staff 4096 Aug 30 2019 local
lrwxrwxrwx 1 root root 9 Sep 19 2019 lock -> /run/lock
drwxr-xr-x 18 root root 12288 Oct 2 13:34 log
drwxrwsrwt 2 root mail 4096 Oct 2 05:36 mail
drwxr-xr-x 2 root root 4096 Sep 19 2019 opt
lrwxrwxrwx 1 root root 4 Sep 19 2019 run -> /run
drwxr-xr-x 5 root root 4096 Oct 8 2019 spool
drwxrwxrwt 2 root root 4096 Oct 3 06:47 tmp
drwxr-xr-x 3 root root 4096 Dec 23 2019 www

> File permissions for /var/local/clamav/freshclam.log are 0660 owned by clamav:clamav.

That should be OK if clamav is the UID that's running freshclam.

> I get my copies of ClamAV as a Debian package. I used apt install
> clamav. I just upgraded everything to Debian 10.6 two days ago.
> I can't seem to get the malware database started. How do I fix this?

You could remove all the clamav packages (there's more than one) and
purge them, then reinstall. But if you've done really strange things
to some directory permissions you might need to do a bit more work.

What do you plan to use ClamAV for?

--

73,
Ged.

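A quick way to test the point Ged makes about the 'x' in the fourth column, as an added example that is not from the thread or from the ClamAV project: it walks the directory chain the way the kernel does for a named user and names the first component, if any, that would block an append-mode open of the log file. Only plain mode bits are modelled (no POSIX ACLs, no root override, no AppArmor or SELinux), GNU coreutils is assumed, and `clamav` / `/var/local/clamav/freshclam.log` in the usage comment are just the values quoted in the thread.

```shell
#!/bin/sh
# Walk every directory component of a path as the kernel does for the given
# user and report the first one that user cannot traverse (no 'x' in their
# class), then check that the final file can be opened for append.
# Only plain mode bits are modelled: POSIX ACLs, root's override and a MAC
# layer (AppArmor/SELinux) are out of scope, so a "pass" here with a
# persisting freshclam error points at one of those, not at chmod.
# Assumes GNU coreutils (stat -c, id -G), as shipped on Debian.

# Print the single rwx digit that applies to $1 (a user name) on path $2:
# the owner digit if they own it, the group digit if they are in its group,
# otherwise the "other" digit. 06770 on a clamav-owned dir gives 7 for clamav.
class_digit() {
    user=$1; path=$2
    uid=$(id -u "$user") || return 1
    info=$(stat -c '%u %g %a' "$path") || return 1
    set -- $info                          # $1 owner uid, $2 gid, $3 octal mode
    bits=$(printf '%03d' "$3")            # at least three digits ("0" -> "000")
    bits=${bits#"${bits%???}"}            # drop the setuid/setgid/sticky digit
    if [ "$uid" = "$1" ]; then
        echo "${bits%??}"                 # owner digit
    elif id -G "$user" | tr ' ' '\n' | grep -qx "$2"; then
        t=${bits%?}; echo "${t#?}"        # group digit
    else
        echo "${bits#??}"                 # other digit
    fi
}

# check_append_access USER FILE: returns 0 if USER could open FILE in append
# mode according to the mode bits, 1 (with a message naming the blocking
# component) otherwise, 2 if a component cannot be stat'ed.
check_append_access() {
    user=$1; target=$2
    case $target in /*) ;; *) target=$PWD/$target ;; esac
    dir=$(dirname "$target")
    chain=""; d=$dir
    while :; do                            # build "/ /var /var/local ..."
        chain="$d $chain"
        if [ "$d" = / ]; then break; fi
        d=$(dirname "$d")
    done
    for d in $chain; do                    # every directory needs the x bit
        digit=$(class_digit "$user" "$d") || { echo "cannot stat $d"; return 2; }
        if [ $((digit & 1)) -eq 0 ]; then
            echo "$user cannot traverse $d ($(stat -c '%A %U:%G' "$d"))"
            return 1
        fi
    done
    if [ -e "$target" ]; then               # append needs w on the file itself
        digit=$(class_digit "$user" "$target") || return 2
        [ $((digit & 2)) -ne 0 ] || { echo "$user cannot write $target"; return 1; }
    else                                    # or w on the directory to create it
        digit=$(class_digit "$user" "$dir") || return 2
        [ $((digit & 2)) -ne 0 ] || { echo "$user cannot create files in $dir"; return 1; }
    fi
    echo "$user can open $target for append (mode bits allow it)"
}

# Usage for the case in the thread (run as root on the affected host):
# check_append_access clamav /var/local/clamav/freshclam.log
```

If the mode bits pass but freshclam still reports the append error, the remaining suspects are the ones Ged raises later in the thread: a MAC profile (AppArmor/SELinux) or a uid/gid mapping that differs from what the names suggest.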
Re: [clamav-users] Freshclam can't get started [ In reply to ]
These are the permissions in /var/local/

2 /var/local # ls -al
total 48
drwxr-xr-x 9 root root 4096 Jul 27 08:01 .
drwxr-xr-x 14 root root 4096 Oct 1 15:39 ..
drwx------ 2 root root 4096 Oct 4 05:24 aide
drwsrws--- 3 clamav clamav 4096 Oct 3 12:53 clamav
drwx------ 3 root root 4096 Jun 22 17:29 lib
drwxr-xr-x 2 root root 4096 Jul 25 06:24 log
drwx------ 2 root root 16384 Jun 20 23:27 lost+found
drwx------ 2 root root 4096 Jul 21 11:17 lynis
drwx------ 2 root root 4096 Jul 21 07:12 nacctd
2 /var/local #

I use a separate file system to keep private data away from the root partition. I use ClamAV for general malware scanning.

Unfortunately my email app insists on quoting previous replies. Sorry about that.

Re: [clamav-users] Freshclam can't get started [ In reply to ]
Hello again,

To try to make some sense of it I've taken some of this out of order.

On Oct 4, 2020, Matthew Campbell via clamav-users wrote:
> On Oct 3, 2020, 4:42 PM, G.W. Haywood via clamav-users wrote:
>> On Oct 3, 2020, Matthew Campbell via clamav-users wrote:
>>
>>> I've had this problem since I started using Debian Linux months
>>> ago. I'm using Debian Linux 10.6.
>>> /var/local/clamav # freshclam -v --debug -F --user clamav
>>> ERROR: Can't open /var/local/clamav/freshclam.log in append mode (check permissions!).
>>> ...
>>> Directory permissions for /var/local/clamav are 06770 owned by clamav:clamav.
>>> ...
>>> I get my copies of ClamAV as a Debian package. I used apt install
>>> clamav. I just upgraded everything to Debian 10.6 two days ago.
>>
>> Is there any particular reason for using the /var/local/ directory?
>> I thought Debian maintainers tended to use /var/lib/ more often.
>
> I use a separate file system to keep private data away from the root

Well I'd hardly call ClamAV databases "private data", since they are
available to anyone at the cost of an HTTP request. The authors of
ClamAV do things one way. Debian maintainers do it a different way.
You've done it yet another way. If you began your journey into Linux
with an attempt at a non-standard Debian installation then you likely
bit off more than you could chew and you're making things a lot more
difficult than necessary.

Do you have SELinux or AppArmor installed? You haven't mounted the
partition read-only have you? We'd better see your freshclam.conf.

>> What do you plan to use ClamAV for?
> I use ClamAV for general malware scanning.

Given that you say you've had the problems you're describing since you
started using Linux I wonder if it's never found anything. But if it
did, how do you think it got there and what did you do about it? What
security precautions are you taking to prevent compromises?

>> You could remove all the clamav packages (there's more than one)
>> and purge them, then reinstall.

Try it. But don't try anything clever, just let the package manager
do what it wants to do and let it install things where it wants to.
That way at least we'll have a reasonable idea of what you've done.
When you become more familiar with the system you can adjust things
to your needs if it's really necessary. But only if it's necessary.

>> Please could you paste the output of
>> ls -l /var/local/
>
> These are the permissions in /var/local/
> ...
> drwsrws--- 3 clamav clamav 4096 Oct 3 12:53 clamav
> ...

Why the setuid/setgid bits? Quoting the 'info coreutils':

"These mechanisms let users share files more easily, by lessening the
need to use ‘chmod’ or ‘chown’ to share new files."

which seems to be the exact opposite of what you're trying to do...

Do the ClamAV daemons run as user clamav? Can we be clear that the
system which is showing us the user and group names is the same one
that's telling you which user and group run the ClamAV daemons? The
reason for asking is that different systems can have a different
mapping of user and group numerical IDs to user and group names, and
there seems to be a lot that you haven't told us yet.

> Unfortunately my email app insists on quoting previous
> replies. Sorry about that.

You might want to try a different mail client for correspondence on
mailing lists, where patience is often at a premium.

--

73,
Ged.

Re: [clamav-users] Freshclam can't get started [ In reply to ]
Ged wrote:

Well I'd hardly call ClamAV databases "private data", since they are
available to anyone at the cost of an HTTP request. The authors of
ClamAV do things one way. Debian maintainers do it a different way.
You've done it yet another way. If you began your journey into Linux
with an attempt at a non-standard Debian installation then you likely bit off more than you could chew and you're making things a lot more difficult than necessary.

Do you have SELinux or AppArmor installed? You haven't mounted the
partition read-only have you? We'd better see your freshclam.conf.

Matthew writes:

The files in /user/ are private data and /user/ uses a separate file system to keep user data away from the root file system.

I believe SELinux and AppArmor are both installed.
/var/local is not mounted as read-only.

Ged added:

>> What do you plan to use ClamAV for?
> I use ClamAV for general malware scanning.

Given that you say you've had the problems you're describing since you started using Linux I wonder if it's never found anything. But if it did, how do you think it got there and what did you do about it? What security precautions are you taking to prevent compromises?

Matthew writes:

I use aide every day. I use clamscan on /user and /tmp every day. I use clamscan on other areas when deemed necessary.

Ged added:

>> You could remove all the clamav packages (there's more than one)
>> and purge them, then reinstall.

Try it. But don't try anything clever, just let the package manager
do what it wants to do and let it install things where it wants to.
That way at least we'll have a reasonable idea of what you've done.
When you become more familiar with the system you can adjust things
to your needs if it's really necessary. But only if it's necessary.

Matthew writes:

I used:

# apt install clamav-base clamav-daemon clamav-docs clamav-freshclam clamav-milter clamav-testfiles clamav clamdscan

to install ClamAV, at least according to the list of installed packages.

Ged added:

>> Please could you paste the output of
>> ls -l /var/local/
>
> These are the permissions in /var/local/
> ...
> drwsrws--- 3 clamav clamav 4096 Oct 3 12:53 clamav
> ...

Why the setuid/setgid bits? Quoting the 'info coreutils':

"These mechanisms let users share files more easily, by lessening the need to use ‘chmod’ or ‘chown’ to share new files."

which seems to be the exact opposite of what you're trying to do...

Do the ClamAV daemons run as user clamav? Can we be clear that the
system which is showing us the user and group names is the same one
that's telling you which user and group run the ClamAV daemons? The
reason for asking is that different systems can have a different
mapping of user and group numerical IDs to user and group names, and
there seems to be a lot that you haven't told us yet.

Matthew writes:

I used the setuid/gid bits to force any newly created files to be owned by the user:group clamav:clamav. The package manager created the clamav user and group.

Ged added:

> Unfortunately my email app insists on quoting previous
> replies. Sorry about that.

You might want to try a different mail client for correspondence on
mailing lists, where patience is often at a premium.

--

73,
Ged.

Matthew writes:

I can only use what is available to me.

Contents of /etc/clamav/freshclam.conf:

# Automatically created by the clamav-freshclam postinst
# Comments will get lost when you reconfigure the clamav-freshclam package

DatabaseOwner clamav
UpdateLogFile /var/local/clamav/freshclam.log
LogVerbose false
LogSyslog false
LogFacility LOG_LOCAL6
LogFileMaxSize 0
LogRotate true
LogTime true
Foreground false
Debug false
MaxAttempts 5
DatabaseDirectory /var/lib/clamav
DNSDatabaseInfo current.cvd.clamav.net
ConnectTimeout 30
ReceiveTimeout 0
TestDatabases yes
ScriptedUpdates yes
CompressLocalDatabase no
SafeBrowsing true
Bytecode true
NotifyClamd /etc/clamav/clamd.conf
# Check for new database 24 times a day
Checks 24
DatabaseMirror db.local.clamav.net
DatabaseMirror database.clamav.net

Contents of /etc/clamav/clamd.conf:

#Automatically Generated by clamav-daemon postinst
#To reconfigure clamd run #dpkg-reconfigure clamav-daemon
#Please read /usr/share/doc/clamav-daemon/README.Debian.gz for details
LocalSocket /var/run/clamav/clamd.ctl
FixStaleSocket true
LocalSocketGroup clamav
LocalSocketMode 666
# TemporaryDirectory is not set to its default /tmp here to make overriding
# the default with environment variables TMPDIR/TMP/TEMP possible
User clamav
ScanMail true
ScanArchive true
ArchiveBlockEncrypted false
MaxDirectoryRecursion 15
FollowDirectorySymlinks false
FollowFileSymlinks true
ReadTimeout 0
MaxThreads 12
MaxConnectionQueueLength 15
LogSyslog false
LogRotate true
LogFacility LOG_LOCAL6
LogClean false
LogVerbose false
PreludeEnable no
PreludeAnalyzerName ClamAV
DatabaseDirectory /var/lib/clamav
OfficialDatabaseOnly false
SelfCheck 3600
Foreground false
Debug false
ScanPE true
MaxEmbeddedPE 10M
ScanOLE2 true
ScanPDF true
ScanHTML true
MaxHTMLNormalize 10M
MaxHTMLNoTags 2M
MaxScriptNormalize 5M
MaxZipTypeRcg 1M
ScanSWF true
ExitOnOOM false
LeaveTemporaryFiles false
AlgorithmicDetection true
ScanELF true
IdleTimeout 30
CrossFilesystems true
PhishingSignatures true
PhishingScanURLs true
PhishingAlwaysBlockSSLMismatch false
PhishingAlwaysBlockCloak false
PartitionIntersection false
DetectPUA false
ScanPartialMessages false
HeuristicScanPrecedence false
StructuredDataDetection false
CommandReadTimeout 30
SendBufTimeout 200
MaxQueue 100
ExtendedDetectionInfo true
OLE2BlockMacros false
AllowAllMatchScan true
ForceToDisk false
DisableCertCheck false
DisableCache false
MaxScanTime 120000
MaxScanSize 100M
MaxFileSize 25M
MaxRecursion 16
MaxFiles 10000
MaxPartitions 50
MaxIconsPE 100
PCREMatchLimit 10000
PCRERecMatchLimit 5000
PCREMaxFileSize 25M
ScanXMLDOCS true
ScanHWP3 true
MaxRecHWP3 16
StreamMaxLength 10240M
LogFile /var/local/clamav/clamav.log
LogTime true
LogFileUnlock false
LogFileMaxSize 0
Bytecode true
BytecodeSecurity Paranoid
BytecodeTimeout 60000
OnAccessMaxFileSize 5M

Contents of /etc/clamav/clamav-milter.conf:

#Automatically Generated by clamav-milter postinst
#To reconfigure clamav-milter run #dpkg-reconfigure clamav-milter
#Please read /usr/share/doc/clamav-base/README.Debian.gz for details
MilterSocket /var/run/clamav/clamav-milter.ctl
FixStaleSocket true
User clamav
ReadTimeout 120
Foreground false
PidFile /var/run/clamav/clamav-milter.pid
ClamdSocket unix:/var/run/clamav/clamd.ctl
OnClean Accept
OnInfected Quarantine
OnFail Defer
AddHeader Replace
LogSyslog false
LogFacility LOG_LOCAL6
LogVerbose false
LogInfected Off
LogClean Off
LogRotate true
MaxFileSize 25M
SupportMultipleRecipients false
TemporaryDirectory /tmp
LogFile /var/log/clamav/clamav-milter.log
LogTime true
LogFileUnlock false
LogFileMaxSize 1M
MilterSocketGroup clamav
MilterSocketMode 666

Re: [clamav-users] Freshclam can't get started [ In reply to ]
Hello again,

On Tue, 6 Oct 2020, Matthew Campbell via clamav-users wrote:

> The files in /user/ are private data and /user/ uses a separate file system ...

What is /user/ and how is it relevant?

> I believe SELinux and AppArmor are both installed.

Look at the logs.

If you do just the things that are widely recommended (it's more about
behaviour than it is about clever system tweaks) then a Debian system
doesn't need much help from you to be secure. If you tinker with it
without really knowing what you're doing then the effects might be the
opposite of what you intended, plus you risk breaking things. I think
that's what's happened here.

SELinux is very much more difficult to use than AppArmor and it will
likely be a long time (years) before you can use SELinux effectively.
In my experience they can cause the sort of problems you're seeing. I
don't think you want to use both. I don't want to chase you down that
particular rabbit-hole but you might want to read about them (but be
alert, when reading, for the sound of axes being ground). Some links:

https://security.stackexchange.com/questions/29378/comparison-between-apparmor-and-selinux
https://www.tecmint.com/mandatory-access-control-with-selinux-or-apparmor-linux/
https://en.wikipedia.org/wiki/AppArmor
https://en.wikipedia.org/wiki/Security-Enhanced_Linux#Comparison_with_AppArmor

> Ged wrote:
> > > > You could remove all the clamav packages (there's more than one)
> > > > and purge them, then reinstall.

> Ged added:

> > Try it. But don't try anything clever, just let the package manager
> > do what it wants to do and let it install things where it wants to.
> > That way at least we'll have a reasonable idea of what you've done.
> > When you become more familiar with the system you can adjust things
> > to your needs if it's really necessary. But only if it's necessary.

Matthew replied:

> I used:
>
> # apt install clamav-base clamav-daemon clamav-docs clamav-freshclam clamav-milter clamav-testfiles clamav clamdscan
>
> to install ClamAV, at least according to the list of installed packages.

But did you try to purge and reinstall in the way that I have (twice)
suggested? This is the third (and last) time that I'll suggest that.

I sense some reluctance, but it's trivial to do it on a Debian system
unless you've thoroughly broken it in which case a reinstall might be
the easiest and quickest option. Obviously you will need to copy any
data that you're particularly fond of somewhere safe before doing it,
but obviously you're already doing that with your daily backups.

--

73,
Ged.
