[clamav-users] Samba vfs_virusfilter and clamd
Hi,

do I get it right that clamd has to run as root to work with
vfs_virusfilter in Samba 4.13? I really thought I ran it as non-root the
last time I tested it, but now I can't reproduce it and this confuses me.

thanks
Matthias

PS
I also posted this to Samba mailing list


_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] Samba vfs_virusfilter and clamd
Hi there,

On Tue, 27 Apr 2021, Matthias Leopold via clamav-users wrote:

> do I get it right that clamd has to run as root to work with vfs_virusfilter
> in Samba 4.13? I really thought I ran it as non-root the last time I tested
> it, but now I can't reproduce it and this confuses me.

If you're saying that it all works fine, that's great. :) Otherwise -
it's years since I used SAMBA, I've never come across vfs_virusfilter,
I don't use on-access scanning and I don't (usually) scan filesystems.

Having said that, all you really need to know is that if clamd is going
to scan something then it needs to be able to read it. There's more
than one way to arrange for that, but the simplest way is to run clamd
as root and then it can read anything. Obviously if clamd itself is
compromised and it's running as root then you have a serious problem.
There have been vulnerabilities, and they've been fixed as they've been
found, but I don't think I know of any case of clamd being compromised.

If everything you need to scan can be read by an unprivileged process,
or if some privileged process can read the data on clamd's behalf and
pass it to clamd over the clamd socket, then you can run clamd as user
'clamav' or something and give that user very few permissions.

You can start clamd as root and have it drop privileges and run as
another user. That's what I do. It's all in the documentation.

I run clamd on a (more or less) dedicated server, it only scans things
which are passed to it over the network. That might cause performance
problems if I were to try to scan whole filesystems, or to do anything
resembling on-access scanning, but I don't plan to do that.

Be careful with "virusfilter:infected file action", a false positive
could ruin your whole OS. See the warnings in the ClamAV documentation.

--

73,
Ged.
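
The arrangement mentioned in the reply above, where a process that can read the data passes it to clamd over the clamd socket so clamd itself can stay unprivileged, uses clamd's INSTREAM command. The sketch below is an added example, not part of the original message and not ClamAV or Samba code; the socket path and all function names are assumptions.

```python
import socket
import struct

CLAMD_SOCKET = "/run/clamav/clamd.ctl"  # assumption: LocalSocket value from your clamd.conf
CHUNK = 64 * 1024  # clamd rejects streams larger than its StreamMaxLength setting


def frame_instream(fileobj, chunk_size=CHUNK):
    """Yield the byte strings that make up one INSTREAM session."""
    yield b"zINSTREAM\0"  # null-terminated command form
    while True:
        chunk = fileobj.read(chunk_size)
        if not chunk:
            break
        # Each chunk is prefixed with its length as a 4-byte big-endian integer.
        yield struct.pack("!I", len(chunk)) + chunk
    yield struct.pack("!I", 0)  # zero-length chunk ends the stream


def parse_reply(reply):
    """Map clamd's reply line to (verdict, detail)."""
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    _, _, result = text.partition(": ")
    if result == "OK":
        return ("clean", None)
    if result.endswith(" FOUND"):
        return ("infected", result[:-len(" FOUND")])
    return ("error", result or text)  # fail closed on anything unexpected


def scan(fileobj, sock):
    """Stream fileobj to clamd over an already connected socket."""
    for part in frame_instream(fileobj):
        sock.sendall(part)
    reply = b""
    while not reply.endswith(b"\0"):
        data = sock.recv(4096)
        if not data:
            break
        reply += data
    return parse_reply(reply)


def scan_path(path, socket_path=CLAMD_SOCKET):
    """The reader opens the file with its own privileges; clamd only sees bytes."""
    with open(path, "rb") as f, socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(socket_path)
        return scan(f, s)
```

With this split, the account clamd runs as needs no read access to the scanned files, only the calling process does.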
