mahara-contributors team mailing list archive

[Bug 1168422] [NEW] clamdscan permission issues

 

Public bug reported:

Sometimes clamdscan is used as the virus check application, which is faster
than clamscan as the file is being passed over for scanning to the clam
daemon. However, it requires specific permission settings, namely the clamd
user that runs the daemon should be able to access the file. Changing the
file mode to make it readable to others, which is currently in use, is
not sufficient in some cases, e.g. when the data directory is accessible
solely to the www-data user. The clamd user will only be able to access the
file if each directory it traverses has exec permission for the
matching group (likely 'others' in this case) and it is able to read the
destination file.

To make clamdscan work, I suggest using the --fdpass parameter, which passes
the file descriptor permissions to clamd and allows scanning the given
file irrespective of directory and file permissions (assuming the
www-data user who initiates the scan has access to it, which is always the
case).

** Affects: mahara
     Importance: Undecided
     Assignee: Ruslan Kabalin (rkabalin)
         Status: In Progress

** Changed in: mahara
       Status: New => In Progress

** Changed in: mahara
     Assignee: (unassigned) => Ruslan Kabalin (rkabalin)

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contrib members
https://bugs.launchpad.net/bugs/1168422

Title:
  clamdscan permission issues

Status in Mahara ePortfolio:
  In Progress

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1168422/+subscriptions
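
An added example, not part of the original bug report or of Mahara's code: it lists the path components that block a path-based open by an unrelated user, then reads the same file through a descriptor handed over a Unix socket with SCM_RIGHTS, the kind of descriptor passing --fdpass relies on. The function names and the dataroot/upload.bin layout are hypothetical; the check assumes the clamd user falls in the 'others' class and ignores ACLs.

```python
import os
import socket
import stat
import tempfile

def others_blockers(path):
    """Components that stop a user in the 'others' class from opening `path`:
    directories without o+x, or the file itself without o+r."""
    path = os.path.realpath(path)
    blockers = []
    parent = os.path.dirname(path)
    while True:
        if not os.stat(parent).st_mode & stat.S_IXOTH:
            blockers.append(parent)
        if parent == os.path.dirname(parent):  # reached the filesystem root
            break
        parent = os.path.dirname(parent)
    if not os.stat(path).st_mode & stat.S_IROTH:
        blockers.append(path)
    return blockers

def scan_via_passed_fd(path):
    """The web user opens the file and sends the open descriptor over a Unix
    socket; the receiving side reads it without ever resolving the path."""
    web_side, daemon_side = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    with web_side, daemon_side, open(path, "rb") as fh:
        socket.send_fds(web_side, [b"F"], [fh.fileno()])
        _, fds, _, _ = socket.recv_fds(daemon_side, 1, 1)
        with os.fdopen(fds[0], "rb") as received:
            return received.read()

def demo():
    # Constructed layout: a data directory only its owner can enter (0700)
    # holding an upload that was already made world-readable (0644).
    with tempfile.TemporaryDirectory() as root:
        dataroot = os.path.join(os.path.realpath(root), "dataroot")
        os.mkdir(dataroot)
        os.chmod(dataroot, 0o700)
        upload = os.path.join(dataroot, "upload.bin")
        with open(upload, "wb") as fh:
            fh.write(b"constructed sample upload")
        os.chmod(upload, 0o644)
        blockers = others_blockers(upload)
        return dataroot in blockers, upload in blockers, scan_via_passed_fd(upload)

if __name__ == "__main__":
    print(demo())
```

The first two results show that the file mode is not the obstacle, the 0700 directory is; the third shows the content is still readable through the passed descriptor.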
