any local user can shut clamd down via control socket
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| ClamAV | Unknown | Unknown | | |
| clamav (Debian) | Confirmed | Unknown | | |
| clamav (Ubuntu) | Triaged | Medium | Unassigned | |
Bug Description
As the control socket is world read+writeable:
$ namei -l /run/clamav/
f: /run/clamav/
drwxr-xr-x root root /
drwxr-xr-x root root run
drwxr-xr-x clamav root clamav
srw-rw-rw- clamav clamav clamd.ctl
(and needs to be for users to be able to pass files to scan)
and clamd doesn't seem to be doing any access control itself either, any local user can shut down clamd by sending the SHUTDOWN (aka QUIT) command there:
$ printf 'zSHUTDOWN\0' | socat - unix-connect:
for instance. That makes it a DoS vulnerability.
Other commands such as RELOAD (clamdscan --reload) or STATS may also need to be restricted.
That's with clamav-daemon 0.103.2+
Changed in clamav (Ubuntu):
status: New → Confirmed
information type: Private Security → Public Security
Changed in clamav:
status: Unknown → New
Changed in clamav:
status: New → Confirmed
Changed in clamav (Debian):
status: Unknown → Confirmed
Hello Stephane, thanks for the report. I get the impression reading /usr/share/doc/clamav-daemon/README.Debian.gz that the software isn't generally expected to be useful without configuration. You can use the debconf interactive configuration tool with:
dpkg-reconfigure clamav-daemon
Which will prompt for user, group, and permissions to set on the socket among many other things. Different sites may need to allow different services to connect to the daemon via Unix sockets or via TCP sockets etc.
I believe this is "working as intended" even if it does strike me as silly for the 'please scan this file' socket to be the same as the 'please shut down' socket. (I'm even a bit surprised about that, since signals can do this job just fine, no matter how icky they are...)
I think we should open the bug report up to allow others to suggest the best way to use clamav in different environments.
Thanks
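An added check, not from the bug report or from the ClamAV/Debian packaging, that an administrator can run after reconfiguring the daemon to confirm the control socket is no longer writable by every local user (the condition the report describes). It assumes a POSIX shell with ls and cut; the socket path is passed as an argument.

```shell
#!/bin/sh
# check_clamd_socket PATH
# Returns 0 if only the owner and group can write to PATH, 1 if "other" has
# write permission (any local user could send SHUTDOWN), 2 if PATH is missing.
check_clamd_socket() {
    path="$1"
    if [ ! -e "$path" ]; then
        echo "no such path: $path" >&2
        return 2
    fi
    # ls -ld prints e.g. "srw-rw-rw- 1 clamav clamav ...": character 1 is the
    # file type, characters 2-10 are the rwx triplets for owner, group, other,
    # so character 9 is the "other" write bit.
    line=$(ls -ld "$path")
    perms=$(printf '%s' "$line" | cut -c1-10)
    ftype=$(printf '%s' "$perms" | cut -c1)
    other_w=$(printf '%s' "$perms" | cut -c9)
    owner=$(printf '%s\n' "$line" | awk '{print $3 ":" $4}')
    if [ "$ftype" != s ]; then
        echo "note: $path is not a socket (type '$ftype')" >&2
    fi
    if [ "$other_w" = w ]; then
        echo "WARN: $path ($owner) is $perms: every local user can write to it"
        return 1
    fi
    echo "OK: $path ($owner) is $perms: only owner and group can connect"
    return 0
}

# Usage: sh check_clamd_socket.sh /run/clamav/clamd.ctl
if [ $# -gt 0 ]; then
    check_clamd_socket "$1"
fi
```

A socket mode such as 660 with a dedicated group is what clamd.conf's LocalSocketGroup and LocalSocketMode options set, which is what the debconf prompts mentioned above configure.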