Comment 4 for bug 1930393

Stephane Chazelas (stephane-chazelas+lp) wrote :

Also note that amavisd-new, often used in conjunction with postfix and clamav-daemon for spam+malware email filtering, like in amavisd-new-postfix (Description: part of Ubuntu mail stack provided by Ubuntu server team), in its default configuration runs as the "amavis" user and "amavis" group.

If, to mitigate this vulnerability, we reconfigure clamav-daemon for the socket to have

rw-rw---- clamav clamav

permissions, then amavisd-new can no longer connect to clamd via the socket. Adding amavis to the clamav group doesn't work as amavisd-new doesn't set supplementary gids. So, you're left with either reconfiguring amavis so it runs with clamav primary gid instead of amavis or changing the group of the clamav socket to amavis (which means that if you need other services to be able to use clamd services, you need to add them to that group and by consequence give them access to some amavis data which they don't need otherwise).
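The following is an added example, not part of the comment above or of any of the projects it names: it reads the credentials a process actually holds from `/proc/<pid>/status` text and applies a simplified Linux permission check to the `rw-rw----` socket for the configurations the comment lists. The numeric ids, the status excerpts and all function names are constructed for illustration; ACLs and directory search permission are ignored.

```python
import stat
from typing import NamedTuple

class Creds(NamedTuple):
    fsuid: int
    fsgid: int
    groups: frozenset  # supplementary gids actually held by the process

def parse_proc_status(text: str) -> Creds:
    """Read the credentials of a running process from /proc/<pid>/status text."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.split()
    # Uid:/Gid: columns are real, effective, saved, filesystem; DAC uses the last.
    return Creds(int(fields["Uid"][3]), int(fields["Gid"][3]),
                 frozenset(int(g) for g in fields.get("Groups", [])))

def can_connect(creds: Creds, mode: int, owner_uid: int, owner_gid: int) -> bool:
    """Simplified Linux DAC check; connect() needs write permission on the socket."""
    if creds.fsuid == 0:              # assumes root keeps CAP_DAC_OVERRIDE
        return True
    if creds.fsuid == owner_uid:
        return bool(mode & stat.S_IWUSR)
    if creds.fsgid == owner_gid or owner_gid in creds.groups:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)

# Constructed ids: clamav = uid 110 / gid 115, amavis = uid 111 / gid 116.
CLAMAV_UID, CLAMAV_GID, AMAVIS_GID = 110, 115, 116
SOCKET_MODE = 0o660                   # rw-rw----

def status(gid: int, groups: str) -> str:
    """Build a constructed /proc/<pid>/status excerpt for a process with uid 111."""
    return (f"Name:\tamavisd\nUid:\t111\t111\t111\t111\n"
            f"Gid:\t{gid}\t{gid}\t{gid}\t{gid}\nGroups:\t{groups}\n")

AS_DESCRIBED = parse_proc_status(status(116, "116"))     # in clamav group on paper, gid not held
WITH_SUPP = parse_proc_status(status(116, "115 116"))    # a service that does load its groups
CLAMAV_PRIMARY = parse_proc_status(status(115, "115"))   # amavis run with clamav primary gid

if __name__ == "__main__":
    cases = [("amavis gid, no supplementary gids, socket clamav:clamav", AS_DESCRIBED, CLAMAV_GID),
             ("supplementary gids loaded, socket clamav:clamav", WITH_SUPP, CLAMAV_GID),
             ("clamav as primary gid, socket clamav:clamav", CLAMAV_PRIMARY, CLAMAV_GID),
             ("amavis gid, socket clamav:amavis", AS_DESCRIBED, AMAVIS_GID)]
    for label, creds, sock_gid in cases:
        print(label, "->", can_connect(creds, SOCKET_MODE, CLAMAV_UID, sock_gid))
```

Checking the `Groups:` line of the live process, rather than `/etc/group`, is what shows whether a group membership change has any effect on a given daemon.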