clamav-milter socket permissions wrong

Bug #430418 reported by Stephen Warren
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
ClamAV | Unknown | Unknown | |
clamav (Ubuntu) | Triaged | Medium | Unassigned |

Bug Description

Binary package hint: clamav

According to /etc/default/clamav-milter on Jaunty:

## SOCKET_RWGROUP
# by default, the socket created by the milter has permissions
# clamav:clamav:755. SOCKET_RWGROUP changes the group and changes the
# permissions to 775 to give read-write access to that group.

This doesn't make sense:

* A socket shouldn't ever have execute permissions.
* If the idea is that only a particular user/group should have access to the socket, no group/world permissions should be set at all.

So, I think the modes should be 600 or 660 respectively.

Scott Kitterman (kitterman) wrote :

This is the upstream default. I'd suggest filing a bug with upstream and seeing how open they are to changing it:

https://wwws.clamav.net/bugzilla/

Stephen Warren (srwarren) wrote :

Is /etc/init.d/clamav-milter provided by upstream or Debian/Ubuntu? That contains an explicit SOCKET_RWGROUP setting for modifying the socket permissions. It seems that would be an appropriate place for a fix...

Scott Kitterman (kitterman) wrote : Re: [Bug 430418] Re: clamav-milter socket permissions wrong

It's provided by Debian, but uses the same permissions as upstream. When I
discussed it with the Debian maintainer, he suggested discussing it with
upstream.

Stephen Warren (srwarren) wrote :

Finally got around to filing an upstream bug: https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1726

I'm not sure how to get Launchpad to monitor remote bugs, unless they're
for a distro rather than a project...

Scott Kitterman (kitterman) wrote :

No, you wanted the project option. Linked now.

Stephen Warren (srwarren) wrote :

FYI, the clamav folks said this is just what the sendmail-supplied libmilter(?) library does. Hence, they pointed me at sendmail support. sendmail doesn't seem to have publicly accountable support, just a black-hole email address. I did report the issue to them, but they didn't respond.

Chuck Short (zulcss)
Changed in clamav (Ubuntu):
importance: Undecided → Medium
status: New → Triaged
Imre Gergely (cemc) wrote :

I've checked in 0.97.2 in Oneiric, and the socket mode is now 0666, as specified in /etc/clamav/clamav-milter.conf. So the execute permission is gone. The world read/write mode is still present.

root@utest-oos32:~# cat /etc/clamav/clamav-milter.conf |grep Mode
MilterSocketMode 666

root@utest-oos32:~# cat /etc/clamav/clamav-milter.conf |grep MilterSocket
MilterSocket /var/run/clamav/clamav-milter.ctl

root@utest-oos32:~# stat /var/run/clamav/clamav-milter.ctl
  File: `/var/run/clamav/clamav-milter.ctl'
  Size: 0 Blocks: 0 IO Block: 4096 socket
Device: fh/15d Inode: 8078 Links: 1
Access: (0666/srw-rw-rw-) Uid: ( 104/ clamav) Gid: ( 112/ clamav)

The same is true in clamav 0.96.5 which is in Hardy, Lucid and Maverick.
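
The two objections raised in this report (execute bits on a socket, and access beyond the intended user and group) can be checked mechanically. The shell script below is an added example, not code from ClamAV, Debian or any commenter in this thread. Its function names are made up here, it reads the MilterSocket and MilterSocketMode directives quoted in the last comment, and its sample config is constructed.

```shell
#!/bin/sh
# Added example: audit the clamav-milter socket mode discussed in this report.

# Print the last uncommented value of directive $2 in config file $1.
conf_value() {
    awk -v key="$2" '$1 == key { val = $2 } END { if (val != "") print val }' "$1"
}

# Classify an octal mode against the report's two objections.
# Prints "ok", "invalid-mode", or a space-separated list of findings.
assess_socket_mode() {
    case $1 in
        ''|*[!0-7]*) echo "invalid-mode"; return 0 ;;
    esac
    bits=$((0$1))
    out=""
    # Execute bits carry no meaning on a socket.
    if [ $((bits & 0111)) -ne 0 ]; then out="exec-bits"; fi
    # Any "other" bit exposes the socket beyond the owning user and group.
    if [ $((bits & 0007)) -ne 0 ]; then out="${out:+$out }world-access"; fi
    echo "${out:-ok}"
}

# Audit a clamav-milter.conf: the configured mode, plus the on-disk mode if
# the socket exists (stat -c is GNU coreutils syntax).
audit_milter_conf() {
    sock=$(conf_value "$1" MilterSocket)
    mode=$(conf_value "$1" MilterSocketMode)
    echo "configured ${mode:-unset}: $(assess_socket_mode "$mode")"
    if [ -S "$sock" ]; then
        disk=$(stat -c '%a' "$sock")
        echo "on-disk $disk: $(assess_socket_mode "$disk")"
    fi
}

# Constructed sample config using the two values quoted in the thread.
sample=$(mktemp)
printf '%s\n' 'MilterSocket /var/run/clamav/clamav-milter.ctl' \
              'MilterSocketMode 666' > "$sample"
audit_milter_conf "$sample"
rm -f "$sample"
```

Modes 600 and 660, the values proposed in the bug description, come back as ok; 755, 775 and 666 are flagged.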
