LinuxQuestions.org


ragebot 08-20-2008 10:33 PM

question about SLACKBUILD: clamav and problems with milter
 
Hi everyone

built clamav using the slackbuild at slackbuilds.org and it seemed to go ok, but i can't get the clamav-milter daemon to start.

I haven't altered the build script at all apart from to point it to the latest sources as it's a little out of date.

I've updated my sendmail mc file and modified the /etc/rc.d/rc.clamav script so it will start the daemon but each time i do i get:

clamav: Operation not permitted.

I've tried a variety of things from 'how-to's i've found but it's the same issue and i can't get it sorted.

Can anyone help at all as i'm stuck!

Cheers, Jamie

MS3FGX 08-20-2008 10:38 PM

When do you get that error, when you try to execute the rc.clamav file? Have you verified it is executable?

ragebot 08-20-2008 10:51 PM

yeah it's definitely executable...checked that.

it starts the clamd daemon and freshclam daemon ok but then gives the error i described and doesn't generate the milter socket.

sendmail is configured with milter support, which i checked also.

ragebot 08-20-2008 11:01 PM

i have just checked /usr/sbin/clamav-milter which does not appear to be executable:

j# ls -l /usr/sbin/ | grep clam
-rws------ 1 clamav root 129892 2008-08-20 23:45 clamav-milter
-rwxr-xr-x 1 root root 61672 2008-08-20 23:45 clamd

do you think this could be my problem?

Jamie

gnashley 08-21-2008 03:54 AM

Sounds like it. You should write a line into the SlackBuild script which makes the file executable. It can't be run if it isn't executable.

ragebot 08-21-2008 12:47 PM

Thanks for your help, i've sorted it. Stupid really; i don't know why i did look at /usr/sbin/clamav-milter permissions before.

changing ownership and permission (chown & chmod) put it right.


Although, i'm not sure why the slackbuild script didn't include a line to put that right in the first place. Not criticising slackbuilds or anything as i use them religiously; just would have saved a lot of time.

Never mind, thanks again.

Jamie

keefaz 08-21-2008 01:13 PM

I am afraid but the permissions were right to me (I could be wrong)
Code:

-rws------ 1 clamav root  129892 2008-08-20 23:45 clamav-milter

Look closely, the suid bit is set (letter "s") but just for the file owner (first position)
So that means user clamav can execute clamav-milter with root privileges

ragebot 08-21-2008 01:19 PM

hmmm, confusing. You see i tried it over and over and when the clamav-milter daemon was activated (clamd and freshclam were ok) it kept returning an error:

Code:

Clamav: Operation not Permitted

Changing the ownership to root and adding 'chmod +x' resolved it straight away. Is this not correct then?

keefaz 08-21-2008 01:24 PM

I don't know as I don't use clamav but I think you have to create a user named "clamav"
It is like mysql, apache or ftp; those software packages use a user to not execute everything as root

Could you post your rc.clamav script ?

[edit]
I am an idiot, the clamav user is already in your system, else the ls output wouldn't show its name! (check /etc/passwd) So the error must come from the rc.clamav script

ragebot 08-21-2008 01:30 PM

I had to create the user clamav and its group before i could install the software (as determined by the slackbuild i used) so that was already set up correctly (i believe).

Here's the script i've got:

Code:

#!/bin/sh
# Start/stop/restart clamav.
# $Id: rc.clamav,v 1.1 2007/02/14 10:29:03 root Exp root $
# Author: Eric Hameleers <alien@slackware.com>
# ---------------------------------------------------------------------------
# Slightly modified by Robby Workman <rworkman@slackbuilds.org>
# to replace backticks ( s/`command`/$(command)/ )

# Set to '1' if you want milter support:
MILTER=1

# Start clamav:
clamav_start() {
  if [ -x /usr/sbin/clamd ]; then
    echo -n "Starting clamd daemon:  /usr/sbin/clamd "
    /usr/sbin/clamd
    echo "."
    # Give clamd a chance to create the socket
    sleep 1
    echo -n "Starting freshclam daemon:  /usr/bin/freshclam -d -l /var/log/freshclam.log "
    /usr/bin/freshclam -d -l /var/log/freshclam.log
    echo "."
    if [ "$MILTER" = "1" ]; then
      echo -n "Starting clamav-milter daemon:  /usr/sbin/clamav-milter -dblo --max-children=2 --quarantine-dir=/var/mail/quarantine local:/var/run/clamav/clmilter.sock "
      /usr/sbin/clamav-milter -dblo --max-children=2 --quarantine-dir=/var/mail/quarantine local:/var/run/clamav/clmilter.sock
      echo "."
    fi
  fi
}

# Stop clamav:
clamav_stop() {
  kill $(cat /var/run/clamav/clamd.pid)
  #killall freshclam
  kill $(cat /var/run/clamav/freshclam.pid)
  [ "$MILTER" = "1" ] && killall clamav-milter
}

# Restart clamav:
clamav_restart() {
  clamav_stop
  sleep 1
  clamav_start
}

case "$1" in
'start')
  clamav_start
  ;;
'stop')
  clamav_stop
  ;;
'restart')
  clamav_restart
  ;;
*)
  echo "usage $0 start|stop|restart"
esac

Jamie

keefaz 08-21-2008 01:45 PM

Could you try:
Code:

su clamav -c '/usr/sbin/clamav-milter -dblo --max-children=2 --quarantine-dir=/var/mail/quarantine local:/var/run/clamav/clmilter.sock'

instead of:
Code:

/usr/sbin/clamav-milter -dblo --max-children=2 --quarantine-dir=/var/mail/quarantine local:/var/run/clamav/clmilter.sock

in the clamav_start() function, after you reset the /usr/sbin/clamav-milter to -rws------

Code:

chown clamav /usr/sbin/clamav-milter
chmod 4600 /usr/sbin/clamav-milter


ragebot 08-21-2008 02:18 PM

Tried that but it did not work: the milter would not start.

Reverting to root ownership on /usr/sbin/clamav-milter and chmod +x /usr/sbin/clamav-milter put it right again.

Jamie

keefaz 08-21-2008 03:01 PM

Yes, whatever works... :)
It's weird though.. I wonder about what the clamav user is supposed to do

[edit]
Also I was wrong with the setuid bit, with the clamav-milter file owner set to clamav and with the setuid bit set, that means that root can execute clamav-milter and the process should have the clamav rights (I said the contrary :p)
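
Added example, not part of the original thread: a POSIX shell sketch that converts an octal mode into the string `ls -l` prints and reports what the owner execute slot means for a setuid file, using the modes mentioned in this thread. The function names `octal_to_ls` and `suid_effect` are made up for this example.

```shell
#!/bin/sh
# octal_to_ls MODE -> permission string as ls -l shows it for a regular file,
# e.g. 4700 -> -rws------
octal_to_ls() {
  mode=$1
  special=0
  # A 4-digit mode carries setuid(4)/setgid(2)/sticky(1) in its first digit.
  if [ ${#mode} -eq 4 ]; then
    special=${mode%???}
    mode=${mode#?}
  fi
  out="-"
  pos=0
  for digit in $(printf '%s' "$mode" | sed 's/./& /g'); do
    pos=$((pos + 1))
    r=-; w=-; x=-
    [ $((digit & 4)) -eq 0 ] || r=r
    [ $((digit & 2)) -eq 0 ] || w=w
    [ $((digit & 1)) -eq 0 ] || x=x
    case $pos in
      1) flag=4; on=s; off=S ;;   # owner slot shows setuid
      2) flag=2; on=s; off=S ;;   # group slot shows setgid
      3) flag=1; on=t; off=T ;;   # other slot shows sticky
    esac
    if [ $((special & flag)) -ne 0 ]; then
      # lowercase = special bit AND execute bit, uppercase = special bit only
      if [ "$x" = x ]; then x=$on; else x=$off; fi
    fi
    out="$out$r$w$x"
  done
  printf '%s\n' "$out"
}

# suid_effect PERMS OWNER -> what the owner execute slot (4th character) implies
suid_effect() {
  case $(printf '%s' "$1" | cut -c4) in
    s) echo "runs-as:$2" ;;           # effective uid becomes the file owner
    S) echo "setuid-without-exec" ;;  # setuid bit set, owner execute bit missing
    x) echo "runs-as:caller" ;;       # ordinary executable
    *) echo "owner-cannot-exec" ;;
  esac
}

# Constructed input: the modes discussed in the thread, with owner "clamav".
for m in 4700 4600 0755; do
  p=$(octal_to_ls "$m")
  echo "$m $p $(suid_effect "$p" clamav)"
done
```

The listing `-rws------` corresponds to mode `4700`; mode `4600` prints as `-rwS------`, where the capital `S` means the setuid bit is set without the owner execute bit. A file with no execute bit at all fails to start with "Permission denied" (EACCES), which is a different error from "Operation not permitted" (EPERM).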

ragebot 08-21-2008 04:36 PM

yeah it struck me as odd: i've never needed to change anything when i've used slackbuild scripts in the past. But, obviously the fact it's working is great, i just hope there aren't any security issues running it this way.

Interestingly, clamd is running as user 'clamav' according to the log-files.

i might drop a mail to the clamav list and see what they say.

Thanks for your help though.

Jamie


All times are GMT -5.