LinuxQuestions.org
Slackware This Forum is for the discussion of Slackware Linux.

Old 11-23-2007, 02:41 PM   #1
pwc101
Senior Member
 
Registered: Oct 2005
Location: UK
Distribution: Slackware
Posts: 1,847

Rep: Reputation: 128Reputation: 128
Run clamscan as an ordinary user: permissions error


I'm trying to run clamscan as an ordinary user on my Slack 12 setup. I used the slackbuild script from slackbuilds.org to compile and install clamav, and all went very well. I configured the /etc/clamd.conf and /etc/freshclam.conf files to suit my preferences (and to remove the Example sections) and had no problems updating or scanning files as root.

However, if I try and do either as an ordinary user, I get the following errors:
Code:
pwc101@lqexample:~> clamscan *
LibClamAV Error: cli_loaddbdir(): Can't open directory /usr/share/clamav
ERROR: Unable to open file or directory

----------- SCAN SUMMARY -----------
Known viruses: 0
Engine version: 0.91.2
Scanned directories: 0
Scanned files: 0
Infected files: 0
Data scanned: 0.00 MB
Time: 0.001 sec (0 m 0 s)
pwc101@lqexample:~> freshclam
Can't change dir to /usr/share/clamav
So it seems I need permission to /usr/share/clamav, but I'm a bit loath to make it writable by any old ordinary user (even though I'm the only user of this PC - I'd like to keep it that way!). Permissions on /usr/share/clamav are:
Code:
drwxrwx--- 2 clamav clamav 55 2007-11-23 20:38 /usr/share/clamav/
So it belongs to clamav and members of the clamav group can write to it.

As a fix, I've added myself to the clamav group, allowing me to update and run clamav as an unprivileged user, but this strikes me as a bit of a fudge.

Is there a more "recommended" way of doing this - or should I only run clamscan as root?

Thanks

Last edited by pwc101; 11-23-2007 at 02:43 PM.
 
Old 11-23-2007, 03:33 PM   #2
Alien_Hominid
Senior Member
 
Registered: Oct 2005
Location: Lithuania
Distribution: Hybrid
Posts: 2,247

Rep: Reputation: 53
Why writable? Just readable and executable.
 
Old 11-23-2007, 03:34 PM   #3
bigbadunix
LQ Newbie
 
Registered: Nov 2007
Location: Milwaukee, WI
Distribution: Ubuntu / Fedora Core / CentOS
Posts: 1

Rep: Reputation: 0
Permissions Issue

Although it seems like a kludge, there's really no problem with what you're doing.

With permissions of 770, you're basically only allowing write access to the directory in question to the clamav user, and members of the clamav group (which would be 'clamav' and yourself). Totally secure, no issues to speak of. Does clamav need to write to that directory for some reason? Otherwise, I'd try 750 for the directory to tighten things up a little.

I'm assuming that clamav runs as a totally unprivileged user (no shell, /sbin/nologin for the login shell). That being said, you'd probably run into problems as running the app 'su clamav', which would be the alternative to doing what you're doing now.

Last edited by bigbadunix; 11-23-2007 at 03:35 PM.
 
Old 11-23-2007, 04:08 PM   #4
Alien_Hominid
Senior Member
 
Registered: Oct 2005
Location: Lithuania
Distribution: Hybrid
Posts: 2,247

Rep: Reputation: 53
As I understand this, pwc101 does not belong to the clamav group. He runs clamscan and tries to open /usr/share/clamav, but he can't because this directory is not readable and executable to others.
 
Old 11-23-2007, 04:59 PM   #5
pwc101
Senior Member
 
Registered: Oct 2005
Location: UK
Distribution: Slackware
Posts: 1,847

Original Poster
Rep: Reputation: 128Reputation: 128
Quote:
Originally Posted by Alien_Hominid
As I understand this, pwc101 does not belong to the clamav group. He runs clamscan and tries to open /usr/share/clamav, but he can't because this directory is not readable and executable to others.
Your assumption is correct. Immediately after I'd installed it, I wasn't a member of the clamav group. I've since added myself to this group, but I wanted to check if anyone knew of another, more "recommended" way of achieving my goal.
Quote:
Originally Posted by Alien_Hominid
Why writable? Just readable and executable.
It needs to be writable so that the freshclam cronjob I have can update the database, and so I can update it should I choose to run freshclam manually.
Quote:
Originally Posted by bigbadunix
I'm assuming that clamav runs as a totally unprivileged user (no shell, /sbin/nologin for the login shell).
That's correct - the /etc/passwd entry for user clamav is:
Code:
clamav:x:1000:101:Clam Antivirus:/home/clamav:/bin/false
Quote:
Originally Posted by bigbadunix
That being said, you'd probably run into problems as running the app 'su clamav', which would be the alternative to doing what you're doing now.
If I were to do this, I'd need to su to root anyway, at which point I might as well just run the clamscan anyway, and not bother su-ing to the user clamav.

I think I'll leave myself in the clamav users and the permission as 770 so that I can update clamav myself. Since clamav and I are the only members of the clamav group, then nothing (and no one!) else can write to this directory anyway.
 
Old 11-24-2007, 02:34 AM   #6
Alien_Hominid
Senior Member
 
Registered: Oct 2005
Location: Lithuania
Distribution: Hybrid
Posts: 2,247

Rep: Reputation: 53
Are freshclam and clamscan different processes? Does clamscan start freshclam each time it is run? If not, just update your clamav database by su-ing to the clamav user account or root. Make the /usr/share/clamav directory readable and executable to others so they could run clamscan anytime they want. Clamav (clamscan) running as an unprivileged user will only be able to read the rules from the database and not update it.
 
Old 11-24-2007, 03:12 AM   #7
pwc101
Senior Member
 
Registered: Oct 2005
Location: UK
Distribution: Slackware
Posts: 1,847

Original Poster
Rep: Reputation: 128Reputation: 128
Quote:
Originally Posted by Alien_Hominid
Are freshclam and clamscan different processes? Does clamscan start freshclam each time it is run? If not, just update your clamav database by su-ing to the clamav user account or root. Make the /usr/share/clamav directory readable and executable to others so they could run clamscan anytime they want. Clamav (clamscan) running as an unprivileged user will only be able to read the rules from the database and not update it.
freshclam and clamscan are different processes, and as far as I'm aware, freshclam doesn't get called when clamscan is run.

Given I'm the only user, adding myself to the clamav group means I can update and run clamav. I've left other permissions as 0 because no one else needs to run it (I'm the only user).

Should anyone need to run clamscan at some point (if my girlfriend needs an account, for example!), then I'll probably change the permissions to allow others read and execute access, or add her to the clamav group.

freshclam is run every day as a cronjob, so I shouldn't need to update the database manually.
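
The permission trade-off discussed in this thread, as an added shell example (not code from any poster or from ClamAV): it models which accounts can scan (read + search) or update (write + search) the database directory under the modes mentioned, 770 and 750, plus 755 for the "readable and executable to others" suggestion. The function names and the `guest` account are hypothetical, the sample accounts are constructed, and `audit_dir` assumes GNU `stat`.

```shell
#!/bin/sh
# Added example: who can scan vs. update a directory such as /usr/share/clamav.

# dir_access MODE OWNER GROUP USER "USER_GROUPS"
# Prints "scan+update", "scan", "update" or "none". Root's bypass is not modelled.
dir_access() {
    mode=$1 owner=$2 group=$3 user=$4 ugroups=$5
    m=${mode#"${mode%???}"}            # last three octal digits (drops a setgid/sticky digit)
    if [ "$user" = "$owner" ]; then
        d=${m%??}                      # owner digit
    else
        d=${m#??}                      # default: "other" digit
        for g in $ugroups; do
            if [ "$g" = "$group" ]; then
                t=${m#?}; d=${t%?}     # group digit
                break
            fi
        done
    fi
    # Only the first matching class applies; the three digits are not a union.
    can=""
    if [ $(( d & 5 )) -eq 5 ]; then can="scan"; fi                  # r+x: list and open the DB files
    if [ $(( d & 3 )) -eq 3 ]; then can="${can:+$can+}update"; fi   # w+x: replace the DB files
    echo "${can:-none}"
}

# audit_dir PATH USER: the same check against a real directory (assumes GNU stat).
audit_dir() {
    info=$(stat -c '%a %U %G' "$1") || return 1
    set -- $info "$2" "$(id -Gn "$2")"
    dir_access "$@"
}

# Constructed cases from the thread: directory owner and group are both clamav.
for perm in 770 750 755; do
    for who in "clamav:clamav" "pwc101:users clamav" "guest:users"; do
        printf '%s %-8s %s\n' "$perm" "${who%%:*}" \
            "$(dir_access "$perm" clamav clamav "${who%%:*}" "${who#*:}")"
    done
done
```

On a live system, `audit_dir /usr/share/clamav pwc101` runs the same check against the real mode, owner and group.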
 
  

