Run clamscan as an ordinary user: permissions error
I'm trying to run clamscan as an ordinary user on my Slack 12 setup. I used the slackbuild script from slackbuilds.org to compile and install clamav, and all went very well. I configured the /etc/clamd.conf and /etc/freshclam.conf files to suit my preferences (and to remove the Example sections) and had no problems updating or scanning files as root.
However, if I try and do either as an ordinary user, I get the following errors:
Code:
pwc101@lqexample:~> clamscan *
LibClamAV Error: cli_loaddbdir(): Can't open directory /usr/share/clamav
ERROR: Unable to open file or directory
----------- SCAN SUMMARY -----------
Known viruses: 0
Engine version: 0.91.2
Scanned directories: 0
Scanned files: 0
Infected files: 0
Data scanned: 0.00 MB
Time: 0.001 sec (0 m 0 s)
pwc101@lqexample:~> freshclam
Can't change dir to /usr/share/clamav
So it seems I need permission to /usr/share/clamav, but I'm a bit loath to make it writable by any old ordinary user (even though I'm the only user of this PC - I'd like to keep it that way!). Permissions on /usr/share/clamav are:
Although it seems like a kludge, there's really no problem with what you're doing.
With permissions of 770, you're basically only allowing write access to the directory in question to the clamav user, and members of the clamav group (which would be 'clamav' and yourself). Totally secure, no issues to speak of. Does clamav need to write to that directory for some reason? Otherwise, I'd try 750 for the directory to tighten things up a little.
I'm assuming that clamav runs as a totally unprivileged user (no shell, /sbin/nologin for the login shell). That being said, you'd probably run into problems as running the app 'su clamav', which would be the alternative to doing what you're doing now.
Last edited by bigbadunix; 11-23-2007 at 03:35 PM.
As I understand this, pwc101 does not belong to the clamav group. He runs clamscan and tries to open /usr/share/clamav, but he can't 'cause this directory is not readable and executable to others.
Your assumption is correct. Immediately after I'd installed it, I wasn't a member of the clamav group. I've since added myself to this group, but I wanted to check if anyone knew of another, more "recommended" way of achieving my goal.
Quote:
Originally Posted by Alien_Hominid
Why writable? Just readable and executable.
It needs to be writable so that the freshclam cronjob I have can update the database, and so I can update it should I choose to run freshclam manually.
Quote:
Originally Posted by bigbadunix
I'm assuming that clamav runs as a totally unprivileged user (no shell, /sbin/nologin for the login shell).
That's correct - the /etc/passwd entry for user clamav is:
That being said, you'd probably run into problems as running the app 'su clamav', which would be the alternative to doing what you're doing now.
If I were to do this, I'd need to su to root anyway, at which point I might as well just run the clamscan anyway, and not bother su-ing to the user clamav.
I think I'll leave myself in the clamav users and the permission as 770 so that I can update clamav myself. Since clamav and I are the only members of the clamav group, then nothing (and no one!) else can write to this directory anyway.
Are freshclam and clamscan different processes? Does clamscan start freshclam each time it is run? If not, just update your clamav database by su-ing to the clamav user account or root. Make the /usr/share/clamav directory readable and executable to others so they could run clamscan anytime they want. Clamav (clamscan) running as an unprivileged user will only be able to read the rules from the database and not update it.
freshclam and clamscan are different processes, and as far as I'm aware, freshclam doesn't get called when clamscan is run.
Given I'm the only user, adding myself to the clamav group means I can update and run clamav. I've left other permissions as 0 because no one else needs to run it (I'm the only user).
Should anyone need to run clamscan at some point (if my girlfriend needs an account, for example!), then I'll probably change the permissions to allow others read and execute access, or add her to the clamav group.
freshclam is run every day as a cronjob, so I shouldn't need to update the database manually.
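As an added example (not written by any poster in this thread): a small shell helper that works out what the owner, group members and everyone else can do with the database directory under the modes discussed above (770, 750, 755). The function names are made up for this illustration.

```shell
#!/bin/sh
# Added example: models directory modes only; the signature files inside
# the directory need matching read/write bits of their own.

# db_access MODE CLASS: what CLASS (owner|group|other) can do in a
# database directory with octal MODE. Prints scan+update, scan or none.
db_access() {
    perms=${1#"${1%???}"}            # last three octal digits
    case $perms in
        [0-7][0-7][0-7]) ;;
        *) echo "bad mode: $1" >&2; return 2 ;;
    esac
    case $2 in
        owner) digit=${perms%??} ;;
        group) digit=${perms#?}; digit=${digit%?} ;;
        other) digit=${perms#??} ;;
        *) echo "bad class: $2" >&2; return 2 ;;
    esac
    # r=4 w=2 x=1. clamscan must list and enter the directory (r+x);
    # freshclam must also create and replace files in it (w).
    if [ $(($digit & 7)) -eq 7 ]; then echo "scan+update"
    elif [ $(($digit & 5)) -eq 5 ]; then echo "scan"
    else echo "none"
    fi
}

# dir_mode DIR: octal permission bits (GNU stat, then BSD stat).
dir_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# audit_db_dir DIR: one-line summary for an existing directory.
audit_db_dir() {
    m=$(dir_mode "$1") || return 1
    echo "mode=$m owner=$(db_access "$m" owner)" \
         "group=$(db_access "$m" group) other=$(db_access "$m" other)"
}

# The three modes discussed in the thread.
for m in 770 750 755; do
    echo "$m: group=$(db_access "$m" group) other=$(db_access "$m" other)"
done
```

Running `audit_db_dir /usr/share/clamav` on the real directory shows at a glance whether a user outside the clamav group can scan at all.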