https://bugzilla.redhat.com/show_bug.cgi?id=1028653

Bug ID: 1028653
Summary: Freshclam cannot notify clamd of database updates due to permission denied
Product: Fedora
Version: 19
Component: amavisd-new
Severity: low
Assignee: steve@xxxxxxxxx
Reporter: rocketraman@xxxxxxxxx
QA Contact: extras-qa@xxxxxxxxxxxxxxxxx
CC: enrico.scholz@xxxxxxxxxxxxxxxxxxxxxxxxx, kanarip@xxxxxxxxxxx, perl-devel@xxxxxxxxxxxxxxxxxxxxxxx, redhat-bugzilla@xxxxxxxxxxxx, steve@xxxxxxxxx

The problem initially reported in Bug #548234 is happening again. Here are the permissions on /var/spool/amavisd with a default installation of amavisd-new:

# ls -ld /var/spool/amavisd
drwx--x---. 8 amavis amavis 4096 May 10 13:27 /var/spool/amavisd

# rpm -q --info amavisd-new
Name    : amavisd-new
Version : 2.8.0
Release : 5.fc19

The permissions and group ownership for /var/spool/amavisd should be:

# ls -ld /var/spool/amavisd
drwxrwx---. 8 amavis clamupdate 4096 May 10 13:27 /var/spool/amavisd
    ^^^              ^^^^^^^^^^

+++ This bug was initially created as a clone of Bug #548234 +++

clamav-update (freshclam) is unable to notify clamav of updates to the database via local socket. This is on a fresh newly installed Fedora 12 system (not an upgrade).

The following package versions are installed:

clamav-0.95.2-5.fc12.i686
clamav-lib-0.95.2-5.fc12.i686
clamav-server-0.95.2-5.fc12.i686
clamav-filesystem-0.95.2-5.fc12.noarch
clamav-update-0.95.2-5.fc12.i686
clamav-data-0.95.2-5.fc12.noarch
amavisd-new-2.6.4-1.fc12.noarch

How reproducible: Every time.

Steps to Reproduce:
1. Delete /var/lib/clamav/daily.cld
2. Run freshclam

Actual results:

Freshclam gets the following error:

WARNING: Clamd was NOT notified: Can't connect to clamd through /var/spool/amavisd/clamd.sock
connect(): Permission denied

Expected results:

Notify works correctly.

Additional info:

I have configured /etc/freshclam.conf with AllowSupplementaryGroups yes and also added the clamupdate user to the amavis group:

# grep -E "(amavis|clamupdate)" /etc/passwd
clamupdate:x:490:471:Clamav database update user:/var/lib/clamav:/sbin/nologin
amavis:x:489:470::/var/spool/amavisd:/sbin/nologin
# grep -E "(amavis|clamupdate)" /etc/group
clamupdate:x:471:
amavis:x:470:clamupdate

I can also confirm that freshclam is using the clamupdate user and is loading the supplementary amavis group via strace, where I can see this information near the top of the trace:

setgroups32(2, [471, 470]) = 0
setgid32(471) = 0
setuid32(490) = 0

However, freshclam still fails. This is the access failure from the strace:

connect(5, {sa_family=AF_FILE, path="/var/spool/amavisd/clamd.sock"}, 110) = -1 EACCES (Permission denied)

Permissions on the clamd.sock file are as follows:

# ls -l /var/spool/amavisd/clamd.sock
srwxrwxrwx 1 amavis amavis 0 2009-12-16 19:04 /var/spool/amavisd/clamd.sock
# stat /var/spool/amavisd/clamd.sock
  File: `/var/spool/amavisd/clamd.sock'
  Size: 0 Blocks: 0 IO Block: 4096 socket
Device: fd01h/64769d Inode: 5243668 Links: 1
Access: (0777/srwxrwxrwx) Uid: ( 489/ amavis) Gid: ( 470/ amavis)
Access: 2009-12-16 19:07:10.706297129 -0500
Modify: 2009-12-16 19:04:36.167296751 -0500
Change: 2009-12-16 19:04:36.167296751 -0500

--- Additional comment from Enrico Scholz on 2009-12-17 03:38:52 EST ---

What are the permissions for the /var/spool/amavisd directory? Are there SELinux avcs?

--- Additional comment from Raman Gupta on 2009-12-17 12:04:13 EST ---

Yup, /var/spool/amavisd directory permissions are set to 700 -- sorry I should have noticed that. Changing them to 770 works.

Should changing these directory perms be permanently applied to the amavisd-new package? The user/group is amavis and the amavis group has no other users in it by default, so changing the perms to 770 is effectively the same access level by default.
However, changing the perm to 770 in the package would allow clamav notifications to work as expected out of the box (with the appropriate config and supplementary group entries of course, but a user expects to make those) [1]. It would also prevent people's notifications from breaking every time there is an update to the amavisd-new package, and the directory permissions are reset.

If you think this is a good idea, could you change the component to amavisd-new and mark this as an "enhancement"?

[1] Note I don't have selinux enabled so perhaps there might be a package change to selinux perms as well.

--- Additional comment from Enrico Scholz on 2010-01-17 05:06:24 EST ---

reassigned to amavisd-new

--- Additional comment from Bug Zapper on 2010-11-03 23:09:21 EDT ---

This message is a reminder that Fedora 12 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 12. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '12'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 12's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 12 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

The process we are following is described here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

--- Additional comment from Raman Gupta on 2010-12-01 23:21:45 EST ---

This is still a problem on Fedora 14 (freshly installed system). A workaround is to use the yum-plugin-post-transaction-actions plugin to change the permissions of /var/spool/amavisd after every update to the amavisd package. However, that really shouldn't be necessary.

--- Additional comment from Fedora Update System on 2011-09-18 22:39:47 EDT ---

amavisd-new-2.6.6-1.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/amavisd-new-2.6.6-1.fc15

--- Additional comment from Fedora Update System on 2011-09-18 22:40:31 EDT ---

amavisd-new-2.6.6-1.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/amavisd-new-2.6.6-1.fc16

--- Additional comment from Fedora Update System on 2011-09-19 14:31:17 EDT ---

Package amavisd-new-2.6.6-1.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.

Update it with:
# su -c 'yum update --enablerepo=updates-testing amavisd-new-2.6.6-1.fc16'
as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/amavisd-new-2.6.6-1.fc16
then log in and leave karma (feedback).

--- Additional comment from Fedora Update System on 2011-10-02 14:14:46 EDT ---

amavisd-new-2.6.6-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.

--- Additional comment from Fedora Update System on 2011-10-02 19:06:03 EDT ---

amavisd-new-2.6.6-1.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
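
Added example, not part of the original bug thread and not code from amavisd-new or ClamAV: a small checker that walks a socket path the way connect(2) does and reports the first component whose mode bits deny the caller, which is the diagnosis reached in the 2009-12-17 comments (socket 0777, parent directory 0700). The uid/gid numbers and the amavisd and socket modes are taken from the report; the root-owned 0755 parent directories and the helper names are assumptions.

```python
import os
import stat
from collections import namedtuple

St = namedtuple("St", "st_mode st_uid st_gid")  # the stat fields this check needs


def class_bits(st, uid, gids):
    """Return the rwx bits that apply to the caller: owner, else group, else other."""
    if uid == st.st_uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7


def first_denied(sock_path, uid, gids, stat_fn=os.stat):
    """Return (path, reason) for the first component that blocks a connect(),
    or None. Only classic mode bits are evaluated: ACLs, SELinux and the
    root override are out of scope."""
    dirs = ["/"]
    for name in [p for p in sock_path.split("/") if p][:-1]:
        dirs.append(os.path.join(dirs[-1], name))
    for d in dirs:
        # Every directory on the path needs the search (x) bit.
        if not class_bits(stat_fn(d), uid, gids) & 1:
            return d, "no search (x) permission on directory"
    st = stat_fn(sock_path)
    if not stat.S_ISSOCK(st.st_mode):
        return sock_path, "not a socket"
    # On Linux, connecting to a pathname socket needs write permission on it.
    if not class_bits(st, uid, gids) & 2:
        return sock_path, "no write permission on socket"
    return None


def sample_tree(spool_mode):
    """Constructed sample tree; returns a stat_fn for first_denied()."""
    tree = {p: St(stat.S_IFDIR | 0o755, 0, 0) for p in ("/", "/var", "/var/spool")}
    tree["/var/spool/amavisd"] = St(stat.S_IFDIR | spool_mode, 489, 470)
    tree["/var/spool/amavisd/clamd.sock"] = St(stat.S_IFSOCK | 0o777, 489, 470)
    return tree.__getitem__


if __name__ == "__main__":
    sock = "/var/spool/amavisd/clamd.sock"
    for mode in (0o700, 0o770):
        # clamupdate: uid 490, groups 471 (clamupdate) and 470 (amavis)
        print(oct(mode), first_denied(sock, 490, [471, 470], sample_tree(mode)))
```

Called without a `stat_fn`, `first_denied` uses `os.stat` and checks the real filesystem for whatever uid and group list you pass in.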