cvs commit: ports/security/clamav-devel [...] pkg-install [...]

Oliver Eikemeier eikemeier at fillmore-labs.com
Tue May 25 03:18:03 PDT 2004


rob at debank.tv wrote:
>>rob at debank.tv wrote:
>>
>>
>>>>Hi,
>>>>
>>>>
>>>>>>>>>On Mon, 24 May 2004 16:02:23 -0700 (PDT)
>>>>>>>>>Pav Lucistnik <pav at FreeBSD.org> said:
>>>>
>>>>[...]
>>>>pav>   - Chmod 770 socket directory
>>>>pav>   - Diff reduction against security/clamav port
>>>>
>>>>pav>   PR:             ports/67125
>>>>pav>   Submitted by:   Rob Evers <rob at debank.tv> (maintainer)
>>>>
>>>>Could you please change the mode of /var/run/clamd to 750?  Without this
>>>>change, sendmail complains about it and doesn't run.
>>>>
>>>>Index: pkg-install
>>>>diff -u pkg-install.orig pkg-install
>>>>--- pkg-install.orig	Tue May 25 15:57:11 2004
>>>>+++ pkg-install	Tue May 25 17:56:03 2004
>>>>@@ -38,7 +38,7 @@
>>>>
>>>>echo "===> Setting permissions..."
>>>>mkdir -p "${CLAMRUN}"
>>>>-chmod 770 "${CLAMRUN}"
>>>>+chmod 750 "${CLAMRUN}"
>>>>chown "${CLAMAVUSER}:${CLAMAVGROUP}" "${CLAMRUN}"
>>>>
>>>>mkdir -p "${CLAMLOG}"
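Review bot: the `chmod 750 "${CLAMRUN}"` line has no comment explaining why the directory must not be group-writable, and it runs unconditionally after `mkdir -p`, so the mode is reset on every install even when the directory already exists with a locally chosen mode. Add a one-line comment stating the reason given in the report (sendmail rejects a group-writable socket directory) and consider applying the mode only when the directory is first created. Mode 750 also leaves no access for "other", so any client that needs the socket must run as ${CLAMAVUSER} or be a member of ${CLAMAVGROUP}; that requirement belongs in the port's install message.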
>>>>
>>>>Sincerely,
>>>>
>>>>--
>>>>Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
>>>>ume at mahoroba.org  ume@{,jp.}FreeBSD.org
>>>>http://www.imasy.org/~ume/
>>>
>>>I can confirm this,
>>>
>>>Sendmail doesn't like group writable socket directories, please apply
>>>this fix. (Bump PORTREVISION)
>>>
>>>Rob Evers
>>
>>I still don't get the purpose of not allowing non-root processes
>>to use clamav. This would break my exim installation, fortunately
>>I'm using security/clamav, where this change hasn't been made.
>>
>>-Oliver
> 
> Isn't there a security risk in allowing every user to read the clamd socket?
> (That's why I made this change.)

None that I would be aware of. Of course local users could run a denial-of-service
attack using clamdscan, but I don't think this is an adequate countermeasure.

What made you think that every user being able to read the clamd
socket is a security risk?

-Oliver

