
Re: issue with volatile clamav and/or freshclam



Hi Stephen,

Thanks for the answers!

On Sun, Jun 22, 2008 at 01:29:31AM +0100, Stephen Gran wrote:
> This one time, at band camp, Jeff Dairiki said:
> > 
> > It seems that su fails if there is no controlling terminal.   This
> > was making it impossible to successfully run, e.g.,
> > 'invoke-rc.d clamav-daemon restart' from a cron script.
> 
> su fails without a controlling terminal?  That's the first I've heard of
> this, and I see it in other maintainer scripts run from cron, so I'm not
> sure that's accurate.  If you have a repeatable test case, can you file
> a bug with steps to reproduce?

Upon further investigation, the root of my problem was that the cron
job was already running as user 'clamav' when it tried to invoke
'invoke-rc.d clamav-daemon restart'.  Now, since we're not root, su
tried to ask for a password (even though we're trying to su to
ourself) --- that's when it failed with a "no controlling terminal"
message.

> > > So, my question is: why the su command is there and is it essential?
> > 
> > I am interested in the answer to this question as well.   It appears that
> > clamd changes its uid all by itself, even when run (as root) without su.
> > Is there some reason that the su is necessary?
> 
> It does, but they've changed the order of startup events several times
> during development, and at some points it would do things like create
> its socket, pidfile or logfile, or read databases in before dropping
> privileges.  I think most of the ordering issues are worked out now,
> but given the security record, I'd prefer to have clamd do nothing as
> root if at all possible.

Aha.   That makes sense, I guess.

Would you be amenable to changing the init script so that it checks
the current user and does the su only if [ "$(whoami)" != "$User" ]?
(Or maybe only if [ "$UID" = "0" ].)

Jeff
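
Added example, not part of the original message and not taken from the Debian clamav init script: a sketch of the check proposed above, extended with a third case so that a caller who is neither root nor the target user gets a clear error instead of a password prompt from su. The helper names start_mode and start_as are hypothetical, and the command is assumed to be passed as a single shell string.

```shell
#!/bin/sh
# Decide how an init script should start a daemon as an unprivileged user.
# start_mode and start_as are hypothetical helper names for this example.

# start_mode CURRENT_UID CURRENT_USER TARGET_USER
# Prints one of: direct | su | refuse
start_mode() {
    cur_uid=$1
    cur_user=$2
    target=$3
    if [ "$cur_user" = "$target" ]; then
        echo direct   # already the service user: su is unnecessary
    elif [ "$cur_uid" -eq 0 ]; then
        echo su       # root: drop privileges before the daemon runs
    else
        echo refuse   # anyone else: su would ask for a password
    fi
}

# start_as TARGET_USER 'COMMAND STRING'
start_as() {
    target=$1
    cmd=$2
    # id(1) is used rather than $UID, which POSIX sh (e.g. dash) does not set.
    case $(start_mode "$(id -u)" "$(id -un)" "$target") in
        direct)
            sh -c "$cmd"
            ;;
        su)
            # The daemon never executes any code as root.
            su -s /bin/sh -c "$cmd" "$target"
            ;;
        refuse)
            echo "must be root or $target to start this service" >&2
            return 1
            ;;
    esac
}
```

With this shape, a cron job already running as the service user starts the daemon directly, while a start from root still goes through su.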

