This one time, at band camp, Jeff Dairiki said: > Hi Stephen, > > Thanks for the answers! > > On Sun, Jun 22, 2008 at 01:29:31AM +0100, Stephen Gran wrote: > > This one time, at band camp, Jeff Dairiki said: > > > > > > It seems that su fails if there is no controlling terminal. This > > > was making it impossible to successfully run, e.g., > > > 'invoke-rc.d clamav-daemon restart' from a cron script. > > > > su fails without a controlling terminal? That's the first I've heard of > > this, and I see it in other maintainer scripts run from cron, so I'm not > > sure that's accurate. If you have a repeatable test case, can you file > > a bug with steps to reproduce? > > Upon further investigation, they root of my problem was that the cron > job was already running as user 'clamav' when it tried to invoke > 'invoke-rc.d clamav-daemon restart'. Now, since we're not root, su > tried to ask for a password (even though we're trying to su to > ourself) --- that's when it failed with a "no controlling terminal" > message. That does make sense. Fair enough. > > > > So, my question is: why the su command is there and is it essential? > > > > > > I am interested in the answer to this question as well. It appears that > > > clamd changes its uid all by itself, even when run (as root) without su. > > > Is there some reason that the su is necessary? > > > > It does, but they've change the order of startup events several times > > during development, and at some points it would do things like create > > it's socket, pidfile or logfile, or read databases in before dropping > > privileges. I think most of the ordering issues are worked out now, > > but given the security record, I'd prefer to have clamd do nothing as > > root if at all possible. > > Aha. That makes sense, I guess. Yeah, I've had problems in the past with clamav creating pidfiles and logfiles that it later couldn't write to and so on. > Would you be amenable to changing the init script so that it checks > the current user and does the su only if [ "$(whoami)" != "$User" ]? > (Or maybe only if [ "$UID" = "0" ].) Hmm, I am hoping to avoid adding complexity to the scripts, if I can help it - they are already fairly baroque in some places :) I'm assuming this invoke-rc.d call happens in a longer script that you don't want running as root? If it's the only thing it does, it would be easier on me if you just changed it to run as root, but if it does a bunch of other things, of course that's harder. -- ----------------------------------------------------------------- | ,''`. Stephen Gran | | : :' : sgran@debian.org | | `. `' Debian user, admin, and developer | | `- http://www.debian.org | -----------------------------------------------------------------
Attachment:
signature.asc
Description: Digital signature