include much needed antivirus products in FC2
Enrico Scholz
enrico.scholz at informatik.tu-chemnitz.de
Wed Jan 7 01:22:56 UTC 2004
steve at silug.org (Steven Pritchard) writes:
>> > Besides, in this case, all you need to do is let clamd run as its
>> > own user, with a writable socket file.
>>
>> Writable for whom? For 'clamd' only would not make sense, world-writable
>> is a huge security risk: user A could gain information about user B by
>> scanning his files.
>
> How? If the (unprivileged) clamd user can read user B's files, then
> user A could just read them with cat. If clamd has any special
> privileges, then it isn't configured properly.
Ok, user A gets mail and want it to be checked. There are two ways for
that:
* mail is at an public place so that clamd can access it -> bad, I do
not want my mails at public places
* mail will be placed at a place accessibly for clamd and A only -> how
can I do this without ACL's? Besiding this, it would be still possibly
for B to gain information about A's mail by invoking clamd to read it.
>
>> DOS attacks are possible also: users should not be
>> able to shutdown system services with a simple 'QUIT' command.
>
> If clamd allows that, it's a bug and should be fixed.
Page 3 in clamdoc.pdf:
| * QUIT
| Perform a clean exit.
> In my amavisd package, I just make the temporary path executable by
> clamd's group, so it can open files when it is given a path BUT THAT'S
> IT. The only problem that arises is if the end-user wants to install
> other virus scanners and do the same thing with them, but that's their
> problem to solve, not mine. :-)
Arises within other situations also. E.g. with spamblockers or webaccess to
the quarantine area. Results in endless, non-auditable bunch of directories
which breaks on minimal modifications.
> I totally disagree. This is no different than random users wanting to
> allow access to something from apache but nothing else...
This requires that ~/public_html is accessible for httpd. In non-ACL
capable systems this means world-access and I would never do this for my
mails.
Enrico
More information about the fedora-devel-list
mailing list