clamd handicraft work (Fedora Core 4)

Lars E. Pettersson lars at homer.se
Sun Aug 14 14:25:18 UTC 2005


On 08/14/2005 03:20 PM, Michael Schwendt wrote:
> The aforementioned thread on fedora-extras-list gives an answer to
> that. In particular, the thread refreshes why a single clamd is considered
> wrong.

In http://bugzilla.fedora.us/show_bug.cgi?id=268#c8 one may read

"There does not exist "the" clamd daemon per system. Every application
(MTA, webproxy, ...) needs an own instance; this has to do with
permissions (daemon must not be run as root but must be able to read
data provided by the application) and security (the MTA-scanner must not
be able to read the temporary files of the squid-scanner)."

I must say that I do not understand this.

In the crash-hat setup a user and group clamav are created, i.e. not
root. The clamd daemon is run under this user. clamdscan is used to
connect to the clamd daemon. clamdscan runs as the user invoking it.
clamdscan connects to the clamd daemon, sends the file to be checked and
gets the result back. As far as I can tell this is the setup explained in
the documentation at the clamav website. I could not find anything
about the need for several instances there.

Questions:
1. Why the need for an instance of clamd for each application? The setup
described above works, no problem with permissions as far as I can tell.
2. How would an MTA-scanner be able to read the temporary files of the
squid-scanner? I cannot see that this is possible.

I may have missed something essential. If so, what?

> A
> single package, which "installs and works out-of-the-box" would be a dead
> end for the other packages which will be added on top of the clamav base
> packages.

Why? They use the clamd daemon via clamdscan like all other users of the
clamd daemon.

As I said, I may have missed something essential; if so, please tell me
what I missed.

Lars
-- 
Lars E. Pettersson <lars at homer.se>
http://www.sm6rpz.se/
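Added example, not from this thread or from ClamAV's own code: a minimal client for clamd's socket protocol showing the two ways a file can reach the daemon, a path-based SCAN, which clamd must be able to open under its own uid (the permission concern behind the per-application argument), and INSTREAM, where the calling process reads the file and streams the bytes so clamd needs no access to the caller's files. The socket path is an assumption, and INSTREAM is a later addition to the protocol than the 2005 release discussed here.

```python
import socket
import struct

CLAMD_SOCKET = "/var/run/clamav/clamd.sock"  # assumed path; varies per distribution


def build_scan_command(path: str) -> bytes:
    # Path-based scan: clamd itself opens the file, so the clamd user
    # (clamav in the setup described) needs read access to that path.
    return b"zSCAN " + path.encode() + b"\x00"


def build_instream_frames(data: bytes, chunk_size: int = 8192) -> bytes:
    # INSTREAM: the client reads the file and streams its bytes, so clamd
    # needs no filesystem access. Each chunk is a 4-byte big-endian length
    # followed by the data; a zero-length chunk terminates the stream.
    frames = [b"zINSTREAM\x00"]
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        frames.append(struct.pack(">I", len(chunk)) + chunk)
    frames.append(struct.pack(">I", 0))
    return b"".join(frames)


def parse_reply(raw: bytes):
    # Replies look like "<target>: OK", "<target>: <signature> FOUND" or
    # "<target>: <message> ERROR" (the latter is what a path scan returns
    # when clamd cannot read another application's temporary file).
    text = raw.rstrip(b"\x00\n").decode("utf-8", "replace")
    target, sep, verdict = text.partition(": ")
    if not sep:
        raise ValueError(f"unexpected clamd reply: {text!r}")
    if verdict == "OK":
        return target, None
    if verdict.endswith(" FOUND"):
        return target, verdict[:-len(" FOUND")]
    if verdict.endswith(" ERROR"):
        raise RuntimeError(f"clamd could not scan {target}: {verdict}")
    raise ValueError(f"unexpected clamd verdict: {verdict!r}")


def scan_bytes(data: bytes, socket_path: str = CLAMD_SOCKET):
    # Stream bytes already read by the calling process to a running clamd.
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(socket_path)
        sock.sendall(build_instream_frames(data))
        reply = b""
        while not reply.endswith(b"\x00"):
            part = sock.recv(4096)
            if not part:
                break
            reply += part
    return parse_reply(reply)
```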
More information about the fedora-list mailing list