Bug 1464269 - PrivateTmp = true breaks all ScanOnAccess features
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: clamav
Version: 27
Hardware: Unspecified
OS: Unspecified
Assignee: Sergio Basto
QA Contact: Fedora Extras Quality Assurance
Blocks: 1464270
 
Reported: 2017-06-22 20:57 UTC by James Ralston
Modified: 2019-02-28 20:25 UTC (History)

Fixed In Version: clamav-0.99.2-18.fc27
Last Closed: 2018-01-25 07:14:58 UTC
Type: Bug



Description James Ralston 2017-06-22 20:57:53 UTC
"PrivateTmp = true" was added to the clamd@.service unit file per request of Dan Walsh in bug 782488.

Since version 0.99, Clam AntiVirus has been able to use fanotify() in order to provide on-access scanning:

http://blog.clamav.net/2016/03/configuring-on-access-scanning-in-clamav.html

Unfortunately, using "PrivateTmp = true" silently breaks all on-access scanning features. Not only does on-access scanning for /tmp and /var/tmp not work (because the clamd service is not looking at the real /tmp and /var/tmp directories), but all other uses of OnAccessIncludePath and OnAccessMountPath silently fail as well.

This is trivial to test. As root:

$ cat >/etc/clamd.d/root.conf <<EOF
ExtendedDetectionInfo yes
LocalSocket /var/run/clamd.sock
ScanOnAccess yes
OnAccessExcludeUID 0
OnAccessExtraScanning yes
OnAccessMountPath /home
OnAccessMountPath /tmp
OnAccessMountPath /var/tmp
EOF

$ systemctl start clamd@root

As a regular user, cd to your home directory, and do:

$ cat >/home/testuser/eicar.com <<'EOF'
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
EOF

Result: the clamd daemon will not receive a fanotify event, and therefore will not detect the creation of the test virus file.

Now turn off the PrivateTmp feature. As root:

$ cat >/etc/systemd/system/clamd@.service <<EOF
.include /usr/lib/systemd/system/clamd@.service

[Service]
PrivateTmp = false
EOF

$ systemctl daemon-reload
$ systemctl restart clamd@root

As the regular user, cat the eicar.com test file:

$ cat eicar.com
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Now, the clam daemon will receive the fanotify event, and emit something like this:

2017-06-22T16:41:41.758517-04:00 host.example.org clamd: ScanOnAccess: /home/testuser/eicar.com: Eicar-Test-Signature(69630e4574ec6798239b091cda43dca0:69) FOUND

While in general, "PrivateTmp = true" is a good idea, it *MUST NOT* be used with clamav, because a service with PrivateTmp = true will never receive any fanotify() events, which breaks clamav core functionality.

Please remove the "PrivateTmp = true" line from the clamd@.service file.
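
A static check for the misconfiguration described in this report, as an added example that is not part of the original report or of the Fedora or ClamAV packaging: it reports a finding when the clamd configuration enables ScanOnAccess while the unit's effective PrivateTmp is on. The function names and sample file contents are constructed, and the caller is assumed to pass the unit files in the order systemd loads them (packaged unit first, overrides after).

```shell
#!/bin/sh
# Added example (not Fedora's or ClamAV's code); sample files are constructed.

# Print the effective PrivateTmp ("yes"/"no") from unit files given in load
# order (packaged unit first, overrides after). The last assignment wins.
effective_private_tmp() {
    awk '
        FNR == 1 { in_service = 0 }
        /^[ \t]*\[/ { in_service = ($0 ~ /^[ \t]*\[Service\]/); next }
        in_service && /^[ \t]*PrivateTmp[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            val = tolower(val)
            # Anything that is not an explicit "off" is treated as enabled.
            off = (val == "" || val == "0" || val == "no" || val == "false" || val == "off")
            state = off ? "no" : "yes"
        }
        END { print (state == "" ? "no" : state) }
    ' "$@"
}

# Exit 0 if the clamd config file enables ScanOnAccess.
scan_on_access_enabled() {
    awk 'BEGIN { rc = 1 }
         $1 == "ScanOnAccess" { rc = (tolower($2) ~ /^(yes|true|1)$/) ? 0 : 1 }
         END { exit rc }' "$1"
}

# Usage: check_onaccess_conflict CLAMD_CONF UNIT_FILE [OVERRIDE...]
# Exit 0 (finding) when on-access scanning is configured under PrivateTmp.
check_onaccess_conflict() {
    conf=$1; shift
    scan_on_access_enabled "$conf" && [ "$(effective_private_tmp "$@")" = yes ]
}

# Constructed inputs modelled on the report: packaged unit, override, config.
write_samples() {
    printf '[Unit]\nDescription=clamd\n\n[Service]\nPrivateTmp = true\n' >"$1/clamd@.service"
    printf '[Service]\nPrivateTmp = false\n' >"$1/override.conf"
    printf 'ScanOnAccess yes\nOnAccessMountPath /home\n' >"$1/root.conf"
}

d=$(mktemp -d) && write_samples "$d"
check_onaccess_conflict "$d/root.conf" "$d/clamd@.service" \
    && echo "FINDING: ScanOnAccess enabled while the unit runs with PrivateTmp"
check_onaccess_conflict "$d/root.conf" "$d/clamd@.service" "$d/override.conf" \
    || echo "OK: override disables PrivateTmp"
```

On a live host, `systemctl show -p PrivateTmp clamd@root` reports the value systemd actually applied to the running unit.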

Comment 1 Fedora Admin XMLRPC Client 2017-07-13 02:21:03 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 2 Fedora Admin XMLRPC Client 2017-07-17 12:48:05 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 3 Jan Kurik 2017-08-15 08:22:50 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle.
Changing version to '27'.

Comment 4 Sergio Basto 2018-01-08 02:01:12 UTC
*** Bug 1464270 has been marked as a duplicate of this bug. ***

Comment 5 Fedora Update System 2018-01-09 02:22:15 UTC
clamav-0.99.2-15.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-546d6f3abc

Comment 6 Fedora Update System 2018-01-09 17:43:57 UTC
clamav-0.99.2-15.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-546d6f3abc

Comment 7 Fedora Update System 2018-01-10 00:13:52 UTC
clamav-0.99.2-16.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-546d6f3abc

Comment 8 Fedora Update System 2018-01-10 16:12:43 UTC
clamav-0.99.2-16.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-546d6f3abc

Comment 9 Fedora Update System 2018-01-12 02:52:17 UTC
clamav-0.99.2-17.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-e5e5ec6ca2

Comment 10 Fedora Update System 2018-01-12 03:07:56 UTC
clamav-0.99.2-17.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-1713497ca1

Comment 11 Fedora Update System 2018-01-12 15:14:32 UTC
clamav-0.99.2-17.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-1713497ca1

Comment 12 Fedora Update System 2018-01-12 15:51:50 UTC
clamav-0.99.2-17.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-e5e5ec6ca2

Comment 13 Fedora Update System 2018-01-17 21:37:21 UTC
clamav-0.99.2-18.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-2a1f469c85

Comment 14 Fedora Update System 2018-01-17 21:40:28 UTC
clamav-0.99.2-18.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-11ba3bced1

Comment 15 Fedora Update System 2018-01-18 00:32:20 UTC
clamav-0.99.2-18.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-11ba3bced1

Comment 16 Fedora Update System 2018-01-18 02:12:17 UTC
clamav-0.99.2-18.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-2a1f469c85

Comment 17 Fedora Update System 2018-01-25 07:14:58 UTC
clamav-0.99.2-18.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 18 Mickey Sola 2019-02-28 16:16:22 UTC
Sorry to resurrect an old ticket, but we have a handful of users over on the Clam project who are reporting problems related to this issue, ala: https://bugzilla.clamav.net/show_bug.cgi?id=12272

Did what I could on my end, but promised them I'd bump this up your queue to look at again.

Cheers,
Mickey Sola

Comment 19 Sergio Basto 2019-02-28 20:25:02 UTC
> While in general, "PrivateTmp = true" is a good idea, it *MUST NOT* be used
> with clamav, because a service with PrivateTmp = true will never receive any
> fanotify() events, which breaks clamav core functionality.
> 
> Please remove the "PrivateTmp = true" line from the clamd@.service file.

I did this (removed PrivateTmp = true)

and I can't read https://bugzilla.clamav.net/show_bug.cgi?id=12272 (You are not authorized to access bug #12272.) user sergio.at.serjux.com

What is your issue?

Thanks,

