Bug 2023371 - clamav updates for permission change to clamupdate, configured to be clamav user
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: clamav
Version: 37
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Sergio Basto
QA Contact: Fedora Extras Quality Assurance
Reported: 2021-11-15 14:58 UTC by RobbieTheK
Modified: 2022-11-15 02:49 UTC (History)

Fixed In Version: clamav-0.103.7-4.el9
Last Closed: 2022-11-15 02:49:09 UTC
Type: Bug

Description RobbieTheK 2021-11-15 14:58:19 UTC
Whenever ClamAV is upgraded by dnf, the permissions for the /var/lib/clamav directory and 3 .cvd files change to user: clamupdate

ls -dl /var/lib/clamav
drwxr-xr-x 4 clamupdate clamupdate 8192 Nov 15 04:45 /var/lib/clamav

And these files:

-rw-r--r-- 1 clamupdate clamupdate    293670 Apr  8  2021 bytecode.cvd
-rw-r--r-- 1 clamupdate clamupdate  56396696 Nov  6 23:30 daily.cvd
-rw-r--r-- 1 clamupdate clamupdate 170479789 Sep 22 10:01 main.cvd


In /etc/clamd.d/clamd.conf the User is set to "User clamav"

There is an archive of a discussion on the ClamAV mailing list at https://www.mail-archive.com/clamav-users@lists.clamav.net/msg50757.html which has even more details. Here's a clamconf:
clamconf -n
Checking configuration files in /etc

Config file: clamd.d/scan.conf
------------------------------
LogFile = "/var/log/clamd.log"
TCPSocket = "3310"
TCPAddr = "127.0.0.1"
User = "clamav"
PhishingScanURLs disabled
HeuristicScanPrecedence = "yes"
AlertBrokenExecutables = "yes"
AlertBrokenMedia = "yes"
AlertEncrypted = "yes"
AlertEncryptedArchive = "yes"
AlertEncryptedDoc = "yes"
AlertOLE2Macros = "yes"
AlertPhishingSSLMismatch = "yes"
AlertPartitionIntersection = "yes"
MaxScanTime = "350000"
MaxScanSize = "157286400"
MaxFileSize = "31457280"

Config file: freshclam.conf
---------------------------
LogFileMaxSize = "262144000"
LogRotate = "yes"
UpdateLogFile = "/var/log/freshclam.log"
DatabaseOwner = "clamav"
DatabaseMirror = "database.clamav.net"
ConnectTimeout = "60"
ReceiveTimeout = "60"

Config file: mail/clamav-milter.conf
------------------------------------
LogFile = "/var/log/clamav-milter.log"
LogTime = "yes"
LogVerbose = "yes"
User = "clamilt"
ClamdSocket = "tcp:127.0.0.1:3310"
MilterSocket = "inet:6666"
AddHeader = "Add"
Whitelist = "/etc/mail/clamav-milter-whitelist.conf"

Software settings
-----------------
Version: 0.103.4
Optional features supported: MEMPOOL IPv6 AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 ICONV JSON

Database information
--------------------
Database directory: /var/lib/clamav
[3rd Party] badmacro.ndb: 621 sigs
[3rd Party] shelter.ldb: 49 sigs
[3rd Party] CVE-2013-0074.yar: 22 sigs
[3rd Party] foxhole_js.cdb: 48 sigs
[3rd Party] rfxn.yara: 11527 sigs
[3rd Party] urlhaus.ndb: 5445 sigs
bytecode.cvd: version 333, sigs: 92, built on Mon Mar  8 10:21:51 2021
[3rd Party] malware.expert.ndb: 1 sig
[3rd Party] sanesecurity.ftm: 170 sigs
[3rd Party] CVE-2013-0422.yar: 25 sigs
[3rd Party] sigwhitelist.ign2: 12 sigs
[3rd Party] junk.ndb: 55801 sigs
[3rd Party] jurlbl.ndb: 2193 sigs
[3rd Party] phish.ndb: 28055 sigs
[3rd Party] rogue.hdb: 487 sigs
[3rd Party] scam.ndb: 12750 sigs
[3rd Party] spamimg.hdb: 200 sigs
[3rd Party] CVE-2015-1701.yar: 30 sigs
[3rd Party] spamattach.hdb: 14 sigs
[3rd Party] blurl.ndb: 926 sigs
[3rd Party] CVE-2015-2426.yar: 49 sigs
[3rd Party] malwarehash.hsb: 771 sigs
[3rd Party] CVE-2015-2545.yar: 76 sigs
[3rd Party] foxhole_generic.cdb: 212 sigs
[3rd Party] CVE-2015-5119.yar: 22 sigs
[3rd Party] foxhole_filename.cdb: 2612 sigs
[3rd Party] CVE-2016-5195.yar: 40 sigs
[3rd Party] winnow_malware.hdb: 293 sigs
[3rd Party] winnow_extended_malware_links.ndb: 1 sig
[3rd Party] winnow_malware_links.ndb: 133 sigs
[3rd Party] MiscreantPunch099-Low.ldb: 1199 sigs
[3rd Party] winnow_extended_malware.hdb: 245 sigs
[3rd Party] safebrowsing.gdb: 49126 sigs
[3rd Party] winnow.attachments.hdb: 182 sigs
[3rd Party] CVE-2017-11882.yar: 66 sigs
[3rd Party] winnow_bad_cw.hdb: 1 sig
[3rd Party] EK_BleedingLife.yar: 112 sigs
[3rd Party] bofhland_cracked_URL.ndb: 40 sigs
[3rd Party] WShell_ASPXSpy.yar: 21 sigs
[3rd Party] bofhland_malware_URL.ndb: 4 sigs
[3rd Party] WShell_Drupalgeddon2_icos.yar: 26 sigs
[3rd Party] bofhland_phishing_URL.ndb: 72 sigs
[3rd Party] CVE-2010-0805.yar: 19 sigs
[3rd Party] bofhland_malware_attach.hdb: 1836 sigs
[3rd Party] CVE-2018-20250.yar: 22 sigs
[3rd Party] hackingteam.hsb: 435 sigs
[3rd Party] CVE-2018-4878.yar: 39 sigs
[3rd Party] porcupine.ndb: 6474 sigs
[3rd Party] bank_rule.yar: 11 sigs
[3rd Party] phishtank.ndb: 12284 sigs
[3rd Party] EMAIL_Cryptowall.yar: 52 sigs
[3rd Party] porcupine.hsb: 134 sigs
[3rd Party] scam.yar: 35 sigs
[3rd Party] securiteinfo.ign2: 108 sigs
[3rd Party] JJencode.yar: 19 sigs
[3rd Party] securiteinfo.hdb: 144488 sigs
[3rd Party] interserver256.hdb: 3626 sigs
[3rd Party] securiteinfoold.hdb: 3567750 sigs
[3rd Party] interservertopline.db: 161 sigs
[3rd Party] javascript.ndb: 43708 sigs
main.cld: version 62, sigs: 6647427, built on Thu Sep 16 08:32:42 2021
[3rd Party] securiteinfohtml.hdb: 56190 sigs
[3rd Party] CVE-2010-0887.yar: 22 sigs
[3rd Party] securiteinfoascii.hdb: 99373 sigs
daily.cld: version 26353, sigs: 1945034, built on Sun Nov 14 04:19:38 2021
[3rd Party] securiteinfopdf.hdb: 3408 sigs
[3rd Party] CVE-2010-1297.yar: 20 sigs
[3rd Party] securiteinfoandroid.hdb: 84401 sigs
[3rd Party] rfxn.ndb: 2039 sigs
[3rd Party] rfxn.hdb: 12932 sigs
[3rd Party] malware.expert.hdb: 1 sig
[3rd Party] malware.expert.ldb: 1 sig
[3rd Party] foxhole_js.ndb: 4 sigs
[3rd Party] CVE-2012-0158.yar: 27 sigs
[3rd Party] winnow_spam_complete.ndb: 26 sigs
[3rd Party] whitelist.fp: 3081 sigs
[3rd Party] winnow.complex.patterns.ldb: 3 sigs
[3rd Party] Sanesecurity_spam.yara: 46 sigs
[3rd Party] jurlbla.ndb: 1280 sigs
[3rd Party] lott.ndb: 2335 sigs
[3rd Party] spam.ldb: 2 sigs
[3rd Party] spear.ndb: 1 sig
[3rd Party] spearl.ndb: 1 sig
[3rd Party] malware.expert.fp: 1 sig
[3rd Party] scamnailer.ndb: 1 sig
main.cvd: version 62, sigs: 6647427, built on Thu Sep 16 08:32:42 2021
[3rd Party] winnow_phish_complete_url.ndb: 54 sigs
[3rd Party] malwarepatrol.db: 9180 sigs
[3rd Party] Sanesecurity_sigtest.yara: 54 sigs
daily.cvd: version 26345, sigs: 1941849, built on Sat Nov  6 04:23:03 2021
[3rd Party] email_Ukraine_BE_powerattack.yar: 33 sigs
[3rd Party] Email_fake_it_maintenance_bulletin.yar: 29 sigs
[3rd Party] Email_quota_limit_warning.yar: 31 sigs
Total number of signatures: 21411285

Platform information
--------------------
uname: Linux 5.14.16-201.fc34.x86_64 #1 SMP Wed Nov 3 13:57:29 UTC 2021 x86_64
OS: linux-gnu, ARCH: x86_64, CPU: x86_64
zlib version: 1.2.11 (1.2.11), compile flags: a9
platform id: 0x0a217d7d08000000020b0201

Build information
-----------------
GNU C: 11.2.1 20210728 (Red Hat 11.2.1-1) (11.2.1)
CPPFLAGS: -I/usr/include/libprelude
CFLAGS: -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1  -m64  -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection  -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
CXXFLAGS: -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1  -m64  -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection
LDFLAGS: -Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld  -lprelude
Configure: '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--localstatedir=/var' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--enable-milter' '--disable-clamav' '--disable-static' '--disable-zlib-vcheck' '--disable-unrar' '--enable-id-check' '--enable-dns' '--with-dbdir=/var/lib/clamav' '--with-group=clamupdate' '--with-user=clamupdate' '--disable-rpath' '--disable-silent-rules' '--enable-clamdtop' '--enable-prelude' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CXX=g++' 'CXXFLAGS=-O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1  -m64  -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection' 'LDFLAGS=-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld' 'CC=gcc' 'CFLAGS=-O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1  -m64  -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection' 'LT_SYS_LIBRARY_PATH=/usr/lib64:' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
sizeof(void*) = 8
Engine flevel: 125, dconf: 125


Perhaps the LDFLAGS of -with-dbdir=/var/lib/clamav' '--with-group=clamupdate' '--with-user=clamupdate' are a clue? This doesn't happen on our other Fedora server that is running and upgrading ClamAV just fine. How can we configure this to not change the user?

Comment 1 Sergio Basto 2021-11-15 22:11:40 UTC
yes the permissions for /var/lib/clamav is clamupdate [1] 
maybe you don't need clamav-data [2] , if you have clamav-update installed 

[1] 
dnf remove clamav-data 

[1] 
%attr(-,%{updateuser},%{updateuser}) %dir %{homedir}

Comment 2 RobbieTheK 2021-11-15 22:18:12 UTC
(In reply to Sergio Basto from comment #1)
> yes the permissions for /var/lib/clamav is clamupdate [1] 
> maybe you don't need clamav-data [2] , if you have clamav-update installed 

Yes I do have it installed.

> [1] 
> dnf remove clamav-data 

OK I ran this but I won't know it works until the next version is updated.

FWIW I also had this on a server that doesn't have this issue.

> [1] 
> %attr(-,%{updateuser},%{updateuser}) %dir %{homedir}

Is this informational to me?

Comment 3 Sergio Basto 2021-11-15 22:44:17 UTC
(In reply to RobbieTheK from comment #2)
> (In reply to Sergio Basto from comment #1)
> > yes the permissions for /var/lib/clamav is clamupdate [1] 
> > maybe you don't need clamav-data [2] , if you have clamav-update installed 
> 
> Yes I do have it installed.
> 
> > [1] 
> > dnf remove clamav-data 
> 
> OK I ran this but I won't know it works until the next version is updated.
> 
> FWIW I also had this on a server that doesn't have this issue.


the other Fedora server is running the same versions ? if yes doesn't make much sense 

can you send `grep -v ^\# /etc/freshclam.conf | grep  .` of both servers 



> 
> > [1] 
> > %attr(-,%{updateuser},%{updateuser}) %dir %{homedir}
> 
> Is this informational to me?

sorry , it means that package set permissions clamupdate:clamupdate to dir /var/lib/clamav

Comment 4 RobbieTheK 2021-11-16 01:45:00 UTC
(In reply to Sergio Basto from comment #3)
> (In reply to RobbieTheK from comment #2)
> > (In reply to Sergio Basto from comment #1)
> > > yes the permissions for /var/lib/clamav is clamupdate [1] 
> > > maybe you don't need clamav-data [2] , if you have clamav-update installed 
> > 
> > Yes I do have it installed.
> > 
> > > [1] 
> > > dnf remove clamav-data 
> > 
> > OK I ran this but I won't know it works until the next version is updated.
> > 
> > FWIW I also had this on a server that doesn't have this issue.
> 
> 
> the other Fedora server is running the same versions ? if yes doesn't make
> much sense 
> 
> can you send `grep -v ^\# /etc/freshclam.conf | grep  .` of both servers 

From the not affected server:

DatabaseMirror database.clamav.net
DatabaseCustomURL http://www.securiteinfo.com/get/signatures/6651194e2baf9979742029c715d7dd90c94e25355ca57fdf22c81828f6fe7a3fc01bfbee6c9a20efa1559c52a04cc4aab1cbe6810596bb16afae8518a9400d1/securiteinfo.hdb
DatabaseCustomURL http://www.securiteinfo.com/get/signatures/6651194e2baf9979742029c715d7dd90c94e25355ca57fdf22c81828f6fe7a3fc01bfbee6c9a20efa1559c52a04cc4aab1cbe6810596bb16afae8518a9400d1/securiteinfo.ign2
DatabaseCustomURL http://www.securiteinfo.com/get/signatures/6651194e2baf9979742029c715d7dd90c94e25355ca57fdf22c81828f6fe7a3fc01bfbee6c9a20efa1559c52a04cc4aab1cbe6810596bb16afae8518a9400d1/javascript.ndb
DatabaseCustomURL http://www.securiteinfo.com/get/signatures/6651194e2baf9979742029c715d7dd90c94e25355ca57fdf22c81828f6fe7a3fc01bfbee6c9a20efa1559c52a04cc4aab1cbe6810596bb16afae8518a9400d1/spam_marketing.ndb
DatabaseCustomURL http://www.securiteinfo.com/get/signatures/6651194e2baf9979742029c715d7dd90c94e25355ca57fdf22c81828f6fe7a3fc01bfbee6c9a20efa1559c52a04cc4aab1cbe6810596bb16afae8518a9400d1/securiteinfohtml.hdb
DatabaseCustomURL http://www.securiteinfo.com/get/signatures/6651194e2baf9979742029c715d7dd90c94e25355ca57fdf22c81828f6fe7a3fc01bfbee6c9a20efa1559c52a04cc4aab1cbe6810596bb16afae8518a9400d1/securiteinfoascii.hdb
DatabaseCustomURL http://www.securiteinfo.com/get/signatures/6651194e2baf9979742029c715d7dd90c94e25355ca57fdf22c81828f6fe7a3fc01bfbee6c9a20efa1559c52a04cc4aab1cbe6810596bb16afae8518a9400d1/securiteinfoandroid.hdb
DatabaseCustomURL http://www.securiteinfo.com/get/signatures/6651194e2baf9979742029c715d7dd90c94e25355ca57fdf22c81828f6fe7a3fc01bfbee6c9a20efa1559c52a04cc4aab1cbe6810596bb16afae8518a9400d1/securiteinfoold.hdb
DatabaseCustomURL http://www.securiteinfo.com/get/signatures/6651194e2baf9979742029c715d7dd90c94e25355ca57fdf22c81828f6fe7a3fc01bfbee6c9a20efa1559c52a04cc4aab1cbe6810596bb16afae8518a9400d1/securiteinfopdf.hdb
DatabaseCustomURL https://dsm.dsm.fordham.edu/~kudyba/safebrowsing.gdb
ConnectTimeout 60
ReceiveTimeout 60
SafeBrowsing no


From the affected server:
grep -v ^\# /etc/freshclam.conf | grep  .
DatabaseDirectory /var/lib/clamav
UpdateLogFile /var/log/freshclam.log
LogFileMaxSize 250M
LogRotate yes
DatabaseOwner clamav
DatabaseMirror database.clamav.net
ConnectTimeout 60
ReceiveTimeout 60

Comment 5 RobbieTheK 2021-11-19 18:27:25 UTC
May I suggest a feature that allows admins to choose the username on updates?

Comment 6 Sergio Basto 2021-12-18 03:16:14 UTC
you may copy /usr/lib/systemd/system/clamav-freshclam.service to /etc/systemd/system/  and add  ExecStartPre=+/usr/bin/chown youruser:yourgroup  /var/lib/clamav 
note =+ [1] and updates won't break your configuration ... 

this solution works for you ? 

[1] 
man 5 systemd.service 
(Table 1. Special executable prefixes)
If the executable path is prefixed with "+" then the process is executed with full privileges.
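
The check and override from comment 6, as an added example that is not part of the original thread or of the Fedora package: it compares `DatabaseOwner` in freshclam.conf with the actual owner of the database directory and its .cvd/.cld files, and renders the `ExecStartPre=+` line as a drop-in. The function names, the drop-in file name `owner.conf` and the scratch sample data are assumptions; `stat -c` requires GNU coreutils.

```sh
#!/bin/sh
# Added example (not from the thread): ownership drift check for the ClamAV
# database directory, plus the ExecStartPre=+ override from comment 6.

# Last uncommented value of KEY in a freshclam.conf-style file.
conf_value() {                      # conf_value FILE KEY
    awk -v k="$2" '$1 == k { v = $2 } END { if (v != "") print v }' "$1"
}

# Accept only plain account names; anything else is rejected.
valid_name() {
    case $1 in
        '' | *[!a-z0-9_-]* | [!a-z_]*) return 1 ;;
    esac
    return 0
}

# Print DIR and every *.cvd / *.cld in it whose owner differs from the
# DatabaseOwner set in CONF. Returns 0 when clean, 1 on drift, 2 on error.
db_owner_drift() {                  # db_owner_drift CONF DIR
    local conf="$1" dir="$2" want owner path rc=0
    want=$(conf_value "$conf" DatabaseOwner)
    [ -n "$want" ] || { echo "no DatabaseOwner in $conf" >&2; return 2; }
    [ -d "$dir" ] || { echo "$dir is not a directory" >&2; return 2; }
    for path in "$dir" "$dir"/*.cvd "$dir"/*.cld; do
        [ -e "$path" ] || continue  # glob that matched nothing
        owner=$(stat -c %U "$path")
        if [ "$owner" != "$want" ]; then
            printf '%s owner=%s expected=%s\n' "$path" "$owner" "$want"
            rc=1
        fi
    done
    return "$rc"
}

# Emit the override as a drop-in. The arguments are validated because the "+"
# prefix makes systemd run this command line with full privileges.
# Hypothetical location: /etc/systemd/system/clamav-freshclam.service.d/owner.conf
# followed by `systemctl daemon-reload`.
render_override() {                 # render_override OWNER GROUP DIR
    valid_name "$1" && valid_name "$2" || { echo "bad user or group name" >&2; return 2; }
    case $3 in
        /*) ;;
        *) echo "directory must be absolute" >&2; return 2 ;;
    esac
    case $3 in
        *[!A-Za-z0-9_./-]*) echo "unexpected character in directory" >&2; return 2 ;;
    esac
    printf '[Service]\nExecStartPre=+/usr/bin/chown %s:%s %s\n' "$1" "$2" "$3"
}

# Constructed sample: the reporter's DatabaseOwner setting against a scratch
# directory owned by whoever runs the script, so drift is normally reported.
demo() {
    local tmp
    tmp=$(mktemp -d) || return 1
    printf 'DatabaseDirectory %s\nDatabaseOwner clamav\n' "$tmp/db" > "$tmp/freshclam.conf"
    mkdir "$tmp/db" && : > "$tmp/db/daily.cvd" && : > "$tmp/db/main.cvd"
    db_owner_drift "$tmp/freshclam.conf" "$tmp/db" || echo "drift detected (status $?)"
    render_override clamav clamav /var/lib/clamav
    rm -rf "$tmp"
}
demo
```

As in comment 6, the rendered `chown` has no `-R`, so it resets the directory only; the drift check still lists any .cvd/.cld files whose owner differs.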

Comment 7 RobbieTheK 2021-12-20 17:19:45 UTC
(In reply to Sergio Basto from comment #6)
> you may copy /usr/lib/systemd/system/clamav-freshclam.service to
> /etc/systemd/system/  and add  ExecStartPre=+/usr/bin/chown
> youruser:yourgroup  /var/lib/clamav 
> note =+ [1] and updates won't break your configuration ... 
> 
> this solution works for you ? 
> 
> [1] 
> man 5 systemd.service 
> (Table 1. Special executable prefixes)
> If the executable path is prefixed with "+" then the process is executed
> with full privileges.

Nice suggestion and use of a drop in file. I didn't know about the =+ either. I added this so I won't know if it really works until the next upgrade is installed. Is this something that can be added to documentation or a FAQ?

Comment 8 Sergio Basto 2022-01-25 23:43:38 UTC
(In reply to RobbieTheK from comment #7)
> (In reply to Sergio Basto from comment #6)
> > you may copy /usr/lib/systemd/system/clamav-freshclam.service to
> > /etc/systemd/system/  and add  ExecStartPre=+/usr/bin/chown
> > youruser:yourgroup  /var/lib/clamav 
> > note =+ [1] and updates won't break your configuration ... 
> > 
> > this solution works for you ? 
> > 
> > [1] 
> > man 5 systemd.service 
> > (Table 1. Special executable prefixes)
> > If the executable path is prefixed with "+" then the process is executed
> > with full privileges.
> 
> Nice suggestion and use of a drop in file. I didn't know about the =+
> either. I added this so I won't know if it really works until the next
> upgrade is installed. 

have you tested with the new clamav update ? 

> Is this something that can be added to documentation
> or a FAQ?

We don't have any FAQ , but at documentation in package, yes I will try find some time

Comment 9 RobbieTheK 2022-01-26 04:27:10 UTC
(In reply to Sergio Basto from comment #8)
> (In reply to RobbieTheK from comment #7)
> > (In reply to Sergio Basto from comment #6)
> > > you may copy /usr/lib/systemd/system/clamav-freshclam.service to
> > > /etc/systemd/system/  and add  ExecStartPre=+/usr/bin/chown
> > > youruser:yourgroup  /var/lib/clamav 
> > > note =+ [1] and updates won't break your configuration ... 
> > > 
> > > this solution works for you ? 
> > > 
> > > [1] 
> > > man 5 systemd.service 
> > > (Table 1. Special executable prefixes)
> > > If the executable path is prefixed with "+" then the process is executed
> > > with full privileges.
> > 
> > Nice suggestion and use of a drop in file. I didn't know about the =+
> > either. I added this so I won't know if it really works until the next
> > upgrade is installed. 
> 
> have you tested with the new clamav update ? 

clamav updated on Jan 16 2022, no issues or errors anywhere including /var/lib/clamav so your ExecStartPre=+ solution worked...and I learned something. Perhaps it'll help someone down the line.
 
> > Is this something that can be added to documentation
> > or a FAQ?
> 
> We don't have any FAQ , but at documentation in package, yes I will try find
> some time

Great idea to add it to docs. 

I'm surprised others have not reported this issue but perhaps they just take the default settings on installation.

Comment 10 Ben Cotton 2022-05-12 16:33:26 UTC
This message is a reminder that Fedora Linux 34 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 34 on 2022-06-07.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '34'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, change the 'version' 
to a later Fedora Linux version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora Linux 34 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora Linux, you are encouraged to change the 'version' to a later version
prior to this bug being closed.

Comment 11 Sergio Basto 2022-05-12 19:17:57 UTC
still need add this documentation

Comment 12 Ben Cotton 2022-08-09 13:12:19 UTC
This bug appears to have been reported against 'rawhide' during the Fedora Linux 37 development cycle.
Changing version to 37.

Comment 13 Fedora Update System 2022-11-07 12:17:33 UTC
FEDORA-EPEL-2022-cbdcfc18d6 has been submitted as an update to Fedora EPEL 9. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-cbdcfc18d6

Comment 14 Fedora Update System 2022-11-07 21:42:29 UTC
FEDORA-EPEL-2022-cbdcfc18d6 has been pushed to the Fedora EPEL 9 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-cbdcfc18d6

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 15 Fedora Update System 2022-11-15 02:49:09 UTC
FEDORA-EPEL-2022-cbdcfc18d6 has been pushed to the Fedora EPEL 9 stable repository.
If problem still persists, please make note of it in this bug report.

