Requesting new variable #1

Open
SolomonHD opened this issue Dec 6, 2019 · 6 comments

@SolomonHD

Greetings.

First, this is a great role; I appreciate the effort you've put into it. I've tried three ClamAV roles and this is the best one so far.

I would like to request you add a variable that will let users control the permissions on clamav_daemon_localsocket's directory. I understand what you're trying to do with the 'add users to the virusgroup' functionality, but sometimes it's just easier and simpler to relax perms on the directory itself.

@jeromedrouet
Owner

Hi,
this should work now using clamav_daemon_socket_group variable
see also other variables added in commit

note that this will require creating/fixing the run directory for the clamav daemon according to the value you give (using tmpfiles.d), so this may require restarting the server or launching "systemd-tmpfiles --create" each time you change this value

sorry for the late reply

@jeromedrouet
Owner

let me know if it does not work as expected

@SolomonHD
Author

SolomonHD commented Mar 14, 2020

I think you mean the clamav_daemon_socketdir_mode variable? Yes, it does look like I can use that instead of changing it in a post task. Will test out soon.

@SolomonHD
Author

SolomonHD commented Mar 17, 2020

It's not working; adjusting the clamav_daemon_socketdir_mode variable doesn't do anything. That var is not being used anywhere as far as I can tell.

ETA: I believe that new variable needs to go here:

Mode 0750 is still hard coded.

@jeromedrouet
Owner

jeromedrouet commented Mar 19, 2020

in fact there are plenty of variables and permission layers:
the socket itself has a group and associated mode, using the clamav_daemon_socket_group and clamav_daemon_socket_mode variables
those are used in the scan.conf.j2 template
by default (by packaging) rights are restricted at the socket directory level
you can use the clamav_daemon_socket_group variable (used in templates tmpfiles.d_clamd.scan.conf.j2)

by changing only the latter, clamav_daemon_socket_group, and leaving the other ones at their defaults it should work (allow users in that group the directory traversal needed to reach the world-writable socket), but see my warning above on using tmpfiles.d: you need some more steps to actually "recreate" the directory with your custom group if you do not want to reboot

@jeromedrouet
Owner

sorry, I forgot I've changed the "world-writable" default socket permissions to user and group writable: see variable clamav_daemon_socket_mode: '660', but the comment above still applies
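The two permission layers described in this thread (search permission on the socket directory, write permission on the socket itself) can be checked from mode bits alone. The following is an added example, not code from the role or from either participant; the file name `clamd.sock`, the temporary directory, and the uid/gid values are constructed for the demo, and a regular file stands in for the socket. Only classic mode bits are evaluated (no ACLs, no SELinux, no root bypass).

```python
import os
import stat
import tempfile

def perm_class(st, uid, gids):
    """Pick the permission triplet POSIX applies: owner, else group, else other."""
    if uid == st.st_uid:
        return "owner", (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return "group", (st.st_mode >> 3) & 7
    return "other", st.st_mode & 7

def check_socket_access(sock_path, uid, gids):
    """Return (ok, reason) for a non-root uid whose groups are gids.

    Checks search (x) on the socket directory, then write (w) on the
    socket, which is what connect() on a pathname socket needs on Linux.
    """
    sock_dir = os.path.dirname(os.path.abspath(sock_path))
    d = os.stat(sock_dir)
    cls, bits = perm_class(d, uid, gids)
    if not bits & 1:
        return False, f"directory {stat.filemode(d.st_mode)} denies search to {cls}"
    s = os.stat(sock_path)
    cls, bits = perm_class(s, uid, gids)
    if not bits & 2:
        return False, f"socket {stat.filemode(s.st_mode)} denies write to {cls}"
    return True, f"reachable via {cls} bits on the socket"

def demo():
    """Constructed layout: directory 0750 and socket 0660, the modes named in the thread."""
    with tempfile.TemporaryDirectory() as run_dir:
        sock = os.path.join(run_dir, "clamd.sock")   # hypothetical file name
        open(sock, "w").close()                       # regular file stands in for the socket
        os.chmod(run_dir, 0o750)
        os.chmod(sock, 0o660)
        d, s = os.stat(run_dir), os.stat(sock)
        other_uid = d.st_uid + 1                      # a user who is not the owner
        outsider = {d.st_gid + s.st_gid + 1}          # a group set without the socket group
        in_group = check_socket_access(sock, other_uid, {d.st_gid, s.st_gid})
        no_group = check_socket_access(sock, other_uid, outsider)
        os.chmod(run_dir, 0o755)                      # relax the directory only
        relaxed = check_socket_access(sock, other_uid, outsider)
        return in_group, no_group, relaxed

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The third result shows that opening up the directory alone does not help a user outside the group once the socket mode is 660: the denial simply moves from the directory to the socket.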
