Bug 1464269 - PrivateTmp = true breaks all ScanOnAccess features
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: clamav
Version: 27
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Sergio Basto
QA Contact: Fedora Extras Quality Assurance
Blocks: 1464270
Reported: 2017-06-22 20:57 UTC by James Ralston
Modified: 2019-02-28 20:25 UTC (History)

Fixed In Version: clamav-0.99.2-18.fc27
Last Closed: 2018-01-25 07:14:58 UTC
Type: Bug

Description James Ralston 2017-06-22 20:57:53 UTC
"PrivateTmp = true" was added to the clamd@.service unit file per request of Dan Walsh in bug 782488.

Since version 0.99, Clam AntiVirus has been able to use fanotify() in order to provide on-access scanning:

http://blog.clamav.net/2016/03/configuring-on-access-scanning-in-clamav.html

Unfortunately, using "PrivateTmp = true" silently breaks all on-access scanning features. Not only does on-access scanning for /tmp and /var/tmp not work (because the clamd service is not looking at the real /tmp and /var/tmp directories), but all other uses of OnAccessIncludePath and OnAccessMountPath silently fail as well.

This is trivial to test. As root:

$ cat >/etc/clamd.d/root.conf <<EOF
ExtendedDetectionInfo yes
LocalSocket /var/run/clamd.sock
ScanOnAccess yes
OnAccessExcludeUID 0
OnAccessExtraScanning yes
OnAccessMountPath /home
OnAccessMountPath /tmp
OnAccessMountPath /var/tmp
EOF

$ systemctl start clamd@root

As a regular user, cd to your home directory, and do:

$ cat >/home/testuser/eicar.com <<'EOF'
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
EOF

Result: the clamd daemon will not receive a fanotify event, and therefore will not detect the creation of the test virus file.

Now turn off the PrivateTmp feature. As root:

$ cat >/etc/systemd/system/clamd@.service <<EOF
.include /usr/lib/systemd/system/clamd@.service

[Service]
PrivateTmp = false
EOF

$ systemctl daemon-reload
$ systemctl restart clamd@root

As the regular user, cat the eicar.com test file:

$ cat eicar.com
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Now, the clam daemon will receive the fanotify event, and emit something like this:

2017-06-22T16:41:41.758517-04:00 host.example.org clamd: ScanOnAccess: /home/testuser/eicar.com: Eicar-Test-Signature(69630e4574ec6798239b091cda43dca0:69) FOUND

While in general, "PrivateTmp = true" is a good idea, it *MUST NOT* be used with clamav, because a service with PrivateTmp = true will never receive any fanotify() events, which breaks clamav core functionality.

Please remove the "PrivateTmp = true" line from the clamd@.service file.
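
An added example, not part of the original report or of the clamav package: a configuration check for the conflict described above, flagging a clamd config with ScanOnAccess enabled whose unit still has PrivateTmp turned on. The function names and the sample files are hypothetical and constructed here; the unit files are passed in load order (packaged unit first, overrides after).

```shell
#!/bin/sh
# Added example (not from the bug report): detect the silent conflict between
# clamd on-access scanning and PrivateTmp in the unit that runs it.

# conf_yes FILE KEY: succeed if clamd option KEY is set to yes/true/1.
conf_yes() {
    awk -v key="$2" '
        $1 == key { v = tolower($2) }
        END { exit !(v == "yes" || v == "true" || v == "1") }' "$1"
}

# private_tmp_on FILE...: succeed if the last PrivateTmp= in a [Service]
# section is true. Pass the packaged unit first, then overrides, because
# ".include" lines are not followed here.
private_tmp_on() {
    awk '
        FNR == 1 { svc = 0 }
        /^[ \t]*\[/ { svc = ($0 ~ /^[ \t]*\[Service\]/); next }
        svc && /^[ \t]*PrivateTmp[ \t]*=/ {
            v = $0
            sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            last = tolower(v)
        }
        END { exit !(last == "1" || last == "yes" || last == "true" || last == "on") }' "$@"
}

# audit CLAMD_CONF UNIT...: return 1 when on-access scanning would be blind.
audit() {
    conf=$1; shift
    if conf_yes "$conf" ScanOnAccess && private_tmp_on "$@"; then
        echo "CONFLICT: ScanOnAccess yes in $conf but PrivateTmp is true"
        return 1
    fi
    echo "ok: no ScanOnAccess/PrivateTmp conflict for $conf"
}

# Constructed sample files mirroring the report's reproduction steps.
demo=$(mktemp -d)
printf 'ScanOnAccess yes\nOnAccessMountPath /home\n' >"$demo/root.conf"
printf '[Service]\nPrivateTmp = true\n' >"$demo/packaged.service"
printf '[Service]\nPrivateTmp = false\n' >"$demo/override.service"
audit "$demo/root.conf" "$demo/packaged.service" || :
audit "$demo/root.conf" "$demo/packaged.service" "$demo/override.service"
```

On a live host, `systemctl show -p PrivateTmp clamd@root` reports the effective value after systemd has merged the unit and its overrides.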

Comment 1 Fedora Admin XMLRPC Client 2017-07-13 02:21:03 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 2 Fedora Admin XMLRPC Client 2017-07-17 12:48:05 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 3 Jan Kurik 2017-08-15 08:22:50 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle.
Changing version to '27'.

Comment 4 Sergio Basto 2018-01-08 02:01:12 UTC
*** Bug 1464270 has been marked as a duplicate of this bug. ***

Comment 5 Fedora Update System 2018-01-09 02:22:15 UTC
clamav-0.99.2-15.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-546d6f3abc

Comment 6 Fedora Update System 2018-01-09 17:43:57 UTC
clamav-0.99.2-15.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-546d6f3abc

Comment 7 Fedora Update System 2018-01-10 00:13:52 UTC
clamav-0.99.2-16.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-546d6f3abc

Comment 8 Fedora Update System 2018-01-10 16:12:43 UTC
clamav-0.99.2-16.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-546d6f3abc

Comment 9 Fedora Update System 2018-01-12 02:52:17 UTC
clamav-0.99.2-17.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-e5e5ec6ca2

Comment 10 Fedora Update System 2018-01-12 03:07:56 UTC
clamav-0.99.2-17.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-1713497ca1

Comment 11 Fedora Update System 2018-01-12 15:14:32 UTC
clamav-0.99.2-17.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-1713497ca1

Comment 12 Fedora Update System 2018-01-12 15:51:50 UTC
clamav-0.99.2-17.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-e5e5ec6ca2

Comment 13 Fedora Update System 2018-01-17 21:37:21 UTC
clamav-0.99.2-18.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-2a1f469c85

Comment 14 Fedora Update System 2018-01-17 21:40:28 UTC
clamav-0.99.2-18.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-11ba3bced1

Comment 15 Fedora Update System 2018-01-18 00:32:20 UTC
clamav-0.99.2-18.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-11ba3bced1

Comment 16 Fedora Update System 2018-01-18 02:12:17 UTC
clamav-0.99.2-18.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-2a1f469c85

Comment 17 Fedora Update System 2018-01-25 07:14:58 UTC
clamav-0.99.2-18.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 18 Mickey Sola 2019-02-28 16:16:22 UTC
Sorry to resurrect an old ticket, but we have a handful of users over on the Clam project who are reporting problems related to this issue, ala: https://bugzilla.clamav.net/show_bug.cgi?id=12272

Did what I could on my end, but promised them I'd bump this up your queue to look at again.

Cheers,
Mickey Sola

Comment 19 Sergio Basto 2019-02-28 20:25:02 UTC
> While in general, "PrivateTmp = true" is a good idea, it *MUST NOT* be used
> with clamav, because a service with PrivateTmp = true will never receive any
> fanotify() events, which breaks clamav core functionality.
> 
> Please remove the "PrivateTmp = true" line from the clamd@.service file.

I did this (removed PrivateTmp = true),

and I can't read https://bugzilla.clamav.net/show_bug.cgi?id=12272 (You are not authorized to access bug #12272.) user sergio.at.serjux.com

What is your issue?

Thanks,

