-
Notifications
You must be signed in to change notification settings - Fork 717
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Move PID file out of user-writable directory #1076
Comments
The actual That commit just changed suggested filepaths. The intention had been to make it align with how the clamav docker image was using it, although now that I look I see we're actually using I think a good compromise would be to list both filepath options in the sample config with some explanation as to which you may choose. For the one that requires |
I don't think the docker image needs a PID file at all. Problem solved :) |
TBH I don't know why the pidfiles are enabled for the docker image. But I am hesitant to go remove that. Someone probably found a way to use it. 🤷 |
More generally, the only situation where a PID file is useful is when you have a dumb init system (namely sysvinit) and a daemon that drops privileges and forks. In the docker image there is no init system, you're just launching clamd in the foreground and forgetting about it, so the PID can't really be useful. And everybody else is using systemd or OpenRC who can track the PID themselves; again no PID file is needed in those cases. In the only situation where a PID is actually needed, you want it to live in |
I'm with @orlitzky here - I can't see any real value added by the PID file in docker and it will resolve this issue just to drop it. |
Incidentally, we do have one suggestion on using the pid file, here Cisco-Talos/clamav-docker#45 |
A PID is used there, but not a PID file. The |
Oh silly me. I didn't read close enough. I was in a bit of a scramble and just saw "pid" 🤦. So long as |
revbump 1.3.1 with the following fixes: - add postinst message for 'clamonacc' - fix x32 builds - fix PID paths - drop py310; add py313 Bug: Cisco-Talos/clamav#1076 Bug: https://bugs.gentoo.org/921088 Bug: https://bugs.gentoo.org/916147 Bug: https://bugs.gentoo.org/787233 Closes: https://bugs.gentoo.org/927214 Signed-off-by: Matt Jolly <[email protected]>
Hi Micah, Any update / thoughts on this one? I've started patching our configs downstream but I'd really prefer to avoid maintaining that if we can come up with an acceptable solution for everyone :). |
@micahsnyder ping |
There should be no need for freshclam, clamd, or clamav-milter to create a PID file. There is a very minor security concern that the PID file is located in a user-writable directory in that a naive service manager might kill the wrong process if the PID file has been modified. Granted, these Docker images do not have a service manager which operates in this way. However, I believe there is no harm in removing the PID files so as to eliminate the hypothetical risk if one were to use those PID files. Refs: - Cisco-Talos/clamav#1076 - Cisco-Talos/clamav@5b168b5
@Kangie @orlitzky would this make you feel better? Cisco-Talos/clamav-docker#69 |
Sorry my phrasing wasn't great. I mean, would this change resolve your security concerns about the pid file in the Docker images? |
I don't think either of us necessarily cares what goes on in docker, but it's certainly an improvement to skip the PID file there if it doesn't need one and if it simplifies the reasoning about PID files in general. The problem is that the suggestion,
has some risk of creating a vulnerability if
For the local socket, the sample config suggests
The first one will only work if If you are very smart you can figure this stuff out for yourself but I can see no reason not to suggest |
In ed630ab the PID file was moved to
/run/clamav
. Since/run/clamav
is typically writable by the clamav user (so that he can create the socket after dropping privileges), this reintroduces the vulnerability fixed in 5b168b5.The socket needs to be writable by clamd after it starts, but the PID file doesn't. The PID should go in
/run/clamd.pid
, or better yet,@RUNSTATEDIR@/clamd.pid
.I mentioned this on the mailing list when the release was announced, but I don't want it to get lost.
The text was updated successfully, but these errors were encountered: