James Kosin disse: > > clamd can be run by almost anyone. The application by default changes > the user based on the config file for clamd after starting. This was so > a user could not crash clamav and gain root privilages. (At least I > think that was the reasoning) Yes, the application start whit root permission and then change the user whit a new user based on the config file, this is my setting: [root@sisborgo log]# grep -i user /etc/clamav.conf # Run as selected user (clamd must be started by root). #User clamav User qscand therefore the application run whit permission of user "qscand" and NOT the user "clamav", owner of file clamav.log [root@sisborgo log]# ps -fea|grep clamd qscand 2840 1 0 Sep13 ? 00:00:05 /usr/sbin/clamd [root@sisborgo log]# lsof -u qscand|grep clamd.log clamd 2840 qscand 3w REG 58,3 5413 60860 \ /var/log/clamav/clamd.log [root@sisborgo log]# ls -l /var/log/clamav/clamd.log -rw-r----- 1 clamav clamav 5413 14 set 21:58 /var/log/clamav/clamd.log then: the process "clamd" running with permission of user "qscand" write the clamd.log file with the write permission only for user "clamav". > | Question: How can the process /usr/sbin/clamd write in this file??? > > Look at the configuration file!!! Into configuration files I have found that the process run whit permission of user "qscand" and clamd would not have to be able to write into clamd.log! Probably the file clamd.log is opened when the user is "root", before modifying the user from "root" to "qscand". If I ask to process to re-opening log file (killall -HUP clamd, for log rotation) the file it does not opened. Therefore the lsof tell lies! the clamd.log file is non opened from "qscand" but "root" ... this could be a problem? some suggest? Many thanks, and sorry for my bad english Dario Lesca
