jbenden / mod_clamav

Mod_Clamav for ProFTPd

chmod 0700 directory -> lstat() failed: Permission denied

thk12 opened this issue · comments

commented

Hello there,

Not sure if this is an issue, but I encountered problems when setting a directory to chmod 700:

Mar 31 09:56:37 test1 clamd[2159]: Tue Mar 31 09:56:36 2020 -> ^lstat() failed on: /var/www/htdocs/test/fonts/font1.otf
Mar 31 09:56:37 test1 proftpd[16792]: 192.168.100.65 85.13.159.249[85.13.159.249] - mod_clamav/0.14rc2: Clamd Error: /var/www/htdocs/test/fonts/font1.otf: lstat() failed: Permission denied.
Mar 31 09:56:37 test1 proftpd[16792]: 192.168.100.65 85.13.159.249[85.13.159.249] - notice: error closing '/test/fonts/font1.otf': Operation not permitted

Setting /var/www/htdocs/test/fonts/ to chmod 755 and it works flawlessly.

clamav.conf for proftpd:

ClamAV on
ClamServer 127.0.0.1
ClamPort 3310

System is Ubuntu 18 with ProFTPD Version 1.3.5e and ClamAV 0.102.2/25767/Mon Mar 30 15:08:30 2020

id test

uid=1000(test) gid=1000(test) groups=1000(test)

groups clamav

clamav : clamav adm www-data

greetings, thomas

Hi!

The problem is the whole chain of processing does not have enough permissions; however, this may be desired depending on your situation. Without additional information, I cannot really give a quick fix answer.

However, I am thinking you are trying to have ProFTPd switch to this user's account, within their own home folder (which has chmod 0700 applied). If so, then the information below applies.

a. Test to ensure the above works on ProFTPd, without mod_clamav. Are you able to successfully upload and download files with the account?

b. Next, you probably want to have mod_clamav set to streaming mode. This is because the daemon clamd most certainly does not have access to the user's home directory. By adding ClamStream on, mod_clamav sends the whole file content to clamd for scan.

c. Test the whole combination, and hopefully profit! :)

Best regards,
-Joe

commented

a ClamStream on does the job.

Are there any downsides to this option?

greetings, thomas

The downside is increased network activity, since the files to scan are streamed over to clamd; as opposed to clamd being told a full path to scan.

Best regards,
-Joe

commented

Thanks a lot for the explanation! thomas

commented

Hi Joe,

I have a problem streaming large 50MB+ files to clamd:

Apr 7 14:05:31 test1 proftpd[6186]: 192.168.100.65 (85.13.159.249[85.13.159.249]) - mod_clamav/0.14rc2: Cannot stream file to Clamd socket: 1
Apr 7 14:05:44 test1 clamd[15636]: Tue Apr 7 14:05:43 2020 -> ^INSTREAM: Size limit reached, (requested: 4096, max: 0)
Apr 7 14:05:44 test1 proftpd[6185]: 192.168.100.65 (85.13.159.249[85.13.159.249]) - mod_clamav/0.14rc2: Cannot stream file to Clamd socket: 1
Apr 7 14:06:23 test1 clamd[15636]: Tue Apr 7 14:06:22 2020 -> ^INSTREAM: Size limit reached, (requested: 4096, max: 0)
Apr 7 14:06:23 test1 proftpd[6186]: 192.168.100.65 (85.13.159.249[85.13.159.249]) - mod_clamav/0.14rc2: Cannot stream file to Clamd socket: 1
Apr 7 14:06:42 test1 clamd[15636]: Tue Apr 7 14:06:42 2020 -> ^INSTREAM: Size limit reached, (requested: 4096, max: 0)
Apr 7 14:06:42 test1 proftpd[6185]: 192.168.100.65 (85.13.159.249[85.13.159.249]) - mod_clamav/0.14rc2: Cannot stream file to Clamd socket: 1
Apr 7 14:07:12 test1 clamd[15636]: Tue Apr 7 14:07:11 2020 -> ^INSTREAM: Size limit reached, (requested: 4096, max: 0)

My conf now:

ClamAV on
ClamStream on
ClamServer 127.0.0.1
ClamPort 3310

I can test the case with option ClamMaxSize, but I think it should work without limiting the size?

greetings, thomas

You'll have to read the Clam daemon documentation on increasing the maximum size for streamed content.

However, there's a trade-off and limits are needed by both!
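
The streaming mode and the size limit discussed in this thread, as an added example (not code from the thread or from mod_clamav): it builds the chunk framing of clamd's INSTREAM command and checks a file size against the `StreamMaxLength` setting read from clamd.conf. The sample configuration, the 4096-byte chunk size, the 25M fallback and the function names are assumptions made for illustration.

```python
import io
import re
import struct

# Constructed sample clamd.conf; StreamMaxLength caps the data accepted per INSTREAM scan.
SAMPLE_CLAMD_CONF = """\
# constructed example, not taken from the thread
TCPSocket 3310
TCPAddr 127.0.0.1
#StreamMaxLength 10M
StreamMaxLength 25M
"""

def parse_stream_max_length(conf_text, default=25 * 1024 * 1024):
    """Return StreamMaxLength in bytes; K and M suffixes are multiples of 1024.

    `default` is an assumed fallback; confirm it in clamd.conf(5) for your version.
    """
    for line in conf_text.splitlines():
        m = re.match(r"\s*StreamMaxLength\s+(\d+)([KkMm]?)\s*$", line)
        if m:  # commented-out lines start with '#' and never match
            mult = {"": 1, "k": 1024, "m": 1024 * 1024}[m.group(2).lower()]
            return int(m.group(1)) * mult
    return default

def instream_frames(fileobj, chunk_size=4096):
    """Yield the byte strings a client writes to clamd for one INSTREAM scan."""
    yield b"zINSTREAM\0"  # null-terminated command form
    while True:
        chunk = fileobj.read(chunk_size)
        if not chunk:
            break
        # Each chunk: 4-byte big-endian length, then the data itself.
        yield struct.pack("!I", len(chunk)) + chunk
    yield struct.pack("!I", 0)  # zero-length chunk marks end of stream

def will_fit(size_bytes, conf_text):
    """True if a file of size_bytes stays within clamd's stream limit."""
    return size_bytes <= parse_stream_max_length(conf_text)

if __name__ == "__main__":
    frames = list(instream_frames(io.BytesIO(b"A" * 5000)))
    print(len(frames), "frames;", "50 MB fits:", will_fit(50 * 1024 * 1024, SAMPLE_CLAMD_CONF))
```

A file larger than `StreamMaxLength` is cut off by clamd mid-stream, so the limit in clamd.conf and any `ClamMaxSize` set on the ProFTPd side need to be chosen together.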