Univention Bugzilla – Bug 54070
ClamAV database update not possible, because of wrong permissions on /var/lib/clamav/mirrors.dat
Last modified: 2022-02-02 16:05:13 CET
In UCS 5.0 the file /var/lib/clamav/mirrors.dat is created with 644 / root:root permissions, which results in /var/log/syslog:
----------------------------------------------------------------------------------
Nov 16 09:05:04 m31 freshclam[13864]: Testing database: '/var/lib/clamav//tmp.e08d8a7fbf/clamav-8237f2606f59d7fade48481f7f0459b7.tmp-daily.cvd' ...
Nov 16 09:05:13 m31 freshclam[13864]: Database test passed.
Nov 16 09:05:13 m31 freshclam[13864]: daily.cvd updated (version: 26354, sigs: 1945178, f-level: 90, builder: raynman)
Nov 16 09:05:13 m31 freshclam[13864]: main database available for download (remote version: 62)
Nov 16 09:05:13 m31 freshclam[13864]: ERROR: Can't create mirrors.dat in /var/lib/clamav
Nov 16 09:05:13 m31 freshclam[13864]: Hint: The database directory must be writable for UID 121 or GID 127
Nov 16 09:05:13 m31 freshclam[13864]: WARNING: Can't download main.cvd from https://database.clamav.net/main.cvd
Nov 16 09:05:13 m31 freshclam[13864]: WARNING: FreshClam received error code 429 from the ClamAV Content Delivery Network (CDN).
Nov 16 09:05:13 m31 freshclam[13864]: This means that you have been rate limited by the CDN.
Nov 16 09:05:13 m31 freshclam[13864]: 1. Run FreshClam no more than once an hour to check for updates.
Nov 16 09:05:13 m31 freshclam[13864]: FreshClam should check DNS first to see if an update is needed.
Nov 16 09:05:13 m31 freshclam[13864]: 2. If you have more than 10 hosts on your network attempting to download,
Nov 16 09:05:13 m31 freshclam[13864]: it is recommended that you set up a private mirror on your network using
Nov 16 09:05:13 m31 freshclam[13864]: cvdupdate (https://pypi.org/project/cvdupdate/) to save bandwidth on the
Nov 16 09:05:13 m31 freshclam[13864]: CDN and your own network.
Nov 16 09:05:13 m31 freshclam[13864]: 3. Please do not open a ticket asking for an exemption from the rate limit,
Nov 16 09:05:13 m31 freshclam[13864]: it will not be granted.
Nov 16 09:05:13 m31 freshclam[13864]: WARNING: You are on cool-down until after: 2021-11-16 13:05:13
Nov 16 09:05:13 m31 freshclam[13864]: bytecode database available for download (remote version: 333)
Nov 16 09:05:13 m31 freshclam[13864]: Testing database: '/var/lib/clamav//tmp.e08d8a7fbf/clamav-ce689eb447f41d67e3f83fb384a87e34.tmp-bytecode.cvd' ...
Nov 16 09:05:13 m31 freshclam[13864]: Database test passed.
Nov 16 09:05:13 m31 freshclam[13864]: bytecode.cvd updated (version: 333, sigs: 92, f-level: 63, builder: awillia2)
----------------------------------------------------------------------------------

The result is that the ClamAV daemon cannot start:
----------------------------------------------------------------------------------
root@m31:~# systemctl status clamav-daemon.service
● clamav-daemon.service - Clam AntiVirus userspace daemon
     Loaded: loaded (/lib/systemd/system/clamav-daemon.service; enabled; vendor preset: enabled)
    Drop-In: /etc/systemd/system/clamav-daemon.service.d
             └─extend.conf
     Active: inactive (dead)
  Condition: start condition failed at Tue 2021-11-16 09:10:26 CET; 3s ago
             └─ ConditionPathExistsGlob=/var/lib/clamav/main.{c[vl]d,inc} was not met
       Docs: man:clamd(8)
             man:clamd.conf(5)
             https://www.clamav.net/documents/

Nov 16 08:57:05 m31 systemd[1]: Condition check resulted in Clam AntiVirus userspace daemon being skipped.
----------------------------------------------------------------------------------

The unmet "condition" is the existence of /var/lib/clamav/main.cvd. But it is not that file that freshclam cannot create, it is /var/lib/clamav/mirrors.dat.

This command fixes the problem:
----------------------------------------------------------------------------------
chown clamav:clamav /var/lib/clamav/mirrors.dat
----------------------------------------------------------------------------------

It should be added to univention-antivir-mail.postinst.
I also experienced the problem that /var/run/clamav didn't exist and thus both the ClamAV daemon and the freshclam daemon couldn't start. I had to create it manually. I'm not sure this always happens; please also check that when working on this bug.
Issue: Clamav/Freshclam could not update/create the mirrors.dat (permissions were not set correctly)

Fix: resolved permission issues by changing the owner of /var/lib/clamav to the clamav user

fixed with branch: asteffen/54070-fix-clam-permissions

requesting QA
Set Target Milestone to 5.0-1 errata

OK: permission is set / error does not occur

Reopen for merge into UCS 5.0-1
Merged:
[5.0-1] d75d3cdae6 Bug #54070: workaround for permission error, causing problems on creating and updating mirrors.dat in freshclam
[5.0-1] e00079cb34 Bug #54070: Advisory added.

build as: univention-antivir-mail_11.0.0-2A

Bug is resolved.
mirrors.dat was renamed to freshclam.dat with ClamAV 0.103.3, which is used since UCS-5.0-0:
<https://blog.clamav.net/2021/06/clamav-01033-patch-release.html>
<http://univention-dist-binpkg-webgui.k8s.knut.univention.de/source/clamav/>

Please stop touching /var/lib/clamav/mirrors.dat
Actually UCS 5.0-0 delivers 0.102.4 and 0.103.2 and only 5.0-1 delivers 103.3:

Version 0.102.4+dfsg-0+deb10u1 Rev 153587 Date 2020-08-03 08:53:37 Release 5.0-0-0
Version 0.103.2+dfsg-0+deb10u1 Rev 157315 Date 2021-06-21 09:56:20 Release 5.0-0-0 Scope errata5.0-0
Version 0.103.3+dfsg-0+deb10u1 Rev 158808 Date 2021-12-09 13:48:53 Release 5.0-0-0 Scope ucs5.0-1

@Alex: please test, that in a 5.0-1 system the patch without the "touch" line (only "chmod") fixes the problem as well.
(In reply to Daniel Tröder from comment #7)
> Actually UCS 5.0-0 delivers 0.102.4 and 0.103.2 and only 5.0-1 delivers
> 103.3:
>
> Version 0.102.4+dfsg-0+deb10u1 Rev 153587 Date 2020-08-03 08:53:37
> Release 5.0-0-0
> Version 0.103.2+dfsg-0+deb10u1 Rev 157315 Date 2021-06-21 09:56:20
> Release 5.0-0-0 Scope errata5.0-0
> Version 0.103.3+dfsg-0+deb10u1 Rev 158808 Date 2021-12-09 13:48:53
> Release 5.0-0-0 Scope ucs5.0-1

Your stats might be wrong: `repo_stat.py` only tells you into which UCS release a *source* package was imported, not that it was ever built or even where it was *released* to: in that case 0.103.3 did not list any CVE back then and as such was just imported for 5.0-1, but did not get released as erratum for 5.0-0, which will be out-of-maintenance next week anyway as 5.0-1 was released 5 weeks ago:
<http://univention.gitpages.knut.univention.de/dist/release-dates/>
If it had had a CVE listed it would have been released for both 5.0-0 and 5.0-1. (As this issue does not fix a security issue with a CVE it will only get released for 5.0-1 anyway according to our current policy!)

You should check <https://errata.software-univention.de/#/?package=clamav> or even better <http://univention-dist-binpkg-webgui.k8s.knut.univention.de/source/clamav/>, which shows the real packages being available.

> @Alex: please test, that in a 5.0-1 system the patch without the "touch"
> line (only "chmod") fixes the problem as well.

- univention-mail-antivir depends on clamav, which depends on clamav-base, so clamav-base.postinst gets called before univention-mail-antivir.postinst - the former creates the user `clamav:clamav` and its $HOME=/var/lib/clamav with the right permissions.
- univention-antivir-mail.postinst is executed as `root:root` and as such `cp /usr/share/univention-antivir-mail/*.cvd /var/lib/clamav/` creates files owned by `root:root` → use `install -o clamav -g clamav -m 0644 …` instead
- `chown -R clamav:clamav /var/lib/clamav` should be moved after the `install` or, even better, removed entirely.
- The `touch /var/lib/clamav/mirrors.dat` is touching the wrong file and should no longer be needed:
  clamav-0.104.0-rc2~103 https://github.com/Cisco-Talos/clamav/commit/9064d6a7c05ee58cda829ea54b43317f5f3fcbe3
  clamav-0.103.3~8 https://github.com/Cisco-Talos/clamav/commit/1e70242fb76e54117a74eaf53f12fcecbee55877
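The pattern recommended in the comment above, as an added illustration that is neither Univention's univention-antivir-mail.postinst nor ClamAV code: copy the shipped signature files with `install -o … -g … -m 0644` so no root-owned file ever appears in the database directory, then verify the directory's ownership (what freshclam's "must be writable for UID … or GID …" hint checks) and the clamav-daemon unit's `main.{c[vl]d,inc}` start condition. Directory, owner and group are parameters; `/var/lib/clamav` and `clamav:clamav` are the UCS values, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example, not Univention's postinst nor ClamAV code: install signature
# files with the right owner in a single step and verify the database
# directory afterwards. Paths and user names are parameters.
set -u

# install_sigs SRC_DIR DST_DIR OWNER GROUP
# Copies every *.cvd from SRC_DIR into DST_DIR as OWNER:GROUP, mode 0644.
# Unlike `cp` followed by `chown -R`, no root-owned file exists at any point
# and nothing else under DST_DIR has its ownership changed as a side effect.
install_sigs() {
    src=$1; dst=$2; owner=$3; group=$4
    for f in "$src"/*.cvd; do
        [ -e "$f" ] || continue          # unmatched glob: nothing to install
        install -o "$owner" -g "$group" -m 0644 "$f" "$dst/" || return 1
    done
    return 0
}

# check_db_dir DIR UID GID
# Reports every entry in DIR (and DIR itself) not owned by UID:GID and
# returns 1 if any was found. With the ownership correct, freshclam can
# create its state file itself and no chmod/touch of single files is needed.
check_db_dir() {
    dir=$1; want="$2:$3"; rc=0
    for p in "$dir" "$dir"/*; do
        [ -e "$p" ] || continue
        have=$(stat -c '%u:%g' "$p")     # GNU stat (assumption)
        if [ "$have" != "$want" ]; then
            printf 'wrong owner on %s: %s (want %s)\n' "$p" "$have" "$want"
            rc=1
        fi
    done
    return $rc
}

# have_main_db DIR
# The clamav-daemon unit's ConditionPathExistsGlob=DIR/main.{c[vl]d,inc},
# evaluated by hand, so a skipped start can be explained without the journal.
have_main_db() {
    for name in main.cvd main.cld main.inc; do
        [ -e "$1/$name" ] && return 0
    done
    return 1
}

# Typical use on a UCS host (as root):
#   install_sigs /usr/share/univention-antivir-mail /var/lib/clamav clamav clamav
#   check_db_dir /var/lib/clamav "$(id -u clamav)" "$(id -g clamav)"
#   have_main_db /var/lib/clamav || echo "clamav-daemon will be skipped"
```

`check_db_dir` compares numeric ids rather than names so it also works on hosts where the group name is not resolvable; `install` itself accepts either names or numeric ids for `-o`/`-g`.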
Issue: Please read comment #8 by Philipp Hahn.

Fix: Removed code from previous commit (d755d3cda). Implemented fix suggested in comment #8.

fixed with: https://git.knut.univention.de/univention/ucs/-/commit/6ee4432dce5579ac2c2ca9d2bf02174ee0d32e77

requesting QA
Due to an inconsistency, the branch along with the commit mentioned in comment #9 needed to be deleted. The fix can now be found here:
https://git.knut.univention.de/univention/ucs/-/commit/92aadb4634254b082790f590523e3e950b30c0a2
(In reply to Alexander Steffen from comment #10)
> due to inconsistency the branch alongside with the commit mentioned in
> comment #9 needed to be deleted. the fix can now be found here:
>
> https://git.knut.univention.de/univention/ucs/-/commit/
> 92aadb4634254b082790f590523e3e950b30c0a2

looks good

* freshclam no longer uses mirrors.dat (upstream fix) - this is obviously in conflict with comment #0 but as Philipp pointed out, we use the correct version, and even 0.102.4 should be ok as this mirrors stuff has been removed in 0.102.0 - https://github.com/Cisco-Talos/clamav/blob/rel/0.102/NEWS.md, I cannot reproduce this with UCS 5.0-0(1)
* clamav-base creates /var/lib/clamav/ with the correct ownership
* univention-antivir-mail/ creates /var/lib/clamav/daily.cvd and main.cvd with the correct ownership

TODO
* merge to 5.0-1
* build package
* update errata yaml
Successful build
Package: univention-antivir-mail
Version: 11.0.0-3A~5.0.0.202201281438
Branch: ucs_5.0-0
Scope: errata5.0-1
OK - merged
OK - built (11.0.0-3A~5.0.0.202201281438)
OK - yaml
<https://errata.software-univention.de/#/?erratum=5.0x201>