From 55b25f143b51d705a12572f62b6cd99ff3802965 Mon Sep 17 00:00:00 2001 From: Enrico Scholz Date: Sat, 25 Feb 2012 12:03:46 +0100 Subject: [PATCH] updated doc removed obsolete SysV related information; mentioned systemd + tmpfiles.d --- clamd-README | 43 ++++++++++++++++++++++--------------------- 1 file changed, 22 insertions(+), 21 deletions(-) diff --git a/clamd-README b/clamd-README index e62b487..711fc7d 100644 --- a/clamd-README +++ b/clamd-README @@ -2,13 +2,18 @@ To create individual clamd-instance take the following files and modify/copy them in the suggested way: clamd.conf: - * set LogFile, PidFile, LocalSocket and User to suitable values + * set LocalSocket (or better: TCPSocket) and User to suitable values; + avoid PidFile unless it required by system monitoring or something + else. Logging through syslog is usually better than an indidual + Logfile. * place this file into /etc/clamd.d with an unique service-name; e.g. as /etc/clamd.d/.conf - To make logfile rotation work properly, the LogFile should be - writable for the assigned User. Recommended way to reach this, is - to: + When using TCPSocket, create iptables rules which are limitting the + access by source and/or by using '-m owner'. + + When LogFile feature is wanted, it must be writable for the assigned + User. Recommended way to reach this, is to: * make it owned by the User's *group* * assign at least 0620 (u+rw,g+w) permissions @@ -16,6 +21,7 @@ clamd.conf: | # touch | # chgrp | # chmod 0620 + | # restorecon NEVER use 'clamav' as the user since he can modify the database. This is the user who is running the application; e.g. for mimedefang 
@@ -25,29 +31,24 @@ clamd.conf: and that the clamd-user can access the files asked by the application to be checked. - -clamd.logrotate: +clamd.logrotate: (only when LogFile feature is used) * set the correct value for the logfile * place it into /etc/logrotate.d -clamd.sysconfig: - * set the name of the config-file and the local socket - * copy it to /etc/sysconfig/clamd. +clamd@.service: (systemd instance) + * instance of clamd@.service -clamd.init: - * set the service-name - * place it into /etc/init.d/ with an unique name and activate it - (e.g. with /sbin/chkconfig clamd. on) +Additionally, when using LocalSocket instead of TCPSocket, the directory +for the socket file must be created. For tmpfiles based systems, you +might want to create a file /usr/lib/tmpfiles.d/clamd..conf +with a content of -Additionally, a symlink must be set to clamd in a way like - | # ln -s clamd /usr/sbin/clamd. -and the directory for the socket file must be created (see 'LocalSocket' -in clamd.conf) - | # mkdir -p /var/run/clamd. - - -This directory must be writable by the 'User' chosen in the config-file. + | d /var/run/clamd. +Adjust (0710 should suffice for most cases) and + +so that the socket can be accessed by clamd and by the applications +using clamd. Make sure that the socket is not world accessible; else, +DOS attacks or worse are trivial. [Disclaimer:
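Review bot: the new clamd.conf paragraph in the first hunk has typos in its added lines: "unless it required" should be "unless it is required", "indidual" should be "individual", "limitting" should be "limiting", and "Logfile" should match the option name "LogFile". On substance, recommending TCPSocket over LocalSocket and then relying on iptables rules for access control is weaker than the socket-directory permissions the old text relied on; suggest also telling the reader to bind the daemon to loopback with "TCPAddr 127.0.0.1" in clamd.conf so it is unreachable from the network even when the firewall rules are missing, and to say that "-m owner" matching only constrains locally originated connections.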
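Review bot: the added "| # restorecon" step in the second hunk only makes sense on SELinux-enabled systems and is a missing command or a no-op elsewhere; suggest qualifying it, e.g. "| # restorecon   (SELinux only)". Like the touch/chgrp/chmod lines above it, the restorecon line also carries no file argument in this rendering, so check that the logfile placeholder survived in the committed file.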
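Review bot: the new "clamd@.service" entry in the third hunk is circular ("instance of clamd@.service") and gives the reader nothing to act on; suggest stating how an instance is enabled, e.g. "systemctl enable clamd@<service-name>.service" (placeholder name). The tmpfiles.d example is incomplete: a "d" line takes mode, user and group fields ("d /path mode user group"), and the sentence "Adjust (0710 should suffice for most cases) and" reads as if the field names were lost; with 0710 on the directory, whether applications can actually connect then depends on the socket file's own mode, so point at LocalSocketGroup/LocalSocketMode in clamd.conf as well. Prefer /run over /var/run, which is a compatibility symlink on systemd systems. Finally, the clamd.sysconfig, clamd.init and symlink instructions are removed without any migration hint for existing SysV installations; a one-line note would help.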