Discussion:
[clamav-users] ClamAV failed to scan files in /tmp folder
cpass test
2018-01-29 19:27:44 UTC
Hello,

I installed the ClamAV on my Linux server and configured a Moodle LMS to
use the ClamAV. They have a plugin in Moodle for it. Here are the
parameters for connecting to ClamAV:

Running method: Unix domain socket

Unix domain socket: /var/run/clamd.scan/clamd.sock

The clamd server is running and the socket really exists in specified
location.

But when I tried to upload files in Moodle to test the anti-virus,
messages like the following appear in the log file of Clamd:

WARNING: lstat() failed on: /tmp/phpag0dQF

I added user clamscan (the user under which clamd server is running) to the
apache group.

The permissions of /tmp/ are:

drwxrwxrwt. root root

I have disabled SELinux to ensure it is not blocking anything.

I don't understand what is preventing ClamAV from scanning files uploaded
via Moodle.

Thanks for your help.

Karl
_______________________________________________
clamav-users mailing list
clamav-***@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Reindl Harald
2018-01-29 21:55:02 UTC
Post by cpass test
configured a Moodle LMS to use the ClamAV. They have a plugin in Moodle for
Unix domain socket: /var/run/clamd.scan/clamd.sock
The clamd server is running and the socket really exists in specified
location.
WARNING: lstat() failed on: /tmp/phpag0dQF

let me guess:

* systemd
* one or both of the involved services has "PrivateTmp=yes" in its unit

don't use /tmp or /var/tmp then for files which both should be able to
access
cpass test
2018-01-30 15:19:11 UTC
Thanks for your help.

httpd has the "PrivateTmp=yes".

I did what you suggested, and changed the directory of the temporary folder
of PHP (variable sys_temp_dir) to another directory and it works.
Thanks
Reindl Harald
2018-01-30 15:45:52 UTC
Post by cpass test
Thanks for your help.
httpd has the "PrivateTmp=yes".
I did what you suggested, and changed the directory of the temporary folder
of PHP (variable sys_temp_dir) to another directory and it works.
Thanks

thought so

the reason for this setting is that you often find CVEs where random
software creates whatever files in /tmp with bad permissions and so when
your webserver has access to /tmp this becomes problematic

temp/session/upload-files should be as strictly as possible separated
and also be different per virtual host - 10 years ago somebody who
insulted me used the same webhoster with shared session-dir and had his
database credentials in the PHP session - bad mistake leading to a
"re-design" some drunken night later :-)
cpass test
2018-01-30 15:55:49 UTC
Thanks for your help and for the educational explanations.
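The diagnosis reached in this thread (a unit with "PrivateTmp=yes" hides /tmp/php* from clamd), as an added example that is not part of the original posts: a check that takes a hand-off path and the two units' PrivateTmp values and says whether the scanner can see the file. The function names and the verdict strings are made up for this example, and CLAMD_UNIT is a placeholder for whatever unit runs clamd on your host.

```shell
#!/bin/sh
# Added example (not from the thread): will a path handed from one systemd
# service to another resolve to the same file for both?

# parse_private_tmp "PrivateTmp=yes" -> yes
# Input is the single line printed by: systemctl show -p PrivateTmp UNIT
parse_private_tmp() {
    printf '%s\n' "${1#PrivateTmp=}"
}

# under_tmp PATH -> success if PATH is /tmp, /var/tmp or below either one,
# the two directories that PrivateTmp= replaces with a per-service instance.
under_tmp() {
    case "$1" in
        /tmp|/tmp/*|/var/tmp|/var/tmp/*) return 0 ;;
        *) return 1 ;;
    esac
}

# handoff_verdict PATH PRODUCER_PRIVATETMP CONSUMER_PRIVATETMP
#   hidden      one side has a private /tmp, so the consumer's lstat() fails
#   shared-tmp  both see the host /tmp: works, but uploads sit in a
#               world-writable directory shared with every other process
#   ok          path is outside /tmp and /var/tmp (file permissions must
#               still allow the consumer to read it)
# Assumption: neither unit uses JoinsNamespaceOf= to share a private /tmp.
handoff_verdict() {
    if ! under_tmp "$1"; then
        echo ok
    elif [ "$2" = yes ] || [ "$3" = yes ]; then
        echo hidden
    else
        echo shared-tmp
    fi
}

# Live use: sh check.sh /tmp/phpag0dQF httpd.service CLAMD_UNIT
if [ "$#" -eq 3 ]; then
    p=$(parse_private_tmp "$(systemctl show -p PrivateTmp "$2")")
    c=$(parse_private_tmp "$(systemctl show -p PrivateTmp "$3")")
    handoff_verdict "$1" "$p" "$c"
fi
```

A "hidden" verdict matches the lstat() warning above; pointing PHP's sys_temp_dir at a dedicated directory, as done in the thread, moves the path to "ok".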
