Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Move PID file out of user-writable directory #1076

Open
orlitzky opened this issue Oct 27, 2023 · 13 comments
Open

Move PID file out of user-writable directory #1076

orlitzky opened this issue Oct 27, 2023 · 13 comments

Comments

@orlitzky
Copy link
Contributor

In ed630ab the PID file was moved to /run/clamav. Since /run/clamav is typically writable by the clamav user (so that he can create the socket after dropping privileges), this reintroduces the vulnerability fixed in 5b168b5.

The socket needs to be writable by clamd after it starts, but the PID file doesn't. The PID should go in /run/clamd.pid, or better yet, @RUNSTATEDIR@/clamd.pid.

I mentioned this on the mailing list when the release was announced, but I don't want it to get lost.
@micahsnyder
Copy link
Contributor

The actual clamd.pid filepath is set when you create your own clamd.conf file.

That commit just changed suggested filepaths. The intention had been to make it align with how the clamav docker image was using it, although now that I look I see we're actually using /tmp/*.pid, because people want to start the whole container as the clamav user instead of starting as root and dropping privs.

I think a good compromise would be to list both filepath options in the sample config with some explanation as to which you may choose.

For the one that requires root to run, we could switch to use @RUNSTATEDIR@, but only if we switch to have CMake generate the sample config in the configure-step of the build process.

@orlitzky
Copy link
Contributor Author

orlitzky commented Nov 3, 2023

I don't think the docker image needs a PID file at all. Problem solved :)

@micahsnyder
Copy link
Contributor

TBH I don't know why the pidfiles are enabled for the docker image. But I am hesitant to go remove that. Someone probably found a way to use it. 🤷

@orlitzky
Copy link
Contributor Author

orlitzky commented Nov 3, 2023

More generally, the only situation where a PID file is useful is when you have a dumb init system (namely sysvinit) and a daemon that drops privileges and forks.

In the docker image there is no init system, you're just launching clamd in the foreground and forgetting about it, so the PID can't really be useful. And everybody else is using systemd or OpenRC who can track the PID themselves; again no PID file is needed in those cases.

In the only situation where a PID is actually needed, you want it to live in @RUNSTATEDIR@. (Almost) all other uses are cargo cult. And the ones that aren't are even more insane.

@Kangie
Copy link
Contributor

Kangie commented Mar 21, 2024

I'm with @orlitzky here - I can't see any real value added by the PID file in docker and it will resolve this issue just to drop it.

@micahsnyder
Copy link
Contributor

Incidentally, we do have one suggestion on using the pid file, here Cisco-Talos/clamav-docker#45

@orlitzky
Copy link
Contributor Author

Incidentally, we do have one suggestion on using the pid file, here Cisco-Talos/clamav-docker#45

A PID is used there, but not a PID file. The clamdpid=$! line uses a magic variable to obtain the PID of the process that was just launched, and then wait $clamdpidpasses its value to wait. Since all of this is happening within the same script, there's no reason to store the PID in a persistent location to be retrieved at a later time from another process (as is the case with dumb init systems).

@micahsnyder
Copy link
Contributor

micahsnyder commented Mar 26, 2024
edited
Loading

Oh silly me. I didn't read close enough. I was in a bit of a scramble and just saw "pid" 🤦. So long as clamd's --foreground option is used that will also work okay.

gentoo-bot pushed a commit to gentoo/gentoo that referenced this issue Jun 24, 2024
@Kangie
app-antivirus/clamav: package maintenance
7b99345 
revbump 1.3.1 with the following fixes:

- add postinst message for 'clamonacc'
- fix x32 builds
- fix PID paths
- drop py310; add py313

Bug: Cisco-Talos/clamav#1076
Bug: https://bugs.gentoo.org/921088
Bug: https://bugs.gentoo.org/916147
Bug: https://bugs.gentoo.org/787233
Closes: https://bugs.gentoo.org/927214
Signed-off-by: Matt Jolly <[email protected]>
@Kangie
Copy link
Contributor

Kangie commented Jun 26, 2024

Hi Micah,

Any update / thoughts on this one? I've started patching our configs downstream but I'd really prefer to avoid maintaining that if we can come up with an acceptable solution for everyone :).

@Kangie
Copy link
Contributor

Kangie commented Nov 21, 2024

@micahsnyder ping

micahsnyder added a commit to Cisco-Talos/clamav-docker that referenced this issue Nov 21, 2024
@micahsnyder
Remove PidFile configuration
3c3789b 
There should be no need for freshclam, clamd, or clamav-milter to create
a PID file.

There is a very minor security concern that the PID file is located in a
user-writable directory in that a naive service manager might kill the
wrong process if the PID file has been modified.

Granted, these Docker images do not have a service manager which
operates in this way. However, I believe there is no harm in removing
the PID files so as to eliminate the hypothetical risk if one were to
use those PID files.

Refs:
- Cisco-Talos/clamav#1076
- Cisco-Talos/clamav@5b168b5
@micahsnyder micahsnyder mentioned this issue Nov 21, 2024
Merged
@micahsnyder
Copy link
Contributor

@Kangie @orlitzky would this make you feel better? Cisco-Talos/clamav-docker#69

@micahsnyder
Copy link
Contributor

Sorry my phrasing wasn't great. I mean, would this change resolve your security concerns about the pid file in the Docker images?

@orlitzky
Copy link
Contributor Author

I don't think either of us necessarily cares what goes on in docker, but it's certainly an improvement to skip the PID file there if it doesn't need one and if it simplifies the reasoning about PID files in general.

The problem is that the suggestion,

# This file will be owned by root, as long as clamd was started by root.
# It is recommended that the directory where this file is stored is
# also owned by root to keep other users from tampering with it.
# Default: disabled
#PidFile /run/clamav/clamd.pid

has some risk of creating a vulnerability if /run/clamav is writable by anyone other than root. It's a strictly worse choice than /run/clamd.pid:

  • The permissions on /run are already safe
  • The permissions on /run/clamav are likely to be unsafe if it just happens to exist; the main reason people create subdirectories of /run is to mess with the permissions
  • Users don't have to worry about creating the subdirectory at boot
  • It doesn't conflict with the example for the local socket

For the local socket, the sample config suggests

# Path to a local socket file the daemon will listen on.
# Default: disabled (must be specified by a user)
#LocalSocket /run/clamav/clamd.sock
#LocalSocket /tmp/clamd.sock

The first one will only work if /run/clamav is NOT safe for a PID file, because clamd needs to create the socket there after dropping permissions. And the second (which I am just now noticing), is just plain unsafe, because /tmp will typically be world-writable.

If you are very smart you can figure this stuff out for yourself but I can see no reason not to suggest /run for the PID file instead and save people the trouble.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@orlitzky @Kangie @micahsnyder