clamdscan 存取 deny 的問題答案

clamdscan is just a command line tool that issues commands to clamav-daemon. The files are scanned by clamav-daemon, which runs as a daemon with clamav user (by default). You can only scan folders and files to which clamav-daemon (the clamav user) has access to.

So if you want to check a directory like /a/b/c, every directory along the way has to have the correct permissions for clamav user to access them. If /a doesn’t have it, clamav-daemon can’t get to b or c…

clamdscan is not really ment to be run by normal users from the command line. If you really want that, you have to give the correct permissions to clamav-daemon (= clamav user).

clamscan on the other hand should work just fine on every directory your user has access to, it’s just that it’s slower because it has to load the virus database at startup.

The above goes when apparmor/selinux is not running. If apparmor is running, there are more restrictions on clamav-daemon.

clamdscan 其實就是 clamd 服務,而服務預設是由「clamav」這帳號啟動的。所以當我們提出掃描檔案時clamd就會以clamav帳號的身份進入到指定的目錄下檢查指定的檔案。如果指定的檔案路徑clamav沒有權限可以進入和讀取,就會丟出無法存取權限deny的錯誤。

除了 clamav 帳號的訪問權限外,如果apparmor有限定clamd的設定也會引響clamdscan 的運作。

clamd 無法刪除被感染的資料檔案出於安全性考量,因為總不希望別人跑到你家把人給殺了吧!

發表迴響

在下方填入你的資料或按右方圖示以社群網站登入:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / 變更 )

Twitter picture

You are commenting using your Twitter account. Log Out / 變更 )

Facebook照片

You are commenting using your Facebook account. Log Out / 變更 )

Google+ photo

You are commenting using your Google+ account. Log Out / 變更 )

連結到 %s