> Hello Stephane, maybe joining the amavisd-new user to the clamav group would be a simpler way around the stricter socket permissions you are proposing?

Hi Simon,

No, as I said in comment #4, that doesn't work, as amavisd-new doesn't set supplementary IDs; it just does a setuid() and setgid() with the configured user and group.

Also, we don't want to give it access to all of clamav's restricted resources (mailbox, logs...), only the socket (which we'd only restrict here to mitigate this vulnerability).

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1930393

Title:
  any local user can shut clamd down via control socket
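
The point made in the reply above, as an added example that is not part of the original message and is not code from amavisd-new or ClamAV: access to a group-restricted socket is decided by the credentials the running process actually holds, not by `/etc/group`. The sketch parses the credential lines of `/proc/<pid>/status` and applies the classic Unix write-permission check that `connect()` on a Unix-domain socket requires on Linux. All uids, gids, socket modes and the status excerpts are constructed assumptions.

```python
import stat

# Constructed /proc/<pid>/status excerpts; every id here is made up:
# amavis = uid 115 / gid 121, clamav = uid 114 / gid 120.
SETGID_ONLY = ("Name:\tamavisd\nUid:\t115\t115\t115\t115\n"
               "Gid:\t121\t121\t121\t121\nGroups:\t\n")
WITH_SUPPLEMENTARY = ("Name:\tamavisd\nUid:\t115\t115\t115\t115\n"
                      "Gid:\t121\t121\t121\t121\nGroups:\t120 121\n")

def parse_creds(status_text):
    """Return effective uid/gid and supplementary groups from status text."""
    creds = {"euid": None, "egid": None, "groups": set()}
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        fields = value.split()
        if key == "Uid" and len(fields) >= 2:
            creds["euid"] = int(fields[1])   # order: real, effective, saved, fs
        elif key == "Gid" and len(fields) >= 2:
            creds["egid"] = int(fields[1])
        elif key == "Groups":
            creds["groups"] = {int(g) for g in fields}
    if creds["euid"] is None or creds["egid"] is None:
        raise ValueError("status text has no Uid/Gid lines")
    return creds

def can_connect(creds, sock_uid, sock_gid, sock_mode):
    """Simplified DAC check: write permission on the socket inode.
    Ignores ACLs, LSMs, capabilities other than uid 0, and directory perms."""
    if creds["euid"] == 0:
        return True
    if creds["euid"] == sock_uid:            # owner class is checked first
        return bool(sock_mode & stat.S_IWUSR)
    if creds["egid"] == sock_gid or sock_gid in creds["groups"]:
        return bool(sock_mode & stat.S_IWGRP)
    return bool(sock_mode & stat.S_IWOTH)

if __name__ == "__main__":
    # Assumed socket: owner clamav (114), group clamav (120).
    for label, text in (("setuid/setgid only", SETGID_ONLY),
                        ("with supplementary groups", WITH_SUPPLEMENTARY)):
        creds = parse_creds(text)
        for mode in (0o666, 0o660):
            print(f"{label:27} mode {mode:o}: {can_connect(creds, 114, 120, mode)}")
```

To check a live daemon, pass the contents of its own `/proc/<pid>/status` to `parse_creds()` and compare the `Groups:` set with the socket's group from `stat`.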