** Description changed: * Note that the FFe sections outlined in https://documentation.ubuntu.com/project/release-team/request-a-freeze- exception/#what-to-include (description of the proposed changes, benefits of the change, testing performed, output of seeded-in-ubuntu) are present below [IMPACT] clamav-daemon won't listen on TCP sockets when reconfiguring the package. This is not an upstream clamav bug, it is a packaging one. When `sudo dpkg-reconfigure clamav-daemon` is run, the postinst script correctly updates the main configuration file (clamd.conf). In Ubuntu, clamav-daemon is integrated as a systemd service. Whether clamav listens to a unix file of a TCP socket is configured in clamd.conf (upstream bit). In Ubuntu this is passed to systemd service by making the service depend on a systemd socket: root@jammy:/usr/lib/systemd/system# cat clamav-daemon.socket [Unit] Description=Socket for Clam AntiVirus userspace daemon Documentation=man:clamd(8) man:clamd.conf(5) https://docs.clamav.net/ # Check for database existence ConditionPathExistsGlob=/var/lib/clamav/main.{c[vl]d,inc} ConditionPathExistsGlob=/var/lib/clamav/daily.{c[vl]d,inc} [Socket] ListenStream=/run/clamav/clamd.ctl #ListenStream=1024 SocketUser=clamav SocketGroup=clamav RemoveOnStop=True [Install] WantedBy=sockets.target The problem is that when reconfiguring the package to make clamav listen to a TCP socket, this change is never reflected in the systemd socket file which keeps the old config (unix file). [Description of the Proposed Changes] * Add systemd socket generator for clamav-daemon (LP: #2129160) - debian/clamav-daemon-socket-generator: Implement clamav-daemon-socket-generator to align clamav-daemon.socket with clamd.conf. - debian/clamav-daemon.postinst.in: Execute daemon-reload to regenerate configuration. 
- debian/clamav-daemon.install: Install clamav-daemon-socket-generator The socket generator allows for configurability of both LocalSocket and TCPSocket (IPv4 or IPv6) ListenStreams, as well as configurability over the LocalSocketMode and LocalSocketGroup. [Benefits of the proposed change] This will fix a packaging issue that prevents customization and reconfiguration of clamav. [TEST CASE] - Run "sudo apt install clamav-daemon" - Run "sudo dpkg-reconfigure clamav-daemon" + Install the package + sudo apt install clamav-daemon + + To test TCP configurability + --------------------------- + sudo dpkg-reconfigure clamav-daemon Select "Socket type" as "TCP" Leave everything else as defaults and finish the config setup - Run "sudo systemctl restart clamav-daemon" - Check for the daemon running on a TCP socket (it won't be): sudo ss -pln | grep 3310 + sudo systemctl restart clamav-daemon + sudo ss -pln | grep 3310 # Check for the daemon running on a TCP socket (it won't be): + printf "PING\n" | nc 127.0.0.1 3310 # Try to ping the socket (it won't work) + systemctl cat clamav-daemon.socket # Doesn't show any configuration with respect to TCP + + To Test Local Socket Configurability + ------------------------------------ + sudo dpkg-reconfigure clamav-daemon + Select "Socket type" as "UNIX" + Set the socket path to something like /run/clamav/clamd-alt.ctl # Anything other than the default /var/run/clamav/clamd.ctl so that it is obvious the configuration was considered and has taken effect + Set custom group owner and permission mode for the socket (eg. 
a user other than ubuntu and permissions other than 666) + sudo systemctl restart clamav-daemon + printf "PING\n" | socat - UNIX-CONNECT:/run/clamav/clamd-alt.ctl # Try to ping the socket (it won't work) + systemctl cat clamav-daemon.socket # Shows that the specified group and permissions [Testing Performed Against Devel Release] The above test plan has been executed with the proposed changes on Resolute to verify the changes work as intended (service is listening on the expected port, and or local socket) The package builds on all architectures against -updates [1] and -proposed [2] [1] https://launchpad.net/~bryanfraschetti/+archive/ubuntu/lp2129160-updates [2] https://launchpad.net/~bryanfraschetti/+archive/ubuntu/lp2129160-proposed The package successfully upgrades from 1.4.3+dfsg-2ubuntu2 (the current version in Resolute) [Seeded in Ubuntu] seeded-in-ubuntu clamav-daemon The source package 'clamav-daemon' does not exist in the Ubuntu primary archive in resolute for pockets Release, Security, Updates, Proposed with status in Pending, Published [Where problems could occur] - While the proposed changes resolve all problems that we identified such as the inability to reconfigure the package, set the port, IPv4 or IPv6 address on which the clamav-daemon listens, or the local socket path, it is possible that this is not a comprehensive list of the upstream features. That is to say, there may be additional configurability not yet captured in the generator. - Given the current broken behaviour, users may have defined systemd overrides and workarounds in place and should be careful when reconfiguring the package to avoid conflicting configurations. For example, they may want to remove custom overrides before or after upgrading [Other] Open PR to Debian unstable: https://salsa.debian.org/clamav- team/clamav/-/merge_requests/12 Upstream related bug: https://github.com/Cisco-Talos/clamav/issues/1464
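Review bot: In the added "To Test Local Socket Configurability" steps, the line `+ Set custom group owner and permission mode for the socket` gives "a user other than ubuntu" as its example although the setting being exercised is a group, and the closing `+ systemctl cat clamav-daemon.socket # Shows that the specified group and permissions` comment breaks off without saying what should be shown. The step before it is annotated "(it won't work)", so the plan mixes the failing pre-fix result with what reads like a post-fix expectation. State the expected result before and after the fix for each check, name a group rather than a user, and have the last step say which socket group and mode values the unit should report.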
** Description changed: * Note that the FFe sections outlined in https://documentation.ubuntu.com/project/release-team/request-a-freeze- exception/#what-to-include (description of the proposed changes, benefits of the change, testing performed, output of seeded-in-ubuntu) are present below [IMPACT] clamav-daemon won't listen on TCP sockets when reconfiguring the package. This is not an upstream clamav bug, it is a packaging one. When `sudo dpkg-reconfigure clamav-daemon` is run, the postinst script correctly updates the main configuration file (clamd.conf). In Ubuntu, clamav-daemon is integrated as a systemd service. Whether clamav listens to a unix file of a TCP socket is configured in clamd.conf (upstream bit). In Ubuntu this is passed to systemd service by making the service depend on a systemd socket: root@jammy:/usr/lib/systemd/system# cat clamav-daemon.socket [Unit] Description=Socket for Clam AntiVirus userspace daemon Documentation=man:clamd(8) man:clamd.conf(5) https://docs.clamav.net/ # Check for database existence ConditionPathExistsGlob=/var/lib/clamav/main.{c[vl]d,inc} ConditionPathExistsGlob=/var/lib/clamav/daily.{c[vl]d,inc} [Socket] ListenStream=/run/clamav/clamd.ctl #ListenStream=1024 SocketUser=clamav SocketGroup=clamav RemoveOnStop=True [Install] WantedBy=sockets.target The problem is that when reconfiguring the package to make clamav listen to a TCP socket, this change is never reflected in the systemd socket file which keeps the old config (unix file). [Description of the Proposed Changes] * Add systemd socket generator for clamav-daemon (LP: #2129160) - debian/clamav-daemon-socket-generator: Implement clamav-daemon-socket-generator to align clamav-daemon.socket with clamd.conf. - debian/clamav-daemon.postinst.in: Execute daemon-reload to regenerate configuration. 
- debian/clamav-daemon.install: Install clamav-daemon-socket-generator The socket generator allows for configurability of both LocalSocket and TCPSocket (IPv4 or IPv6) ListenStreams, as well as configurability over the LocalSocketMode and LocalSocketGroup. [Benefits of the proposed change] This will fix a packaging issue that prevents customization and reconfiguration of clamav. [TEST CASE] Install the package sudo apt install clamav-daemon To test TCP configurability --------------------------- sudo dpkg-reconfigure clamav-daemon Select "Socket type" as "TCP" + Specify a custom address and port (eg. the ip on the machine's primary interface, and a port other than 3310). For example 10.108.97.118 and 3330 Leave everything else as defaults and finish the config setup sudo systemctl restart clamav-daemon - sudo ss -pln | grep 3310 # Check for the daemon running on a TCP socket (it won't be): - printf "PING\n" | nc 127.0.0.1 3310 # Try to ping the socket (it won't work) + sudo ss -pln | grep 3330 # Check for the daemon running on a TCP socket (it won't be): + printf "PING\n" | nc 10.108.97.118 3330 # Try to ping the socket (it won't work) systemctl cat clamav-daemon.socket # Doesn't show any configuration with respect to TCP To Test Local Socket Configurability ------------------------------------ sudo dpkg-reconfigure clamav-daemon Select "Socket type" as "UNIX" Set the socket path to something like /run/clamav/clamd-alt.ctl # Anything other than the default /var/run/clamav/clamd.ctl so that it is obvious the configuration was considered and has taken effect Set custom group owner and permission mode for the socket (eg. 
a user other than ubuntu and permissions other than 666) sudo systemctl restart clamav-daemon printf "PING\n" | socat - UNIX-CONNECT:/run/clamav/clamd-alt.ctl # Try to ping the socket (it won't work) systemctl cat clamav-daemon.socket # Shows that the specified group and permissions [Testing Performed Against Devel Release] The above test plan has been executed with the proposed changes on Resolute to verify the changes work as intended (service is listening on the expected port, and or local socket) The package builds on all architectures against -updates [1] and -proposed [2] [1] https://launchpad.net/~bryanfraschetti/+archive/ubuntu/lp2129160-updates [2] https://launchpad.net/~bryanfraschetti/+archive/ubuntu/lp2129160-proposed The package successfully upgrades from 1.4.3+dfsg-2ubuntu2 (the current version in Resolute) [Seeded in Ubuntu] seeded-in-ubuntu clamav-daemon The source package 'clamav-daemon' does not exist in the Ubuntu primary archive in resolute for pockets Release, Security, Updates, Proposed with status in Pending, Published [Where problems could occur] - While the proposed changes resolve all problems that we identified such as the inability to reconfigure the package, set the port, IPv4 or IPv6 address on which the clamav-daemon listens, or the local socket path, it is possible that this is not a comprehensive list of the upstream features. That is to say, there may be additional configurability not yet captured in the generator. - Given the current broken behaviour, users may have defined systemd overrides and workarounds in place and should be careful when reconfiguring the package to avoid conflicting configurations. 
For example, they may want to remove custom overrides before or after upgrading [Other] Open PR to Debian unstable: https://salsa.debian.org/clamav- team/clamav/-/merge_requests/12 Upstream related bug: https://github.com/Cisco-Talos/clamav/issues/1464
https://bugs.launchpad.net/bugs/2129160 Title: [FFe] [SRU] dpkg-reconfigure clamav-daemon does not respect TCP configuration
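Review bot: The replaced check `+ sudo ss -pln | grep 3330` matches on the port number alone, so it cannot tell a listener bound to 10.108.97.118 from one bound to every address, and it also matches 3330 appearing anywhere else in the output (a PID, for instance). Since the step above it now sets a specific address, match address and port together, for example `sudo ss -tln | grep -F '10.108.97.118:3330'`, and put the expected post-fix result next to the retained "(it won't be)" and "(it won't work)" comments. The `systemctl cat clamav-daemon.socket` step would be a stronger check if it named the ListenStream value that should appear.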

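The mismatch described under [IMPACT], as an added example that is not part of the bug report or of the proposed generator: a small Python check that derives the ListenStream= values clamd.conf implies and compares them with the socket unit. The sample file contents, the function names and the /var/run to /run normalisation are assumptions made for the illustration.

```python
import re

# Constructed sample: clamd.conf after choosing "TCP" in dpkg-reconfigure.
CLAMD_CONF = """\
# constructed sample, not from a real host
TCPSocket 3330
TCPAddr 10.108.97.118
User clamav
"""

# Constructed sample: [Socket] section still carrying the old UNIX listener.
SOCKET_UNIT = """\
[Socket]
ListenStream=/run/clamav/clamd.ctl
#ListenStream=1024
SocketUser=clamav
SocketGroup=clamav
"""

def norm(value):
    """Treat /var/run/... and /run/... as one path (assumes the /var/run symlink)."""
    return "/run/" + value[len("/var/run/"):] if value.startswith("/var/run/") else value

def parse_clamd_conf(text):
    """Return {option: [values]} from 'Option value' lines, skipping comments."""
    opts = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            opts.setdefault(parts[0], []).append(parts[1].strip() if len(parts) > 1 else "")
    return opts

def expected_listeners(opts):
    """ListenStream= values implied by LocalSocket, TCPSocket and TCPAddr."""
    want = {norm(p) for p in opts.get("LocalSocket", [])}
    for port in opts.get("TCPSocket", []):
        addrs = opts.get("TCPAddr", [])
        if not addrs:
            want.add(port)  # bare port: systemd listens on all addresses
        for addr in addrs:
            want.add(f"[{addr}]:{port}" if ":" in addr else f"{addr}:{port}")
    return want

def drift(conf_text, unit_text):
    """Compare what clamd.conf asks for with the unit's active ListenStream= lines."""
    want = expected_listeners(parse_clamd_conf(conf_text))
    have = {norm(m.strip()) for m in re.findall(r"^ListenStream=(.+)$", unit_text, re.M)}
    return {"missing": sorted(want - have), "stale": sorted(have - want)}

if __name__ == "__main__":
    print(drift(CLAMD_CONF, SOCKET_UNIT))
```

A non-empty "missing" list is the condition this bug produces: clamd.conf asks for a listener that the socket unit never opens, while "stale" lists listeners the unit still opens that clamd.conf no longer requests.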