include much needed antivirus products in FC2

Steven Pritchard steve at silug.org
Wed Jan 7 18:22:27 UTC 2004


On Wed, Jan 07, 2004 at 02:22:56AM +0100, Enrico Scholz wrote:
> Ok, user A gets mail and wants it to be checked. There are two ways for
> that:
> 
> * mail is at a public place so that clamd can access it -> bad, I do
>   not want my mails at public places

Mail should be scanned by a daemon like amavisd.  It already has the
mail.  Letting clamd get to it (by using appropriate group
permissions) is easy and safe.

> * mail will be placed at a place accessible for clamd and A only -> how
>   can I do this without ACLs? Besides this, it would still be possible
>   for B to gain information about A's mail by invoking clamd to read it.

If the user wants to scan their mail, they can use clamscan instead of
clamdscan.  It's a non-issue.

> Page 3 in clamdoc.pdf:
> 
> | * QUIT
> |    Perform a clean exit.

OK, so you got me there.  That just means you need a "mailscan" group
(not "vscan", since that's used by a whole lot of packages out in the
wild already) that clamd's user and whatever mail scanners (amavis-ng,
amavisd-new, mailscanner, etc.) are members of.  Make the socket
directory executable by that group.  Problem solved.

> > I totally disagree.  This is no different than random users wanting to
> > allow access to something from apache but nothing else...
> 
> This requires that ~/public_html is accessible for httpd. In non-ACL
> capable systems this means world-access and I would never do this for my
> mails.

You don't understand.  Let's say I want to password-protect a
directory.  I create a .htaccess file that refers to a .htpasswd file
somewhere.  Now I don't want to let the world have access to that (but
httpd needs to be able to read it), so I "chgrp apache .htpasswd &&
chmod 640 .htpasswd".  Easy, safe, and sufficiently secure for this
problem.  I still don't see where this is fundamentally any different.

Oh, and at this point I think we either need to agree to disagree, or
take this off-list.  This is a packaging detail that the rest of the
people on this list probably don't care about.

Steve
-- 
Steven Pritchard - K&S Pritchard Enterprises, Inc.
Email: steve at kspei.com             http://www.kspei.com/
Phone: (618)398-7360               Mobile: (618)567-7320
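
Added example, not part of the original message or of any package discussed in it: a POSIX shell check for the group-only access pattern the message describes (a socket directory executable by a shared scanner group, or a file set up with "chgrp apache .htpasswd && chmod 640 .htpasswd"). The function name `check_group_only` is hypothetical, GNU `stat` is assumed, and GROUP may be a group name or a numeric gid.

```shell
#!/bin/sh
# check_group_only PATH GROUP
# Returns 0 when PATH is owned by GROUP, "other" has no permission bits,
# and the group has the access it needs (x on a directory, r on a file).
# Returns 1 on any violation, 2 if PATH does not exist.
# Assumes GNU coreutils stat (-c format strings).
check_group_only() {
    path=$1
    want=$2
    if [ ! -e "$path" ]; then
        echo "missing: $path" >&2
        return 2
    fi
    gname=$(stat -L -c %G "$path")   # group name (UNKNOWN if gid has no entry)
    gid=$(stat -L -c %g "$path")     # numeric gid
    mode=$(stat -L -c %a "$path")    # octal digits, e.g. 640, 750, 2750
    other=$((mode % 10))             # last digit: permissions for "other"
    grp=$(( (mode / 10) % 10 ))      # second-to-last digit: group permissions
    rc=0
    if [ "$want" != "$gname" ] && [ "$want" != "$gid" ]; then
        echo "$path: group is $gname ($gid), expected $want" >&2
        rc=1
    fi
    if [ "$other" -ne 0 ]; then
        echo "$path: mode $mode grants access to other" >&2
        rc=1
    fi
    # A directory must be searchable (x=1) by the group; a file readable (r=4).
    if [ -d "$path" ]; then need=1; else need=4; fi
    if [ $((grp & need)) -eq 0 ]; then
        echo "$path: mode $mode does not give the group the access it needs" >&2
        rc=1
    fi
    return $rc
}
```

Run it against the socket directory with the scanner group, or against .htpasswd with the web server's group, after packaging or configuration changes.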




