[Mimedefang] Error with mimedefang + clamd

Bill Cole mdlist-20140424 at billmail.scconsult.com
Wed Nov 22 13:52:28 EST 2017


On 22 Nov 2017, at 10:11 (-0500), Info @ brainwash wrote:

> /var/spool/MIMEDefang/ directory has rights 0766 and belongs to user
> defang:defang (it is being reset to these values every time the
> mimedefang service restarts or the server reboots).

Dianne has already given the proper solution but this begs for a general 
warning...

Setting the world-writable bit on any file or on a directory without 
also setting the sticky bit is a risky action. You should NEVER leave a 
file or directory world-writable. Also on directories, it is generally 
not useful to set read bits without also setting the execute (i.e. 
search, for directories) bits.

> From what I found when Googling this error, the issue is that 
> MIMEDefang cannot create the work directory thus Clam cannot find the 
> file to scan.

It's usually best to read the man pages that are written by the author 
of a program before searching for random answers on the web who may not 
understand their problem, may not be getting an error message for the 
same reason you are, and may be using a version (or platform variant) 
that is unlike yours. This looks to me like a wrong answer but it really 
does not matter because the fix is simple and clearly documented in the 
mimedefang man page.

> I tried to make the directory 0777 and even change the users using 
> chown, to no effect.

Reiterating the above: don't set the world-writable bit anywhere except 
on shared directories with the sticky bit set (e.g. /tmp and /var/tmp 
use mode 1777) and (sometimes) sockets and devices. It's not a safe 
solution to any problem and usually isn't even helpful as a 
troubleshooting tool.

MIMEDefang by design creates and destroys many files and directories for 
short lives, so for safety it needs to manage permissions itself very 
carefully and tightly. It cannot rely on sysadmins creating safe working 
ownership and permission constructs because it is a known fact that many 
sysadmins never actually read documentation. It is conceivable that MD 
could have been written to be entirely ignorant of security issues and 
rely on sysadmins to use whatever mix of standard ownership & 
permissions, BSD setgid semantics, and ACLs is available and necessary 
to allow everything MD does to work safely. I believe that if that were 
the case, MD would have a reputation of being hard to make work and 
grossly insecure. It's better this way.

-- 
Bill Cole
bill at scconsult.com or billcole at apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steady Work: https://linkedin.com/in/billcole
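
An audit for the two permission mistakes described in the message above (world-writable without the sticky bit, and directory read bits without search bits), as an added example that is not part of the original post or of MIMEDefang. The function names and the sample tree are constructed for illustration; point the functions at a real directory to use them.

```shell
#!/bin/sh
# Added example: the function names and the sample tree are constructed.

# Regular files that are world-writable, and directories that are
# world-writable without the sticky bit (e.g. 0766, 0777). Mode 1777
# directories such as /tmp are not reported; sockets and devices are skipped.
find_world_writable() {
    find "$1" \( \
        \( -type f -perm -0002 \) -o \
        \( -type d -perm -0002 ! -perm -1000 \) \
    \) -print 2>/dev/null
}

# Directories where some class (owner, group or other) has the read bit
# but not the search (execute) bit, as with the 0766 quoted in the thread.
find_read_without_search() {
    find "$1" -type d \( \
        \( -perm -0400 ! -perm -0100 \) -o \
        \( -perm -0040 ! -perm -0010 \) -o \
        \( -perm -0004 ! -perm -0001 \) \
    \) -print 2>/dev/null
}

# Build a constructed sample tree and print its path.
make_sample() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/permdemo.XXXXXX") || return 1
    mkdir "$d/spool766" "$d/tmp1777" "$d/spool750"
    : > "$d/open.txt"
    : > "$d/ok.txt"
    chmod 0766 "$d/spool766"   # world-writable, no sticky, no search for g/o
    chmod 1777 "$d/tmp1777"    # shared directory done correctly
    chmod 0750 "$d/spool750"   # private working directory
    chmod 0666 "$d/open.txt"   # world-writable file
    chmod 0640 "$d/ok.txt"
    printf '%s\n' "$d"
}

# Demo run on the constructed tree.
sample=$(make_sample)
echo "World-writable without sticky bit:"
find_world_writable "$sample"
echo "Directories with read but not search:"
find_read_without_search "$sample"
rm -rf "$sample"
```
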


