Check for root user when processing SHUTDOWN command. #347

Closed
toddr wants to merge 1 commit into Cisco-Talos:main from toddr:root_shutdown

Conversation

@toddr

@toddr toddr commented Nov 1, 2021

By default, any arbitrary user is able to use the userspace socket file
to shutdown the clamd daemon. This adds a check for connections to the
local socket server, ensuring that only root is able to do this.

@toddr
Author

toddr commented Nov 1, 2021

I'm uncertain what the policy was on non-root users doing this but wanted to share a patch we're using.

Possibly this needs to be a config file setting but I lack the knowledge to add that to this patch.

@val-ms
Contributor

val-ms commented Nov 3, 2021

It should probably be a config option if we take this patch. Thank you for sharing it. I will bring it up with the team in our next standup.

We're also considering giving ClamD a REST (HTTP) API and have had some discussion about implementing certificate-based authentication at that time. But we need to dedicate some time to plan what to do with an application sandbox prototype developed by my colleague @zaddach which may necessitate an overhaul or full Rust re-write of ClamD, or simply a new server program as an alternative to ClamD. That decision will tie in with what we do for the socket API for ClamD and ultimately if we should use this patch with a new config option, or if we should find a different mechanism to authorize administrative-type commands.

@val-ms
Contributor

val-ms commented Nov 3, 2021

Looks like the build fails on Mac & Windows, and fails a test on Linux with:

6: Wed Nov 3 20:27:22 2021 -> Command invalid for non root users: STATS

@val-ms
Contributor

val-ms commented Nov 14, 2023

I'm closing this PR due to inactivity, and because I do not believe this is the right solution to prevent other users on the local box from running these commands.

Outside of the build issues on Mac and Windows, this solution would prevent regular users from using the STATS and SHUTDOWN commands when running clamd as themselves. The STATS command, in particular, is used by clamdtop and there is a strong use case for this program whether clamd is run as the current user or when run as the clamav user.

But this also does not prevent anyone who can access the TCP socket from running these commands when clamd is listening to the TCP socket. So it is not a full solution for the unauthorized-shutdown concern.

The only solution I can think to allow users to run scans but prevent them from running these commands is to add clamd.conf config options to disable the SHUTDOWN and STATS commands (separately). In this way the admin can choose if they are comfortable with allowing anyone who can access the socket to issue those commands. For this approach I'm not opposed to having support for the SHUTDOWN command to be default-off, but the STATS command support should be on by default, in order for clamdtop to function.

An additional note regarding the STATS command: In case you're concerned that an unauthorized user may index another user's private directory by running clamdscan -r /home/other_user, I should remind you that you should not run clamd as the root user or as another high privileged user. clamd is best run as your own user or better yet as a lower privileged user like the clamav service account. If running clamd as your own user, you can secure a unix socket by locating it within your home directory. The clamdscan --fdpass (or clamonacc --fdpass) options will allow you to have clamd scan files that the clamav user cannot open on its own.

Finally, for administrators that wish to run a clamd server and allow some local users to perform scans while denying all other users from issuing clamd commands, they should use the LocalSocket option in combination with the LocalSocketGroup and LocalSocketMode options.

Take for example this scenario. An admin may wish to configure clamonacc to monitor specific directories on the system such as a webserver upload directory, or user home directories or downloads directories. The clamonacc process would run as root. The clamd process would run as the low-privileged clamav service account user, or start as root and drop to run as the clamav user. In the clamd.conf, something like this would be set:

/var/lib/clamav/clamd.sock
LocalSocketMode 660

The 660 setting will restrict opening the socket file to only root, the owner (e.g. clamav), and any user in the clamav group. Alternatively you may also set

LocalSocketGroup virusgroup

or maybe instead

LocalSocketGroup wheel

to instead allow users from the virusgroup or wheel groups to access that file and thus issue clamd commands.

This would effectively prevent untrusted user accounts from interacting with the clamd scanning service. It does not solve the problem of preventing users that may issue scans from shutting down the scanning service, but it should alleviate the most common concern.

We are open to future work to move control commands such as SHUTDOWN and STATS to a separate socket so that access can be more tightly controlled. But this will have ripple effects on all applications that use them today, including clamdtop.

@val-ms val-ms closed this Nov 14, 2023
@toddr toddr deleted the root_shutdown branch November 14, 2023 20:26
val-ms pushed a commit that referenced this pull request Jun 4, 2025
The `clamd` protocol lacks authentication or authorization controls
needed to limit access to more administrative commands.
Depending on your use case, disabling some commands like `SHUTDOWN`
may improve the security of the scanning daemon.

This commit adds options to enable/disable the `SHUTDOWN`, `RELOAD`,
`STATS` and `VERSION` commands in `clamd.conf`.
When a client sends one of the following commands but it is disabled,
`clamd` will respond with "COMMAND UNAVAILABLE".

The new `clamd.conf` options are:

- `EnableShutdownCommand`: Enable the `SHUTDOWN` command.
  Setting this to no prevents a client from stopping `clamd` via the
  protocol.
  Default: yes

- `EnableReloadCommand`: Enable the `RELOAD` command.
  Setting this to no prevents a client from reloading the database.
  This disables Freshclam's `NotifyClamd` option.
  `clamd` monitors for database directory changes, so this should
  Default: yes

- `EnableStatsCommand`: Enable the `STATS` command.
  Setting this to no prevents a client from querying statistics.
  This disables the `clamdtop` program.
  Default: yes

- `EnableVersionCommand`: Enable the `VERSION` command.
  Setting this to no prevents a client from querying version
  information.
  This disables the `clamdtop` program and will cause `clamdscan` to
  display a warning when using the `--version` option.
  Default: yes

Resolves: #922
Resolves: #1169
Related: #347
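The two threads of this discussion, val-ms's advice to restrict the socket with LocalSocketMode/LocalSocketGroup and the commit's Enable*Command options, can be checked together from a clamd.conf. The following audit script is an added example written for this page; it is not ClamAV code and ClamAV ships no such tool. It assumes: a simplified one-option-per-line clamd.conf parser; that connecting to a unix socket requires write permission on the socket file (so the group and "other" write bits decide who can reach clamd beyond root and the owner); that an unset LocalSocketMode leaves the socket world accessible (as clamd.conf.sample notes) and is treated as 0666; that `true`/`1` are accepted aliases for `yes`; and that an unset TCPAddr binds all interfaces. The sample configs are constructed.

```python
"""Audit a clamd.conf for socket exposure and administrative-command gating.

Added example (not ClamAV code); every assumption is marked inline.
"""
import stat

# Administrative commands and the clamd.conf option gating each one, as
# listed in the commit message above. All four options default to "yes".
ADMIN_COMMANDS = {
    "SHUTDOWN": "EnableShutdownCommand",
    "RELOAD": "EnableReloadCommand",
    "STATS": "EnableStatsCommand",
    "VERSION": "EnableVersionCommand",
}

# Commands that change daemon state; STATS and VERSION only read it.
STATE_CHANGING = {"SHUTDOWN", "RELOAD"}


def parse_clamd_conf(text):
    """Minimal clamd.conf parser (assumption: one 'Option value' per line,
    '#' comments, last occurrence of an option wins)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key] = value.strip()
    return conf


def is_yes(value, default="yes"):
    """clamd.conf booleans are written yes/no; true/false and 1/0 are
    assumed here to be accepted aliases."""
    return (value if value is not None else default).lower() in ("yes", "true", "1")


def socket_audiences(conf):
    """Who can open clamd's sockets, judged from the config alone.

    Root and the socket owner (clamd's own user) can always connect; the
    group and 'other' write bits of LocalSocketMode open it further.
    Assumption: an unset LocalSocketMode is world accessible (0666)."""
    audiences = set()
    if "LocalSocket" in conf:
        mode = int(conf.get("LocalSocketMode", "666"), 8)
        audiences.update({"root", "socket owner"})
        if mode & stat.S_IWOTH:
            audiences.add("any local user")
        elif mode & stat.S_IWGRP:
            group = conf.get("LocalSocketGroup", "clamd's primary group")
            audiences.add(f"group {group}")
    if "TCPSocket" in conf:
        # The TCP socket carries no authentication at all: anything that can
        # reach TCPAddr:TCPSocket can issue commands (TCPAddr assumed to
        # default to all interfaces when unset).
        addr = conf.get("TCPAddr", "all interfaces")
        audiences.add(f"network clients of {addr}:{conf['TCPSocket']}")
    return audiences


def command_response(command, conf):
    """Model the gating from the commit above: a disabled administrative
    command is answered with 'COMMAND UNAVAILABLE'; any other command is
    passed to the normal handler (represented by returning None)."""
    option = ADMIN_COMMANDS.get(command)
    if option is not None and not is_yes(conf.get(option)):
        return "COMMAND UNAVAILABLE"
    return None


def audit(text):
    """Findings: state-changing commands reachable beyond root and the
    socket owner, plus tooling impact (clamdtop) of disabled commands."""
    conf = parse_clamd_conf(text)
    broad = sorted(a for a in socket_audiences(conf) if a not in ("root", "socket owner"))
    findings = []
    for cmd in sorted(ADMIN_COMMANDS):
        if command_response(cmd, conf) is None:  # command enabled
            if cmd in STATE_CHANGING and broad:
                findings.append(f"{cmd} can be issued by: {', '.join(broad)}")
        elif cmd in ("STATS", "VERSION"):
            findings.append(f"{cmd} disabled: clamdtop will not work")
    return findings


# Constructed sample configs for demonstration.
EXPOSED_CONF = """\
# shared scanner: socket world accessible, TCP listener, all commands enabled
LocalSocket /var/run/clamav/clamd.sock
TCPSocket 3310
"""

HARDENED_CONF = """\
LocalSocket /var/run/clamav/clamd.sock
LocalSocketGroup virusgroup
LocalSocketMode 660
EnableShutdownCommand no
EnableReloadCommand no
"""

if __name__ == "__main__":
    for name, text in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(text) or ["no findings"])
```

Note that the hardened config still leaves members of `virusgroup` able to run scans and the read-only STATS/VERSION commands, which is exactly the split val-ms describes: socket permissions decide who reaches clamd, the Enable*Command options decide what they can do once there.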
