apache 用户启动 Clamdscan 时出现错误“未收到文件描述符。错误”

Question 1

均不适用setsebool -P antivirus_can_scan_system 1（来自此设置过程) 或者彻底禁用 SELinux 已经/etc/selinux/config改善了这种情况。

结果，strace已经生成了一个以了解发生了什么，运行如下apache：

$ strace /usr/bin/clamdscan --stdout --fdpass /var/www/html/cours/moodledata/temp/filetoscan
[...]
rt_sigaction(SIGPIPE, {SIG_IGN, [PIPE], SA_RESTORER, 0x7ff93f13c650}, NULL, 8) = 0
lstat("/var/www/html/cours/moodledata/temp/filetoscan", {st_mode=S_IFREG|0755, st_size=7256, ...}) = 0
socket(PF_LOCAL, SOCK_STREAM, 0)        = 3
connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/clamd.scan/clamd.sock"}, 110) = -1 EACCES (Permission denied)
close(3)                                = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
connect(3, {sa_family=AF_INET, sin_port=htons(3310), sin_addr=inet_addr("127.0.0.1")}, 16) = 0
open("/var/www/html/cours/moodledata/temp/filetoscan", O_RDONLY) = 4
sendto(3, "zFILDES\0", 8, 0, NULL, 0)   = 8
sendmsg(3, {msg_name(0)=NULL, msg_iov(1)=[{"\0", 1}], msg_controllen=20, {cmsg_len=20, cmsg_level=SOL_SOCKET, cmsg_type=SCM_RIGHTS, {4}}, msg_flags=0}, 0) = 1
close(4)                                = 0
recvfrom(3, "No file descriptor received. ERR"..., 5120, 0, NULL, NULL) = 35
fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ff93fd3b000
write(1, "Failed to parse reply: \"No file "..., 60Failed to parse reply: "No file descriptor received. ERROR"

首先访问 unix 套接字文件失败，然后由于其他原因/var/run/clamd.scan/clamd.sock回退到 TCP 通信失败。127.0.0.1/3301

也许添加apache访问 unix 套接字所需的组可以解决您的问题。

Answer

均不适用setsebool -P antivirus_can_scan_system 1（来自此设置过程) 或者彻底禁用 SELinux 已经/etc/selinux/config改善了这种情况。

结果，strace已经生成了一个以了解发生了什么，运行如下apache：

$ strace /usr/bin/clamdscan --stdout --fdpass /var/www/html/cours/moodledata/temp/filetoscan
[...]
rt_sigaction(SIGPIPE, {SIG_IGN, [PIPE], SA_RESTORER, 0x7ff93f13c650}, NULL, 8) = 0
lstat("/var/www/html/cours/moodledata/temp/filetoscan", {st_mode=S_IFREG|0755, st_size=7256, ...}) = 0
socket(PF_LOCAL, SOCK_STREAM, 0)        = 3
connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/clamd.scan/clamd.sock"}, 110) = -1 EACCES (Permission denied)
close(3)                                = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
connect(3, {sa_family=AF_INET, sin_port=htons(3310), sin_addr=inet_addr("127.0.0.1")}, 16) = 0
open("/var/www/html/cours/moodledata/temp/filetoscan", O_RDONLY) = 4
sendto(3, "zFILDES\0", 8, 0, NULL, 0)   = 8
sendmsg(3, {msg_name(0)=NULL, msg_iov(1)=[{"\0", 1}], msg_controllen=20, {cmsg_len=20, cmsg_level=SOL_SOCKET, cmsg_type=SCM_RIGHTS, {4}}, msg_flags=0}, 0) = 1
close(4)                                = 0
recvfrom(3, "No file descriptor received. ERR"..., 5120, 0, NULL, NULL) = 35
fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ff93fd3b000
write(1, "Failed to parse reply: \"No file "..., 60Failed to parse reply: "No file descriptor received. ERROR"

首先访问 unix 套接字文件失败，然后由于其他原因/var/run/clamd.scan/clamd.sock回退到 TCP 通信失败。127.0.0.1/3301

也许添加apache访问 unix 套接字所需的组可以解决您的问题。

Question 2

编辑 /etc/clamd.conf 以配置 Unix 用户 clamav 应在以下用户下运行：用户 apache

修复文件/目录权限：chown -R apache:apache /var/run/clamd.scan; chown apache:apache /var/run/clamd.scan/clamd.sock

否则，clamav 将默认以用户 clamscan 的身份运行，该用户没有访问此文件的权限，即使您在扫描中添加了 --fdpass 作为参数。

Answer

编辑 /etc/clamd.conf 以配置 Unix 用户 clamav 应在以下用户下运行：用户 apache

修复文件/目录权限：chown -R apache:apache /var/run/clamd.scan; chown apache:apache /var/run/clamd.scan/clamd.sock

否则，clamav 将默认以用户 clamscan 的身份运行，该用户没有访问此文件的权限，即使您在扫描中添加了 --fdpass 作为参数。

apache 用户启动 Clamdscan 时出现错误“未收到文件描述符。错误”

答案1

答案2

相关内容