-
Notifications
You must be signed in to change notification settings - Fork 712
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
clamscan systemd service and timer #928
base: main
Are you sure you want to change the base?
Conversation
Hi @nils-werner. This is a very interesting PR. I have mixed feelings about it.
I dislike suggesting anyone should scan with root permissions. Until we are able to sandbox the scanning process, it makes me pretty uncomfortable.
This is kinda cool. Although I imagine it breaks if you want to scan a directory with a hyphen in it, like I'm not certain how the changes in this PR are much different from asking users to set up a cron job. And cron is more universally available than systemd. I'll talk about this a bit with my team, but I'm inclined to to decline this PR. You're welcome to try to change my mind and explain the benefits of using a systemd service and timer for clamscan. |
Hi @micahsnyder thanks for your response!
Don't worry, that's not possible. Only
That's no problem. You can use
So to scan
This is of course only an additional option, it does not replace cron or prevent users from using cron. However, here is a list of neat features that systemd timers can do and cron can't. One neat feature for example is you can inspect the output of your scan using
|
1419e52
to
603fe78
Compare
603fe78
to
46e0c5d
Compare
Sorry about the really long delay replying to you.
What I mean to say is that if That said, I guess I don't have anything against providing the clamscan timer as an option, but I would strongly discourage it in favor of using clamd + the clamdscan timer.
Cool!
Got it! Very nice! |
46e0c5d
to
6eb69cc
Compare
Just rebased and force-pushed to run through CI/tests, not that we have any automated tests using systemd. @nils-werner As with #962 would you be up for writing documentation to put in https://github.com/Cisco-Talos/clamav-documentation/blob/main/src/manual/Usage/Services.md You could probably mostly just copy-paste stuff from the PR descriptions. |
Ah I see! What's the recommended solution for this? Is there a special clamav user, or simply disallow running as root? Both are possible. And I'm also wondering if the same shouldn't be considered for freshclam and all the other services... |
If you start freshclam it drops privileges to run as the If you start clamd as root, it drops privileges to run as the
|
@nils-werner Is it possible to make the I'm inclined to suggest we also remove the |
# Use pkg-config to look up the systemd user unit install directory | ||
execute_process(COMMAND ${PKG_CONFIG_EXECUTABLE} | ||
--variable=systemduserunitdir systemd | ||
OUTPUT_VARIABLE SYSTEMD_USER_UNIT_DIR) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It may also be nice to have the main CMakeList.txt summary print out this variable next to the other one:
Line 1256 in 90a9fbd
${_} unit directory ${e}${SYSTEMD_UNIT_DIR} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@nils-werner I think we forgot about this.
However
I'm not sure I understand... do you want to remove |
Can we make
I take it back. The |
I am also curious about your thoughts on this but don't consider it a blocker for this PR. |
This PR contains a systemd service and timer for clamscan. They are parameterized units, which means you can pass the escaped paths you'd like to scan into them:
With these you can do the following:
Start a system scan
will start a scan of
/home
in the background. The process runs with root permissions.Start a user scan
Unprivileged users can start
to start a scan of
/home/user
in the background. The process runs with your user permissions, so you can only scan files that belong to you.Schedule a weekly system scan
will scan
/home
once a week, with root permissionsSchedule a weekly user scan
will scan
/home/user
once a week, with my user permissions.Customize them
You can change any of the config file parameters (commandline arguments, timer frequency etc) in the units. So if for example you want to scan your home dir daily you can run
and add
into the dropin config file.
etc...