On 2011-03-12, Kevin Fenzi kevin@scrye.com wrote:
Anyhow, yeah, if we could add the wrapper thing that amavisd-new needs that might be a quick solution.=20
Just tested now by copying /usr/share/clamav/clamd-wrapper from the old installation to the new.
First problem:
Mar 13 18:49:50 asav clamd[23281]: Can't save PID in file /var/run/clamd.amavisd/clamd.pid
(actually the same problem with old clamd-installation). So i manually created this directory, and things seems to be working.
What runs as 'clam'? clamd?
Yes.
yes, thats true. It does mean the clam user could modify the db files, but the additional security here I don't know is worth it.
.. and if we can get in the /usr/share/clamav/clamd-wrapper, running the virus-scanner as amavis instead becomes trivial.
If you wish to seperate things like that, I would suggest running clamscan instead as whatever user.=20
clamscan is waay too slow on a busy mailserver.
- clamav packaged the new way on 4/5/6
- amavisd-new packaged to use that on 4/5/6
How we get there is up to the maintainers... I know several people were looking at amavisd-new. Perhaps we could get everyone together at an irc meeting and hash out what needs to happen?
1 - Add back /usr/share/clamav/clamd-wrapper to the clamd-package + possibly the README-file /usr/share/doc/clamav-server-0.96.1/README which explains how to set up individual clamd-instances:
http://blag.tanso.net/code/clamav.spec http://blag.tanso.net/code/clamav-0.97-4.el6.src.rpm
It's maybe not pretty to put this in %{_prefix}/share/clamav/, but IMHO it's needed for compatibility with older packaging and existing installations on EL4/5.
2 - Modify amavisd-new from f14 to create the directory /var/run/clamd.amavisd (it's already adding the service "clamd.amavisd" which use this directory).
3 - Make amavisd-new not use "PidFile /var/run/amavisd/clamd.pid" in /etc/clamd.d/amavisd.conf, since it's using the wrapper which overrides this pidfile anyway.
I'll get #2/#3 done as well, but would appreciate if someone could sponsor me as a fedora maintainer, so that can also get this submitted to EPEL properly.
-jf