
I have a simple Python 3 script running on Ubuntu Server 20.04 that uses the clamd library (the clamav-daemon process) to scan a file. The ping() and version() functions all work correctly. However, when I actually do a test write and scan, I get the following error:

{'/filedrop/test.doc': ('ERROR', "Can't open file or directory")}

This is the code I used for the test write and scan; it is all standard sample code from the clamd website:

import clamd
cd = clamd.ClamdUnixSocket()  # assumption: clamd reached over its default local Unix socket
open('/filedrop/test.doc', 'wb').write(clamd.EICAR)  # clamd.EICAR is bytes, hence 'wb'
print(cd.scan('/filedrop/test.doc'))

After the code runs, I get the following string in the test file, which indicates that the Python 3 script was able to write to the file, yet I keep getting the error that the file can't be opened when I use the clamd scan function.

This is the string that was written to the file:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

I am also able to run clamscan from the command line on the folder, and it successfully scans the files as well.

I'm running as the root user while the service runs as clamav:clamav. I did give read/write permission on the folder and the files to "other users", which is also indicated by the fact that the file could be written by the Python script.

  • Did you give execute permission to the folder to other users? – Chris Mar 24 '21 at 16:48
  • I did. The permission is available for all users. One strange behavior I see is that I can't seem to change the "ownership" of those files, but other processes should still be able to modify/execute. – John Edwards Mar 24 '21 at 16:52
  • It would be good to see the output of: ls -lt / | grep filedrop; ls -lt /filedrop/; You may even be falling foul of something like AppArmor https://ubuntu.com/server/docs/security-apparmor – Chris Mar 24 '21 at 16:54
  • drwxrwxrwx 2 clamav clamav 4096 Mar 24 17:03 filedrop
    total 8
    -rw-rw-rw- 1 clamav clamav 68 Mar 24 16:44 test.doc
    -rw-rw-rw- 1 clamav clamav 692 Mar 24 16:29 autoscan.py – John Edwards Mar 24 '21 at 17:03
  • grep audit /var/log/kern.log or if it exists: grep DENIED /var/log/audit/audit.log – Chris Mar 24 '21 at 17:06
  • I have stopped the apparmor service via sudo systemctl stop apparmor, but I am still having the same issue with the Python script. – John Edwards Mar 24 '21 at 17:09
  • and I think you still need to disable it also with: sudo systemctl disable apparmor – Chris Mar 24 '21 at 17:13
  • I saw this in the audit log: kernel: [108386.130893] audit: type=1400 audit(1616605697.875:129): apparmor="DENIED" operation="open" profile="/usr/sbin/clamd" name="/filedrop/test.doc" pid=53749 comm="clamd" requested_mask="r" denied_mask="r" fsuid=123 ouid=123 – John Edwards Mar 24 '21 at 17:13
  • Does this indicate it was AppArmor? – John Edwards Mar 24 '21 at 17:14

1 Answer

I believe the solution to the problem here is that AppArmor is blocking clamd for that particular directory. I would look at the AppArmor profile for clamd. It should be called something like /etc/apparmor.d/clamav or similar. You can adjust that profile or alternatively disable it (according to Ubuntu):

sudo ln -s /etc/apparmor.d/profile.name /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/profile.name

More complete instructions available here: https://help.ubuntu.com/community/AppArmor

You can also disable AppArmor for testing purposes (I don't like to advise anyone to remove security features permanently) with:

sudo systemctl stop apparmor
sudo systemctl disable apparmor
– Chris
  • Woohoo, disabling didn't work at first, but after a restart it worked! Thank you so much! I would never have thought of this in a million years. – John Edwards Mar 24 '21 at 17:35
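Added example, not code from the question or the answer: a small Python 3 script that parses kernel audit lines like the one John Edwards quoted, keeps the DENIED events for the clamd profile and correlates them with clamd's scan result, so the "Can't open file or directory" error can be tied to a specific AppArmor denial and turned into the allow rule one would add to the clamd profile instead of disabling AppArmor. The sample log and scan result below are constructed; the profile name /usr/sbin/clamd is taken from the quoted audit line.

```python
import re

# Constructed sample, modelled on the audit line quoted in the question (not the
# poster's real log): a clamd denial, an allowed clamd open, an unrelated denial.
SAMPLE_LOG = """\
kernel: [108386.130893] audit: type=1400 audit(1616605697.875:129): apparmor="DENIED" operation="open" profile="/usr/sbin/clamd" name="/filedrop/test.doc" pid=53749 comm="clamd" requested_mask="r" denied_mask="r" fsuid=123 ouid=123
kernel: [108390.000000] audit: type=1400 audit(1616605701.000:130): apparmor="ALLOWED" operation="open" profile="/usr/sbin/clamd" name="/var/lib/clamav/main.cvd" pid=53749 comm="clamd" requested_mask="r" denied_mask="r" fsuid=123 ouid=123
kernel: [108391.000000] audit: type=1400 audit(1616605702.000:131): apparmor="DENIED" operation="open" profile="/usr/sbin/other" name="/filedrop/test.doc" pid=100 comm="other" requested_mask="w" denied_mask="w" fsuid=0 ouid=123
"""
# Constructed copy of the scan result shown in the question.
SCAN_RESULT = {"/filedrop/test.doc": ("ERROR", "Can't open file or directory")}
CLAMD_PROFILE = "/usr/sbin/clamd"   # profile name as it appears in the log line
KV_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_apparmor_events(text):
    """One dict of key="value" fields per AppArmor audit line (other lines skipped)."""
    return [dict(KV_RE.findall(ln)) for ln in text.splitlines() if 'apparmor="' in ln]

def denials_for(events, profile):
    """Keep only DENIED events emitted under the given profile."""
    return [e for e in events if e.get("apparmor") == "DENIED" and e.get("profile") == profile]

def suggest_rule(event):
    """File rule granting the denied read/write access to the parent directory.

    Only the r/w letters of denied_mask are carried over; that is what file-open
    denials like the one on this page produce.
    """
    directory = event["name"].rsplit("/", 1)[0].rstrip("/")
    perms = "".join(c for c in "rw" if c in event.get("denied_mask", ""))
    return f"{directory}/** {perms},"

def correlate(scan_result, events):
    """Map each path clamd reported as ERROR to the rule that would unblock it.

    Paths with no matching clamd denial are left out, so an empty result points
    away from AppArmor (permissions, wrong path, stale daemon) rather than at it.
    """
    clamd_denials = denials_for(events, CLAMD_PROFILE)
    out = {}
    for path, (status, _msg) in scan_result.items():
        hits = [e for e in clamd_denials if status == "ERROR" and e.get("name") == path]
        if hits:
            out[path] = suggest_rule(hits[0])
    return out

if __name__ == "__main__":
    print(correlate(SCAN_RESULT, parse_apparmor_events(SAMPLE_LOG)))
```

Run against a real /var/log/kern.log or audit.log, the returned rule (here `/filedrop/** r,`) is the line to put in the clamd profile before reloading it with apparmor_parser, which keeps the confinement in place for everything else.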