ClamAV permissions

What is the ownership of /var/lib/clamav getting reset to (before you chown it back)?

Edit:

I decided to just install it and take a look for myself.

❯ eza -ldg /var/lib/clamav
drwxr-xr-x - clamav clamav  7 Sep 21:39 /var/lib/clamav

I did figure out why the ownership reverts like this, but before we get into it I think it should be noted that the most typical way to run freshclam is with sudo or as root.

See also the ClamAV docs here: FreshClam (Signature Updater) - ClamAV Documentation

If running Freshclam as root (or with sudo), then Freshclam will try to automatically switch to run as the clamav user, or whichever user is specified as the DatabaseOwner in freshclam.conf.

Considering this behavior, the default ownership (clamav:clamav) is appropriate.

Now that we have the big “yeah, but…” out of the way, let’s get back to your question:

The short answer is ClamAV adds a file to systemd-tmpfiles along with the other service files it ships with.

https://wiki.archlinux.org/title/Systemd#systemd-tmpfiles_-_temporary_files

systemd-tmpfiles can be used to manage maintenance of files or directories, ensuring they exist and have correct permissions and ownership at boot or runtime. Commonly they are used with temporary files, where they address the need for consistency across reboots (especially for directories in tmpfs, where the directories are stood up from scratch every boot).

You may have already guessed it, but here’s what ClamAV adds to systemd-tmpfiles:

❯ cat /usr/lib/tmpfiles.d/clamav.conf 
File: /usr/lib/tmpfiles.d/clamav.conf
d /run/clamav 0755 clamav clamav
d /var/log/clamav 0755 clamav clamav
d /var/lib/clamav 0755 clamav clamav

The d indicates that a directory should be created if it does not already exist. They probably went with systemd-tmpfiles for this because the directory added to /run gets wiped every time you shut down (since it is on tmpfs).

So: that’s why the ownership of /var/lib/clamav is being reset. If you want to override this behavior, you can copy the file from /usr/lib/tmpfiles.d to /etc/tmpfiles.d and make whatever edits you want to it.

sudo cp /usr/lib/tmpfiles.d/clamav.conf /etc/tmpfiles.d/clamav.conf

Change the ownership in the last line so it looks like this:

d /run/clamav 0755 clamav clamav
d /var/log/clamav 0755 clamav clamav
d /var/lib/clamav 0755 locutus locutus

Then, when you reboot or whenever systemd-tmpfiles is called, your custom ownership will remain intact.

6 Likes
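Added example, not part of the original post: a shell check that works out which clamav.conf systemd-tmpfiles will actually apply (a same-named file in /etc/tmpfiles.d wins over /run/tmpfiles.d, which wins over /usr/lib/tmpfiles.d) and compares the owner it declares for /var/lib/clamav with the user freshclam drops to when started as root. The function names, the root-prefix argument and the freshclam.conf location passed in are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.
# $1 of each check is a root prefix so it can run against a test tree;
# pass "" on a live system so paths resolve from /.

# Print the tmpfiles.d file that wins for a given file name.
# Precedence for same-named files: /etc, then /run, then /usr/lib.
effective_tmpfiles_conf() {  # $1 = root prefix, $2 = file name
    for dir in etc/tmpfiles.d run/tmpfiles.d usr/lib/tmpfiles.d; do
        if [ -f "$1/$dir/$2" ]; then
            printf '%s\n' "$1/$dir/$2"
            return 0
        fi
    done
    return 1
}

# Print "user:group" declared for a path in a tmpfiles.d file
# (fields: type, path, mode, user, group). Fails if there is no entry.
declared_owner() {  # $1 = conf file, $2 = path
    awk -v p="$2" '$1 !~ /^#/ && $2 == p { print $4 ":" $5; found = 1; exit }
                   END { exit !found }' "$1"
}

# Print the user freshclam switches to when run as root: DatabaseOwner if
# set, otherwise clamav (the default described in the post above).
database_owner() {  # $1 = freshclam.conf
    awk '$1 == "DatabaseOwner" { print $2; found = 1; exit }
         END { if (!found) print "clamav" }' "$1"
}

# Return 0 only if the owner tmpfiles enforces on the signature directory is
# the user freshclam writes as. With mode 0755 and a different owner, a
# freshclam started as root could not write its updates there.
check_clamav_owner() {  # $1 = root prefix, $2 = freshclam.conf relative to root
    conf=$(effective_tmpfiles_conf "$1" clamav.conf) || { echo "no clamav.conf found"; return 2; }
    owner=$(declared_owner "$conf" /var/lib/clamav) || { echo "no entry in $conf"; return 2; }
    db_user=$(database_owner "$1/$2")
    if [ "${owner%%:*}" = "$db_user" ]; then
        echo "OK: $conf sets $owner, freshclam runs as $db_user"
    else
        echo "MISMATCH: $conf sets $owner, freshclam runs as $db_user"
        return 1
    fi
}
```

On a live system this would be called as `check_clamav_owner "" etc/clamav/freshclam.conf`, assuming freshclam.conf lives under /etc/clamav.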