[Avcheck] Readme.avp

Morten Christensen mc-avcheck@mc.cx
Sat, 27 Jul 2002 17:04:58 +0200


Michael Tokarev wrote:

>Morten Christensen wrote:
>  
>
>>I had a problem when installing avcheck the first time.
>>I think a few more lines in the readme.avp-file would
>>have spared me and the friendly people on this list some
>>time. Here is my proposal. You must look carefully if it
>>is the right technical solution:
>>
>>--->today start<---
>>
>>Some descriptions for those directories inside /var/spool/avp:
>>
>> /var/spool/avp itself: a root for all avp "activity"/files.
>>   This directory will be modified only during the installation,
>>   kavdaemon and avcheck will not write to it or modify files here.
>>
>>---<today end>---
>>
>>--->changed start<---
>>
>>Some descriptions for those directories inside /var/spool/avp:
>>
>> /var/spool/avp itself: a root for all avp "activity"/files.
>>   This directory will be modified only during the installation,
>>   kavdaemon and avcheck will not write to it or modify files here.
>>   The user that kavdaemon and avcheck are started as must have
>>   execute-rights on those files. That can be done with:
>>     chown :avgroup /var/spool/avp/*
>>
>>---<changed end>---
>>    
>>
>
>I don't think this is a correct way.  Here is a listing of
>/var/spool/drweb from my machine:
>
>drwxr-xr-x    6 root     root         1024 Jul 24 14:29 .
>drwxr-xr-x    2 root     root         1024 Jul 24 14:26 bases/
>-rw-r--r--    1 root     root       570368 Jul 12 04:28 drweb32.dll
>-rwxr-xr-x    1 root     root       931192 May 15 03:59 drwebd*
>-rw-r--r--    1 root     root          501 Nov 20  2001 drwebd.ini
>-r--r--r--    1 root     root         1165 Aug 14  2001 drwebd.key
>drwxr-xr-x    2 root     root         1024 Oct  1  2001 etc/
>drwxr-x---    2 drwebd   avscan       1024 Jul 24 14:29 run/
>drwxr-xr-x    2 drwebc   avscan       1024 Jul 27 17:56 tst/
>  
>
Basically you give read- and/or exe-access to everybody,
where I tried to restrict it to root and the av-group.
I am no security expert so I don't know what is best,
or what is needed.

I knew that I probably hit too many files with my
command, but I was unsure where it was needed.

>(this is drweb not avp, and user/group names are somewhat different,
>but the same rules apply anyway).
>
Do the avcheck and infected-executables need exe-access
from the av-group?

Basically, does every file in /var/spool/avp need
read or exe-rights from the av-group?

>I think it's sufficient to add similar listing (as above) to some
>README files to serve as an example, and this should solve this
>issue.  Please correct me if I'm wrong here (until it's too late... ;
>
In my case, a listing would have been enough.
I just needed to be aware of the problem.


>Thanks for a tip.
>

Thanks for a program :-)


---
mvh...
Morten Christensen
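
Added example, not part of the original messages or of avcheck: the Python code below parses the listing quoted in the thread and reports which permission bits apply to a given account on each entry under the standard Unix owner/group/other check. The function names and the unrelated account `nobody` with group `nogroup` are assumptions made for the example; root's permission bypass is not modelled.

```python
import re

# Listing quoted in the thread (drweb spool directory), used as sample input.
LISTING = """\
drwxr-xr-x    6 root     root         1024 Jul 24 14:29 .
drwxr-xr-x    2 root     root         1024 Jul 24 14:26 bases/
-rw-r--r--    1 root     root       570368 Jul 12 04:28 drweb32.dll
-rwxr-xr-x    1 root     root       931192 May 15 03:59 drwebd*
-rw-r--r--    1 root     root          501 Nov 20  2001 drwebd.ini
-r--r--r--    1 root     root         1165 Aug 14  2001 drwebd.key
drwxr-xr-x    2 root     root         1024 Oct  1  2001 etc/
drwxr-x---    2 drwebd   avscan       1024 Jul 24 14:29 run/
drwxr-xr-x    2 drwebc   avscan       1024 Jul 27 17:56 tst/
"""

# type, nine permission bits, links, owner, group, size, three date fields,
# then the name with the trailing '/' or '*' marker from "ls -F" dropped.
LINE = re.compile(
    r"^([d-])([rwx-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+\d+"
    r"\s+\S+\s+\S+\s+\S+\s+(\S+?)[*/]?$")

def effective_bits(perms, owner, group, user, groups):
    """Return the rwx triplet that applies to `user`.

    Exactly one class is used: owner first, then group, then other.
    There is no fall-through, so an owner with fewer bits than "other"
    still gets only the owner bits.
    """
    if user == owner:
        return perms[0:3]
    if group in groups:
        return perms[3:6]
    return perms[6:9]

def access_report(listing, user, groups):
    """Map each entry name in an `ls -l` listing to the bits `user` gets."""
    report = {}
    for line in listing.splitlines():
        m = LINE.match(line.strip())
        if m:
            _kind, perms, owner, group, name = m.groups()
            report[name] = effective_bits(perms, owner, group, user, groups)
    return report

def writable_entries(report):
    """Names the account may modify; for a well-confined daemon, a short list."""
    return sorted(name for name, bits in report.items() if "w" in bits)

if __name__ == "__main__":
    for account in ("drwebd", "drwebc", "nobody"):
        groups = {"avscan"} if account != "nobody" else {"nogroup"}
        print(account, writable_entries(access_report(LISTING, account, groups)))
```
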