[Avcheck] Readme.avp
Michael Tokarev
mjt@tls.msk.ru
Sat, 27 Jul 2002 19:30:44 +0400
Morten Christensen wrote:
>
> Michael Tokarev wrote:
[]
> >I don't think this is a correct way. Here is my a listing of
> >/var/spool/drweb from my machine:
> >
> >drwxr-xr-x 6 root root 1024 Jul 24 14:29 .
> >drwxr-xr-x 2 root root 1024 Jul 24 14:26 bases/
> >-rw-r--r-- 1 root root 570368 Jul 12 04:28 drweb32.dll
> >-rwxr-xr-x 1 root root 931192 May 15 03:59 drwebd*
> >-rw-r--r-- 1 root root 501 Nov 20 2001 drwebd.ini
> >-r--r--r-- 1 root root 1165 Aug 14 2001 drwebd.key
> >drwxr-xr-x 2 root root 1024 Oct 1 2001 etc/
> >drwxr-x--- 2 drwebd avscan 1024 Jul 24 14:29 run/
> >drwxr-xr-x 2 drwebc avscan 1024 Jul 27 17:56 tst/
^^^ this is incorrect, should be drwxr-x---, 0750.
> Basically you give read- and/or exe-access to everybody,
> where I tried to restrict it to root and the av-group.
> I am no security-expert so I don't know what is best,
> or what is needed.
All the *real* restrictions placed on directories are really
necessary for:
tst: noone except of client should be able to write there,
and noone except daemon should be able to access any files
there (email privacy). Daemon should not be able to modify
this directory and files within (to ensure that mail will
not be modified even in case of bugs in daemon).
run: directory holding control sockets, daemon creates it's
socket here. No other program should be able to perform
a "DoS attack" against a daemon, and client should be
able to access daemon's socket.
tmp (not for drweb, probably not needed for avp) - in case
daemon will want to write some temp file(s). Such files
may also contain private information (from email msg), and
there should be no way to do somethin evil with a daemon
trashing/changing temp files.
Other than that, no other user on a system should be able to
modify any files in those directories (well, except of some
process that will upload new virus signatures into bases/,
and rare cases when executables needs to be updated).
I hope you don't restrict permissions for /etc directory
allowing accessing files within for only a dedicated group.
This is possible and sometimes feasible, but such cases are
*so* rare and *so* special, and a person who does so should
understand why he does so and how to do so properly.
> I knew, that I probably hit too many files with my
> command, but I was unsecure on, where it was needed.
>
> >(this is drweb not avp, and user/group names are somewhat different,
> >but the same rules applies anyway).
> >
> Does the avcheck and infected-executables need exe-access
> from the av-group?
Avcheck itself gets called by postfix with avclient:avgroup
user:group, so yes, postfix should be able to call it. The
same is for infected-handler - avcheck is unable to change
it's uid/gid since it's not running as root.
I think it's okay to have world-accessible files (except of
those mentioned above) just like you have your /etc readable
by everyone. Well, *some* files may be more protected as
stated in my previous email (.key for example).
The question is - what you want to achieve. Those executables
are publicly available, so code analisys is possible without
reading them on your machine. No executables here are setuid
or setgid. The only possible harm may be an ability to execute
some binary program and crash it giving it some invalid arguments -
but heh, those programs aren't setuid or setgid anyway, so no
additional privileges will be obtained.
> Basically, does every file in /var/spool/avp need
> read or exe-rights from the av-group?
Well, almost. Maybe except tmp directory that is private to daemon.
/mjt