clamonacc kills shells if clamd running as root #1357

Open
lightthemad opened this issue Sep 2, 2024 · 3 comments

@lightthemad

Describe the bug

If /etc/clamav/clamd.conf has the following lines

User root
OnAccessMaxFileSize 500M
OnAccessPrevention yes
OnAccessExcludeUname clamav
OnAccessIncludePath /tmp/
OnAccessIncludePath /dev/shm/
OnAccessIncludePath /home/
OnAccessIncludePath /root/
OnAccessIncludePath /opt/

(other lines are default)

and clamonacc is run by the root user in any directory, the terminals (both physical and SSH) become unresponsive and take a lot of time to load. When the clamonacc process is stopped, terminals work fine.

clamconf -n results:

Config file: clamd.conf

PreludeAnalyzerName = "ClamAV"
LogFile = "/var/log/clamav/clamav.log"
LogFileMaxSize = "4294967295"
LogTime = "yes"
LogRotate = "yes"
ExtendedDetectionInfo = "yes"
LocalSocket = "/var/run/clamav/clamd.ctl"
LocalSocketGroup = "clamav"
LocalSocketMode = "666"
MaxConnectionQueueLength = "15"
StreamMaxLength = "26214400"
MaxThreads = "12"
ReadTimeout = "180"
SendBufTimeout = "200"
SelfCheck = "3600"
User = "root"
BytecodeTimeout = "60000"
MaxScanTime = "120000"
MaxScanSize = "104857600"
MaxFileSize = "26214400"
MaxRecursion = "16"
MaxEmbeddedPE = "10485760"
MaxHTMLNormalize = "10485760"
MaxHTMLNoTags = "2097152"
MaxScriptNormalize = "5242880"
PCREMatchLimit = "10000"
PCRERecMatchLimit = "5000"
PCREMaxFileSize = "26214400"
OnAccessIncludePath = "/tmp/", "/dev/shm/", "/home/", "/root/", "/opt/"
OnAccessExcludeUname = "clamav"
OnAccessMaxFileSize = "524288000"
OnAccessPrevention = "yes"

Config file: freshclam.conf

LogFileMaxSize = "4294967295"
LogTime = "yes"
LogRotate = "yes"
UpdateLogFile = "/var/log/clamav/freshclam.log"
Checks = "24"
DatabaseMirror = "db.local.clamav.net", "database.clamav.net"
MaxAttempts = "5"
ReceiveTimeout disabled

clamav-milter.conf not found

Software settings

Version: 1.0.5
Optional features supported: MEMPOOL AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 ICONV JSON

Database information

Database directory: /var/lib/clamav
main.cvd: version 62, sigs: 6647427, built on Thu Sep 16 12:32:42 2021
daily.cvd: version 27386, sigs: 2066267, built on Mon Sep 2 08:35:36 2024
bytecode.cvd: version 335, sigs: 86, built on Tue Feb 27 15:37:24 2024
Total number of signatures: 8713780

Platform information

uname: Linux 6.8.0-41-generic #41-Ubuntu SMP PREEMPT_DYNAMIC Fri Aug 2 20:41:06 UTC 2024 x86_64
OS: Linux, ARCH: x86_64, CPU: x86_64
Full OS version: No LSB modules are available.
Ubuntu 24.04.1 LTS
zlib version: 1.3 (1.3), compile flags: a9
platform id: 0x0a21a5a508000000000d0200

Build information

GNU C: 13.2.0 (13.2.0)
sizeof(void*) = 8
Engine flevel: 165, dconf: 165

@micahsnyder
Contributor

If you're running clamd as User root then you need to also set OnAccessExcludeUname root.

Otherwise, clamonacc is going to request scans for temp files created by clamd, which will create new temp files, which will have clamonacc request scans for temp files created by clamd, etc, etc, and everything will lock up, as you observed.

@lightthemad
Author

If only I had known that before doing that on a production server :/ Stupid me, I guess, but I wish ClamAV had some protective measure to prevent "shooting its own leg"... @micahsnyder thanks for clarifying the situation.

@micahsnyder
Contributor

I agree. I feel like it should automatically exclude the "User" user.
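
The misconfiguration discussed in this thread can be caught before clamonacc is started. The following pre-flight check is an added example, not part of the issue thread and not ClamAV code: it reads a clamd.conf body and reports when the `User` account is missing from `OnAccessExcludeUname` while `OnAccessIncludePath` entries are present. The function names, the `started_as` parameter and the shape of the returned finding are assumptions made for this example, and only the name-based exclusion discussed above is checked.

```python
# Pre-flight check for the clamd/clamonacc scan loop described in this issue.
# Added example; helper names and the finding format are hypothetical.

def parse_clamd_conf(text):
    """Map each clamd.conf option name to the list of values given for it."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        opts.setdefault(parts[0], []).append(value)
    return opts


def self_scan_finding(text, started_as=None):
    """Return a finding dict if clamd's own account is not excluded, else None.

    started_as: account that launches clamd when the file has no User line
    (assumption: the caller knows it; if unknown, nothing is reported).
    """
    opts = parse_clamd_conf(text)
    paths = opts.get("OnAccessIncludePath", [])
    if not paths:
        return None  # no on-access paths configured in this file
    user = opts.get("User", [started_as])[-1]
    if user is None:
        return None
    excluded = opts.get("OnAccessExcludeUname", [])
    if user in excluded:
        return None
    # With prevention enabled, file access is held until the scan verdict
    # arrives, which is when the loop stalls other processes.
    blocking = opts.get("OnAccessPrevention", ["no"])[-1].lower() == "yes"
    return {"user": user, "excluded": excluded, "paths": paths,
            "blocking": blocking, "fix": f"OnAccessExcludeUname {user}"}


# The on-access lines from the report above.
REPORTED_CONF = """\
User root
OnAccessMaxFileSize 500M
OnAccessPrevention yes
OnAccessExcludeUname clamav
OnAccessIncludePath /tmp/
OnAccessIncludePath /root/
"""

if __name__ == "__main__":
    print(self_scan_finding(REPORTED_CONF))
```
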
