One morning, after drinking my first cup of coffee of the day, I decided to try DAZ. The handbook said it was required to run as root, but with the strength given by my breakfast I decided: no, I will not. Here is the result:
I'm a hardened Gentoo user, so I decided to emerge clamav (if you aren't, make sure that your clamav is not compiled with --disable-clamuko). In its configuration file (/etc/clamd.conf) I set these options (here is one of them, the interesting one):
User clamav
UM RELATED STUFF
After setting up the UM clamav user properly with (as secoff, or bofh on my system):
bofh@orion~$rsbac_useradd -m -r -P -i 20 -d /adm/clamav -g 700 -u 700
The user was added with its own password, out of separation-of-duties concerns.
I proceeded to configure AUTH properly:
AUTH RELATED STUFF
bofh@orion~$auth_set_cap FD add /usr/sbin/clamd 0/700
bofh@orion~$auth_set_cap -e FD add /usr/sbin/clamd 0/700
bofh@orion~$auth_set_cap -f FD add /usr/sbin/clamd 0/700
The commands above with the -e and -f flags are only required if you have CONFIG_RSBAC_AUTH_DAC_OWNER in your kernel config; if not, omit them.
Another point to keep in mind: if you enabled CONFIG_RSBAC_AUTH_GROUP, you have to add the AUTH capabilities to its group (the -G, -E and -F flags to auth_set_cap).
Then I started granting clamd the privileges it requires to work (as capabilities):
CAP RELATED STUFF
In my tests, clamd needs CHOWN, DAC_READ_SEARCH, FOWNER, SETGID and SETUID as minimal capabilities. So I granted them as minimal caps:
bofh@orion~$attr_set_file_dir FD /usr/sbin/clamd min_caps CHOWN DAC_READ_SEARCH FOWNER SETGID SETUID
And of course, as I granted minimal caps, I forbade passing LD environment variables:
bofh@orion~$attr_set_file_dir FD /usr/sbin/clamd cap_ld_env 0
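A check one could run after the steps above, added here as an example and not part of the original page: it reads the effective uid and the CapEff mask from /proc/<pid>/status text and compares them with uid 700 and the five capabilities granted above. It assumes the CAP module's min_caps are reflected in the Linux effective capability set shown in /proc; the function names and the sample status text are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). Assumption: RSBAC CAP min_caps
# show up in CapEff of /proc/<pid>/status. Bit numbers: linux/capability.h.

EXPECTED_CAPS="CHOWN DAC_READ_SEARCH FOWNER SETGID SETUID"   # set granted on the page

# Map a capability name (as passed to min_caps) to its bit number.
cap_bit() {
    case "$1" in
        CHOWN) echo 0 ;; DAC_OVERRIDE) echo 1 ;; DAC_READ_SEARCH) echo 2 ;;
        FOWNER) echo 3 ;; FSETID) echo 4 ;; KILL) echo 5 ;;
        SETGID) echo 6 ;; SETUID) echo 7 ;;
        *) return 1 ;;
    esac
}

# Build the hex bitmask for a list of capability names.
caps_to_mask() {
    mask=0
    for c in "$@"; do
        bit=$(cap_bit "$c") || { echo "unknown capability: $c" >&2; return 1; }
        mask=$((mask | (1 << bit)))
    done
    printf '%x\n' "$mask"
}

# check_status STATUS_TEXT EXPECTED_UID
# Returns 0 only if the effective uid matches and CapEff is exactly the
# expected mask (no missing and no extra capability); 2 on unparsable input.
check_status() {
    euid=$(printf '%s\n' "$1" | awk '$1 == "Uid:" { print $3 }')
    capeff=$(printf '%s\n' "$1" | awk '$1 == "CapEff:" { print $2 }')
    [ -n "$euid" ] && [ -n "$capeff" ] || return 2
    case "$capeff" in *[!0-9a-fA-F]*) return 2 ;; esac
    want=$(caps_to_mask $EXPECTED_CAPS) || return 2
    [ "$euid" = "$2" ] || { echo "effective uid is $euid, expected $2"; return 1; }
    [ "$((0x$capeff))" -eq "$((0x$want))" ] ||
        { echo "CapEff is $capeff, expected $want"; return 1; }
    echo "ok: uid $euid, CapEff $capeff"
}

# Constructed sample, not captured from a real system. On a live host:
#   check_status "$(cat /proc/$(pidof clamd)/status)" 700
SAMPLE_STATUS="Name: clamd
Uid: 700 700 700 700
CapEff: 00000000000000cd"

check_status "$SAMPLE_STATUS" 700
```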
To be continued… soon