Problem configuring ClamAV in Moodle


by cpass test -
Number of replies: 13

Moodle 3.2.3


Hello,

I configured the ClamAV plugin in Moodle and installed the necessary ClamAV packages on my Linux server.

Running method: Unix domain socket

Unix domain socket:  /var/run/clamd.scan/clamd.sock

The clamd server is running and the socket really exists in the specified location.

But when I tried to upload files in Moodle to test the anti-virus, messages like the following appear in the log file of Clamd:

WARNING: lstat() failed on: /tmp/phpag0dQF

I added user clamscan (the user under which clamd server is running) to the apache group; and added user apache (the user under which httpd server is running) to the clamscan group.

The permissions of /tmp/ are:

drwxrwxrwt. root root

I have disabled SELinux to ensure it is not blocking anything.

I don't understand what is preventing ClamAV from scanning files uploaded via Moodle.

Thanks for your help.

Karl

In reply to cpass test

Re: Problem configuring ClamAV in Moodle

by Howard Miller -

I don't think this is a Moodle issue as such. 

I think you're on the right track... it's almost certainly a permissions error of some sort. I would very carefully re-check whatever instructions you used to install clamav.

There are loads of people having this problem on the clamav mailing lists. Have you looked at those... I'm guessing you have ;)

In reply to Howard Miller

Re: Problem configuring ClamAV in Moodle

by cpass test -
Hi,

Thanks for your answer.

I looked on the clamav mailing lists and the proposed solution didn't work for me.

After more testing I found that the problem seems to be with the temporary destination folder where Moodle uploads files (/tmp/). Even if I call clamdscan directly from a shell to scan any files in the /tmp folder, I get the same error. But if I scan any other folder it works.

Another option might be to add the option "--stream" in the Moodle ClamAV plugin when calling the clamav binary.
In reply to cpass test

Re: Problem configuring ClamAV in Moodle

by Ken Task -

Isn't /tmp for uploading a php variable?

fgrep '/tmp' /etc/php.ini

If that were changed to a directory that clamav (that runs under user clam or clamav) can scan, problem solved?

'spirit of sharing', Ken

In reply to Ken Task

Re: Problem configuring ClamAV in Moodle

by cpass test -

By default, PHP uses the default temporary directory, which is /tmp on my Linux distribution.

I changed the "sys_temp_dir" variable in php.ini to force it to use another folder and it works.

Thank you.

Average of ratings: Useful (1)
In reply to cpass test

Re: Problem configuring ClamAV in Moodle

by Matteo Scaramuccia -

Hello,
could you share more details about your Server?
It could be e.g. SELinux: https://bugzilla.redhat.com/show_bug.cgi?id=1351752 .

Edit: oops.. didn't read the initial post :P
Out of your issue, you could propose to enhance the way Moodle calls ClamAV like the way Drupal did some years ago (https://www.drupal.org/project/clamav/issues/1571596 and https://www.drupal.org/files/1571596-1.instream.patch).

Some more info about how /tmp is mounted? Did you restart Clamav after adding the user to the group? What have you configured within Moodle for the command line? Did you try both CLI and daemon?

HTH,
Matteo

Average of ratings: Useful (1)
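
What the in-stream approach referred to in the post above looks like on the wire, as an added example that is not part of the thread and is not Moodle's or Drupal's code: the client sends the file bytes to clamd over its socket with clamd's INSTREAM command, so clamd never has to open a path inside the web server's /tmp. The socket path is the one quoted in the thread; the function names are hypothetical.

```python
import socket
import struct

CLAMD_SOCKET = "/var/run/clamd.scan/clamd.sock"  # path quoted in the thread


def instream_frames(data: bytes, chunk_size: int = 8192):
    """Yield the byte frames of one clamd INSTREAM session for `data`."""
    yield b"zINSTREAM\0"  # 'z' prefix: command and reply are NUL-terminated
    for off in range(0, len(data), chunk_size):
        chunk = data[off:off + chunk_size]
        # Each chunk: 4-byte big-endian length, then the bytes themselves.
        yield struct.pack("!I", len(chunk)) + chunk
    yield struct.pack("!I", 0)  # zero-length chunk ends the stream


def parse_reply(reply: bytes):
    """Map a clamd reply to (verdict, detail)."""
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    _, _, result = text.partition(": ")
    if result == "OK":
        return ("clean", None)
    if result.endswith(" FOUND"):
        return ("infected", result[:-len(" FOUND")])
    # e.g. "INSTREAM size limit exceeded. ERROR": fail closed, do not accept
    return ("error", text)


def scan_over(sock: socket.socket, data: bytes):
    """Run one INSTREAM scan over an already connected socket."""
    for frame in instream_frames(data):
        sock.sendall(frame)
    reply = b""
    while not reply.endswith(b"\0"):
        part = sock.recv(4096)
        if not part:
            break
        reply += part
    return parse_reply(reply)


def scan_bytes(data: bytes, path: str = CLAMD_SOCKET):
    """Connect to clamd's Unix socket and scan `data` without a temp file."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.settimeout(30)
        sock.connect(path)
        return scan_over(sock, data)
```

The stream must stay within StreamMaxLength from clamd.conf; anything other than a clean verdict should cause the upload to be rejected.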
In reply to Matteo Scaramuccia

Re: Problem configuring ClamAV in Moodle

by cpass test -

Yes I restarted Clamav and the web server after adding the user to the group.

In Moodle I use the following settings:

Running method: Unix domain socket

Unix domain socket:  /var/run/clamd.scan/clamd.sock

Before using the "Unix domain socket" method, I tried with the "Command line" method.

It works, but this method takes much longer. It takes a minimum of 15 seconds to scan a file of less than 1 Mb.

Thank you.

In reply to cpass test

Re: Problem configuring ClamAV in Moodle

by Howard Miller -

Have you checked the clamav log?

In reply to Howard Miller

Re: Problem configuring ClamAV in Moodle

by cpass test -

Yes the "WARNING: lstat() failed on: /tmp/phpXXXXXX" came from the clamav log.

It now works with the "sys_temp_dir" variable (in php.ini) changed to a directory other than the default /tmp.

Same permissions and ownership.

Not working:

drwxrwxrwt.  15 root root 4096 30 jan 10:10 tmp

Working:

drwxrwxrwt.   2 root root   23 30 jan 09:57 tmp2

Thank you.

In reply to cpass test

Re: Problem configuring ClamAV in Moodle

by Matteo Scaramuccia -

And is sestatus actually reporting that SELinux is really disabled?
What is the output of mount about /tmp ?

HTH,
Matteo

In reply to Matteo Scaramuccia

Re: Problem configuring ClamAV in Moodle

by cpass test -

SELinux was in permissive mode and it didn't show any warning.

The /tmp is a folder not a mount.

Someone from the ClamAV mailing list pointed me to the problem: the web server (httpd) has the variable "PrivateTmp=yes", which seems to prevent other services (like clamd) from accessing files it puts inside.

I changed the variable "sys_temp_dir" in php.ini to specify a different directory than /tmp, and it works.


Thanks

Average of ratings: Useful (1)
In reply to cpass test

Re: Problem configuring ClamAV in Moodle

by Matteo Scaramuccia -

Hello,
TNX for sharing the PrivateTmp hint (coming from systemd...)!
Your solution now sounds absolutely reasonable but for the permissions: you can create a candidate TMP folder with the proper permissions avoiding 777 ;)

For the record, the real solution depends on the way clamd has been deployed, starting from disabling PrivateTmp from httpd (e.g.: https://github.com/certbot/certbot/issues/5427).

I'll add some notes in the Wiki, spare time permitted: a good reference can be found also in https://moodle.org/mod/forum/discuss.php?d=316066, but I didn't recall it at the time of my first post.

Matteo

In reply to Matteo Scaramuccia

Re: Problem configuring ClamAV in Moodle

by Jörg S. -

I have a similar problem under Ubuntu 16.04 with moodle and clamd. The files in the Temp folder can only be read by the user www-data at the moment of the upload. The group www-data cannot read the file. This causes an error when accessing clamd. I have already changed the temp directory and modified the permissions accordingly. But even with the SGID bit set for this folder, the permissions on the file remain unchanged.
So it seems (depending on the operating system) that it is not enough to give the user clamav the group www-data.
Any ideas?

In reply to Jörg S.

Re: Problem configuring ClamAV in Moodle

by Matteo Scaramuccia -

Hi Jörg,
the issue looks like Ubuntu is using PrivateTmp while starting Apache via systemd: search for its setting in /etc/systemd/system/multi-user.target.wants/apache2.service.

https://upwork.link/apache2/centos7-how-do-disable-privatetmp-for-apache-with-systemd/ should give you an idea about how to disable it for testing purposes - it works fine on RHEL/CentOS.

HTH,
Matteo

Average of ratings: Useful (1)