This is really a note to self, but I've spent all day trying to figure this out, so thought it might be useful to others. I do have a couple of questions though, so if someone knows about systemd that would be great.
Running Moodle 3.4 on Ubuntu 18.04 with apache2.
I was getting the following error:
ClamAV has failed to run.
The return error message was "An error occured".
Here is the output from ClamAV:
/tmp/phpXejPcp: lstat() failed: No such file or directory. ERROR
So clearly a permissions error on /tmp
I followed instructions like: add the user (clamav) to the apache group (www-data).
No change.
Finally got to a setting in systemd:
PrivateTmp=true
https://www.freedesktop.org/software/systemd/man/systemd.exec.html#PrivateTmp=
(on Ubuntu 18.04 this is found here: /etc/systemd/system/multi-user.target.wants/apache2.service)
This, it turns out, creates Private dirs in tmp for each service. And for security's sake, one service's tmp files can't be read by another.
So the obvious thing to do is set that to false. And after restarting the daemon and apache2, it does indeed work.
But... doesn't that undo that cross process security feature? I guess so. Does that really matter? I'm not qualified to say. I'd be happy to hear from someone who actually knows.
So I did a bit more digging, and found that there is another setting:
JoinsNamespaceOf=
https://www.freedesktop.org/software/systemd/man/systemd.unit.html#JoinsNamespaceOf=
This can be used to join 2 namespaces into a single private tmp area.
So, in /etc/systemd/system/multi-user.target.wants/clamav-daemon.service I set:
[Unit]
...
JoinsNamespaceOf=apache2.service
(add it under [Unit] if it's not already there)
And in /etc/systemd/system/multi-user.target.wants/apache2.service, I reverted to PrivateTmp=true
Restarted services etc and this also works.
I would love to hear opinions of which is the best solution, or if I completely barked up the wrong tree.
Ta
