Add documentation for ExecPaths in systemd units

eternaltyro · eternaltyro · commit 9bdf02f3e70c · 2023-04-04T18:09:38.000+01:00
In systemd unit files, I had missed some paths to commands that are
potentially executed in response to events. These commands are arbitrary
and configurable in clamd.conf and freshclam.conf.

Each of these options invoke an appropriate path to a configured
executable when - for example - a scan is complete or signature update
fails. In order for these executables to run, systemd should allow it.
It is necessary to add these paths to `ExecPaths` in systemd service
unit files.

This change adds comments instructing users and administrators how to do
that and generally helps make sense of the defaults.

- Plus some formatting changes
diff --git a/clamd/clamav-daemon.service.in b/clamd/clamav-daemon.service.in
@@ -11,14 +11,25 @@ ExecStart=@prefix@/sbin/clamd --foreground=true
 # Reload the database
 ExecReload=/bin/kill -USR2 $MAINPID
 TimeoutStartSec=420
-# Security options
-# Remove ProtectSystem, ProtectHome, and ReadWritePaths..
-# if you want clamav to be able to remove infected files.
+
+##
+## Security Hardening Options
+##
+
+# Remove `ProtectSystem`, `ProtectHome`, and `ReadWritePaths`
+# if you want ClamAV to be able to remove infected files.
 ProtectSystem=strict
 ProtectHome=read-only
 ReadWritePaths=/var/log/
+
 NoExecPaths=/
+# If you want to run commands or execute binaries on event,
+# append the full path of the binary or executable to `ExecPaths`
+# Commonly, this is used for `VirusEvent` in clamd.conf or `VirusAction`
+# in clamav-milter.conf.The binaries must be space separated like so:
+;ExecPaths=@prefix@/sbin/clamd /bin/kill /usr/local/bin/send_sms /usr/local/bin/my_infected_message_handler
 ExecPaths=@prefix@/sbin/clamd /bin/kill
+
 ProtectClock=yes
 ProtectKernelTunables=yes
 ProtectKernelModules=yes
diff --git a/etc/clamav-milter.conf.sample b/etc/clamav-milter.conf.sample
@@ -202,6 +202,9 @@ Example
 # Note #2: the process is invoked in the context of clamav-milter
 # Note #3: clamav-milter will wait for the process to exit. Be quick or fork to
 # avoid unnecessary delays in email delivery
+# Note #4: When using systemd to manage ClamAv daemon, ensure that the full path to
+#   the VirusAction target binary / executable is listed in ExecPaths in the service
+#   file clamav-daemon.service in order for the process to be able to execute it.
 # Default: disabled
 #VirusAction /usr/local/bin/my_infected_message_handler
 
diff --git a/etc/clamd.conf.sample b/etc/clamd.conf.sample
@@ -213,6 +213,9 @@ Example
 # be replaced with the virus name and %f will be replaced with the file name.
 # Additionally, two environment variables will be defined: $CLAM_VIRUSEVENT_FILENAME
 # and $CLAM_VIRUSEVENT_VIRUSNAME.
+# Note: When using systemd to manage ClamAV daemon, ensure that the full path to
+#   the VirusEvent target binary / executable is listed in ExecPaths in the service
+#   file clamav-daemon.service in order for the process to be able to execute it.
 # Default: no
 #VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v in %f"
 
diff --git a/etc/freshclam.conf.sample b/etc/freshclam.conf.sample
@@ -151,15 +151,27 @@ DatabaseMirror database.clamav.net
 
 # Run command after successful database update.
 # Use EXIT_1 to return 1 after successful database update.
+# Note: When using systemd to manage FreshClam service, append the
+#   full path to the OnUpdateExecute target command to `ExecPaths` in the
+#   service file clamav-freshclam.service in order for the  process to
+#   be able to execute it.
 # Default: disabled
 #OnUpdateExecute command
 
 # Run command when database update process fails.
+# Note: When using systemd to manage FreshClam service, append the
+#   full path to the OnErrorExecute target command to `ExecPaths` in the
+#   service file clamav-freshclam.service in order for the process to
+#   be able to execute it.
 # Default: disabled
 #OnErrorExecute command
 
 # Run command when freshclam reports outdated version.
 # In the command string %v will be replaced by the new version number.
+# Note: When using systemd to manage FreshClam service, append the
+#   full path to the OnOutdatedExecute target command to `ExecPaths`
+#   in the service file clamav-freshclam.service in order for the process to
+#   be able to execute it.
 # Default: disabled
 #OnOutdatedExecute command
 
diff --git a/freshclam/clamav-freshclam.service.in b/freshclam/clamav-freshclam.service.in
@@ -8,15 +8,24 @@ After=network-online.target
 
 [Service]
 ExecStart=@prefix@/bin/freshclam -d --foreground=true
-# Security Options
+
+##
+## Security Hardening Options
+##
 ProtectSystem=full
 ProtectHome=tmpfs
 ProtectClock=yes
 ProtectKernelTunables=yes
 ProtectKernelModules=yes
 ProtectKernelLogs=yes
 ProtectControlGroups=yes
+
 NoExecPaths=/
+# If you want to run commands on event, append the full path of the command or
+# executable to `ExecPaths`. Commonly, this is used for `OnUpdateExecute`,
+# `OnErrorExecute`, and `OnOutdatedExecute` options in freshclam.conf. Make sure
+# there is only one `ExecPaths` option. The binaries must be space separated like so:
+;ExecPaths=@prefix@/sbin/freshclam /usr/local/bin/OnOutdated.sh /usr/local/bin/OnErrorExecute.sh
 ExecPaths=@prefix@/bin/freshclam
 
 [Install]
