clamd crash with : ERROR: Failed to open log file /dev/stdout: Too many levels of symbolic links #1371

Open
ybrock opened this issue Sep 23, 2024 · 6 comments

@ybrock

ybrock commented Sep 23, 2024

Since the patch regarding CVE-2024-20506, it is not possible to use /dev/stdout as the LogFile parameter.
In a containerized environment, this is an issue, as we want to capture the output of the process to the console (to be sent later on to any log stack).

If you set "LogFile /dev/stdout" in clamd.conf, clamd refuses to start now:

    cat /etc/clamd.conf  | grep ^LogFile
    LogFile /dev/stdout

    clamd -c /etc/clamd.conf --debug
    ERROR: Failed to open log file /dev/stdout: Too many levels of symbolic links
    ERROR: Can't initialize the internal logger

@ybrock
Author

ybrock commented Sep 23, 2024

I forgot to mention that this is a new issue introduced with 1.7.0 and this was working with 1.6.0, before the patch for CVE-2024-20506

@micahsnyder
Contributor

Hi @ybrock. You're the second person I've heard that ran into this.

I feel like I must be misunderstanding something. I am still confused why it is necessary to use LogFile /dev/stdout. In addition to the LogFile feature that writes to a file, clamd also writes logs to stdout or stderr.

If you need the stderr messages sent to stdout, perhaps you can change to start clamd with 2>&1?

GugahBrz referenced this issue in GugahBrz/heroku-buildpack-clamav Sep 26, 2024
@benweaver37

benweaver37 commented Sep 26, 2024

We were running clamav in Kubernetes and were using /dev/stdout for log visibility. Since the patch that @ybrock mentioned, clamav has been crashing across our environments with the "Too many levels of symbolic links" error.

Our solution was to remove any reference to /dev/stdout in clam.conf and freshclam.conf, use a log file location for clamd and freshclam, and then tail -f those log files to /dev/stdout with an entrypoint.sh.

@mortaelth

link to the commit which changed the behavior for reference: 88efeda

@mortaelth

mortaelth commented Oct 17, 2024

The same in our case. clamd running in Kubernetes. We don't want to lose the freshclam logs, so we are sending them to /dev/stdout using this:

    UpdateLogFile /dev/stdout

It would be nice if there was a built-in way to do it to avoid customizing Dockerfiles just for that. Or perhaps I am missing some piece from the documentation.

The advice of using 2>&1 is not useful here, as it would require adjustments in the original init script.
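
Added example, not part of the thread and not ClamAV's code: "Too many levels of symbolic links" is the ELOOP text that open(2) gives on Linux when O_NOFOLLOW meets a symlink as the last path component, and /dev/stdout is such a symlink. Assuming the patched logger opens its file that way, this sketch reproduces the failure on a constructed symlink and flags LogFile/UpdateLogFile values that would trip it; the function names and the sample config are hypothetical.

```python
import errno
import os
import tempfile

# Directives named in this thread whose value is a log path.
LOG_DIRECTIVES = {"LogFile", "UpdateLogFile"}


def open_log_nofollow(path):
    """Open a log for append, refusing a symlink as the final component (assumed post-patch behaviour)."""
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW
    return os.open(path, flags, 0o640)


def symlinked_log_paths(conf_text):
    """Return (directive, path) pairs whose configured path is itself a symlink."""
    hits = []
    for line in conf_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in LOG_DIRECTIVES:
            path = parts[1].strip()
            if os.path.islink(path):
                hits.append((parts[0], path))
    return hits


def demo():
    """Exercise both helpers on a constructed config inside a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        real = os.path.join(tmp, "clamd.log")
        link = os.path.join(tmp, "stdout-like")  # stands in for /dev/stdout
        os.symlink(real, link)
        conf = f"# constructed sample\nLogFile {link}\nUpdateLogFile {real}\n"
        try:
            os.close(open_log_nofollow(link))
            result = "OK"
        except OSError as exc:
            result = errno.errorcode[exc.errno]  # symbolic errno name
        os.close(open_log_nofollow(real))  # a regular file path opens fine
        flagged = [directive for directive, _ in symlinked_log_paths(conf)]
        return result, flagged, os.path.exists(real)


if __name__ == "__main__":
    print(demo())
```

Running `symlinked_log_paths` over the real clamd.conf and freshclam.conf before an upgrade lists the directives that need a regular file path instead.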

@micahsnyder
Contributor

I'm not sure why I didn't mention this earlier but freshclam also has a --stdout option:

    --stdout                             Write to stdout instead of stderr.
                                         Does not affect 'debug' messages.

It is already used in that init script. If I just run the container with docker, I see messages from both freshclam and clamd:

❯ docker run -it --mount type=bind,source=$HOME/clams/1.4.1/etc/,target=/usr/local/etc clamav/clamav:latest
Starting Freshclamd
Starting ClamAV
Socket for clamd not found yet, retrying (0/1800) ...ClamAV update process started at Thu Oct 17 14:25:14 2024
daily database available for update (local version: 27426, remote version: 27430)
Current database is 4 versions behind.
Downloading database patch # 27427...
Time:    0.2s, ETA:    0.0s [========================>]    5.09KiB/5.09KiB  0.2s [============>            ]    2.67KiB/5.09KiB
Downloading database patch # 27428...
Time:    0.2s, ETA:    0.0s [========================>]    2.93KiB/2.93KiB
Downloading database patch # 27429...
Time:    0.1s, ETA:    0.0s [========================>]       916B/916B
Downloading database patch # 27430...
Time:    0.1s, ETA:    0.0s [========================>]    1.27KiB/1.27KiB
Testing database: '/var/lib/clamav/tmp.01f8d1b70c/clamav-d69c91ecb3deec374b6f4643a7ac4988.tmp-daily.cld' ...
Socket for clamd not found yet, retrying (8/1800) ...Database test passed.
daily.cld updated (version: 27430, sigs: 2067245, f-level: 90, builder: raynman)
main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
bytecode.cvd database is up-to-date (version: 335, sigs: 86, f-level: 90, builder: raynman)
WARNING: Clamd was NOT notified: Can't connect to clamd through /tmp/clamd.sock: No such file or directory
Socket for clamd not found yet, retrying (18/1800) ...Thu Oct 17 14:25:33 2024 -> Limits: Global time limit set to 120000 milliseconds.
Thu Oct 17 14:25:33 2024 -> Limits: Global size limit set to 419430400 bytes.
Thu Oct 17 14:25:33 2024 -> Limits: File size limit set to 104857600 bytes.
Thu Oct 17 14:25:33 2024 -> Limits: Recursion level limit set to 17.
Thu Oct 17 14:25:33 2024 -> Limits: Files limit set to 10000.
Thu Oct 17 14:25:33 2024 -> Limits: MaxEmbeddedPE limit set to 41943040 bytes.
Thu Oct 17 14:25:33 2024 -> Limits: MaxHTMLNormalize limit set to 41943040 bytes.
Thu Oct 17 14:25:33 2024 -> Limits: MaxHTMLNoTags limit set to 8388608 bytes.
Thu Oct 17 14:25:33 2024 -> Limits: MaxScriptNormalize limit set to 20971520 bytes.
Thu Oct 17 14:25:33 2024 -> Limits: MaxZipTypeRcg limit set to 1048576 bytes.
Thu Oct 17 14:25:33 2024 -> Limits: MaxPartitions limit set to 50.
Thu Oct 17 14:25:33 2024 -> Limits: MaxIconsPE limit set to 100.
Thu Oct 17 14:25:33 2024 -> Limits: MaxRecHWP3 limit set to 16.
Thu Oct 17 14:25:33 2024 -> Limits: PCREMatchLimit limit set to 100000.
Thu Oct 17 14:25:33 2024 -> Limits: PCRERecMatchLimit limit set to 2000.
Thu Oct 17 14:25:33 2024 -> Limits: PCREMaxFileSize limit set to 104857600.
Thu Oct 17 14:25:33 2024 -> Archive support enabled.
Thu Oct 17 14:25:33 2024 -> Image (graphics) scanning support enabled.
Thu Oct 17 14:25:33 2024 -> Detection using image fuzzy hash enabled.
Thu Oct 17 14:25:33 2024 -> AlertExceedsMax heuristic detection disabled.
Thu Oct 17 14:25:33 2024 -> Heuristic alerts enabled.
Thu Oct 17 14:25:33 2024 -> Portable Executable support enabled.
Thu Oct 17 14:25:33 2024 -> ELF support enabled.
Thu Oct 17 14:25:33 2024 -> Mail files support enabled.
Thu Oct 17 14:25:33 2024 -> OLE2 support enabled.
Thu Oct 17 14:25:33 2024 -> PDF support enabled.
Thu Oct 17 14:25:33 2024 -> SWF support enabled.
Thu Oct 17 14:25:33 2024 -> HTML support enabled.
Thu Oct 17 14:25:33 2024 -> XMLDOCS support enabled.
Thu Oct 17 14:25:33 2024 -> HWP3 support enabled.
Thu Oct 17 14:25:33 2024 -> OneNote support enabled.
Thu Oct 17 14:25:33 2024 -> Self checking every 600 seconds.
Thu Oct 17 14:25:33 2024 -> Set stacksize to 1048576
socket found, clamd started.

Is there something about kubernetes that silences stdout from the init script unless you write to /dev/stdout?

I tried basically the same thing, using microk8s to run a clamav/clamav:latest pod and checked the logs. It looks the same:

❯ microk8s kubectl get pods
NAME                      READY   STATUS    RESTARTS   AGE
clamav-8648bbbf65-46r97   1/1     Running   0          2m27s

❯ microk8s kubectl logs -f clamav-8648bbbf65-46r97
Starting Freshclamd
Starting ClamAV
Socket for clamd not found yet, retrying (0/1800) ...ClamAV update process started at Thu Oct 17 15:23:17 2024
daily database available for update (local version: 27426, remote version: 27430)
Socket for clamd not found yet, retrying (1/1800) ...Testing database: '/var/lib/clamav/tmp.3b9c4f7e77/clamav-a272eb565b7babca78698fb468e92e4c.tmp-daily.cld' ...
Socket for clamd not found yet, retrying (8/1800) ...Database test passed.
daily.cld updated (version: 27430, sigs: 2067245, f-level: 90, builder: raynman)
main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
bytecode.cvd database is up-to-date (version: 335, sigs: 86, f-level: 90, builder: raynman)
WARNING: Clamd was NOT notified: Can't connect to clamd through /tmp/clamd.sock: No such file or directory
Socket for clamd not found yet, retrying (21/1800) ...Thu Oct 17 15:23:39 2024 -> Limits: Global time limit set to 120000 milliseconds.
Thu Oct 17 15:23:39 2024 -> Limits: Global size limit set to 419430400 bytes.
Thu Oct 17 15:23:39 2024 -> Limits: File size limit set to 104857600 bytes.
Thu Oct 17 15:23:39 2024 -> Limits: Recursion level limit set to 17.
Thu Oct 17 15:23:39 2024 -> Limits: Files limit set to 10000.
Thu Oct 17 15:23:39 2024 -> Limits: MaxEmbeddedPE limit set to 41943040 bytes.
Thu Oct 17 15:23:39 2024 -> Limits: MaxHTMLNormalize limit set to 41943040 bytes.
Thu Oct 17 15:23:39 2024 -> Limits: MaxHTMLNoTags limit set to 8388608 bytes.
Thu Oct 17 15:23:39 2024 -> Limits: MaxScriptNormalize limit set to 20971520 bytes.
Thu Oct 17 15:23:39 2024 -> Limits: MaxZipTypeRcg limit set to 1048576 bytes.
Thu Oct 17 15:23:39 2024 -> Limits: MaxPartitions limit set to 50.
Thu Oct 17 15:23:39 2024 -> Limits: MaxIconsPE limit set to 100.
Thu Oct 17 15:23:39 2024 -> Limits: MaxRecHWP3 limit set to 16.
Thu Oct 17 15:23:39 2024 -> Limits: PCREMatchLimit limit set to 100000.
Thu Oct 17 15:23:39 2024 -> Limits: PCRERecMatchLimit limit set to 2000.
Thu Oct 17 15:23:39 2024 -> Limits: PCREMaxFileSize limit set to 104857600.
Thu Oct 17 15:23:39 2024 -> Archive support enabled.
Thu Oct 17 15:23:39 2024 -> Image (graphics) scanning support enabled.
Thu Oct 17 15:23:39 2024 -> Detection using image fuzzy hash enabled.
Thu Oct 17 15:23:39 2024 -> AlertExceedsMax heuristic detection disabled.
Thu Oct 17 15:23:39 2024 -> Heuristic alerts enabled.
Thu Oct 17 15:23:39 2024 -> Portable Executable support enabled.
Thu Oct 17 15:23:39 2024 -> ELF support enabled.
Thu Oct 17 15:23:39 2024 -> Mail files support enabled.
Thu Oct 17 15:23:39 2024 -> OLE2 support enabled.
Thu Oct 17 15:23:39 2024 -> PDF support enabled.
Thu Oct 17 15:23:39 2024 -> SWF support enabled.
Thu Oct 17 15:23:39 2024 -> HTML support enabled.
Thu Oct 17 15:23:39 2024 -> XMLDOCS support enabled.
Thu Oct 17 15:23:39 2024 -> HWP3 support enabled.
Thu Oct 17 15:23:39 2024 -> OneNote support enabled.
Thu Oct 17 15:23:39 2024 -> Self checking every 600 seconds.
Thu Oct 17 15:23:39 2024 -> Set stacksize to 1048576
socket found, clamd started.
