bb11978 - onas: document limitations of OnAccessExcludeRootUID and OnAccessExcludeUID.

James Ralston authored on 2017/12/14 06:56:30
Showing 2 changed files
... ...
@@ -659,17 +659,21 @@ This option allows excluding directories from on-access scanning. It can be used
659 659
 Default: disabled
660 660
 .TP
661 661
 \fBOnAccessExcludeRootUID BOOL\fR
662
-With this option you can whitelist the root UID (0). Processes run under root with be able to access all files without triggering scans or permission denied events.
662
+With this option you can whitelist the root UID (0). Processes run under root will be able to access all files without triggering scans or permission denied events.
663
+.br
664
+Note that if clamd cannot check the uid of the process that generated an on-access scan event (e.g., because \fBOnAccessPrevention\fR was not enabled, and the process already exited), clamd will perform a scan.  Thus, setting \fBOnAccessExcludeRootUID\fR is not \fIguaranteed\fR to prevent every access by the root user from triggering a scan (unless \fBOnAccessPrevention\fR is enabled).
663 665
 .br
664 666
 Default: no
665 667
 .TP
666 668
 \fBOnAccessExcludeUID NUMBER\fR
667
-With this option you can whitelist specific UIDs. Processes with these UIDs will be able to access all files.
669
+With this option you can whitelist specific UIDs. Processes with these UIDs will be able to access all files without triggering scans or permission denied events.
668 670
 .br
669 671
 This option can be used multiple times (one per line).
670 672
 .br
671 673
 Note: using a value of 0 on any line will disable this option entirely. To whitelist the root UID (0) please enable the OnAccessExcludeRootUID option.
672 674
 .br
675
+Also note that if clamd cannot check the uid of the process that generated an on-access scan event (e.g., because \fBOnAccessPrevention\fR was not enabled, and the process already exited), clamd will perform a scan.  Thus, setting \fBOnAccessExcludeUID\fR is not \fIguaranteed\fR to prevent every access by the specified uid from triggering a scan (unless \fBOnAccessPrevention\fR is enabled).
676
+.br
673 677
 Default: disabled
674 678
 .TP
675 679
 \fBOnAccessMaxFileSize SIZE\fR
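Review bot: the two added notes in this hunk write "uid" in lowercase ("check the uid of the process", "by the specified uid") while the option names and the surrounding text use "UID"; use "UID" throughout for consistency. The parenthetical "because \fBOnAccessPrevention\fR was not enabled, and the process already exited" implies, but does not state, why prevention mode makes the exclusion reliable; one clause saying that with \fBOnAccessPrevention\fR the access is held until clamd answers, so the process is still alive when its UID is looked up, would make the limitation clearer to an administrator. The note under \fBOnAccessExcludeUID\fR repeats the one under \fBOnAccessExcludeRootUID\fR almost verbatim; a single note with a cross-reference would be easier to keep in sync.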
... ...
@@ -612,6 +612,11 @@ Example
612 612
 # With this option you can whitelist the root UID (0). Processes run under
613 613
 # root with be able to access all files without triggering scans or
614 614
 # permission denied events.
615
+# Note that if clamd cannot check the uid of the process that generated an
616
+# on-access scan event (e.g., because OnAccessPrevention was not enabled, and
617
+# the process already exited), clamd will perform a scan.  Thus, setting
618
+# OnAccessExcludeRootUID is not *guaranteed* to prevent every access by the
619
+# root user from triggering a scan (unless OnAccessPrevention is enabled).
615 620
 # Default: no
616 621
 #OnAccessExcludeRootUID no
617 622
 
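Review bot: the unchanged context line "# root with be able to access all files without triggering scans or" still carries the "with"/"will" typo that the man page hunk of this same commit corrects ("Processes run under root will be able to access all files"); fix it here as well so the sample config and the man page agree. As in the man page, "uid" in the added comment should be "UID" to match the option name on the following lines.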
... ...
@@ -621,6 +626,11 @@ Example
621 621
 # This option can be used multiple times (one per line).
622 622
 # Using a value of 0 on any line will disable this option entirely. To whitelist
623 623
 # the root UID (0) please enable the OnAccessExcludeRootUID option.
624
+# Also note that if clamd cannot check the uid of the process that generated an
625
+# on-access scan event (e.g., because OnAccessPrevention was not enabled, and
626
+# the process already exited), clamd will perform a scan.  Thus, setting
627
+# OnAccessExcludeUID is not *guaranteed* to prevent every access by the
628
+# specified uid from triggering a scan (unless OnAccessPrevention is enabled).
624 629
 # Default: disabled
625 630
 #OnAccessExcludeUID -1
626 631
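Review bot: "the specified uid" in the added comment should read "the specified UID" to match "Using a value of 0 on any line" and the option name used two lines above. The five added lines duplicate the OnAccessExcludeRootUID comment word for word apart from the option name; referring back to that comment ("The same limitation as for OnAccessExcludeRootUID applies") would keep the sample config shorter and avoid the two notes drifting apart in future edits.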