MacOS X Server Security Update 2009-005 Breaks Something About Freshclam

| | Comments (8)

If you're seeing a lot of this

Sep 15 19:26:03 shr-g5 org.clamav.freshclam[3087]: ERROR: Incorrect argument format for option <strike>-checks (</strike>c) Sep 15 19:26:03 shr-g5 org.clamav.freshclam[3087]: ERROR: Can't parse command line options Sep 15 19:26:03 shr-g5 com.apple.launchd[1] (org.clamav.freshclam[3087]): Exited with exit code: 1 Sep 15 19:26:03 shr-g5 com.apple.launchd[1] (org.clamav.freshclam): Throttling respawn: Will start in 10 seconds in your /var/log/system.log file, then it's because the file /System/Library/LaunchDaemons/org.clamav.freshclam.plist is somewhat hosed.1 If you Google the error, you'll come up dry. Examining the plist file doesn't yield any excitement. It looks like this: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>Iterations</key> <integer>1</integer> <key>Label</key> <string>org.clamav.freshclam</string> <key>OnDemand</key> <false/> <key>Program</key> <string>/usr/bin/freshclam</string> <key>ProgramArguments</key> <array> <string>freshclam</string> <string>-d</string> <string>-c 4</string> </array> <key>ServiceIPC</key> <false/> <key>UserName</key> <string>_clamav</string> </dict> </plist> And, in fact, if you try executing /usr/freshclam -d -c 4, you will see, as I did, that there is nothing amiss. It works fine. So what gives?

I don't know what made me do it, but I used Lingon, a very wonderful but, alas, dead program to generate a launchd.plist file to compare this one against. There was one very subtle difference. The one that Lingon generated had this bit in it:

<array> <string>freshclam</string> <string>-d</string> <string>-c</string> <string>4</string> </array>

Didja' catch that? It's subtle, but it's apparently a killer. I don't know how XML is really supposed to work, but it seems that a string with "-c 4" in it doesn't get properly placed into the command line arguments for freshclam, but two strings, one with "-c" and the other with "4", get concatenated into the proper "-c 4". Go figure.

The other problem the file has, but which doesn't seem to be a real problem, is that the Iterations key seems to be unknown. I couldn't find it anywhere in the manpage for launchd.plist and launchd complains about it somewhere else in the logfile, so I took that key out.

So... give the command line a little sudo lovin', make these changes, unload the faulty plist and load up the new one, and you're good to go.

sudo emacs /System/Library/LaunchDaemons/org.clamav.freshclam.plist editing occurs sudo launchctl unload /System/Library/LaunchDaemons/org.clamav.freshclam.plist sudo launchctl load /System/Library/LaunchDaemons/org.clamav.freshclam.plist

Problem...

...solved.


1 I broke the lines strangely here because code blocks don't wrap, for one, and because I wanted Google to pick up on the error message in its entirety.

8 Comments

Ted Dively said:

Thanks for this entry, Bill! I ran into the problem on a handful of clients' servers. What fixed it for me though, was making sure a space was in front of the "-c" string, like this:

    <key>ProgramArguments</key>
    <array>
            <string>freshclam</string>
            <string>-d</string>
            <string> -c</string>
            <string>3</string>
    </array>

Without the string, it still kicked out errors in /var/log/system.log, but now all is good.

Hans Kruse said:

Indeed, thanks for the detective work. Not much information on the web when OS X Server issues pop up!

I did the fix a bit differently, after looking at the man page for freshclam, I replaced

"-c 4"

with

"--checks=4"

I like this because it keeps the argument in one XML value, and it is more readable. I guess the security update broke something in launchd when it tries to pass a program argument with a space in it.

Bill Eccles said:

Oh, hey, both good solutions. I like Hans's solution a bit better, and in fact I would go so far as to change the other argument to "--daemon" just for visual consistency, too.

Thanks, guys. Glad to have helped.

Mike said:

Thanks - wouldn't have guessed that one :)

Bayard Bell said:

I noticed that Server Admin will break this whenever it tries to "fix" its mapping between the argument words as expected by freshclam and the way it passes them to launchd via the XML. As used as I am to looking at things based on how shells see words, the XML is actually a bit easier to understand, in that each string element will be passed as a quoted word to the shell (or just to the relevant exec system call, which may or may not allow for and think necessary first calling a shell for argument interpolation), without having to think about single or double quote roles or escape characters.

I filed a bug report with Apple for this. The URL for the bug reporting system is http://bugreport.apple.com. The ID for the bug is 7293993, although I don't know if the system allows people to see issues opened by others.

David Wilson said:

Thank you!

Fixed it for me too.

  • David
Woody said:

Thanks soooooo much. I've been seeing this a while, and it's hard to debug other problems when syslog keeps scrolling because clamav isn't running right.

Printed and stuck in my "Binder of All Knowledge" LOL

pneame said:

Fabulous - thanks!