git-svn-id: file:///var/lib/svn/clamav-devel/trunk/clamav-devel@124 77e5149b-7576-45b1-b177-96237e5ba77b
Nigel Horne authored on 2003/11/24 13:50:37... | ... |
@@ -1,3 +1,7 @@ |
1 |
+Mon Nov 24 10:19:48 IST 2003 (njh) |
|
2 |
+---------------------------------- |
|
3 |
+ * clamav-milter: Support AllowSupplementaryGroups |
|
4 |
+ |
|
1 | 5 |
Sun Nov 23 23:40:53 CET 2003 (tk) |
2 | 6 |
--------------------------------- |
3 | 7 |
* clamd: redirect the descriptors 1 and 2 to /dev/null by default, to |
... | ... |
@@ -156,9 +156,14 @@ |
156 | 156 |
* Added setpgrp() |
157 | 157 |
* 0.65b 22/11/03 Ensure milter is not run as root if requested |
158 | 158 |
* Added quarantine support |
159 |
+ * 0.65c 24/11/03 Support AllowSupplementaryGroups |
|
160 |
+ * Fix warning about root usage |
|
159 | 161 |
* |
160 | 162 |
* Change History: |
161 | 163 |
* $Log: clamav-milter.c,v $ |
164 |
+ * Revision 1.22 2003/11/24 04:48:44 nigelhorne |
|
165 |
+ * Support AllowSupplementaryGroups |
|
166 |
+ * |
|
162 | 167 |
* Revision 1.21 2003/11/22 11:47:45 nigelhorne |
163 | 168 |
* Drop root priviliges and support quanrantine |
164 | 169 |
* |
... | ... |
@@ -207,9 +212,9 @@ |
207 | 207 |
* Revision 1.6 2003/09/28 16:37:23 nigelhorne |
208 | 208 |
* Added -f flag use MaxThreads if --max-children not set |
209 | 209 |
*/ |
210 |
-static char const rcsid[] = "$Id: clamav-milter.c,v 1.21 2003/11/22 11:47:45 nigelhorne Exp $"; |
|
210 |
+static char const rcsid[] = "$Id: clamav-milter.c,v 1.22 2003/11/24 04:48:44 nigelhorne Exp $"; |
|
211 | 211 |
|
212 |
-#define CM_VERSION "0.65b" |
|
212 |
+#define CM_VERSION "0.65c" |
|
213 | 213 |
|
214 | 214 |
/*#define CONFDIR "/usr/local/etc"*/ |
215 | 215 |
|
... | ... |
@@ -245,15 +250,18 @@ static char const rcsid[] = "$Id: clamav-milter.c,v 1.21 2003/11/22 11:47:45 nig |
245 | 245 |
#include <regex.h> |
246 | 246 |
#include <fcntl.h> |
247 | 247 |
#include <pwd.h> |
248 |
+#include <grp.h> |
|
248 | 249 |
|
249 | 250 |
#define _GNU_SOURCE |
250 | 251 |
#include "getopt.h" |
251 | 252 |
|
252 | 253 |
/* |
253 | 254 |
* TODO: optional: xmessage on console when virus stopped (SNMP would be real nice!) |
255 |
+ * Having said that, with LogSysLog you can (on Linux) configure the system |
|
256 |
+ * to get messages on the system console, see syslog.conf(5), also you |
|
257 |
+ * can use wall(1) in the VirusEvent entry in clamav.conf |
|
254 | 258 |
* TODO: allow -s server to use a name as well as an IP address |
255 | 259 |
* TODO: build with libclamav.so rather than libclamav.a |
256 |
- * TODO: check security - which UID will this run under? |
|
257 | 260 |
* TODO: bounce message should optionally be read from a file |
258 | 261 |
* TODO: optionally add a signature that the message has been scanned with ClamAV |
259 | 262 |
* TODO: Support ThreadTimeout, LogTime and Logfile from the conf |
... | ... |
@@ -342,7 +350,10 @@ static in_port_t tcpSocket; |
342 | 342 |
static const char *serverIP = "127.0.0.1"; |
343 | 343 |
static const char *postmaster = "postmaster"; |
344 | 344 |
|
345 |
-/* TODO: read in from a file */ |
|
345 |
+/* |
|
346 |
+ * Whitelist of e-mail addresses that we do NOT scan |
|
347 |
+ * TODO: read in from a file |
|
348 |
+ */ |
|
346 | 349 |
static const char *ignoredEmailAddresses[] = { |
347 | 350 |
/*"Mailer-Daemon@bandsman.co.uk", |
348 | 351 |
"postmaster@bandsman.co.uk",*/ |
... | ... |
@@ -363,10 +374,10 @@ help(void) |
363 | 363 |
puts("\t--local\t\t\t-l\tScan messages sent from machines on our LAN."); |
364 | 364 |
puts("\t--outgoing\t\t-o\tScan outgoing messages from this machine."); |
365 | 365 |
puts("\t--noxheader\t\t-n\tSuppress X-Virus-Scanned header."); |
366 |
- puts("\t--postmaster\t\t-p\tPostmaster address [default=postmaster]."); |
|
366 |
+ puts("\t--postmaster\t\t-p EMAIL\tPostmaster address [default=postmaster]."); |
|
367 | 367 |
puts("\t--postmaster-only\t-P\tSend warnings only to the postmaster."); |
368 |
- puts("\t--quarantine=USER\t-Q USER\tQuanrantine e-mail account."); |
|
369 | 368 |
puts("\t--quiet\t\t\t-q\tDon't send e-mail notifications of interceptions."); |
369 |
+ puts("\t--quarantine=USER\t-Q EMAIL\tQuanrantine e-mail account."); |
|
370 | 370 |
puts("\t--server=ADDRESS\t-s ADDR\tIP address of server running clamd (when using TCPsocket)."); |
371 | 371 |
puts("\t--version\t\t-V\tPrint the version number of this software."); |
372 | 372 |
#ifdef CL_DEBUG |
... | ... |
@@ -440,7 +451,7 @@ main(int argc, char **argv) |
440 | 440 |
"outgoing", 0, NULL, 'o' |
441 | 441 |
}, |
442 | 442 |
{ |
443 |
- "postmaster", 0, NULL, 'p' |
|
443 |
+ "postmaster", 1, NULL, 'p' |
|
444 | 444 |
}, |
445 | 445 |
{ |
446 | 446 |
"postmaster-only", 0, NULL, 'P', |
... | ... |
@@ -555,16 +566,26 @@ main(int argc, char **argv) |
555 | 555 |
return EX_CONFIG; |
556 | 556 |
} |
557 | 557 |
|
558 |
- /* drop priviledges */ |
|
559 |
- if((getuid() == 0) && (cpt = cfgopt(copt, "User"))) { |
|
560 |
- if((user = getpwnam(cpt->strarg)) == NULL) { |
|
561 |
- fprintf(stderr, "%s: Can't get information about user %s.\n", argv[0], cpt->strarg); |
|
562 |
- return EX_CONFIG; |
|
563 |
- } |
|
558 |
+ /* |
|
559 |
+ * Drop privileges |
|
560 |
+ */ |
|
561 |
+ if(getuid() == 0) { |
|
562 |
+ if((cpt = cfgopt(copt, "User")) != NULL) { |
|
563 |
+ if((user = getpwnam(cpt->strarg)) == NULL) { |
|
564 |
+ fprintf(stderr, "%s: Can't get information about user %s\n", argv[0], cpt->strarg); |
|
565 |
+ return EX_CONFIG; |
|
566 |
+ } |
|
564 | 567 |
|
565 |
- setuid(user->pw_uid); |
|
566 |
- } else |
|
567 |
- fprintf(stderr, "%s: running as root is not recommended\n", argv[0]); |
|
568 |
+ if(cfgopt(copt, "AllowSupplementaryGroups")) |
|
569 |
+ initgroups(cpt->strarg, user->pw_gid); |
|
570 |
+ else |
|
571 |
+ setgroups(1, &user->pw_gid); |
|
572 |
+ |
|
573 |
+ setgid(user->pw_gid); |
|
574 |
+ setuid(user->pw_uid); |
|
575 |
+ } else |
|
576 |
+ fprintf(stderr, "%s: running as root is not recommended\n", argv[0]); |
|
577 |
+ } |
|
568 | 578 |
|
569 | 579 |
if(!cfgopt(copt, "StreamSaveToDisk")) { |
570 | 580 |
fprintf(stderr, "%s: StreamSavetoDisk not enabled in %s\n", |
... | ... |
@@ -672,7 +693,8 @@ main(int argc, char **argv) |
672 | 672 |
* Get the incoming socket details - the way sendmail talks to |
673 | 673 |
* us |
674 | 674 |
* |
675 |
- * TODO: There's a security problem here that'll need fixing |
|
675 |
+ * TODO: There's a security problem here that'll need fixing if |
|
676 |
+ * the User entry of clamav.conf is not used |
|
676 | 677 |
*/ |
677 | 678 |
if(strncasecmp(port, "unix:", 5) == 0) { |
678 | 679 |
if(unlink(&port[5]) < 0) |
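Review bot: In the privilege-drop hunk of main() (`@@ -555,16 +566,26 @@`), the return values of `initgroups()`, `setgroups()`, `setgid()` and `setuid()` are all ignored, so if any of them fails the milter keeps root's uid, gid or supplementary groups and reports nothing. The call order (supplementary groups, then gid, then uid) is correct, but each call should be checked and startup aborted on failure, as the `getpwnam()` branch just above already does with `return EX_CONFIG;`. The block is also gated on `getuid() == 0` alone, so a process with a non-root real uid but an effective uid of 0 would skip it; it is worth confirming that the milter cannot be started that way. main() begins and ends outside this hunk.

```c
			/* … unchanged: getpwnam() lookup of the User entry … */

			if(cfgopt(copt, "AllowSupplementaryGroups")) {
				if(initgroups(cpt->strarg, user->pw_gid) < 0) {
					perror("initgroups");
					return EX_CONFIG;
				}
			} else if(setgroups(1, &user->pw_gid) < 0) {
				perror("setgroups");
				return EX_CONFIG;
			}

			/* gid before uid: once the uid is dropped the gid can no longer be changed */
			if((setgid(user->pw_gid) < 0) || (setuid(user->pw_uid) < 0)) {
				fprintf(stderr, "%s: Can't drop privileges to user %s\n", argv[0], cpt->strarg);
				return EX_CONFIG;
			}
		/* … unchanged: else branch warning about running as root … */
```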