@@ -1,3 +1,7 @@

+Sat Aug 18 16:12:51 BST 2007 (njh)

+----------------------------------

+ * clamav-milter:	Black-hole-mode no longer needs to be run as root

+

 Sat Aug 18 13:25:52 BST 2007 (njh)

 ----------------------------------

   * libclamav/pdf.c:	Bug 618, --block-max not always honoured

@@ -33,7 +33,7 @@

  */

 static	char	const	rcsid[] = "$Id: clamav-milter.c,v 1.312 2007/02/12 22:24:21 njh Exp $";

-#define	CM_VERSION	"devel-130807"

+#define	CM_VERSION	"devel-180807"

 #if HAVE_CONFIG_H

 #include "clamav-config.h"

@@ -1176,12 +1176,6 @@ main(int argc, char **argv)

 #endif

 			}

-			if(black_hole_mode && (user->pw_uid != 0)) {

-				fprintf(stderr, _("%s: You cannot use black hole mode unless you are root\n"),

-					argv[0]);

-				return EX_CONFIG;

-			}

-

 			setgid(user->pw_gid);

 			if(setuid(user->pw_uid) < 0)

@@ -1190,9 +1184,52 @@ main(int argc, char **argv)

 				cli_dbgmsg(_("Running as user %s (UID %d, GID %d)\n"),

 					cpt->strarg, (int)user->pw_uid,

 					(int)user->pw_gid);

-		} else if(!black_hole_mode)

-			fprintf(stderr, _("%s: running as root is not recommended (check \"User\" in %s)\n"), argv[0], cfgfile);

+			if(black_hole_mode && (user->pw_uid != 0)) {

+				int are_trusted;

+				FILE *sendmail;

+				char cmd[128];

+

+				/*

+				 * Determine if we're a "trusted user"

+				 */

+				snprintf(cmd, sizeof(cmd) - 1, "%s -bv root</dev/null 2>&1",

+					SENDMAIL_BIN);

+

+				sendmail = popen(cmd, "r");

+

+				if(sendmail == NULL) {

+					perror(SENDMAIL_BIN);

+					are_trusted = 0;

+				} else {

+					char buf[BUFSIZ];

+

+					while(fgets(buf, sizeof(buf), sendmail) != NULL)

+						;

+					switch(WEXITSTATUS(pclose(sendmail))) {

+						case EX_NOUSER:

+							/*

+							 * No root? But at least

+							 * we're trusted enough

+							 * to find out!

+							 */

+							are_trusted = 1;

+							break;

+						default:

+							are_trusted = 0;

+							break;

+						case EX_OK:

+							are_trusted = 1;

+					}

+				}

+				if(!are_trusted) {

+					fprintf(stderr, _("%s: You cannot use black hole mode unless you are a TrustedUser\n"),

+						argv[0]);

+					return EX_CONFIG;

+				}

+			}

+		} else

+			logg(_("^%s: running as root is not recommended (check \"User\" in %s)\n"), argv[0], cfgfile);

 	} else if(iface) {

 		fprintf(stderr, _("%s: Only root can set an interface for --broadcast\n"), argv[0]);

 		return EX_USAGE;

@@ -2927,6 +2964,9 @@ clamfi_envrcpt(SMFICTX *ctx, char **argv)

 			smfi_setreply(ctx, "554", "5.7.1", _("Suspicious recipient address blocked"));

 			logg("^Suspicious recipient address blocked: '%s'", to);

 			privdata->to[privdata->numTo] = NULL;

+			/*

+			 * REJECT rejects this recipient, not the entire email

+			 */

 			return SMFIS_REJECT;

 		}

@@ -6365,10 +6405,10 @@ black_hole(const struct privdata *privdata)

 	must_scan = (*to) ? 0 : 1;

 	for(; *to; to++) {

-		char cmd[128];

 		FILE *sendmail;

+		char cmd[128];

-		snprintf(cmd, sizeof(cmd) - 1, "%s -bv \"%s\" < /dev/null 2>&1",

+		snprintf(cmd, sizeof(cmd) - 1, "%s -bv \"%s\"</dev/null 2>&1",

 			SENDMAIL_BIN, *to);

 		cli_dbgmsg("Calling %s\n", cmd);

@@ -298,12 +298,16 @@ Since \fIsendmail\fR calls its milters before it looks in its alias and virtuser

 tables, clamav-milter can spend time looking for malware that's going to be

 thrown away even if the message is clean.

 .IP

-Enable this to not scan these messages (in practice clamav\-milter will discard

+Enabling this stops these messages from being scanned

+(in practice clamav\-milter will discard

 these messages so the message doesn't go further down the milter call chain).

 .IP

-Sadly, these days sendmail \-bv only works as root,

-so this option is not compatible with the User directive in clamd.conf,

-which some may view as a security risk.

+To enable this mode clamav-milter must have certain sendmail rights:

+it needs to run as a TrustedUser as defined by \fIsendmail\fR

+(see http://www.sendmail.org/m4/tweaking_config.html)

+by the use of the User directive in clamd.conf,

+the clamav user must be able read the mail queue (often /var/spool/mqueue),

+and AllowSupplementaryGroups must be enabled in clamd.conf.

 Only enable this if your site has many addresses aliased to /dev/null.

 .SH "BUGS"

 There is no support for IPv6.

@@ -315,4 +319,4 @@ clamav\-milter \-o local:/var/run/clamav/clmilter.sock

 Nigel Horne <njh@bandsman.co.uk>

 .SH "SEE ALSO"

 .LP

-sendmail(1), clamd(8), clamscan(1), freshclam(1), sigtool(1), clamd.conf(5), hosts_access(5)

+clamd(8), clamscan(1), freshclam(1), sigtool(1), clamd.conf(5), hosts_access(5), sendmail(8)