git-svn-id: file:///var/lib/svn/clamav-devel/trunk/clamav-devel@320 77e5149b-7576-45b1-b177-96237e5ba77b
Nigel Horne authored on 2004/02/21 20:05:23... | ... |
@@ -1,3 +1,7 @@ |
1 |
+Sat Feb 21 11:09:12 GMT 2004 (njh) |
|
2 |
+---------------------------------- |
|
3 |
+ * clamav-milter: Don't run if the quarantine-dir is publically accessable |
|
4 |
+ |
|
1 | 5 |
Fri Feb 20 23:21:42 CET 2004 (tk) |
2 | 6 |
--------------------------------- |
3 | 7 |
* configure: --enable-yp-check (use ypmatch utility instead of /etc/passwd |
... | ... |
@@ -241,6 +241,7 @@ Changes |
241 | 241 |
the order of includes so some prototypes weren't getting in |
242 | 242 |
0.67f 20/2/04 Added checkClamd() - if possible attempts to see if clamd has |
243 | 243 |
died |
244 |
+0.67g 21/2/04 Don't run if the quarantine-dir is publically accessable |
|
244 | 245 |
|
245 | 246 |
BUG REPORTS |
246 | 247 |
|
... | ... |
@@ -241,9 +241,13 @@ |
241 | 241 |
* getting in |
242 | 242 |
* 0.67f 20/2/04 Added checkClamd() - if possible attempts to see |
243 | 243 |
* if clamd has died |
244 |
+ * 0.67g 21/2/04 Don't run if the quarantine-dir is publically accessable |
|
244 | 245 |
* |
245 | 246 |
* Change History: |
246 | 247 |
* $Log: clamav-milter.c,v $ |
248 |
+ * Revision 1.53 2004/02/21 11:03:23 nigelhorne |
|
249 |
+ * Error if quarantine-dir is publically accessable |
|
250 |
+ * |
|
247 | 251 |
* Revision 1.52 2004/02/20 17:07:24 nigelhorne |
248 | 252 |
* Added checkClamd |
249 | 253 |
* |
... | ... |
@@ -338,7 +342,7 @@ |
338 | 338 |
* Support AllowSupplementaryGroups |
339 | 339 |
* |
340 | 340 |
* Revision 1.21 2003/11/22 11:47:45 nigelhorne |
341 |
- * Drop root priviliges and support quanrantine |
|
341 |
+ * Drop root priviliges and support quarantine |
|
342 | 342 |
* |
343 | 343 |
* Revision 1.20 2003/11/19 16:32:22 nigelhorne |
344 | 344 |
* Close cmdSocket earlier |
... | ... |
@@ -385,9 +389,9 @@ |
385 | 385 |
* Revision 1.6 2003/09/28 16:37:23 nigelhorne |
386 | 386 |
* Added -f flag use MaxThreads if --max-children not set |
387 | 387 |
*/ |
388 |
-static char const rcsid[] = "$Id: clamav-milter.c,v 1.52 2004/02/20 17:07:24 nigelhorne Exp $"; |
|
388 |
+static char const rcsid[] = "$Id: clamav-milter.c,v 1.53 2004/02/21 11:03:23 nigelhorne Exp $"; |
|
389 | 389 |
|
390 |
-#define CM_VERSION "0.67f" |
|
390 |
+#define CM_VERSION "0.67g" |
|
391 | 391 |
|
392 | 392 |
/*#define CONFDIR "/usr/local/etc"*/ |
393 | 393 |
|
... | ... |
@@ -905,9 +909,26 @@ main(int argc, char **argv) |
905 | 905 |
} else |
906 | 906 |
fprintf(stderr, "%s: running as root is not recommended\n", argv[0]); |
907 | 907 |
} |
908 |
- if(quarantine_dir && (access(quarantine_dir, W_OK) < 0)) { |
|
909 |
- perror(quarantine_dir); |
|
910 |
- return EX_CONFIG; |
|
908 |
+ if(quarantine_dir) { |
|
909 |
+ struct stat statb; |
|
910 |
+ |
|
911 |
+ if(access(quarantine_dir, W_OK) < 0) { |
|
912 |
+ perror(quarantine_dir); |
|
913 |
+ return EX_CONFIG; |
|
914 |
+ } |
|
915 |
+ if(stat(quarantine_dir, &statb) < 0) { |
|
916 |
+ perror(quarantine_dir); |
|
917 |
+ return EX_CONFIG; |
|
918 |
+ } |
|
919 |
+ /* |
|
920 |
+ * Quit if the quarantine directory is publically readable |
|
921 |
+ * or writeable |
|
922 |
+ */ |
|
923 |
+ if(statb.st_mode & 077) { |
|
924 |
+ fprintf(stderr, "%s: unsafe quarantine directory %s\n", |
|
925 |
+ argv[0], quarantine_dir); |
|
926 |
+ return EX_CONFIG; |
|
927 |
+ } |
|
911 | 928 |
} |
912 | 929 |
|
913 | 930 |
if(sigFilename && !updateSigFile()) |
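Review bot: The new permission test in main() checks only the low mode bits of quarantine_dir, never that the path is a directory or who owns it. Both `access(quarantine_dir, W_OK)` and `stat()` succeed on a regular file with mode 0600, so the test could become `if(!S_ISDIR(statb.st_mode) || (statb.st_mode & 077)) {`. When the milter is left running as root (the context above only warns about that), a 0700 directory owned by another account would presumably pass as well, so comparing `statb.st_uid` with `geteuid()` is worth considering. The mask 077 also rejects any group access and the search bits, which is stricter than the comment's "publically readable or writeable"; the comment could read `/* Quit unless only the owner has any access to the quarantine directory */`. main() starts and ends outside this hunk.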
... | ... |
@@ -48,6 +48,11 @@ Send a failure message to the sender, and to the postmaster. |
48 | 48 |
fake their source address, so this option is not recommended ]. |
49 | 49 |
See also \-\-noreject. |
50 | 50 |
.TP |
51 |
+\fB-C, \-\-dont-log-clean\fR |
|
52 |
+Messages without viruses are usually logged if SysLog is set in |
|
53 |
+\fBclamav.conf\fR since it gives a feel-good factor. |
|
54 |
+This option turns that off. |
|
55 |
+.TP |
|
51 | 56 |
\fB-d, \-\-dont-scan-on-error\fR |
52 | 57 |
If a system error occurs pass messages through unscanned, |
53 | 58 |
usually when a system error occurs the milter raises a temporary failure which |
... | ... |
@@ -95,7 +100,9 @@ redirected to it. |
95 | 95 |
.TP |
96 | 96 |
\fB-U, \-\-quarantine-dir=DIR\fR |
97 | 97 |
If this option is given, infected files are left in this directory. |
98 |
-Note - this option only works when using LocalSocket. |
|
98 |
+The directory must not be publically readable or writeable, if it is, |
|
99 |
+clamav\-milter will issue an error and fail to start. |
|
100 |
+\fBNote\fR - this option only works when using LocalSocket. |
|
99 | 101 |
.TP |
100 | 102 |
\fB\-\-server=HOSTNAME/ADDRESS, \-s HOSTNAME/ADDRESS\fR |
101 | 103 |
IP address or hostname of server(s) running clamd (when using TCPsocket). |