
0.99.3 - bb11963 - ensuring users have a way to correctly exlcude UID 0 when using the onaccess scanner

Mickey Sola authored on 2017/11/28 05:01:55
Showing 3 changed files
... ...
@@ -807,6 +807,7 @@ onas_fan_checkowner (int pid, const struct optstruct *opts)
807 807
 {
808 808
     char path[32];
809 809
     STATBUF sb;
810
+    int num_arg;
810 811
     const struct optstruct *opt;
811 812
 
812 813
     if (pid == (int) getpid()) {
... ...
@@ -821,7 +822,9 @@ onas_fan_checkowner (int pid, const struct optstruct *opts)
821 821
     {
822 822
         while (opt)
823 823
         {
824
-            if (opt->numarg == (long long) sb.st_uid)
824
+            /* We use UID 0 in place of -1 because the option would be disabled for UID 0*/
825
+            (opt->numarg == -1) ? (num_arg = 0) : (num_arg = opt->numarg);
826
+            if (num_arg == (long long) sb.st_uid)
825 827
                 return 1;
826 828
             opt = opt->nextarg;
827 829
         }
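Review bot: `num_arg` is declared `int` in the first hunk, but the second hunk assigns it `opt->numarg`, which the removed comparison treated as `long long`, so a configured value outside the `int` range is narrowed before it is compared with `sb.st_uid`; on common platforms a constructed value such as 4294967296 would presumably collapse to 0 and exempt root-owned processes from on-access scanning. This matters more because the option-table change on this page replaces `MATCH_NUMBER` with `NULL` for OnAccessExcludeUID, which appears to drop the pattern check on that value. Declaring `long long num_arg;` and writing `num_arg = (opt->numarg == -1) ? 0 : opt->numarg;` keeps the full width and avoids using the ternary as a statement. The new comment also reads backwards; `/* -1 stands for UID 0, because a numeric value of 0 disables the option */` matches what the code does. onas_fan_checkowner begins and ends outside both hunks.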
... ...
@@ -610,10 +610,11 @@ Example
610 610
 #OnAccessExcludePath /home/bofh
611 611
 
612 612
 # With this option you can whitelist specific UIDs. Processes with these UIDs
613
-# will be able to access all files.
613
+# will be able to access all files. For UID 0 please use a value of -1 since
614
+# a value of 0 will disable this option.
614 615
 # This option can be used multiple times (one per line).
615 616
 # Default: disabled
616
-#OnAccessExcludeUID 0
617
+#OnAccessExcludeUID -1
617 618
 
618 619
 # Toggles dynamic directory determination. Allows for recursively watching include paths.
619 620
 # (On-access scan only)
... ...
@@ -404,7 +404,7 @@ const struct clam_option __clam_options[] = {
404 404
 
405 405
     { "OnAccessExcludePath", NULL, 0, CLOPT_TYPE_STRING, NULL, -1, NULL, FLAG_MULTIPLE, OPT_CLAMD, "This option allows excluding directories from on-access scanning. It can\nbe used multiple times. Only works with DDD system.", "/home/bofh\n/root" },
406 406
 
407
-    { "OnAccessExcludeUID", NULL, 0, CLOPT_TYPE_NUMBER, MATCH_NUMBER, -1, NULL, FLAG_MULTIPLE, OPT_CLAMD, "With this option you can whitelist specific UIDs. Processes with these UIDs\nwill be able to access all files.\nThis option can be used multiple times (one per line).", "0" },
407
+    { "OnAccessExcludeUID", NULL, 0, CLOPT_TYPE_NUMBER, NULL, -1, NULL, FLAG_MULTIPLE, OPT_CLAMD, "With this option you can whitelist specific UIDs. Processes with these UIDs\nwill be able to access all files.\nThis option can be used multiple times (one per line). For a UID of 0 please use the value -1 instead, since 0 will disable this option.", "0" },
408 408
 
409 409
     { "OnAccessMaxFileSize", NULL, 0, CLOPT_TYPE_SIZE, MATCH_SIZE, 5242880, NULL, 0, OPT_CLAMD, "Files larger than this value will not be scanned in on access.", "5M" },
410 410