... | ... |
@@ -18,6 +18,8 @@ |
18 | 18 |
* MA 02110-1301, USA. |
19 | 19 |
*/ |
20 | 20 |
|
21 |
+#define _BSD_SOURCE |
|
22 |
+ |
|
21 | 23 |
#if HAVE_CONFIG_H |
22 | 24 |
#include "clamav-config.h" |
23 | 25 |
#endif |
... | ... |
@@ -165,8 +167,6 @@ int main(int argc, char **argv) |
165 | 165 |
return 0; |
166 | 166 |
} |
167 | 167 |
|
168 |
- umask(0); |
|
169 |
- |
|
170 | 168 |
/* drop privileges */ |
171 | 169 |
#ifndef _WIN32 |
172 | 170 |
if(geteuid() == 0 && (opt = optget(opts, "User"))->enabled) { |
... | ... |
@@ -464,10 +464,48 @@ int main(int argc, char **argv) |
464 | 464 |
} |
465 | 465 |
#ifndef _WIN32 |
466 | 466 |
if(localsock) { |
467 |
+ mode_t sock_mode, umsk = umask(0777); /* socket is created with 000 to avoid races */ |
|
467 | 468 |
if ((lsockets[nlsockets] = localserver(opts)) == -1) { |
468 | 469 |
ret = 1; |
470 |
+ umask(umsk); |
|
471 |
+ break; |
|
472 |
+ } |
|
473 |
+ umask(umsk); /* restore umask */ |
|
474 |
+ if(optget(opts, "LocalSocketGroup")->enabled) { |
|
475 |
+ char *gname = optget(opts, "LocalSocketGroup")->strarg, *end; |
|
476 |
+ gid_t sock_gid = strtol(gname, &end, 10); |
|
477 |
+ if(*end) { |
|
478 |
+ struct group *pgrp = getgrnam(gname); |
|
479 |
+ if(!pgrp) { |
|
480 |
+ logg("!Unknown group %s\n", gname); |
|
481 |
+ ret = 1; |
|
482 |
+ break; |
|
483 |
+ } |
|
484 |
+ sock_gid = pgrp->gr_gid; |
|
485 |
+ } |
|
486 |
+ if(fchown(lsockets[nlsockets], -1, sock_gid)) { |
|
487 |
+ logg("!Failed to change socket ownership to group %s\n", gname); |
|
488 |
+ ret = 1; |
|
489 |
+ break; |
|
490 |
+ } |
|
491 |
+ } |
|
492 |
+ if(optget(opts, "LocalSocketPerms")->enabled) { |
|
493 |
+ char *end; |
|
494 |
+ sock_mode = strtol(optget(opts, "LocalSocketPerms")->strarg, &end, 8); |
|
495 |
+ if(*end) { |
|
496 |
+ logg("!Invalid LocalSocketPerms %s\n", optget(opts, "LocalSocketPerms")->strarg); |
|
497 |
+ ret = 1; |
|
498 |
+ break; |
|
499 |
+ } |
|
500 |
+ } else |
|
501 |
+ sock_mode = 0777 /* & ~umsk*/; /* conservative default: umask was 0 in clamd < 0.96 */ |
|
502 |
+ |
|
503 |
+ if(fchmod(lsockets[nlsockets], sock_mode & 0666)) { |
|
504 |
+ logg("!Cannot set socket permission to %s\n", optget(opts, "LocalSocketPerms")->strarg); |
|
505 |
+ ret = 1; |
|
469 | 506 |
break; |
470 | 507 |
} |
508 |
+ |
|
471 | 509 |
nlsockets++; |
472 | 510 |
} |
473 | 511 |
|
... | ... |
@@ -184,6 +184,10 @@ const struct clam_option __clam_options[] = { |
184 | 184 |
|
185 | 185 |
{ "LocalSocket", NULL, 0, TYPE_STRING, NULL, -1, NULL, 0, OPT_CLAMD, "Path to a local socket file the daemon will listen on.", "/tmp/clamd.socket" }, |
186 | 186 |
|
187 |
+ { "LocalSocketGroup", NULL, 0, TYPE_STRING, NULL, -1, NULL, 0, OPT_CLAMD, "Sets the group ownership on the unix socket.", "virusgroup" }, |
|
188 |
+ |
|
189 |
+ { "LocalSocketPerms", NULL, 0, TYPE_STRING, NULL, -1, NULL, 0, OPT_CLAMD, "Sets the permissions on the unix socket.", "660" }, |
|
190 |
+ |
|
187 | 191 |
{ "FixStaleSocket", NULL, 0, TYPE_BOOL, MATCH_BOOL, 1, NULL, 0, OPT_CLAMD | OPT_MILTER, "Remove a stale socket after unclean shutdown", "yes" }, |
188 | 192 |
|
189 | 193 |
{ "TCPSocket", NULL, 0, TYPE_NUMBER, MATCH_NUMBER, -1, NULL, 0, OPT_CLAMD, "A TCP port number the daemon will listen on.", "3310" }, |