git-svn: trunk@3011
Nigel Horne authored on 2007/04/09 13:23:39... | ... |
@@ -371,7 +371,43 @@ Function names appear at the start of lines (I use ctags). |
371 | 371 |
Document your changes. If you add, remove, or change functionality you will |
372 | 372 |
need to update the manual page and possibly the usage message as well. |
373 | 373 |
|
374 |
-6. TODO |
|
374 |
+6. CHROOT JAIL |
|
375 |
+ |
|
376 |
+The instructions will differ for you, but these will give you an idea |
|
377 |
+ |
|
378 |
+ mkdir /var/run/clamav-root |
|
379 |
+ chown clamav:clamav /var/run/clamav-root |
|
380 |
+ chmod 750 /var/run/clamav-root |
|
381 |
+ cd /var/run/clamav-root |
|
382 |
+ mkdir var |
|
383 |
+ mkdir var/tmp |
|
384 |
+ ln -s var/tmp . |
|
385 |
+ mkdir var/log |
|
386 |
+ cd var/log |
|
387 |
+ ln -s ../../../../../var/log/clamav . |
|
388 |
+ cd .. |
|
389 |
+ mkdir run |
|
390 |
+ mkdir run/clamav |
|
391 |
+ chown clamav:clamav run/clamav |
|
392 |
+ cd .. |
|
393 |
+ mkdir usr |
|
394 |
+ mkdir usr/local |
|
395 |
+ mkdir usr/local/share |
|
396 |
+ ln -s ../../../../../../usr/local/share/clamav . |
|
397 |
+ |
|
398 |
+In sendmail.mc: |
|
399 |
+INPUT_MAIL_FILTER(`clamav', `S=local:/var/run/clamav-root/var/run/clamav/clamav.sock, F=T, T=S:4m;R:4m;C:30s;E:10m')dnl |
|
400 |
+ |
|
401 |
+When starting clamav-milter use options such as (notice that the localation |
|
402 |
+of clamav.sock is different in sendmail.mc than the location clamav-milter |
|
403 |
+expects to see it) |
|
404 |
+ --chroot=/var/run/clamav-root --max-children=3 -P --pidfile=/var/run/clamav/clamav-milter.pid --blacklist=60 --black-hole-mode local:/var/run/clamav/clamav.sock |
|
405 |
+ |
|
406 |
+You may need to modify your shutdown script to look for clamav-milter.pid |
|
407 |
+in /var/run/clamav-root/var/run/clamav/clamav-milter.pid |
|
408 |
+ |
|
409 |
+7. TODO |
|
375 | 410 |
|
376 | 411 |
There are several ideas marked as TODO in the source code. If anyone has |
377 |
-any other suggestions please feel free to contact me. |
|
412 |
+any other suggestions please feel free to contact me. To avoid disappointment |
|
413 |
+always contact me before undertaking any work. |
@@ -33,7 +33,7 @@ |
33 | 33 |
*/ |
34 | 34 |
static char const rcsid[] = "$Id: clamav-milter.c,v 1.312 2007/02/12 22:24:21 njh Exp $"; |
35 | 35 |
|
36 |
-#define CM_VERSION "devel-070406" |
|
36 |
+#define CM_VERSION "devel-070409" |
|
37 | 37 |
|
38 | 38 |
#if HAVE_CONFIG_H |
39 | 39 |
#include "clamav-config.h" |
@@ -480,6 +480,10 @@ static long *serverIPs; /* IPv4 only */ |
480 | 480 |
#endif |
481 | 481 |
static int numServers; /* number of elements in serverIPs array */ |
482 | 482 |
|
483 |
+#ifdef CL_EXPERIMENTAL |
|
484 |
+static char *rootdir; /* for chroot */ |
|
485 |
+#endif |
|
486 |
+ |
|
483 | 487 |
#ifdef SESSION |
484 | 488 |
static struct session { |
485 | 489 |
int sock; /* fd */ |
@@ -572,6 +576,9 @@ help(void) |
572 | 572 |
puts(_("\t--bounce\t\t-b\tSend a failure message to the sender.")); |
573 | 573 |
#endif |
574 | 574 |
puts(_("\t--broadcast\t\t-B [IFACE]\tBroadcast to a network manager when a virus is found.")); |
575 |
+#ifdef CL_EXPERIMENTAL |
|
576 |
+ puts(_("\t--chroot=DIR\t\t-C DIR\tChroot to dir when starting.")); |
|
577 |
+#endif |
|
575 | 578 |
puts(_("\t--config-file=FILE\t-c FILE\tRead configuration from FILE.")); |
576 | 579 |
puts(_("\t--debug\t\t\t-D\tPrint debug messages.")); |
577 | 580 |
puts(_("\t--detect-forged-local-address\t-L\tReject mails that claim to be from us.")); |
@@ -693,15 +700,15 @@ main(int argc, char **argv) |
693 | 693 |
int opt_index = 0; |
694 | 694 |
#ifdef BOUNCE |
695 | 695 |
#ifdef CL_DEBUG |
696 |
- const char *args = "a:AbB:c:dDefF:I:k:K:lLm:M:nNop:PqQ:r:hHs:St:T:U:VwW:x:0:1:2"; |
|
696 |
+ const char *args = "a:AbB:c:C:dDefF:I:k:K:lLm:M:nNop:PqQ:r:hHs:St:T:U:VwW:x:0:1:2"; |
|
697 | 697 |
#else |
698 |
- const char *args = "a:AbB:c:dDefF:I:k:K:lLm:M:nNop:PqQ:r:hHs:St:T:U:VwW:0:1:2"; |
|
698 |
+ const char *args = "a:AbB:c:C:dDefF:I:k:K:lLm:M:nNop:PqQ:r:hHs:St:T:U:VwW:0:1:2"; |
|
699 | 699 |
#endif |
700 | 700 |
#else /*!BOUNCE*/ |
701 | 701 |
#ifdef CL_DEBUG |
702 |
- const char *args = "a:AB:c:dDefF:I:k:K:lLm:M:nNop:PqQ:r:hHs:St:T:U:VwW:x:0:1:2"; |
|
702 |
+ const char *args = "a:AB:c:C:dDefF:I:k:K:lLm:M:nNop:PqQ:r:hHs:St:T:U:VwW:x:0:1:2"; |
|
703 | 703 |
#else |
704 |
- const char *args = "a:AB:c:dDefF:I:k:K:lLm:M:nNop:PqQ:r:hHs:St:T:U:VwW:0:1:2"; |
|
704 |
+ const char *args = "a:AB:c:C:dDefF:I:k:K:lLm:M:nNop:PqQ:r:hHs:St:T:U:VwW:0:1:2"; |
|
705 | 705 |
#endif |
706 | 706 |
#endif /*BOUNCE*/ |
707 | 707 |
|
@@ -724,6 +731,9 @@ main(int argc, char **argv) |
724 | 724 |
"config-file", 1, NULL, 'c' |
725 | 725 |
}, |
726 | 726 |
{ |
727 |
+ "chroot", 1, NULL, 'C' |
|
728 |
+ }, |
|
729 |
+ { |
|
727 | 730 |
"detect-forged-local-address", 0, NULL, 'L' |
728 | 731 |
}, |
729 | 732 |
{ |
@@ -867,6 +877,11 @@ main(int argc, char **argv) |
867 | 867 |
case 'c': /* where is clamd.conf? */ |
868 | 868 |
cfgfile = optarg; |
869 | 869 |
break; |
870 |
+#ifdef CL_EXPERIMENTAL |
|
871 |
+ case 'C': /* chroot */ |
|
872 |
+ rootdir = optarg; |
|
873 |
+ break; |
|
874 |
+#endif |
|
870 | 875 |
case 'd': /* don't scan on error */ |
871 | 876 |
cl_error = SMFIS_ACCEPT; |
872 | 877 |
break; |
@@ -1030,10 +1045,14 @@ main(int argc, char **argv) |
1030 | 1030 |
} |
1031 | 1031 |
port = argv[optind]; |
1032 | 1032 |
|
1033 |
- if(verifyIncomingSocketName(port) < 0) { |
|
1034 |
- fprintf(stderr, _("%s: socket-addr (%s) doesn't agree with sendmail.cf\n"), argv[0], port); |
|
1035 |
- return EX_CONFIG; |
|
1036 |
- } |
|
1033 |
+#ifdef CL_EXPERIMENTAL |
|
1034 |
+ if(rootdir == NULL) /* FIXME: Handle CHROOT */ |
|
1035 |
+#endif |
|
1036 |
+ if(verifyIncomingSocketName(port) < 0) { |
|
1037 |
+ fprintf(stderr, _("%s: socket-addr (%s) doesn't agree with sendmail.cf\n"), argv[0], port); |
|
1038 |
+ return EX_CONFIG; |
|
1039 |
+ } |
|
1040 |
+ |
|
1037 | 1041 |
if(strncasecmp(port, "inet:", 5) == 0) |
1038 | 1042 |
if(!lflag) { |
1039 | 1043 |
/* |
@@ -1822,6 +1841,25 @@ main(int argc, char **argv) |
1822 | 1822 |
|
1823 | 1823 |
broadcast(_("Starting clamav-milter")); |
1824 | 1824 |
|
1825 |
+#ifdef CL_EXPERIMENTAL |
|
1826 |
+ if(rootdir) { |
|
1827 |
+ if(getuid() == 0) { |
|
1828 |
+ if(chdir(rootdir) < 0) { |
|
1829 |
+ perror(rootdir); |
|
1830 |
+ return EX_CONFIG; |
|
1831 |
+ } |
|
1832 |
+ if(chroot(rootdir) < 0) { |
|
1833 |
+ perror(rootdir); |
|
1834 |
+ return EX_CONFIG; |
|
1835 |
+ } |
|
1836 |
+ logg("Chrooted to %s\n", rootdir); |
|
1837 |
+ } else { |
|
1838 |
+ logg("!chroot option needs root\n"); |
|
1839 |
+ return EX_CONFIG; |
|
1840 |
+ } |
|
1841 |
+ } |
|
1842 |
+#endif |
|
1843 |
+ |
|
1825 | 1844 |
if(pidfile) { |
1826 | 1845 |
/* save the PID */ |
1827 | 1846 |
char *p, *q; |
@@ -1838,8 +1876,12 @@ main(int argc, char **argv) |
1838 | 1838 |
q = strrchr(p, '/'); |
1839 | 1839 |
*q = '\0'; |
1840 | 1840 |
|
1841 |
- if(chdir(p) < 0) /* safety */ |
|
1842 |
- perror(p); |
|
1841 |
+#ifdef CL_EXPERIMENTAL |
|
1842 |
+ if(rootdir == NULL) |
|
1843 |
+#endif |
|
1844 |
+ if(chdir(p) < 0) /* safety */ |
|
1845 |
+ perror(p); |
|
1846 |
+ |
|
1843 | 1847 |
free(p); |
1844 | 1848 |
|
1845 | 1849 |
if((fd = fopen(pidfile, "w")) == NULL) { |
@@ -1854,13 +1896,19 @@ main(int argc, char **argv) |
1854 | 1854 |
#endif |
1855 | 1855 |
fclose(fd); |
1856 | 1856 |
umask(old_umask); |
1857 |
- } else if(tmpdir) |
|
1858 |
- chdir(tmpdir); /* safety */ |
|
1859 |
- else |
|
1857 |
+ } else if(tmpdir) { |
|
1858 |
+#ifdef CL_EXPERIMENTAL |
|
1859 |
+ if(rootdir == NULL) |
|
1860 |
+#endif |
|
1861 |
+ chdir(tmpdir); /* safety */ |
|
1862 |
+ } else |
|
1863 |
+#ifdef CL_EXPERIMENTAL |
|
1864 |
+ if(rootdir == NULL) |
|
1865 |
+#endif |
|
1860 | 1866 |
#ifdef P_tmpdir |
1861 |
- chdir(P_tmpdir); |
|
1867 |
+ chdir(P_tmpdir); |
|
1862 | 1868 |
#else |
1863 |
- chdir("/tmp"); |
|
1869 |
+ chdir("/tmp"); |
|
1864 | 1870 |
#endif |
1865 | 1871 |
|
1866 | 1872 |
if(cfgopt(copt, "FixStaleSocket")->enabled) { |
@@ -1894,6 +1942,7 @@ main(int argc, char **argv) |
1894 | 1894 |
|
1895 | 1895 |
#if ((SENDMAIL_VERSION_A > 8) || ((SENDMAIL_VERSION_A == 8) && (SENDMAIL_VERSION_B >= 13))) |
1896 | 1896 |
if(smfi_opensocket(1) == MI_FAILURE) { |
1897 |
+ perror(port); |
|
1897 | 1898 |
cli_errmsg("Can't open/create %s\n", port); |
1898 | 1899 |
return EX_CONFIG; |
1899 | 1900 |
} |
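Review bot: In the chroot block of main (hunk `@@ -1822,6 +1841,25 @@`) `chdir(rootdir)` is followed by `chroot(rootdir)`, so a relative `--chroot=DIR` value is resolved twice: once the chdir has succeeded the chroot looks for DIR inside DIR and either fails or jails the wrong directory; use `if(chroot(".") < 0) {` after the chdir, or call chroot first and then `chdir("/")`. The jail is entered only when getuid() is 0 and nothing in the hunk drops privileges afterwards, so the process stays uid 0 inside the jail (presumably the existing --user handling runs earlier and makes getuid() non-zero here, which would make --chroot and a privilege drop mutually exclusive — confirm), and that limitation deserves a comment such as `/* NOTE: chroot needs root and the process remains uid 0 inside the jail; not combined with --user */`. The `C:` letter in the getopt strings (hunk `@@ -693,15 +700,15 @@`) and the `"chroot", 1, NULL, 'C'` long-option entry (hunk `@@ -724,6 +731,9 @@`) are added unconditionally while the `case 'C'` handler and the help text are under CL_EXPERIMENTAL, so a non-experimental build accepts --chroot and then hands it to the switch's default handling outside the hunk instead of reporting an unknown option; wrap those table entries in the same `#ifdef`. The `#ifdef CL_EXPERIMENTAL` / `if(rootdir == NULL)` / `#endif` prefix placed in front of the verifyIncomingSocketName() check, the pidfile chdir and the tmpdir chdir relies on an unbraced if whose body sits across a preprocessor boundary, and it also silently skips the sendmail.cf socket-address consistency check whenever a chroot is requested; braces around each guarded statement plus a one-line comment stating why the check does not apply inside the jail (the FIXME on that line says it is unhandled, not why) would make the intent explicit. main starts and ends outside these hunks.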
@@ -49,6 +49,9 @@ to check if any of their machines are infected. |
49 | 49 |
\fB\-V, \-\-version\fR |
50 | 50 |
Print the version number and exit. |
51 | 51 |
.TP |
52 |
+\fB-C DIR, \-\-chroot=DIR\fR |
|
53 |
+Run in chroot jail DIR. |
|
54 |
+.TP |
|
52 | 55 |
\fB\-c FILE, \-\-config\-file=FILE\fR |
53 | 56 |
By default clamav\-milter uses a default configuration file, this option allows you to specify another one. |
54 | 57 |
.TP |