git-svn-id: file:///var/lib/svn/clamav-devel/trunk/clamav-devel@546 77e5149b-7576-45b1-b177-96237e5ba77b
Nigel Horne authored on 2004/05/10 02:39:05... | ... |
@@ -380,6 +380,16 @@ Changes |
380 | 380 |
Warn if a clean file can't be removed from the quarantine |
381 | 381 |
When streamMaxLength is exceeded add a header where possible, |
382 | 382 |
unless --noxheader is given |
383 |
+0.70x 7/5/04 Only report that we've dropped privilege if the setuid |
|
384 |
+ succeeded, fix by Jens Elkner |
|
385 |
+ <elkner@linofee.org> |
|
386 |
+ If logVerbose is set state both starting and started messages |
|
387 |
+ (based on an idea by "Sergey Y. Afonin" |
|
388 |
+ <asy@kraft-s.ru> |
|
389 |
+ Also added X-Infected-Received-From: header by Sergey |
|
390 |
+ Fix from Damian Menscher <menscher@uiuc.edu> ensures that when |
|
391 |
+ a child dies we continue when max children is hit |
|
392 |
+ Report an error if inet_ntop fails in tcp_wrappers |
|
383 | 393 |
|
384 | 394 |
BUG REPORTS |
385 | 395 |
|
... | ... |
@@ -383,9 +383,23 @@ |
383 | 383 |
* quarantine |
384 | 384 |
* When streamMaxLength is exceeded add a header where |
385 | 385 |
* possible, unless --noxheader is given |
386 |
+ * 0.70x 9/5/04 Only report that we've dropped privilege if the setuid |
|
387 |
+ * succeeded, fix by Jens Elkner |
|
388 |
+ * <elkner@linofee.org> |
|
389 |
+ * If logVerbose is set state both starting and started |
|
390 |
+ * messages (based on an idea by "Sergey Y. |
|
391 |
+ * Afonin" <asy@kraft-s.ru> |
|
392 |
+ * Also added X-Infected-Received-From: header by Sergey |
|
393 |
+ * Fix from Damian Menscher <menscher@uiuc.edu> ensures |
|
394 |
+ * that when a child dies we continue when max |
|
395 |
+ * children is hit |
|
396 |
+ * Report an error if inet_ntop fails in tcp_wrappers |
|
386 | 397 |
* |
387 | 398 |
* Change History: |
388 | 399 |
* $Log: clamav-milter.c,v $ |
400 |
+ * Revision 1.87 2004/05/09 17:39:04 nigelhorne |
|
401 |
+ * Waiting threads weren't being woken up |
|
402 |
+ * |
|
389 | 403 |
* Revision 1.86 2004/05/06 11:25:20 nigelhorne |
390 | 404 |
* Some work on maxStreamLength |
391 | 405 |
* |
... | ... |
@@ -629,9 +643,9 @@ |
629 | 629 |
* Revision 1.6 2003/09/28 16:37:23 nigelhorne |
630 | 630 |
* Added -f flag use MaxThreads if --max-children not set |
631 | 631 |
*/ |
632 |
-static char const rcsid[] = "$Id: clamav-milter.c,v 1.86 2004/05/06 11:25:20 nigelhorne Exp $"; |
|
632 |
+static char const rcsid[] = "$Id: clamav-milter.c,v 1.87 2004/05/09 17:39:04 nigelhorne Exp $"; |
|
633 | 633 |
|
634 |
-#define CM_VERSION "0.70v" |
|
634 |
+#define CM_VERSION "0.70x" |
|
635 | 635 |
|
636 | 636 |
/*#define CONFDIR "/usr/local/etc"*/ |
637 | 637 |
|
... | ... |
@@ -746,6 +760,7 @@ struct privdata { |
746 | 746 |
long numBytes; /* Number of bytes sent so far */ |
747 | 747 |
char *received; /* keep track of received from */ |
748 | 748 |
const char *rejectCode; /* 550 or 554? */ |
749 |
+ char *messageID; /* sendmailID */ |
|
749 | 750 |
int discard; /* |
750 | 751 |
* looks like the remote end is playing ping |
751 | 752 |
* pong with us |
... | ... |
@@ -1179,10 +1194,11 @@ main(int argc, char **argv) |
1179 | 1179 |
setgroups(1, &user->pw_gid); |
1180 | 1180 |
|
1181 | 1181 |
setgid(user->pw_gid); |
1182 |
- setuid(user->pw_uid); |
|
1183 |
- |
|
1184 |
- cli_dbgmsg("Running as user %s (UID %d, GID %d)\n", |
|
1185 |
- cpt->strarg, user->pw_uid, user->pw_gid); |
|
1182 |
+ if(setuid(user->pw_uid) < 0) |
|
1183 |
+ perror(cpt->strarg); |
|
1184 |
+ else |
|
1185 |
+ cli_dbgmsg("Running as user %s (UID %d, GID %d)\n", |
|
1186 |
+ cpt->strarg, user->pw_uid, user->pw_gid); |
|
1186 | 1187 |
} else |
1187 | 1188 |
fprintf(stderr, "%s: running as root is not recommended\n", argv[0]); |
1188 | 1189 |
} |
... | ... |
@@ -1403,19 +1419,22 @@ main(int argc, char **argv) |
1403 | 1403 |
pidFile = cpt->strarg; |
1404 | 1404 |
|
1405 | 1405 |
if(cfgopt(copt, "LogSyslog")) { |
1406 |
+ if(cfgopt(copt, "LogVerbose")) |
|
1407 |
+ logVerbose = 1; |
|
1408 |
+ use_syslog = 1; |
|
1409 |
+ |
|
1406 | 1410 |
openlog("clamav-milter", LOG_CONS|LOG_PID, LOG_MAIL); |
1407 |
- syslog(LOG_INFO, clamav_version); |
|
1411 |
+ if(logVerbose) |
|
1412 |
+ syslog(LOG_INFO, "Starting: %s", clamav_version); |
|
1413 |
+ else |
|
1414 |
+ syslog(LOG_INFO, clamav_version); |
|
1408 | 1415 |
#ifdef CL_DEBUG |
1409 | 1416 |
if(debug_level > 0) |
1410 | 1417 |
syslog(LOG_DEBUG, "Debugging is on"); |
1411 | 1418 |
#endif |
1412 |
- use_syslog = 1; |
|
1413 |
- |
|
1414 |
- if(cfgopt(copt, "LogVerbose")) |
|
1415 |
- logVerbose = 1; |
|
1416 | 1419 |
} else { |
1417 | 1420 |
if(qflag) |
1418 |
- fprintf(stderr, "%s: (-q && !LogSysLog): warning - all interception message methods are off\n", |
|
1421 |
+ fprintf(stderr, "%s: (-q && !LogSyslog): warning - all interception message methods are off\n", |
|
1419 | 1422 |
argv[0]); |
1420 | 1423 |
use_syslog = 0; |
1421 | 1424 |
} |
... | ... |
@@ -1469,6 +1488,9 @@ main(int argc, char **argv) |
1469 | 1469 |
|
1470 | 1470 |
signal(SIGPIPE, SIG_IGN); |
1471 | 1471 |
|
1472 |
+ if(logVerbose) |
|
1473 |
+ syslog(LOG_INFO, "Started: %s", clamav_version); |
|
1474 |
+ |
|
1472 | 1475 |
return smfi_main(); |
1473 | 1476 |
} |
1474 | 1477 |
|
... | ... |
@@ -1705,7 +1727,7 @@ clamfi_connect(SMFICTX *ctx, char *hostname, _SOCK_ADDR *hostaddr) |
1705 | 1705 |
* "the type is not supported in the current version". What |
1706 | 1706 |
* the documentation doesn't say is the type of what? |
1707 | 1707 |
* |
1708 |
- * Possibly the input is not a TCP/IP socket? |
|
1708 |
+ * Possibly the input is not a TCP/IP socket e.g. stdin? |
|
1709 | 1709 |
*/ |
1710 | 1710 |
remoteIP = "127.0.0.1"; |
1711 | 1711 |
else { |
... | ... |
@@ -1754,7 +1776,15 @@ clamfi_connect(SMFICTX *ctx, char *hostname, _SOCK_ADDR *hostaddr) |
1754 | 1754 |
} |
1755 | 1755 |
|
1756 | 1756 |
#ifdef HAVE_INET_NTOP |
1757 |
- (void)inet_ntop(AF_INET, &((struct sockaddr_in *)(hp->h_addr))->sin_addr, ip, sizeof(ip)); |
|
1757 |
+ if(inet_ntop(AF_INET, &((struct sockaddr_in *)(hp->h_addr))->sin_addr, ip, sizeof(ip)) == NULL) { |
|
1758 |
+ perror(hp->h_name); |
|
1759 |
+ /*if(use_syslog) |
|
1760 |
+ syslog(LOG_WARNING, "Can't get IP address for (%s)", hp->h_name); |
|
1761 |
+ strcpy(ip, (char *)inet_ntoa(*(struct in_addr *)hp->h_addr));*/ |
|
1762 |
+ if(use_syslog) |
|
1763 |
+ syslog(LOG_WARNING, "Access Denied: Can't get IP address for (%s)", hp->h_name); |
|
1764 |
+ return cl_error; |
|
1765 |
+ } |
|
1758 | 1766 |
#else |
1759 | 1767 |
strcpy(ip, (char *)inet_ntoa(*(struct in_addr *)hp->h_addr)); |
1760 | 1768 |
#endif |
... | ... |
@@ -1855,6 +1885,11 @@ clamfi_envfrom(SMFICTX *ctx, char **argv) |
1855 | 1855 |
struct timespec timeout; |
1856 | 1856 |
struct timezone tz; |
1857 | 1857 |
|
1858 |
+ if(use_syslog) |
|
1859 |
+ syslog(LOG_NOTICE, |
|
1860 |
+ "hit max-children limit (%u >= %u): waiting for some to exit", |
|
1861 |
+ n_children, max_children); |
|
1862 |
+ |
|
1858 | 1863 |
/* |
1859 | 1864 |
* Use pthread_cond_timedwait rather than |
1860 | 1865 |
* pthread_cond_wait since the sendmail which calls |
... | ... |
@@ -1863,19 +1898,19 @@ clamfi_envfrom(SMFICTX *ctx, char **argv) |
1863 | 1863 |
* Wait for a maximum of 1 minute. |
1864 | 1864 |
* |
1865 | 1865 |
* TODO: this timeout should be configurable |
1866 |
+ * |
|
1866 | 1867 |
* It stops sendmail getting fidgety. |
1868 |
+ * |
|
1869 |
+ * Patch from Damian Menscher <menscher@uiuc.edu> to |
|
1870 |
+ * ensure it wakes up when a child goes away |
|
1867 | 1871 |
*/ |
1868 | 1872 |
gettimeofday(&now, &tz); |
1869 | 1873 |
timeout.tv_sec = now.tv_sec + 60; |
1870 | 1874 |
timeout.tv_nsec = 0; |
1871 | 1875 |
|
1872 |
- if(use_syslog) |
|
1873 |
- syslog(LOG_NOTICE, |
|
1874 |
- "hit max-children limit (%u >= %u): waiting for some to exit", |
|
1875 |
- n_children, max_children); |
|
1876 | 1876 |
do |
1877 | 1877 |
rc = pthread_cond_timedwait(&n_children_cond, &n_children_mutex, &timeout); |
1878 |
- while(rc != ETIMEDOUT); |
|
1878 |
+ while((n_children >= max_children) && (rc != ETIMEDOUT)); |
|
1879 | 1879 |
} |
1880 | 1880 |
n_children++; |
1881 | 1881 |
|
... | ... |
@@ -2374,10 +2409,15 @@ clamfi_eom(SMFICTX *ctx) |
2374 | 2374 |
for(to = privdata->to; *to; to++) |
2375 | 2375 |
fprintf(sendmail, "Cc: %s\n", *to); |
2376 | 2376 |
/* |
2377 |
- * Auto-submittied is still a draft, keep an |
|
2377 |
+ * Auto-submitted is still a draft, keep an |
|
2378 | 2378 |
* eye on its format |
2379 | 2379 |
*/ |
2380 | 2380 |
fputs("Auto-Submitted: auto-submitted (antivirus notify)\n", sendmail); |
2381 |
+ /* "Sergey Y. Afonin" <asy@kraft-s.ru> */ |
|
2382 |
+ if((ptr = smfi_getsymval(ctx, "{_}")) != NULL) |
|
2383 |
+ fprintf(sendmail, |
|
2384 |
+ "X-Infected-Received-From: %s\n", |
|
2385 |
+ ptr); |
|
2381 | 2386 |
fputs("Subject: Virus intercepted\n\n", sendmail); |
2382 | 2387 |
|
2383 | 2388 |
if((templatefile == NULL) || |
... | ... |
@@ -2498,9 +2538,9 @@ clamfi_abort(SMFICTX *ctx) |
2498 | 2498 |
/* |
2499 | 2499 |
* Unlock incase we're called during a cond_timedwait in envfrom |
2500 | 2500 |
* |
2501 |
- * TODO: There *must* be a tidier way of doing this! |
|
2501 |
+ * TODO: There *must* be a tidier a safer way of doing this! |
|
2502 | 2502 |
*/ |
2503 |
- if(max_children > 0) |
|
2503 |
+ if((max_children > 0) && (n_children >= max_children)) |
|
2504 | 2504 |
(void)pthread_mutex_unlock(&n_children_mutex); |
2505 | 2505 |
|
2506 | 2506 |
clamfi_cleanup(ctx); |