@@ -52,6 +52,7 @@ int main(int argc, char **argv) {

     const struct optstruct *opt;

     struct optstruct *opts;

     time_t currtime;

+    mode_t umsk;

     int ret;

     memset(&descr, 0, sizeof(struct smfiDesc));

@@ -280,6 +281,7 @@ int main(int argc, char **argv) {

 	return 1;

     }

     opt = optget(opts, "FixStaleSocket");

+    umsk = umask(0777); /* socket is created with 000 to avoid races */ 

     if(smfi_opensocket(opt->enabled) == MI_FAILURE) {

 	logg("!Failed to create socket %s\n", my_socket);

 	localnets_free();

@@ -288,6 +290,65 @@ int main(int argc, char **argv) {

 	optfree(opts);

 	return 1;

     }

+    umask(umsk); /* restore umask */

+    if(strncmp(my_socket, "inet:", 5) && strncmp(my_socket, "inet6:", 6)) {

+	/* set group ownership and perms on the local socket */

+	char *sock_name = my_socket;

+	mode_t sock_mode;

+	if(!strncmp(my_socket, "unix:", 5))

+	    sock_name += 5;

+	if(!strncmp(my_socket, "local:", 6))

+	    sock_name += 6;

+	if(*my_socket == ':')

+	    sock_name ++;

+

+	if(optget(opts, "MilterSocketGroup")->enabled) {

+	    char *gname = optget(opts, "MilterSocketGroup")->strarg, *end;

+	    gid_t sock_gid = strtol(gname, &end, 10);

+	    if(*end) {

+		struct group *pgrp = getgrnam(gname);

+		if(!pgrp) {

+		    logg("!Unknown group %s\n", gname);

+		    localnets_free();

+		    whitelist_free();

+		    logg_close();

+		    optfree(opts);

+		    return 1;

+		}

+		sock_gid = pgrp->gr_gid;

+	    }

+	    if(chown(sock_name, -1, sock_gid)) {

+		logg("!Failed to change socket ownership to group %s\n", gname);

+		localnets_free();

+		whitelist_free();

+		logg_close();

+		optfree(opts);

+		return 1;

+	    }

+	}

+	if(optget(opts, "MilterSocketMode")->enabled) {

+	    char *end;

+	    sock_mode = strtol(optget(opts, "MilterSocketMode")->strarg, &end, 8);

+	    if(*end) {

+		logg("!Invalid MilterSocketMode %s\n", optget(opts, "MilterSocketMode")->strarg);

+		localnets_free();

+		whitelist_free();

+		logg_close();

+		optfree(opts);

+		return 1;

+	    }

+	} else

+	    sock_mode = 0777 & ~umsk;

+

+	if(chmod(sock_name, sock_mode & 0666)) {

+	    logg("!Cannot set milter socket permission to %s\n", optget(opts, "MilterSocketMode")->strarg);

+	    localnets_free();

+	    whitelist_free();

+	    logg_close();

+	    optfree(opts);

+	    return 1;

+	}

+    }

     maxfilesize = optget(opts, "MaxFileSize")->numarg;

     readtimeout = optget(opts, "ReadTimeout")->numarg;

@@ -487,11 +487,11 @@ int main(int argc, char **argv)

 		break;

 	    }

 	}

-	if(optget(opts, "LocalSocketPerms")->enabled) {

+	if(optget(opts, "LocalSocketMode")->enabled) {

 	    char *end;

-	    sock_mode = strtol(optget(opts, "LocalSocketPerms")->strarg, &end, 8);

+	    sock_mode = strtol(optget(opts, "LocalSocketMode")->strarg, &end, 8);

 	    if(*end) {

-		logg("!Invalid LocalSocketPerms %s\n", optget(opts, "LocalSocketPerms")->strarg);

+		logg("!Invalid LocalSocketMode %s\n", optget(opts, "LocalSocketMode")->strarg);

 		ret = 1;

 		break;

 	    }

@@ -499,7 +499,7 @@ int main(int argc, char **argv)

 	    sock_mode = 0777 /* & ~umsk*/; /* conservative default: umask was 0 in clamd < 0.96 */

 	if(chmod(optget(opts, "LocalSocket")->strarg, sock_mode & 0666)) {

-	    logg("!Cannot set socket permission to %s\n", optget(opts, "LocalSocketPerms")->strarg);

+	    logg("!Cannot set socket permission to %s\n", optget(opts, "LocalSocketMode")->strarg);

 	    ret = 1;

 	    break;

 	}

@@ -186,7 +186,7 @@ const struct clam_option __clam_options[] = {

     { "LocalSocketGroup", NULL, 0, TYPE_STRING, NULL, -1, NULL, 0, OPT_CLAMD, "Sets the group ownership on the unix socket.", "virusgroup" },

-    { "LocalSocketPerms", NULL, 0, TYPE_STRING, NULL, -1, NULL, 0, OPT_CLAMD, "Sets the permissions on the unix socket.", "660" },

+    { "LocalSocketMode", NULL, 0, TYPE_STRING, NULL, -1, NULL, 0, OPT_CLAMD, "Sets the permissions on the unix socket to the specified mode.", "660" },

     { "FixStaleSocket", NULL, 0, TYPE_BOOL, MATCH_BOOL, 1, NULL, 0, OPT_CLAMD | OPT_MILTER, "Remove a stale socket after unclean shutdown", "yes" },

@@ -395,6 +395,10 @@ const struct clam_option __clam_options[] = {

     { "MilterSocket",NULL, 0, TYPE_STRING, NULL, -1, NULL, 0, OPT_MILTER, "Define the interface through which we communicate with sendmail.\nThis option is mandatory! Possible formats are:\n[[unix|local]:]/path/to/file - to specify a unix domain socket;\ninet:port@[hostname|ip-address] - to specify an ipv4 socket;\ninet6:port@[hostname|ip-address] - to specify an ipv6 socket.", "/tmp/clamav-milter.socket\ninet:7357" },

+    { "MilterSocketGroup", NULL, 0, TYPE_STRING, NULL, -1, NULL, 0, OPT_MILTER, "Define the group ownership for the (unix) milter socket.", "virusgroup" },

+

+    { "MilterSocketMode", NULL, 0, TYPE_STRING, NULL, -1, NULL, 0, OPT_MILTER, "Sets the permissions on the (unix) milter socket to the specified mode.", "660" },

+

     { "LocalNet", NULL, 0, TYPE_STRING, NULL, -1, NULL, FLAG_MULTIPLE, OPT_MILTER, "Messages originating from these hosts/networks will not be scanned\nThis option takes a host(name)/mask pair in CIRD notation and can be\nrepeated several times. If \"/mask\" is omitted, a host is assumed.\nTo specify a locally orignated, non-smtp, email use the keyword \"local\".", "local\n192.168.0.0/24\n1111:2222:3333::/48" },

     { "OnClean", NULL, 0, TYPE_STRING, "^(Accept|Reject|Defer|Blackhole|Quarantine)$", -1, "Accept", 0, OPT_MILTER, "Action to be performed on clean messages (mostly useful for testing).\nThe following actions are available:\nAccept: the message is accepted for delievery\nReject: immediately refuse delievery (a 5xx error is returned to the peer)\nDefer: return a temporary failure message (4xx) to the peer\nBlackhole: like Accept but the message is sent to oblivion\nQuarantine: like Accept but message is quarantined instead of being delivered", "Accept" },