[Pkg-clamav-commits] [SCM] Debian repository for ClamAV branch, debian/unstable, updated. debian/0.95+dfsg-1-6156-g094ec9b
aCaB
acab at clamav.net
Sun Apr 4 01:19:00 UTC 2010
The following commit has been merged in the debian/unstable branch:
commit e394c51305bf5657263f951aa7ca924037f14cf1
Author: aCaB <acab at clamav.net>
Date: Thu Feb 4 22:01:05 2010 +0100
bb#1789 - part two
diff --git a/clamav-milter/clamav-milter.c b/clamav-milter/clamav-milter.c
index 7f3df2f..4bc54e7 100644
--- a/clamav-milter/clamav-milter.c
+++ b/clamav-milter/clamav-milter.c
@@ -52,6 +52,7 @@ int main(int argc, char **argv) {
const struct optstruct *opt;
struct optstruct *opts;
time_t currtime;
+ mode_t umsk;
int ret;
memset(&descr, 0, sizeof(struct smfiDesc));
@@ -280,6 +281,7 @@ int main(int argc, char **argv) {
return 1;
}
opt = optget(opts, "FixStaleSocket");
+ umsk = umask(0777); /* socket is created with 000 to avoid races */
if(smfi_opensocket(opt->enabled) == MI_FAILURE) {
logg("!Failed to create socket %s\n", my_socket);
localnets_free();
@@ -288,6 +290,65 @@ int main(int argc, char **argv) {
optfree(opts);
return 1;
}
+ umask(umsk); /* restore umask */
+ if(strncmp(my_socket, "inet:", 5) && strncmp(my_socket, "inet6:", 6)) {
+ /* set group ownership and perms on the local socket */
+ char *sock_name = my_socket;
+ mode_t sock_mode;
+ if(!strncmp(my_socket, "unix:", 5))
+ sock_name += 5;
+ if(!strncmp(my_socket, "local:", 6))
+ sock_name += 6;
+ if(*my_socket == ':')
+ sock_name ++;
+
+ if(optget(opts, "MilterSocketGroup")->enabled) {
+ char *gname = optget(opts, "MilterSocketGroup")->strarg, *end;
+ gid_t sock_gid = strtol(gname, &end, 10);
+ if(*end) {
+ struct group *pgrp = getgrnam(gname);
+ if(!pgrp) {
+ logg("!Unknown group %s\n", gname);
+ localnets_free();
+ whitelist_free();
+ logg_close();
+ optfree(opts);
+ return 1;
+ }
+ sock_gid = pgrp->gr_gid;
+ }
+ if(chown(sock_name, -1, sock_gid)) {
+ logg("!Failed to change socket ownership to group %s\n", gname);
+ localnets_free();
+ whitelist_free();
+ logg_close();
+ optfree(opts);
+ return 1;
+ }
+ }
+ if(optget(opts, "MilterSocketMode")->enabled) {
+ char *end;
+ sock_mode = strtol(optget(opts, "MilterSocketMode")->strarg, &end, 8);
+ if(*end) {
+ logg("!Invalid MilterSocketMode %s\n", optget(opts, "MilterSocketMode")->strarg);
+ localnets_free();
+ whitelist_free();
+ logg_close();
+ optfree(opts);
+ return 1;
+ }
+ } else
+ sock_mode = 0777 & ~umsk;
+
+ if(chmod(sock_name, sock_mode & 0666)) {
+ logg("!Cannot set milter socket permission to %s\n", optget(opts, "MilterSocketMode")->strarg);
+ localnets_free();
+ whitelist_free();
+ logg_close();
+ optfree(opts);
+ return 1;
+ }
+ }
maxfilesize = optget(opts, "MaxFileSize")->numarg;
readtimeout = optget(opts, "ReadTimeout")->numarg;
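Review bot: The numeric branch for MilterSocketGroup trusts whatever strtol() returns once `*end` is NUL, so an empty value (if the option parser lets one through) parses as gid 0, and a negative or out-of-range one is silently converted to gid_t; a value of -1 even turns the chown() into a no-op that still reports success. Parse into a long and fall through to the name lookup unless the result is a clean non-negative number, e.g. `long g = strtol(gname, &end, 10);` followed by `if(end == gname || *end || g < 0)` guarding the getgrnam() path; the octal parse of MilterSocketMode has the same `end == start` gap. Separately, the chmod() failure message prints `optget(opts, "MilterSocketMode")->strarg` even when the option is unset and the mode came from the umask, so that pointer may be NULL; logging the numeric mode instead, `logg("!Cannot set milter socket permission to %o\n", (unsigned)(sock_mode & 0666));`, avoids that, and the chmod message in the clamd/clamd.c hunk follows the same pattern. Because chown() and chmod() act on the path rather than on the socket descriptor, a comment or documentation line should state that the socket must live in a directory only the milter user can modify. main() begins and ends outside the hunk.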
diff --git a/clamd/clamd.c b/clamd/clamd.c
index d2533e1..07fb9fe 100644
--- a/clamd/clamd.c
+++ b/clamd/clamd.c
@@ -487,11 +487,11 @@ int main(int argc, char **argv)
break;
}
}
- if(optget(opts, "LocalSocketPerms")->enabled) {
+ if(optget(opts, "LocalSocketMode")->enabled) {
char *end;
- sock_mode = strtol(optget(opts, "LocalSocketPerms")->strarg, &end, 8);
+ sock_mode = strtol(optget(opts, "LocalSocketMode")->strarg, &end, 8);
if(*end) {
- logg("!Invalid LocalSocketPerms %s\n", optget(opts, "LocalSocketPerms")->strarg);
+ logg("!Invalid LocalSocketMode %s\n", optget(opts, "LocalSocketMode")->strarg);
ret = 1;
break;
}
@@ -499,7 +499,7 @@ int main(int argc, char **argv)
sock_mode = 0777 /* & ~umsk*/; /* conservative default: umask was 0 in clamd < 0.96 */
if(chmod(optget(opts, "LocalSocket")->strarg, sock_mode & 0666)) {
- logg("!Cannot set socket permission to %s\n", optget(opts, "LocalSocketPerms")->strarg);
+ logg("!Cannot set socket permission to %s\n", optget(opts, "LocalSocketMode")->strarg);
ret = 1;
break;
}
diff --git a/shared/optparser.c b/shared/optparser.c
index fc40bc1..f29cd94 100644
--- a/shared/optparser.c
+++ b/shared/optparser.c
@@ -186,7 +186,7 @@ const struct clam_option __clam_options[] = {
{ "LocalSocketGroup", NULL, 0, TYPE_STRING, NULL, -1, NULL, 0, OPT_CLAMD, "Sets the group ownership on the unix socket.", "virusgroup" },
- { "LocalSocketPerms", NULL, 0, TYPE_STRING, NULL, -1, NULL, 0, OPT_CLAMD, "Sets the permissions on the unix socket.", "660" },
+ { "LocalSocketMode", NULL, 0, TYPE_STRING, NULL, -1, NULL, 0, OPT_CLAMD, "Sets the permissions on the unix socket to the specified mode.", "660" },
{ "FixStaleSocket", NULL, 0, TYPE_BOOL, MATCH_BOOL, 1, NULL, 0, OPT_CLAMD | OPT_MILTER, "Remove a stale socket after unclean shutdown", "yes" },
@@ -395,6 +395,10 @@ const struct clam_option __clam_options[] = {
{ "MilterSocket",NULL, 0, TYPE_STRING, NULL, -1, NULL, 0, OPT_MILTER, "Define the interface through which we communicate with sendmail.\nThis option is mandatory! Possible formats are:\n[[unix|local]:]/path/to/file - to specify a unix domain socket;\ninet:port@[hostname|ip-address] - to specify an ipv4 socket;\ninet6:port@[hostname|ip-address] - to specify an ipv6 socket.", "/tmp/clamav-milter.socket\ninet:7357" },
+ { "MilterSocketGroup", NULL, 0, TYPE_STRING, NULL, -1, NULL, 0, OPT_MILTER, "Define the group ownership for the (unix) milter socket.", "virusgroup" },
+
+ { "MilterSocketMode", NULL, 0, TYPE_STRING, NULL, -1, NULL, 0, OPT_MILTER, "Sets the permissions on the (unix) milter socket to the specified mode.", "660" },
+
{ "LocalNet", NULL, 0, TYPE_STRING, NULL, -1, NULL, FLAG_MULTIPLE, OPT_MILTER, "Messages originating from these hosts/networks will not be scanned\nThis option takes a host(name)/mask pair in CIRD notation and can be\nrepeated several times. If \"/mask\" is omitted, a host is assumed.\nTo specify a locally orignated, non-smtp, email use the keyword \"local\".", "local\n192.168.0.0/24\n1111:2222:3333::/48" },
{ "OnClean", NULL, 0, TYPE_STRING, "^(Accept|Reject|Defer|Blackhole|Quarantine)$", -1, "Accept", 0, OPT_MILTER, "Action to be performed on clean messages (mostly useful for testing).\nThe following actions are available:\nAccept: the message is accepted for delievery\nReject: immediately refuse delievery (a 5xx error is returned to the peer)\nDefer: return a temporary failure message (4xx) to the peer\nBlackhole: like Accept but the message is sent to oblivion\nQuarantine: like Accept but message is quarantined instead of being delivered", "Accept" },
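Review bot: Both new entries are declared with a NULL match pattern, so any string given for MilterSocketMode reaches the strtol() call in clamav-milter.c unchecked. The table already carries patterns for other options (OnClean just below), so a pattern such as `"^[0-7]{3,4}$"` in that field would reject a malformed mode at config-parse time, assuming the parser's regex dialect accepts the bounded repeat. The help text could also say that only read/write bits are honoured, since the milter masks the value with 0666, e.g. `Sets the permissions on the (unix) milter socket to the specified mode (execute and special bits are ignored).` The __clam_options array starts and ends outside the hunk.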
--
Debian repository for ClamAV