Things to be aware of when writing auto-updates

[Jonathan B. Bayer]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello Nick,

NP> For the benefit of anyone who ends up writing auto-update scripts,
NP> you may want to think about using the locking that mailscanner does
NP> when starting up a scanner. Otherwise you may be halfway through
NP> updating your signatures when a scan starts, which could be a bad idea.

NP> Essentially, mailscanner creates and locks a file in /tmp (e.g.
NP> /tmp/SophosBusy.lock for sophos) to indicate that the scanner is being used,
NP> and updates should not be made.

But if the autoupdate script is replacing the file with a "mv" command,
it shouldn't cause a problem.  If it is currently opened by the scanner
program original file will stick around until it is closed.  So the most
that can happen is that a scan is made using the old virus signature file.

NP> If you have a look at Julian's auto-update script for sophos, you'll see
NP> how it works.

It's wrong, or rather, sweep.pl is wrong.  Sweep.pl uses the lock file
in /tmp, when it should really be in /var/lock (under most Linux
distributions that I know of).


JBB

NP> Thinking about it, I guess there may be a slight security risk the first
NP> time mailscanner uses a particular scanner (symlink attack could cause it
NP> to truncate any file that mailscanner can write). So far as I remember,
NP> the lock files are never removed, so this should only be a problem once.


NP> Cheers,


NP> Nick
NP> --
NP> Nick Phillips -- nwp at lemon-computing.com
NP> A long-forgotten loved one will appear soon.

NP> Buy the negatives at any price.



- --
Best regards,
 Jonathan                            mailto:jbayer at bayerfamily.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (MingW32)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjxC4RcACgkQLWek1tt+K52M8wCeP1VswquiiCiXIXy8a/7rKgoB
inMAoId8BUtvTYyn4E0GVILzqjVpCJVD
=pEVS
-----END PGP SIGNATURE-----