weird mailscanner clamd error
Curu Wong
prinbra at gmail.com
Fri Apr 15 05:53:43 IST 2011
I have installed Mailscanner v4.83.4 this days. and find the following lines
in change log:
---------------------------------------------------------------------------------------------------
4 Fixed permissions of ClamAV temp files to use workperms instead of 0600.
Thanks to Rick Cooper for this fix!
-------------------------------------------------------
However, my test shows that this has not been fixed as it should. I
have pointed out that in my previous mail,
the argument of unixFileAttributes() should be octal number, which I
have verified.
So, the correct patch should be:
mailscanner_zip_permission.patch
===================================================================
--- MailScanner/Message.pm 2010-09-06 19:10:28.000000000 +0800
+++ ms/Message.pm 2011-01-07 10:41:19.107764413 +0800
@@ -3346,7 +3346,12 @@
next if $onlycheckencryption;
# Untaint member's attributes.
- $member->unixFileAttributes(0600);
+ #$member->unixFileAttributes(0600);
+ my $workperms = MailScanner::Config::Value('workperms') || '0600';
+ #Make it octal with a leading zero if necessary
+ $workperms = sprintf "0%lo", $workperms unless $workperms =~ /^0/;
+ $workperms = oct($workperms); # and back to decimal for chmod
+ $member->unixFileAttributes($workperms);
$name = $member->fileName();
# Trim off any leading directory path
====================================================================
For anynone who use ms v4.83.4, please apply this patch:
mailscanner4.83.4_zip_permission.patch
===================================================================
--- Message.pm.bak 2011-04-15 12:27:29.089987794 +0800
+++ Message.pm 2011-04-15 12:27:42.910018604 +0800
@@ -3350,6 +3350,9 @@
# Untaint member's attributes.
# Fix to use workperms in preference by Rick Cooper rcooper at dwford.com
my $workperms = MailScanner::Config::Value('workperms') || '0600';
+ #Make it octal with a leading zero if necessary
+ $workperms = sprintf "0%lo", $workperms unless $workperms =~ /^0/;
+ $workperms = oct($workperms); # and back to decimal for chmod
$member->unixFileAttributes($workperms);
$name = $member->fileName();
====================================================================
2011/1/7 Rick Cooper <rcooper at dwford.com>
>
>
> ------------------------------
> *From:* mailscanner-bounces at lists.mailscanner.info [mailto:
> mailscanner-bounces at lists.mailscanner.info] *On Behalf Of *Curu Wong
> *Sent:* Thursday, January 06, 2011 10:15 PM
>
> *To:* MailScanner discussion
> *Subject:* Re: weird mailscanner clamd error
>
> Thank you Rick, the code you provided works. but I think the argument of
> unixFileAttributes() should be octal number, instead of string. so I
> modified the code a little.
> This finally works for my MailScanner version 4.81.4-1.
> [Rick Cooper]
>
> I just looked at the Archive::Zip documentation and it appears it that
> should have worked as is. The documentation states:
> unixFileAttributes( [$newAttributes] )
>
> In any event that might explain the issues on other systems and hopefully
> Julian will make the changes for the next release. The person to thank is
> you, you are the one who caught the unexplained permission change on the
> extracted files, I just looked at the code that performs the action and
> unixFileAttributes(600) kind of stuck out like a sore thumb
>
> Rick
>
> after apply this patch, the permission is OK:
>
> Send an email with zip attachment
> ==============================
> ===============================
> /var/spool/MailScanner/incoming/18174/8E435803B9.AB3BB:
> total 3376
> -rw-r----- 1 postfix www-data 4 2011-01-07 10:49 nmsg-18174-1.txt
> -rw-r----- 1 postfix www-data 1665916 2011-01-07 10:49 ntest.zip
> -rw-r----- 1 postfix www-data 238 2010-10-15 18:58 zall-wcprops
> -rw-r----- 1 postfix www-data 23100 2010-10-15 18:58 zbeyond3g.jpg
> -rw-r----- 1 postfix www-data 26180 2010-10-15 18:58 zchi_button-02.jpg
> -rw-r----- 1 postfix www-data 2472 2010-10-15 23:33
> zchi_button-reset.jpg
> -rw-r----- 1 postfix www-data 2478 2010-10-15 23:33
> zchi_button-submit.jpg
> -rw-r----- 1 postfix www-data 6042 2010-10-18 15:34 zchi_edm.html
> -rw-r----- 1 postfix www-data 4345 2010-10-18 15:35 zchi_web.html
> -rw-r----- 1 postfix www-data 890 2010-10-15 18:58 zcw.jpeg
> ==============================================================
> and there's no error message in maillog any more.
>
> mailscanner_zip_permission.patch
> ===================================================================
> --- MailScanner/Message.pm 2010-09-06 19:10:28.000000000 +0800
> +++ ms/Message.pm 2011-01-07 10:41:19.107764413 +0800
> @@ -3346,7 +3346,12 @@
> next if $onlycheckencryption;
>
> # Untaint member's attributes.
> - $member->unixFileAttributes(0600);
> + #$member->unixFileAttributes(0600);
> + my $workperms = MailScanner::Config::Value('workperms') || '0600';
> + #Make it octal with a leading zero if necessary
> + $workperms = sprintf "0%lo", $workperms unless $workperms =~ /^0/;
> + $workperms = oct($workperms); # and back to decimal for chmod
> + $member->unixFileAttributes($workperms);
>
> $name = $member->fileName();
> # Trim off any leading directory path
> ====================================================================
>
> 2011/1/7 Rick Cooper <rcooper at dwford.com>
>
>> Naz Snidanko wrote:
>> > I just checked:
>> >
>> > /opt/MailScanner-4.82.3-1/lib/MailScanner/MessageBatch.pm
>> >
>> > I am using 4.82.3-1 and this modification is there. It does not solve
>> > the problem. I haven't tried running clamd under root since it would
>> > violate our security principles.
>> >
>> > Are you guys sure it is not a problem with clamd itself? Clamav
>> > doesn't get this error.
>>
>> Actually the more I looked at this, I believe the code in Message.pm
>> beginning at line 3348 that reads
>>
>> # Untaint member's attributes.
>> $member->unixFileAttributes(0600);
>>
>> Should be
>>
>> # Untaint member's attributes.
>> my $workperms = MailScanner::Config::Value('workperms') || '0600';
>> $member->unixFileAttributes($workperms);
>> For some reason it appears Julian forced the extracted files to 0600 in
>> the
>> original code. The change I have listed above would set them to what ever
>> the mailscanner config has for the work permissions or 600 if no value
>> exists.
>>
>> Julian any comment?
>>
>>
>> Rick
>>
>> >
>> > Regards,
>> >
>> > Naz Snidanko
>> > Desktop & Network Support
>> > Harper Power Products Inc.
>> > (p) 416 201- 7506
>> > nsnidanko at harperpowerproducts.com
>> >
>> > -----Original Message-----
>> > From: mailscanner-bounces at lists.mailscanner.info
>> > [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of
>> > Iulian L Dragomir
>> > Sent: January 6, 2011 6:05 AM
>> > To: MailScanner discussion
>> > Subject: Re: weird mailscanner clamd error
>> >
>> > On Thu, Jan 6, 2011 at 12:24 PM, Randal, Phil
>> > <prandal at herefordshire.gov.uk> wrote:
>> >> The only workaround I've found is to run clamd as root.
>> >>
>> >>
>> >>
>> >> I've seen the same issue with MailScanner / sendmail on CentOS.
>> >
>> > If it is the same problem then try this:
>> >
>> >
>> http://lists.mailscanner.info/pipermail/mailscanner/2010-April/095611.ht
>> > ml
>> > --
>> > MailScanner mailing list
>> > mailscanner at lists.mailscanner.info
>> > http://lists.mailscanner.info/mailman/listinfo/mailscanner
>> >
>> > Before posting, read http://wiki.mailscanner.info/posting
>> >
>> > Support MailScanner development - buy the book off the website!
>> > --
>> > MailScanner mailing list
>> > mailscanner at lists.mailscanner.info
>> > http://lists.mailscanner.info/mailman/listinfo/mailscanner
>> >
>> > Before posting, read http://wiki.mailscanner.info/posting
>> >
>> > Support MailScanner development - buy the book off the website!
>>
>>
>>
>> --
>> This message has been scanned for viruses and
>> dangerous content by MailScanner, and is
>> believed to be clean.
>>
>>
>> --
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>>
>
>
> --
> This message has been scanned for viruses and
> dangerous content by *MailScanner* <http://www.mailscanner.info/>, and is
> believed to be clean.
>
> --
> This message has been scanned for viruses and
> dangerous content by *MailScanner* <http://www.mailscanner.info/>, and is
> believed to be clean.
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110415/5a1b28df/attachment.html
More information about the MailScanner
mailing list