I have installed Mailscanner v4.83.4 this days. and find the following lines in change log:<br>---------------------------------------------------------------------------------------------------<br><pre>4 Fixed permissions of ClamAV temp files to use workperms instead of 0600.
Thanks to Rick Cooper for this fix!<br>-------------------------------------------------------<br>However, my test shows that this has not been fixed as it should. I have pointed out that in my previous mail, <br>the argument of unixFileAttributes() should be octal number, which I have verified.<br>
<br>So, the correct patch should be:<br><br>mailscanner_zip_permission.patch<br></pre><div id=":64">===================================================================<br>--- <span class="il">MailScanner</span>/Message.pm 2010-09-06 19:10:28.000000000 +0800<br>
+++ ms/Message.pm 2011-01-07 10:41:19.107764413 +0800<br>@@ -3346,7 +3346,12 @@<br> next if $onlycheckencryption;<div class="im"><br><br> # Untaint member's attributes.<br>- $member->unixFileAttributes(0600);<br>
</div>
+ #$member->unixFileAttributes(0600);<br>
+ my $workperms = <span class="il">MailScanner</span>::Config::Value('workperms') || '0600';<br>+ #Make it octal with a leading zero if necessary<br>+ $workperms = sprintf "0%lo", $workperms unless $workperms =~ /^0/;<br>
+ $workperms = oct($workperms); # and back to decimal for chmod<br>+ $member->unixFileAttributes($workperms);<br><br> $name = $member->fileName();<br> # Trim off any leading directory path<br>====================================================================</div>
<pre><br>For anynone who use ms v4.83.4, please apply this patch:<br><br></pre><br><pre>mailscanner4.83.4_zip_permission.patch<br></pre>
<div id=":64">===================================================================<br>--- Message.pm.bak 2011-04-15 12:27:29.089987794 +0800<br>+++ Message.pm 2011-04-15 12:27:42.910018604 +0800<br>@@ -3350,6 +3350,9 @@<br>
# Untaint member's attributes.<br> # Fix to use workperms in preference by Rick Cooper <a href="mailto:rcooper@dwford.com">rcooper@dwford.com</a><br> my $workperms = MailScanner::Config::Value('workperms') || '0600';<br>
+ #Make it octal with a leading zero if necessary<br>+ $workperms = sprintf "0%lo", $workperms unless $workperms =~ /^0/;<br>+ $workperms = oct($workperms); # and back to decimal for chmod<br> $member->unixFileAttributes($workperms);<br>
<br> $name = $member->fileName();<br><br>====================================================================</div>
<div class="gmail_quote">2011/1/7 Rick Cooper <span dir="ltr"><<a href="mailto:rcooper@dwford.com">rcooper@dwford.com</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div>
<div dir="ltr" align="left"><font color="#0000ff" face="Arial" size="2"></font> </div><br>
<div dir="ltr" align="left" lang="en-us">
<hr>
<font face="Tahoma" size="2"><div class="im"><b>From:</b> <a href="mailto:mailscanner-bounces@lists.mailscanner.info" target="_blank">mailscanner-bounces@lists.mailscanner.info</a>
[mailto:<a href="mailto:mailscanner-bounces@lists.mailscanner.info" target="_blank">mailscanner-bounces@lists.mailscanner.info</a>] <b>On Behalf Of </b>Curu
Wong<br></div><b>Sent:</b> Thursday, January 06, 2011 10:15 PM<div class="im"><br><b>To:</b>
MailScanner discussion<br><b>Subject:</b> Re: weird mailscanner clamd
error<br></div></font><br></div>
<div></div>
<div><div class="im">Thank you Rick, the code you provided works. but I think the argument
of unixFileAttributes() should be octal number, instead of string. so I modified
the code a little.<br>This finally works for my MailScanner version
4.81.4-1.<br></div><span><font color="#0000ff" face="Arial" size="2">[Rick Cooper] </font></span></div>
<div><span></span> </div>
<div><span><font color="#0000ff" face="Arial" size="2">I just
looked at the Archive::Zip documentation and it appears it that should have
worked as is. The documentation states:</font></span></div>
<div><span><font face="Arial" size="2"><font color="#0000ff"> </font><a name="12d60d060578b029_unixFileAttributes(_[$newAttributes]_)"><font color="#0000ff" face="Times New Roman" size="3">unixFileAttributes( [$newAttributes]
)</font></a></font></span></div>
<div><font color="#0000ff"><span> </span></font></div>
<div><font color="#0000ff"><span><font face="Arial" size="2">In any event that might explain the issues on other systems and
hopefully Julian will make the changes for the next release. The person to thank
is you, you are the one who caught the unexplained permission change on the
extracted files, I just looked at the code that performs the action and
unixFileAttributes(600) kind of stuck out like a sore
thumb</font></span></font></div>
<div><font color="#0000ff"><span></span></font> </div>
<div><font color="#0000ff"><span><font face="Arial" size="2">Rick</font> </span><br><br></font><div><div></div><div class="h5">after apply this patch, the
permission is OK:<br></div></div></div><div><div></div><div class="h5">
<div><br>Send an email with zip
attachment<br></div>==============================
<div>===============================<br>/var/spool/MailScanner/incoming/18174/8E435803B9.AB3BB:<br>total
3376<br>-rw-r----- 1 postfix www-data 4
2011-01-07 10:49 nmsg-18174-1.txt<br>-rw-r----- 1 postfix www-data 1665916
2011-01-07 10:49 ntest.zip<br>-rw-r----- 1 postfix
www-data 238 2010-10-15 18:58 zall-wcprops<br>-rw-r-----
1 postfix www-data 23100 2010-10-15 18:58
zbeyond3g.jpg<br>-rw-r----- 1 postfix www-data 26180 2010-10-15
18:58 zchi_button-02.jpg<br>-rw-r----- 1 postfix www-data 2472
2010-10-15 23:33 zchi_button-reset.jpg<br>-rw-r----- 1 postfix
www-data 2478 2010-10-15 23:33
zchi_button-submit.jpg<br>-rw-r----- 1 postfix www-data 6042
2010-10-18 15:34 zchi_edm.html<br>-rw-r----- 1 postfix
www-data 4345 2010-10-18 15:35 zchi_web.html<br>-rw-r----- 1
postfix www-data 890 2010-10-15 18:58
zcw.jpeg<br>==============================================================<br>and
there's no error message in maillog any
more.</div><br>mailscanner_zip_permission.patch<br>===================================================================<br>---
MailScanner/Message.pm 2010-09-06
19:10:28.000000000 +0800<br>+++
ms/Message.pm 2011-01-07 10:41:19.107764413
+0800<br>@@ -3346,7 +3346,12 @@<br> next if
$onlycheckencryption;<br><br> # Untaint member's
attributes.<br>-
$member->unixFileAttributes(0600);<br>+
#$member->unixFileAttributes(0600);<br>+ my $workperms =
MailScanner::Config::Value('workperms') || '0600';<br>+ #Make
it octal with a leading zero if necessary<br>+ $workperms =
sprintf "0%lo", $workperms unless $workperms =~ /^0/;<br>+
$workperms = oct($workperms); # and back to decimal for
chmod<br>+
$member->unixFileAttributes($workperms);<br><br>
$name = $member->fileName();<br> # Trim off any
leading directory
path<br>====================================================================<br><br>
<div class="gmail_quote">2011/1/7 Rick Cooper <span dir="ltr"><<a href="mailto:rcooper@dwford.com" target="_blank">rcooper@dwford.com</a>></span><br>
<blockquote style="border-left:rgb(204,204,204) 1px solid;margin:0pt 0pt 0pt 0.8ex;padding-left:1ex" class="gmail_quote">
<div>Naz Snidanko wrote:<br>> I just checked:<br>><br>>
/opt/MailScanner-4.82.3-1/lib/MailScanner/MessageBatch.pm<br>><br>> I am
using 4.82.3-1 and this modification is there. It does not solve<br>> the
problem. I haven't tried running clamd under root since it would<br>>
violate our security principles.<br>><br>> Are you guys sure it is not a
problem with clamd itself? Clamav<br>> doesn't get this
error.<br><br></div>Actually the more I looked at this, I believe the code in
Message.pm<br>beginning at line 3348 that reads<br><br> # Untaint
member's attributes.<br>
$member->unixFileAttributes(0600);<br><br>Should be<br><br>
# Untaint member's attributes.<br> my
$workperms = MailScanner::Config::Value('workperms') || '0600';<br>
$member->unixFileAttributes($workperms);<br>For some reason it
appears Julian forced the extracted files to 0600 in the<br>original code. The
change I have listed above would set them to what ever<br>the mailscanner
config has for the work permissions or 600 if no
value<br>exists.<br><br>Julian any comment?<br><font color="#888888"><br><br>Rick<br></font>
<div>
<div></div>
<div><br>><br>> Regards,<br>><br>> Naz Snidanko<br>> Desktop
& Network Support<br>> Harper Power Products Inc.<br>> (p) 416 201-
7506<br>> <a href="mailto:nsnidanko@harperpowerproducts.com" target="_blank">nsnidanko@harperpowerproducts.com</a><br>><br>>
-----Original Message-----<br>> From: <a href="mailto:mailscanner-bounces@lists.mailscanner.info" target="_blank">mailscanner-bounces@lists.mailscanner.info</a><br>>
[mailto:<a href="mailto:mailscanner-bounces@lists.mailscanner.info" target="_blank">mailscanner-bounces@lists.mailscanner.info</a>] On Behalf
Of<br>> Iulian L Dragomir<br>> Sent: January 6, 2011 6:05 AM<br>> To:
MailScanner discussion<br>> Subject: Re: weird mailscanner clamd
error<br>><br>> On Thu, Jan 6, 2011 at 12:24 PM, Randal, Phil<br>>
<<a href="mailto:prandal@herefordshire.gov.uk" target="_blank">prandal@herefordshire.gov.uk</a>> wrote:<br>>> The only
workaround I've found is to run clamd as
root.<br>>><br>>><br>>><br>>> I've seen the same issue
with MailScanner / sendmail on CentOS.<br>><br>> If it is the same
problem then try this:<br>><br>> <a href="http://lists.mailscanner.info/pipermail/mailscanner/2010-April/095611.ht" target="_blank">http://lists.mailscanner.info/pipermail/mailscanner/2010-April/095611.ht</a><br>
>
ml<br>> --<br>> MailScanner mailing list<br>> <a href="mailto:mailscanner@lists.mailscanner.info" target="_blank">mailscanner@lists.mailscanner.info</a><br>> <a href="http://lists.mailscanner.info/mailman/listinfo/mailscanner" target="_blank">http://lists.mailscanner.info/mailman/listinfo/mailscanner</a><br>
><br>>
Before posting, read <a href="http://wiki.mailscanner.info/posting" target="_blank">http://wiki.mailscanner.info/posting</a><br>><br>> Support
MailScanner development - buy the book off the website!<br>> --<br>>
MailScanner mailing list<br>> <a href="mailto:mailscanner@lists.mailscanner.info" target="_blank">mailscanner@lists.mailscanner.info</a><br>> <a href="http://lists.mailscanner.info/mailman/listinfo/mailscanner" target="_blank">http://lists.mailscanner.info/mailman/listinfo/mailscanner</a><br>
><br>>
Before posting, read <a href="http://wiki.mailscanner.info/posting" target="_blank">http://wiki.mailscanner.info/posting</a><br>><br>> Support
MailScanner development - buy the book off the
website!<br><br><br><br></div></div>
<div>--<br>This message has been scanned for viruses and<br>dangerous content
by MailScanner, and is<br>believed to be clean.<br><br><br>--<br></div>
<div>
<div></div>
<div>MailScanner mailing list<br><a href="mailto:mailscanner@lists.mailscanner.info" target="_blank">mailscanner@lists.mailscanner.info</a><br><a href="http://lists.mailscanner.info/mailman/listinfo/mailscanner" target="_blank">http://lists.mailscanner.info/mailman/listinfo/mailscanner</a><br>
<br>Before
posting, read <a href="http://wiki.mailscanner.info/posting" target="_blank">http://wiki.mailscanner.info/posting</a><br><br>Support
MailScanner development - buy the book off the
website!<br></div></div></blockquote></div><br><br></div></div>-- <br><div class="im">This message has been
scanned for viruses and <br>dangerous content by <a href="http://www.mailscanner.info/" target="_blank"><b>MailScanner</b></a>, and is <br>believed
to be clean. </div></div><div><div></div><div class="h5"><br>--
<br>This message has been scanned for viruses and
<br>dangerous content by
<a href="http://www.mailscanner.info/" target="_blank"><b>MailScanner</b></a>, and is
<br>believed to be clean.
</div></div><br>--<br>
MailScanner mailing list<br>
<a href="mailto:mailscanner@lists.mailscanner.info">mailscanner@lists.mailscanner.info</a><br>
<a href="http://lists.mailscanner.info/mailman/listinfo/mailscanner" target="_blank">http://lists.mailscanner.info/mailman/listinfo/mailscanner</a><br>
<br>
Before posting, read <a href="http://wiki.mailscanner.info/posting" target="_blank">http://wiki.mailscanner.info/posting</a><br>
<br>
Support MailScanner development - buy the book off the website!<br>
<br></blockquote></div><br>