Black-hole-mode no longer needs to be run as root

git-svn: trunk@3174

ChangeLog

@@ -1,3 +1,7 @@
+Sat Aug 18 16:12:51 BST 2007 (njh)
+----------------------------------
+ * clamav-milter:	Black-hole-mode no longer needs to be run as root
+
 Sat Aug 18 13:25:52 BST 2007 (njh)
 ----------------------------------
   * libclamav/pdf.c:	Bug 618, --block-max not always honoured

clamav-milter/clamav-milter.c

@@ -33,7 +33,7 @@
  */
 static	char	const	rcsid[] = "$Id: clamav-milter.c,v 1.312 2007/02/12 22:24:21 njh Exp $";
 
-#define	CM_VERSION	"devel-130807"
+#define	CM_VERSION	"devel-180807"
 
 #if HAVE_CONFIG_H
 #include "clamav-config.h"
@@ -1176,12 +1176,6 @@ main(int argc, char **argv)
 #endif
 			}
 
-			if(black_hole_mode && (user->pw_uid != 0)) {
-				fprintf(stderr, _("%s: You cannot use black hole mode unless you are root\n"),
-					argv[0]);
-				return EX_CONFIG;
-			}
-
 			setgid(user->pw_gid);
 
 			if(setuid(user->pw_uid) < 0)
@@ -1190,9 +1184,52 @@ main(int argc, char **argv)
 				cli_dbgmsg(_("Running as user %s (UID %d, GID %d)\n"),
 					cpt->strarg, (int)user->pw_uid,
 					(int)user->pw_gid);
-		} else if(!black_hole_mode)
-			fprintf(stderr, _("%s: running as root is not recommended (check \"User\" in %s)\n"), argv[0], cfgfile);
 
+			if(black_hole_mode && (user->pw_uid != 0)) {
+				int are_trusted;
+				FILE *sendmail;
+				char cmd[128];
+
+				/*
+				 * Determine if we're a "trusted user"
+				 */
+				snprintf(cmd, sizeof(cmd) - 1, "%s -bv root</dev/null 2>&1",
+					SENDMAIL_BIN);
+
+				sendmail = popen(cmd, "r");
+
+				if(sendmail == NULL) {
+					perror(SENDMAIL_BIN);
+					are_trusted = 0;
+				} else {
+					char buf[BUFSIZ];
+
+					while(fgets(buf, sizeof(buf), sendmail) != NULL)
+						;
+					switch(WEXITSTATUS(pclose(sendmail))) {
+						case EX_NOUSER:
+							/*
+							 * No root? But at least
+							 * we're trusted enough
+							 * to find out!
+							 */
+							are_trusted = 1;
+							break;
+						default:
+							are_trusted = 0;
+							break;
+						case EX_OK:
+							are_trusted = 1;
+					}
+				}
+				if(!are_trusted) {
+					fprintf(stderr, _("%s: You cannot use black hole mode unless you are a TrustedUser\n"),
+						argv[0]);
+					return EX_CONFIG;
+				}
+			}
+		} else
+			logg(_("^%s: running as root is not recommended (check \"User\" in %s)\n"), argv[0], cfgfile);
 	} else if(iface) {
 		fprintf(stderr, _("%s: Only root can set an interface for --broadcast\n"), argv[0]);
 		return EX_USAGE;
@@ -2927,6 +2964,9 @@ clamfi_envrcpt(SMFICTX *ctx, char **argv)
 			smfi_setreply(ctx, "554", "5.7.1", _("Suspicious recipient address blocked"));
 			logg("^Suspicious recipient address blocked: '%s'", to);
 			privdata->to[privdata->numTo] = NULL;
+			/*
+			 * REJECT rejects this recipient, not the entire email
+			 */
 			return SMFIS_REJECT;
 		}
 
@@ -6365,10 +6405,10 @@ black_hole(const struct privdata *privdata)
 	must_scan = (*to) ? 0 : 1;
 
 	for(; *to; to++) {
-		char cmd[128];
 		FILE *sendmail;
+		char cmd[128];
 
-		snprintf(cmd, sizeof(cmd) - 1, "%s -bv \"%s\" < /dev/null 2>&1",
+		snprintf(cmd, sizeof(cmd) - 1, "%s -bv \"%s\"</dev/null 2>&1",
 			SENDMAIL_BIN, *to);
 
 		cli_dbgmsg("Calling %s\n", cmd);

docs/man/clamav-milter.8.in

@@ -298,12 +298,16 @@ Since \fIsendmail\fR calls its milters before it looks in its alias and virtuser
 tables, clamav-milter can spend time looking for malware that's going to be
 thrown away even if the message is clean.
 .IP
-Enable this to not scan these messages (in practice clamav\-milter will discard
+Enabling this stops these messages from being scanned
+(in practice clamav\-milter will discard
 these messages so the message doesn't go further down the milter call chain).
 .IP
-Sadly, these days sendmail \-bv only works as root,
-so this option is not compatible with the User directive in clamd.conf,
-which some may view as a security risk.
+To enable this mode clamav-milter must have certain sendmail rights:
+it needs to run as a TrustedUser as defined by \fIsendmail\fR
+(see http://www.sendmail.org/m4/tweaking_config.html)
+by the use of the User directive in clamd.conf,
+the clamav user must be able read the mail queue (often /var/spool/mqueue),
+and AllowSupplementaryGroups must be enabled in clamd.conf.
 Only enable this if your site has many addresses aliased to /dev/null.
 .SH "BUGS"
 There is no support for IPv6.
@@ -315,4 +319,4 @@ clamav\-milter \-o local:/var/run/clamav/clmilter.sock
 Nigel Horne <njh@bandsman.co.uk>
 .SH "SEE ALSO"
 .LP
-sendmail(1), clamd(8), clamscan(1), freshclam(1), sigtool(1), clamd.conf(5), hosts_access(5)
+clamd(8), clamscan(1), freshclam(1), sigtool(1), clamd.conf(5), hosts_access(5), sendmail(8)