limits: defaults and conf files

git-svn: trunk@3624
18 years ago · a5d91be788
parent a5afcb6772
commit a5d91be788
6 changed files with 64 additions and 56 deletions
--- a/5
+++ b/5
@ -1,3 +1,8 @@
+Wed Feb 13 02:49:38 CET 2008 (acab)
+-----------------------------------
+  * limits: Set new defaults, updated sample config files
+  	    More to come (documents update and final tweaks)
+
 Tue Feb 12 11:19:22 GMT 2008 (njh)
 ----------------------------------
  * libclamav/pdf.c:	Fix some warning messages and compilation error on
--- a/clamav-milter/clamav-milter.c
+++ b/clamav-milter/clamav-milter.c
@ -1890,8 +1890,6 @@ main(int argc, char **argv)
 			options |= CL_SCAN_DISABLERAR;*/
 		if(cfgopt(copt, "ArchiveBlockEncrypted")->enabled)
 			options |= CL_SCAN_BLOCKENCRYPTED;
-		if(cfgopt(copt, "ArchiveBlockMax")->enabled)
-			options |= CL_SCAN_BLOCKMAX;
 		if(cfgopt(copt, "ScanPE")->enabled)
 			options |= CL_SCAN_PE;
 		if(cfgopt(copt, "DetectBrokenExecutables")->enabled)
@ -1905,31 +1903,27 @@ main(int argc, char **argv)

 		memset(&limits, '\0', sizeof(struct cl_limits));

-		if(((cpt = cfgopt(copt, "MailMaxRecursion")) != NULL) && cpt->enabled)
-			limits.maxmailrec = cpt->numarg;
-
-		if(cfgopt(copt, "ScanArchive")->enabled) {
-			options |= CL_SCAN_ARCHIVE;
-			if(((cpt = cfgopt(copt, "ArchiveMaxFileSize")) != NULL) && cpt->enabled)
-				limits.maxfilesize = cpt->numarg;
-			else
-				limits.maxfilesize = 10485760;
-
-			if(((cpt = cfgopt(copt, "ArchiveMaxRecursion")) != NULL) && cpt->enabled)
-				limits.maxreclevel = cpt->numarg;
-			else
-				limits.maxreclevel = 8;
+		if(((cpt = cfgopt(copt, "MaxScanSize")) != NULL) && cpt->enabled)
+			limits.maxscansize = cpt->numarg;
+		else
+			limits.maxscansize = 104857600;
+		if(((cpt = cfgopt(copt, "MaxFileSize")) != NULL) && cpt->enabled)
+			limits.maxfilesize = cpt->numarg;
+		else
+			limits.maxfilesize = 10485760;

-			if(((cpt = cfgopt(copt, "ArchiveMaxFiles")) != NULL) && cpt->enabled)
-				limits.maxfiles = cpt->numarg;
-			else
-				limits.maxfiles = 1000;
+		if(((cpt = cfgopt(copt, "MaxRecursion")) != NULL) && cpt->enabled)
+			limits.maxreclevel = cpt->numarg;
+		else
+			limits.maxreclevel = 8;

-			if(((cpt = cfgopt(copt, "ArchiveMaxCompressionRatio")) != NULL) && cpt->enabled)
-				limits.maxratio = cpt->numarg;
-			else
-				limits.maxratio = 250;
+		if(((cpt = cfgopt(copt, "MaxFiles")) != NULL) && cpt->enabled)
+			limits.maxfiles = cpt->numarg;
+		else
+			limits.maxfiles = 1000;

+		if(cfgopt(copt, "ScanArchive")->enabled) {
+			options |= CL_SCAN_ARCHIVE;
 			if(cfgopt(copt, "ArchiveLimitMemoryUsage")->enabled)
 				limits.archivememlim = 1;
 			else
--- a/clamscan/clamscan.c
+++ b/clamscan/clamscan.c
@ -321,13 +321,12 @@ void help(void)
    mprintf("    --no-archive                         Disable libclamav archive support\n");
    mprintf("    --detect-broken                      Try to detect broken executable files\n");
    mprintf("    --block-encrypted                    Block encrypted archives\n");
-    mprintf("    --block-max                          Block archives that exceed limits\n");
    mprintf("    --mail-follow-urls                   Download and scan URLs\n");
    mprintf("\n");
-    mprintf("    --max-scansize=#n                    FIXMELIMITS\n");
-    mprintf("    --max-filesize=#n                    FIXMELIMITS\n");
-    mprintf("    --max-files=#n                       FIXMELIMITS\n");
-    mprintf("    --max-recursion=#n                   Maximum archive recursion level\n");
+    mprintf("    --max-filesize=#n                    Files larger than this will be skipped and assumed clean\n");
+    mprintf("    --max-scansize=#n                    The maximum amount of data to scan for each container file (*)\n");
+    mprintf("    --max-files=#n                       The maximum number of files to scan for each container file (*)\n");
+    mprintf("    --max-recursion=#n                   Maximum archive recursion level for container file (*)\n");
    mprintf("    --max-dir-recursion=#n               Maximum directory recursion level\n");
    mprintf("    --unzip[=FULLPATH]                   Enable support for .zip files\n");
    mprintf("    --unrar[=FULLPATH]                   Enable support for .rar files\n");
@ -338,4 +337,6 @@ void help(void)
    mprintf("    --tar[=FULLPATH]                     Enable support for .tar files\n");
    mprintf("    --deb[=FULLPATH to ar]               Enable support for .deb files\n");
    mprintf("    --tgz[=FULLPATH]                     Enable support for .tar.gz, .tgz files\n\n");
+    mprintf("(*) Certain files (e.g. documents, archives, etc.) may in turn contain other files inside.\n");
+    mprintf("    The above options ensure safe processing of this kind of data.\n\n");
 }
--- a/clamscan/manager.c
+++ b/clamscan/manager.c
@ -231,7 +231,7 @@ int scanmanager(const struct optstruct *opt)
 	} else
 	    limits.maxscansize = atoi(ptr) * 1024;
    } else
-	limits.maxscansize = 104857600;  /* FIXMELIMITS */
+	limits.maxscansize = 104857600;

    if(opt_check(opt, "max-filesize")) {
 	char *cpy, *ptr;
@ -244,17 +244,17 @@ int scanmanager(const struct optstruct *opt)
 	} else
 	    limits.maxfilesize = atoi(ptr) * 1024;
    } else
-	limits.maxfilesize = 10485760;  /* FIXMELIMITS */
+	limits.maxfilesize = 26214400;

    if(opt_check(opt, "max-files"))
 	limits.maxfiles = atoi(opt_arg(opt, "max-files"));
    else
-        limits.maxfiles = 500;
+        limits.maxfiles = 10000;

    if(opt_check(opt, "max-recursion"))
        limits.maxreclevel = atoi(opt_arg(opt, "max-recursion"));
    else
-        limits.maxreclevel = 8;
+        limits.maxreclevel = 16;

    /* set options */

@ -416,29 +416,27 @@ static int clamav_unpack(const char *prog, const char **args, const char *tmpdir
 {
 	pid_t pid;
 	int status, wret, fdevnull;
-	unsigned int maxfiles, maxspace;
+	unsigned int maxfiles, maxscansize;
 	struct s_du n;


    if(opt_check(opt, "max-files"))
 	maxfiles = atoi(opt_arg(opt, "max-files"));
    else
-	maxfiles = 0;
+	maxfiles = 10000;

-    /* FIXMELIMITS */
-    if(opt_check(opt, "max-filesize")) {
+    if(opt_check(opt, "max-scansize")) {
 	    char *cpy, *ptr;
-	ptr = opt_arg(opt, "max-filesize");
+	ptr = opt_arg(opt, "max-scansize");
 	if(tolower(ptr[strlen(ptr) - 1]) == 'm') { /* megabytes */
 	    cpy = calloc(strlen(ptr), 1);
 	    strncpy(cpy, ptr, strlen(ptr) - 1);
-	    maxspace = atoi(cpy) * 1024;
+	    maxscansize = atoi(cpy) * 1024;
 	    free(cpy);
 	} else /* default - kilobytes */
-	    maxspace = atoi(ptr);
+	    maxscansize = atoi(ptr);
    } else
-	maxspace = 0;
-
+	maxscansize = 104857600;

    switch(pid = fork()) {
 	case -1:
@ -490,12 +488,12 @@ static int clamav_unpack(const char *prog, const char **args, const char *tmpdir
 	    break;
 	default:

-	    if(maxfiles || maxspace) {
+	    if(maxscansize || maxfiles) {
 		while(!(wret = waitpid(pid, &status, WNOHANG))) {
 		    memset(&n, 0, sizeof(struct s_du));

 		    if(!du(tmpdir, &n))
-			if((maxfiles && n.files > maxfiles) || (maxspace && n.space > maxspace)) {
+			if((maxfiles && n.files > maxfiles) || (maxscansize && n.space > maxscansize)) {
 			    logg("*n.files: %u, n.space: %lu\n", n.files, n.space);
 			    kill(pid, 9); /* stop it immediately */
 			}
--- a/etc/clamd.conf
+++ b/etc/clamd.conf
@ -266,26 +266,36 @@ LocalSocket /tmp/clamd.socket
 # The options below protect your system against Denial of Service attacks
 # using archive bombs.

-# FIXMELIMITS
-# Value of 0 disables the limit.
-# Default: FIXMELIMITS
+# This option sets the maximum amount of data to be scanned for each input file.
+# Archives and other containers are recursively extracted and scanned up to this
+# value.
+# Value of 0 disables the limit
+# Note: disabling this limit or setting it too high may result in severe damage
+# to the system.
+# Default: 100M
 #MaxScanSize 15M

-# Files in archives larger than this limit won't be scanned.
+# Files larger than this limit won't be scanned.
 # Value of 0 disables the limit.
-# Default: 10M
+# Note: disabling this limit or setting it too high may result in severe damage
+# to the system.
+# Default: 25M
 #MaxFileSize 15M

 # Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR
 # file, all files within it will also be scanned. This options specifies how
 # deeply the process should be continued.
+# Note: disabling this limit or setting it too high may result in severe damage
+# to the system.
 # Value of 0 disables the limit.
-# Default: 8
+# Default: 16
 #MaxRecursion 10

-# Number of files to be scanned within an archive.
+# Number of files to be scanned within an archive, a document, ecc.
 # Value of 0 disables the limit.
-# Default: 1000
+# Note: disabling this limit or setting it too high may result in severe damage
+# to the system.
+# Default: 10000
 #MaxFiles 1500

 # Use slower but memory efficient decompression algorithm.
--- a/shared/cfgparser.c
+++ b/shared/cfgparser.c
@ -60,10 +60,10 @@ struct cfgoption cfg_options[] = {
    {"ScanOLE2", OPT_BOOL, 1, NULL, 0, OPT_CLAMD},
    {"ScanPDF", OPT_BOOL, 0, NULL, 0, OPT_CLAMD},
    {"ScanArchive", OPT_BOOL, 1, NULL, 0, OPT_CLAMD},
-    {"MaxScanSize", OPT_COMPSIZE, 104857600, NULL, 0, OPT_CLAMD}, /* FIXMELIMITS */
-    {"MaxFileSize", OPT_COMPSIZE, 10485760, NULL, 0, OPT_CLAMD},
-    {"MaxRecursion", OPT_NUM, 8, NULL, 0, OPT_CLAMD},
-    {"MaxFiles", OPT_NUM, 1000, NULL, 0, OPT_CLAMD},
+    {"MaxScanSize", OPT_COMPSIZE, 104857600, NULL, 0, OPT_CLAMD},
+    {"MaxFileSize", OPT_COMPSIZE, 26214400, NULL, 0, OPT_CLAMD},
+    {"MaxRecursion", OPT_NUM, 16, NULL, 0, OPT_CLAMD},
+    {"MaxFiles", OPT_NUM, 10000, NULL, 0, OPT_CLAMD},
    {"ArchiveLimitMemoryUsage", OPT_BOOL, 0, NULL, 0, OPT_CLAMD},
    {"ArchiveBlockEncrypted", OPT_BOOL, 0, NULL, 0, OPT_CLAMD},
    {"DatabaseDirectory", OPT_QUOTESTR, -1, DATADIR, 0, OPT_CLAMD | OPT_FRESHCLAM},