First draft of chroot

git-svn: trunk@3011
18 years ago · b76fc9856f
parent af76dfbd91
commit b76fc9856f
4 changed files with 110 additions and 18 deletions
--- a/4
+++ b/4
@ -1,3 +1,7 @@
+Mon Apr  9 04:26:56 BST 2007 (njh)
+----------------------------------
+  * clamav-milter:	EXPERIMENAL: added --chroot
+
 Fri Apr  6 18:02:02 BST 2007 (njh)
 ----------------------------------
  * clamav-milter/clamav-milter.c:	Bug 433
--- a/clamav-milter/INSTALL
+++ b/clamav-milter/INSTALL
@ -371,7 +371,43 @@ Function names appear at the start of lines (I use ctags).
 Document your changes. If you add, remove, or change functionality you will
 need to update the manual page and possibly the usage message as well.

-6. TODO
+6. CHROOT JAIL
+
+The instructions will differ for you, but these will give you an idea
+
+	mkdir /var/run/clamav-root
+	chown clamav:clamav /var/run/clamav-root
+	chmod 750 /var/run/clamav-root
+	cd /var/run/clamav-root
+	mkdir var
+	mkdir var/tmp
+	ln -s var/tmp .
+	mkdir var/log
+	cd var/log
+	ln -s ../../../../../var/log/clamav .
+	cd ..
+	mkdir run
+	mkdir run/clamav
+	chown clamav:clamav run/clamav
+	cd ..
+	mkdir usr
+	mkdir usr/local
+	mkdir usr/local/share
+	ln -s ../../../../../../usr/local/share/clamav .
+
+In sendmail.mc:
+INPUT_MAIL_FILTER(`clamav', `S=local:/var/run/clamav-root/var/run/clamav/clamav.sock, F=T, T=S:4m;R:4m;C:30s;E:10m')dnl
+
+When starting clamav-milter use options such as (notice that the localation
+of clamav.sock is different in sendmail.mc than the location clamav-milter
+expects to see it)
+	--chroot=/var/run/clamav-root --max-children=3 -P --pidfile=/var/run/clamav/clamav-milter.pid --blacklist=60 --black-hole-mode local:/var/run/clamav/clamav.sock
+
+You may need to modify your shutdown script to look for clamav-milter.pid
+in /var/run/clamav-root/var/run/clamav/clamav-milter.pid
+
+7. TODO

 There are several ideas marked as TODO in the source code. If anyone has
-any other suggestions please feel free to contact me.
+any other suggestions please feel free to contact me. To avoid disappointment
+always contact me before undertaking any work.
--- a/clamav-milter/clamav-milter.c
+++ b/clamav-milter/clamav-milter.c
@ -33,7 +33,7 @@
 */
 static	char	const	rcsid[] = "$Id: clamav-milter.c,v 1.312 2007/02/12 22:24:21 njh Exp $";

-#define	CM_VERSION	"devel-070406"
+#define	CM_VERSION	"devel-070409"

 #if HAVE_CONFIG_H
 #include "clamav-config.h"
@ -480,6 +480,10 @@ static	long	*serverIPs;	/* IPv4 only */
 #endif
 static	int	numServers;	/* number of elements in serverIPs array */

+#ifdef	CL_EXPERIMENTAL
+static	char	*rootdir;	/* for chroot */
+#endif
+
 #ifdef	SESSION
 static	struct	session {
 	int	sock;	/* fd */
@ -572,6 +576,9 @@ help(void)
 	puts(_("\t--bounce\t\t-b\tSend a failure message to the sender."));
 #endif
 	puts(_("\t--broadcast\t\t-B [IFACE]\tBroadcast to a network manager when a virus is found."));
+#ifdef	CL_EXPERIMENTAL
+	puts(_("\t--chroot=DIR\t\t-C DIR\tChroot to dir when starting."));
+#endif
 	puts(_("\t--config-file=FILE\t-c FILE\tRead configuration from FILE."));
 	puts(_("\t--debug\t\t\t-D\tPrint debug messages."));
 	puts(_("\t--detect-forged-local-address\t-L\tReject mails that claim to be from us."));
@ -693,15 +700,15 @@ main(int argc, char **argv)
 		int opt_index = 0;
 #ifdef	BOUNCE
 #ifdef	CL_DEBUG
-		const char *args = "a:AbB:c:dDefF:I:k:K:lLm:M:nNop:PqQ:r:hHs:St:T:U:VwW:x:0:1:2";
+		const char *args = "a:AbB:c:C:dDefF:I:k:K:lLm:M:nNop:PqQ:r:hHs:St:T:U:VwW:x:0:1:2";
 #else
-		const char *args = "a:AbB:c:dDefF:I:k:K:lLm:M:nNop:PqQ:r:hHs:St:T:U:VwW:0:1:2";
+		const char *args = "a:AbB:c:C:dDefF:I:k:K:lLm:M:nNop:PqQ:r:hHs:St:T:U:VwW:0:1:2";
 #endif
 #else	/*!BOUNCE*/
 #ifdef	CL_DEBUG
-		const char *args = "a:AB:c:dDefF:I:k:K:lLm:M:nNop:PqQ:r:hHs:St:T:U:VwW:x:0:1:2";
+		const char *args = "a:AB:c:C:dDefF:I:k:K:lLm:M:nNop:PqQ:r:hHs:St:T:U:VwW:x:0:1:2";
 #else
-		const char *args = "a:AB:c:dDefF:I:k:K:lLm:M:nNop:PqQ:r:hHs:St:T:U:VwW:0:1:2";
+		const char *args = "a:AB:c:C:dDefF:I:k:K:lLm:M:nNop:PqQ:r:hHs:St:T:U:VwW:0:1:2";
 #endif
 #endif	/*BOUNCE*/

@ -723,6 +730,9 @@ main(int argc, char **argv)
 			{
 				"config-file", 1, NULL, 'c'
 			},
+			{
+				"chroot", 1, NULL, 'C'
+			},
 			{
 				"detect-forged-local-address", 0, NULL, 'L'
 			},
@ -867,6 +877,11 @@ main(int argc, char **argv)
 			case 'c':	/* where is clamd.conf? */
 				cfgfile = optarg;
 				break;
+#ifdef	CL_EXPERIMENTAL
+			case 'C':	/* chroot */
+				rootdir = optarg;
+				break;
+#endif
 			case 'd':	/* don't scan on error */
 				cl_error = SMFIS_ACCEPT;
 				break;
@ -1030,10 +1045,14 @@ main(int argc, char **argv)
 	}
 	port = argv[optind];

-	if(verifyIncomingSocketName(port) < 0) {
-		fprintf(stderr, _("%s: socket-addr (%s) doesn't agree with sendmail.cf\n"), argv[0], port);
-		return EX_CONFIG;
-	}
+#ifdef	CL_EXPERIMENTAL
+	if(rootdir == NULL)	/* FIXME: Handle CHROOT */
+#endif
+		if(verifyIncomingSocketName(port) < 0) {
+			fprintf(stderr, _("%s: socket-addr (%s) doesn't agree with sendmail.cf\n"), argv[0], port);
+			return EX_CONFIG;
+		}
+
 	if(strncasecmp(port, "inet:", 5) == 0)
 		if(!lflag) {
 			/*
@ -1822,6 +1841,25 @@ main(int argc, char **argv)

 	broadcast(_("Starting clamav-milter"));

+#ifdef	CL_EXPERIMENTAL
+	if(rootdir) {
+		if(getuid() == 0) {
+			if(chdir(rootdir) < 0) {
+				perror(rootdir);
+				return EX_CONFIG;
+			}
+			if(chroot(rootdir) < 0) {
+				perror(rootdir);
+				return EX_CONFIG;
+			}
+			logg("Chrooted to %s\n", rootdir);
+		} else {
+			logg("!chroot option needs root\n");
+			return EX_CONFIG;
+		}
+	}
+#endif
+
 	if(pidfile) {
 		/* save the PID */
 		char *p, *q;
@ -1838,8 +1876,12 @@ main(int argc, char **argv)
 		q = strrchr(p, '/');
 		*q = '\0';

-		if(chdir(p) < 0)	/* safety */
-			perror(p);
+#ifdef	CL_EXPERIMENTAL
+		if(rootdir == NULL)
+#endif
+			if(chdir(p) < 0)	/* safety */
+				perror(p);
+
 		free(p);

 		if((fd = fopen(pidfile, "w")) == NULL) {
@ -1854,13 +1896,19 @@ main(int argc, char **argv)
 #endif
 		fclose(fd);
 		umask(old_umask);
-	} else if(tmpdir)
-		chdir(tmpdir);	/* safety */
-	else
+	} else if(tmpdir) {
+#ifdef	CL_EXPERIMENTAL
+		if(rootdir == NULL)
+#endif
+			chdir(tmpdir);	/* safety */
+	} else
+#ifdef	CL_EXPERIMENTAL
+		if(rootdir == NULL)
+#endif
 #ifdef	P_tmpdir
-		chdir(P_tmpdir);
+			chdir(P_tmpdir);
 #else
-		chdir("/tmp");
+			chdir("/tmp");
 #endif

 	if(cfgopt(copt, "FixStaleSocket")->enabled) {
@ -1894,6 +1942,7 @@ main(int argc, char **argv)

 #if	((SENDMAIL_VERSION_A > 8) || ((SENDMAIL_VERSION_A == 8) && (SENDMAIL_VERSION_B >= 13)))
 	if(smfi_opensocket(1) == MI_FAILURE) {
+		perror(port);
 		cli_errmsg("Can't open/create %s\n", port);
 		return EX_CONFIG;
 	}
--- a/docs/man/clamav-milter.8.in
+++ b/docs/man/clamav-milter.8.in
@ -49,6 +49,9 @@ to check if any of their machines are infected.
 \fB\-V, \-\-version\fR
 Print the version number and exit.
 .TP
+\fB-C DIR, \-\-chroot=DIR\fR
+Run in chroot jail DIR.
+.TP
 \fB\-c FILE, \-\-config\-file=FILE\fR
 By default clamav\-milter uses a default configuration file, this option allows you to specify another one.
 .TP