Hello mod-security-users,

I've got mod_security2 installed and working. Thank you to the developers.
I'm mostly using the rules files shipped in the source package. It's
working well, I think, except I don't know what to do to allow clamdscan
(the daemon, not the command-line client) to access uploaded files via
the modsec-clamscan.pl script. It works using the command-line client,
but that's too slow.

My question is: What must I do to properly configure file permissions so
that I can use mod_security2 and clamdscan to scan uploaded files?

Information
-----------
* clamav, clamd, etc. are installed and running correctly as per the
  clamav installation instructions.
* The modsec-clamscan.pl script I'm using is the one shipped in the
  mod_security version 1.9.5 source package.
* When using clamscan instead of clamdscan, that is:
      '$CLAMSCAN = "/usr/local/bin/clamscan";'
  it works fine. However, when using clamdscan, that is:
      '$CLAMSCAN = "/usr/local/bin/clamdscan";'
  in the modsec_audit.log, I always get a message similar to the
  following:
  *******
  Message: Warning. File \
  "/tmp/webfiles/20080119-130031-tgz@An8AAAEAAAvcXIUAAAAH-file-KH1j8W" \
  rejected by the approver script \
  "/usr/local/apache2/bin/modsec-clamscan.pl":0 clamscan: Access denied.
  [. . .]
  Producer: ModSecurity v2.1.3 (Apache 2.x)
  [. . .]
  *********
* The uploaded files are written to disk with the following permissions:
      -rw------- 1 httpd_user httpd_group
* The clamd daemon runs as the user:
      clamav
* The relevant SecRule in use is:
      SecRule FILES_TMPNAMES "@inspectFile \
      /usr/local/apache2/bin/modsec-clamscan.pl" "t:none"
* I've read the relevant portions of the 1.9.x ModSecurity for Apache
  User Guide, sections "Interacting with other daemons" and
  "Integration with ClamAV". The tmp directory and its permissions
  are created accordingly, that is:
      # mkdir /tmp/webfiles
      # chown httpd_user:clamav /tmp/webfiles
      # chmod 2750 /tmp/webfiles
  and I am using:
      SecUploadDir /tmp/webfiles
      SecDataDir /tmp/webfiles
      SecTmpDir /tmp/webfiles
-----------

Thoughts
--------
Previous versions of the ModSecurity for Apache User Guide discuss the
permissions issue and state:

"To allow for interaction with other daemons (for example ClamAV, as
described later), as of 1.9dev1 files are created with relaxed permissions
allowing group read. To do this assuming Apache runs as httpd and daemon
as clamav [. . .]"

But that appears to no longer be the case. Upon inspection, mod_security is
creating the files with the following permissions:
    -rw------- 1 httpd_user httpd_group
So, no group read. And if the files were to be written with group read,
there is the issue of which group that would be. It is currently not
clamav. And even if the group were clamav, there is the issue of Apache
needing to run with its group being something other than clamav.

Solutions? Suggestions? If anyone actually has mod_security2 scanning
uploads with clamdscan (the daemon, not "clamscan", the command-line
client), please share how you did that.

Thanks,
Steve Whitlatch
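
The permission check behind the "Access denied" message, as an added example that is not part of the original post or of ModSecurity or ClamAV: with clamdscan the file is opened by the clamd daemon under its own account, so the owner/group/other test is evaluated for clamav on every path component. The numeric ids are constructed stand-ins for the accounts named in the post; the modes are the ones the post reports.

```python
import os
import stat

READ, SEARCH = 4, 1

def allowed(mode, owner, group, uid, gids, want):
    """POSIX class selection: owner bits if uid owns the object, else group
    bits if one of the caller's groups matches, else other bits. The first
    matching class decides. Root's bypass is not modelled."""
    if uid == owner:
        bits = mode >> 6
    elif group in gids:
        bits = mode >> 3
    else:
        bits = mode
    return bool(bits & want)

def first_denial(chain, uid, gids):
    """chain: (name, mode, owner, group) tuples, directories first and the
    file last. Returns the first component that blocks a read, or None."""
    for i, (name, mode, owner, group) in enumerate(chain):
        want = READ if i == len(chain) - 1 else SEARCH
        if not allowed(mode, owner, group, uid, gids, want):
            return name
    return None

def chain_from_path(path):
    """Build the same chain from a real file, for use on a live host."""
    cur, chain = os.path.realpath(path), []
    while True:
        st = os.stat(cur)
        chain.append((cur, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid))
        if os.path.dirname(cur) == cur:
            return chain[::-1]
        cur = os.path.dirname(cur)

# Constructed numeric ids standing in for the accounts named in the post.
HTTPD_USER, HTTPD_GROUP, CLAMAV_USER, CLAMAV_GROUP = 1001, 1001, 1002, 1002
WEBFILES = ("/tmp/webfiles", 0o2750, HTTPD_USER, CLAMAV_GROUP)

def upload(mode, group):
    """The upload directory from the post plus one file with the given mode/group."""
    return [WEBFILES, ("upload", mode, HTTPD_USER, group)]

if __name__ == "__main__":
    for label, chain in [("0600 httpd_group", upload(0o600, HTTPD_GROUP)),
                         ("0640 httpd_group", upload(0o640, HTTPD_GROUP)),
                         ("0640 clamav", upload(0o640, CLAMAV_GROUP))]:
        print(label, "->", first_denial(chain, CLAMAV_USER, {CLAMAV_GROUP}) or "readable")
```

On a live host, `first_denial(chain_from_path(path), uid, gids)` with the daemon account's real uid and group ids names the component that blocks the read.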