Re: [mod-security-users] clamav, clamdscan, clamscan, file permissions, and modsec-clamscan.pl
From: Ivan R. <iva...@gm...> - 2008-01-23 15:58:13
Hi Steve,

Thank you for your in-depth analysis of the problem. I am sorry we
didn't meet your expectations when it comes to response speed.

It's possible that this feature (relaxed permissions) had been broken
somewhere down the line. I've looked at the code briefly and it looks
to me we again need to relax file permissions for the files extracted
from requests. I (or Brian) will look into it and get back to you
(here, on the list).

On Jan 19, 2008 9:27 PM, Steve Whitlatch <swh...@ge...> wrote:
> Hello mod-security-users,
>
> I've got mod_security2 installed and working. Thank you to the developers.
>
> I'm mostly using the rules files shipped in the source package. It's
> working good, I think, except I don't know what to do to allow clamdscan
> (the daemon, not the command-line client) to access uploaded files via
> the modsec-clamscan.pl script. It works using the command-line client,
> but that's too slow.
>
> My question is: What must I do to properly configure file permissions so
> that I can use mod_security2 and clamdscan to scan uploaded files?
>
> Information
> -----------
> * clamav, clamd, etc. are installed and running correctly as per the
>   clamav installation instructions.
>
> * The modsec-clamscan.pl script I'm using is the one shipped in the
>   mod_security version 1.9.5 source package.
>
> * When using clamscan instead of clamdscan, that is:
>
>   '$CLAMSCAN = "/usr/local/bin/clamscan";'
>
>   it works fine. However, when using clamdscan, that is:
>
>   '$CLAMSCAN = "/usr/local/bin/clamdscan";'
>
>   in the modsec_audit.log, I always get a message similar to the
>   following:
>
> *******
> Message: Warning. File \
> "/tmp/webfiles/20080119-130031-tgz@An8AAAEAAAvcXIUAAAAH-file-KH1j8W" \
> rejected by the approver script \
> "/usr/local/apache2/bin/modsec-clamscan.pl":0 clamscan: Access denied.
> [. . .]
> Producer: ModSecurity v2.1.3 (Apache 2.x)
> [. . .]
> *********
>
> * The uploaded files are written to disk with the following permissions:
>   -rw------- 1 httpd_user httpd_group
>
> * The clamd daemon runs as the user:
>   clamav
>
> * The relevant SecRule in use is:
>
>   SecRule FILES_TMPNAMES "@inspectFile \
>   /usr/local/apache2/bin/modsec-clamscan.pl" "t:none"
>
> * I've read the relevant portions of the 1.9.x ModSecurity for Apache
>   User Guide, sections "Interacting with other daemons" and
>   "Integration with ClamAV". The tmp directory and its permissions
>   are created accordingly, that is:
>
>   # mkdir /tmp/webfiles
>   # chown httpd_user:clamav /tmp/webfiles
>   # chmod 2750 /tmp/webfiles
>
>   and I am using:
>
>   SecUploadDir /tmp/webfiles
>   SecDataDir /tmp/webfiles
>   SecTmpDir /tmp/webfiles
>
> -----------
>
> Thoughts
> --------
> Previous versions of the ModSecurity for Apache User Guide discuss the
> permissions issue and state:
>
> "To allow for interaction with other daemons (for example ClamAV, as
> described later), as of 1.9dev1 files are created with relaxed permissions
> allowing group read. To do this assuming Apache runs as httpd and daemon
> as clamav [. . .]
>
> But that appears to no longer be the case. Upon inspection, mod_security is
> creating the files with the following permissions:
>
> -rw------- 1 httpd_user httpd_group
>
> So, no group read. And if the files were to be written with group read,
> there is the issue of which group that would be. It is currently not
> clamav. And even if the group were clamav, there is the issue of Apache
> needing to run with its group being something other than clamav.
>
> Solutions? Suggestions? If anyone actually has mod_security2 scanning
> uploads with clamdscan (the daemon, not "clamscan", the command-line
> client), please share how you did that.
>
> Thanks,
>
> Steve Whitlatch

--
Ivan Ristic
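
The permission check behind the "Access denied" result in this thread, as an added example that is not part of the original messages or of ModSecurity: it evaluates classic Unix mode bits along the path for the scanning user and reports the first component that blocks the read. The numeric ids and the file name /tmp/webfiles/upload are constructed; the modes and ownership are those quoted in the thread.

```python
import os
import stat
from collections import namedtuple

# One path component plus the stat fields that decide access.
Node = namedtuple("Node", "path mode uid gid")

def perm_class(node, uid, gids):
    """Pick the single permission triplet the kernel applies to this caller."""
    if uid == node.uid:
        return "owner"
    return "group" if node.gid in gids else "other"

def first_denial(nodes, uid, gids):
    """Return (path, reason) for the first component that blocks a read by
    (uid, gids), or None if the read is allowed. Classic mode bits only:
    root, ACLs and MAC policy (SELinux, AppArmor) are not modelled."""
    shift = {"owner": 6, "group": 3, "other": 0}
    for node in nodes:
        cls = perm_class(node, uid, gids)
        perms = stat.S_IMODE(node.mode)
        bits = (perms >> shift[cls]) & 0o7
        # Directories need search (x); the file at the end needs read (r).
        need, name = (0o1, "search") if stat.S_ISDIR(node.mode) else (0o4, "read")
        if not bits & need:
            return node.path, f"no {name} bit for {cls} (mode {perms:04o})"
    return None

def nodes_for(path):
    """Stat a real file and every parent directory, root first."""
    path, found = os.path.abspath(path), []
    while True:
        st = os.stat(path)
        found.append(Node(path, st.st_mode, st.st_uid, st.st_gid))
        parent = os.path.dirname(path)
        if parent == path:
            return found[::-1]
        path = parent

# Constructed numeric ids standing in for httpd_user, httpd_group and clamav.
HTTPD_UID, HTTPD_GID, CLAMAV_UID, CLAMAV_GID = 1001, 1001, 1002, 1002
UPLOAD_DIR = Node("/tmp/webfiles", stat.S_IFDIR | 0o2750, HTTPD_UID, CLAMAV_GID)
UPLOAD = Node("/tmp/webfiles/upload", stat.S_IFREG | 0o600, HTTPD_UID, HTTPD_GID)

if __name__ == "__main__":
    # The case from the thread: clamd (user clamav) reading a 0600 upload.
    print(first_denial([UPLOAD_DIR, UPLOAD], CLAMAV_UID, {CLAMAV_GID}))
```

To check a live upload, pass `nodes_for(path)` together with the daemon's real uid and its set of group ids.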