path: root/recipes-security/clamav/clamav-0.98.5/0015-bb-10731-Allow-to-specificy-a-group-for-the-socket-o.patch
From 9ba0bd8840f8be4cccaf8134b65a012dffdd8ae0 Mon Sep 17 00:00:00 2001
From: Shawn Webb <swebb@sourcefire.com>
Date: Thu, 31 Jul 2014 11:50:23 -0400
Subject: bb#10731 - Allow to specificy a group for the socket of which the
 user is not a member

Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
---
 clamav-milter/clamav-milter.c | 193 +++++++++++++++++++++---------------------
 1 file changed, 98 insertions(+), 95 deletions(-)

diff --git a/clamav-milter/clamav-milter.c b/clamav-milter/clamav-milter.c
index 2c7a4d7d3414..99e7fe7fac04 100644
--- a/clamav-milter/clamav-milter.c
+++ b/clamav-milter/clamav-milter.c
@@ -116,6 +116,104 @@ int main(int argc, char **argv) {
 	}
     }
 
+    if(!(my_socket = optget(opts, "MilterSocket")->strarg)) {
+	logg("!Please configure the MilterSocket directive\n");
+	logg_close();
+	optfree(opts);
+	return 1;
+    }
+
+    if(smfi_setconn(my_socket) == MI_FAILURE) {
+	logg("!smfi_setconn failed\n");
+	logg_close();
+	optfree(opts);
+	return 1;
+    }
+    if(smfi_register(descr) == MI_FAILURE) {
+	logg("!smfi_register failed\n");
+	logg_close();
+	optfree(opts);
+	return 1;
+    }
+    opt = optget(opts, "FixStaleSocket");
+    umsk = umask(0777); /* socket is created with 000 to avoid races */
+    if(smfi_opensocket(opt->enabled) == MI_FAILURE) {
+	logg("!Failed to create socket %s\n", my_socket);
+	logg_close();
+	optfree(opts);
+	return 1;
+    }
+    umask(umsk); /* restore umask */
+    if(strncmp(my_socket, "inet:", 5) && strncmp(my_socket, "inet6:", 6)) {
+	/* set group ownership and perms on the local socket */
+	char *sock_name = my_socket;
+	mode_t sock_mode;
+	if(!strncmp(my_socket, "unix:", 5))
+	    sock_name += 5;
+	if(!strncmp(my_socket, "local:", 6))
+	    sock_name += 6;
+	if(*my_socket == ':')
+	    sock_name ++;
+
+	if(optget(opts, "MilterSocketGroup")->enabled) {
+	    char *gname = optget(opts, "MilterSocketGroup")->strarg, *end;
+	    gid_t sock_gid = strtol(gname, &end, 10);
+	    if(*end) {
+		struct group *pgrp = getgrnam(gname);
+		if(!pgrp) {
+		    logg("!Unknown group %s\n", gname);
+		    logg_close();
+		    optfree(opts);
+		    return 1;
+		}
+		sock_gid = pgrp->gr_gid;
+	    }
+	    if(chown(sock_name, -1, sock_gid)) {
+		logg("!Failed to change socket ownership to group %s\n", gname);
+		logg_close();
+		optfree(opts);
+		return 1;
+	    }
+	}
+
+	if ((opt = optget(opts, "User"))->enabled) {
+	    struct passwd *user;
+	    if ((user = getpwnam(opt->strarg)) == NULL) {
+		logg("ERROR: Can't get information about user %s.\n",
+			opt->strarg);
+		logg_close();
+		optfree(opts);
+		return 1;
+	    }
+
+	    if(chown(sock_name, user->pw_uid, -1)) {
+		logg("!Failed to change socket ownership to user %s\n", user->pw_name);
+		optfree(opts);
+		logg_close();
+		return 1;
+	    }
+	}
+
+	if(optget(opts, "MilterSocketMode")->enabled) {
+	    char *end;
+	    sock_mode = strtol(optget(opts, "MilterSocketMode")->strarg, &end, 8);
+	    if(*end) {
+		logg("!Invalid MilterSocketMode %s\n", optget(opts, "MilterSocketMode")->strarg);
+		logg_close();
+		optfree(opts);
+		return 1;
+	    }
+	} else
+	    sock_mode = 0777 & ~umsk;
+
+	if(chmod(sock_name, sock_mode & 0666)) {
+	    logg("!Cannot set milter socket permission to %s\n", optget(opts, "MilterSocketMode")->strarg);
+	    logg_close();
+	    optfree(opts);
+	    return 1;
+	}
+    }
+
     if(geteuid() == 0 && (opt = optget(opts, "User"))->enabled) {
         struct passwd *user = NULL;
 	if((user = getpwnam(opt->strarg)) == NULL) {
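Review bot: The `MilterSocketGroup` parse accepts anything `strtol` consumes in full, so if the option parser lets an empty value through, `*end` is `'\0'` and the socket is chowned to gid 0; a negative or out-of-range number is also converted to `gid_t` unchecked. Changing the test to `if(end == gname || *end)` would send the empty case to `getgrnam`, and an `errno`/range check would cover the rest. The `MilterSocketMode` parse has the same `if(*end)` shape, so an empty value yields mode 0. Because the block now sits ahead of the `geteuid() == 0 && User` block, these `chown`/`chmod` calls presumably run with start-up privileges and act on `sock_name` by path, so a comment should state that the socket directory must not be writable by other users. In the `chmod` failure branch the message passes `optget(opts, "MilterSocketMode")->strarg` to `%s` even when the option is not enabled and the pointer may be NULL; logging `sock_mode & 0666` with `%o` avoids that. `main` starts and ends outside the hunk.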
@@ -248,15 +346,6 @@ int main(int argc, char **argv) {
 
     multircpt = optget(opts, "SupportMultipleRecipients")->enabled;
     
-    if(!(my_socket = optget(opts, "MilterSocket")->strarg)) {
-	logg("!Please configure the MilterSocket directive\n");
-	localnets_free();
-	whitelist_free();
-	logg_close();
-	optfree(opts);
-	return 1;
-    }
-
     if(!optget(opts, "Foreground")->enabled) {
 	if(daemonize() == -1) {
 	    logg("!daemonize() failed\n");
@@ -271,92 +360,6 @@ int main(int argc, char **argv) {
 	    logg("^Can't change current working directory to root\n");
     }
 
-    if(smfi_setconn(my_socket) == MI_FAILURE) {
-	logg("!smfi_setconn failed\n");
-	localnets_free();
-	whitelist_free();
-	logg_close();
-	optfree(opts);
-	return 1;
-    }
-    if(smfi_register(descr) == MI_FAILURE) {
-	logg("!smfi_register failed\n");
-	localnets_free();
-	whitelist_free();
-	logg_close();
-	optfree(opts);
-	return 1;
-    }
-    opt = optget(opts, "FixStaleSocket");
-    umsk = umask(0777); /* socket is created with 000 to avoid races */ 
-    if(smfi_opensocket(opt->enabled) == MI_FAILURE) {
-	logg("!Failed to create socket %s\n", my_socket);
-	localnets_free();
-	whitelist_free();
-	logg_close();
-	optfree(opts);
-	return 1;
-    }
-    umask(umsk); /* restore umask */
-    if(strncmp(my_socket, "inet:", 5) && strncmp(my_socket, "inet6:", 6)) {
-	/* set group ownership and perms on the local socket */
-	char *sock_name = my_socket;
-	mode_t sock_mode;
-	if(!strncmp(my_socket, "unix:", 5))
-	    sock_name += 5;
-	if(!strncmp(my_socket, "local:", 6))
-	    sock_name += 6;
-	if(*my_socket == ':')
-	    sock_name ++;
-
-	if(optget(opts, "MilterSocketGroup")->enabled) {
-	    char *gname = optget(opts, "MilterSocketGroup")->strarg, *end;
-	    gid_t sock_gid = strtol(gname, &end, 10);
-	    if(*end) {
-		struct group *pgrp = getgrnam(gname);
-		if(!pgrp) {
-		    logg("!Unknown group %s\n", gname);
-		    localnets_free();
-		    whitelist_free();
-		    logg_close();
-		    optfree(opts);
-		    return 1;
-		}
-		sock_gid = pgrp->gr_gid;
-	    }
-	    if(chown(sock_name, -1, sock_gid)) {
-		logg("!Failed to change socket ownership to group %s\n", gname);
-		localnets_free();
-		whitelist_free();
-		logg_close();
-		optfree(opts);
-		return 1;
-	    }
-	}
-	if(optget(opts, "MilterSocketMode")->enabled) {
-	    char *end;
-	    sock_mode = strtol(optget(opts, "MilterSocketMode")->strarg, &end, 8);
-	    if(*end) {
-		logg("!Invalid MilterSocketMode %s\n", optget(opts, "MilterSocketMode")->strarg);
-		localnets_free();
-		whitelist_free();
-		logg_close();
-		optfree(opts);
-		return 1;
-	    }
-	} else
-	    sock_mode = 0777 & ~umsk;
-
-	if(chmod(sock_name, sock_mode & 0666)) {
-	    logg("!Cannot set milter socket permission to %s\n", optget(opts, "MilterSocketMode")->strarg);
-	    localnets_free();
-	    whitelist_free();
-	    logg_close();
-	    optfree(opts);
-	    return 1;
-	}
-    }
-
     maxfilesize = optget(opts, "MaxFileSize")->numarg;
     if(!maxfilesize) {
 	logg("^Invalid MaxFileSize, using default (%d)\n", CLI_DEFAULT_MAXFILESIZE);