Rev 1 | Rev 3 | Go to most recent revision | Details | Compare with Previous | Last modification | View Log | RSS feed
Rev | Author | Line No. | Line |
---|---|---|---|
1 | madcat | 1 | Add support for scanning uploaded files with clamav. Not all features are |
2 | implemented (ex. file inclusion/exclusion for scanning). Every uploaded file is |
||
3 | saved in random named file, and moved to destination file after scanning. Side |
||
4 | effects: when uploaded *new* file was infected, 0-size file left. |
||
5 | |||
6 | Written by Marek Marczykowski <m.marczykowski@fiok.pl> |
||
7 | |||
8 | Downloaded from: http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/vsftpd/vsftpd-clamav.patch |
||
9 | |||
10 | diff -Naru vsftpd-2.2.2.orig/Makefile vsftpd-2.2.2/Makefile |
||
11 | --- vsftpd-2.2.2.orig/Makefile 2009-05-22 21:44:52.000000000 +0200 |
||
12 | +++ vsftpd-2.2.2/Makefile 2010-04-29 19:46:54.435448038 +0200 |
||
13 | @@ -14,7 +14,7 @@ |
||
14 | banner.o filestr.o parseconf.o secutil.o \ |
||
15 | ascii.o oneprocess.o twoprocess.o privops.o standalone.o hash.o \ |
||
16 | tcpwrap.o ipaddrparse.o access.o features.o readwrite.o opts.o \ |
||
17 | - ssl.o sslslave.o ptracesandbox.o ftppolicy.o sysutil.o sysdeputil.o |
||
18 | + ssl.o sslslave.o ptracesandbox.o ftppolicy.o sysutil.o sysdeputil.o clamav.o |
||
19 | |||
20 | |||
21 | .c.o: |
||
22 | diff -Naru vsftpd-2.2.2.orig/clamav.c vsftpd-2.2.2/clamav.c |
||
23 | --- vsftpd-2.2.2.orig/clamav.c 1970-01-01 01:00:00.000000000 +0100 |
||
24 | +++ vsftpd-2.2.2/clamav.c 2010-04-29 19:46:54.435448038 +0200 |
||
25 | @@ -0,0 +1,221 @@ |
||
26 | +#include <sys/types.h> |
||
27 | +#include <regex.h> |
||
28 | +#include <sys/socket.h> |
||
29 | +#include <linux/un.h> |
||
30 | +#include <arpa/inet.h> |
||
31 | +#include <netdb.h> |
||
32 | +#include <sys/socket.h> |
||
33 | +#include <stdio.h> |
||
34 | +#include "clamav.h" |
||
35 | +#include "tunables.h" |
||
36 | +#include "utility.h" |
||
37 | +#include "sysutil.h" |
||
38 | +#include "logging.h" |
||
39 | +#include "sysstr.h" |
||
40 | + |
||
41 | +regex_t av_include_files_regex, av_exclude_files_regex; |
||
42 | + |
||
43 | +int av_init() { |
||
44 | + int ret; |
||
45 | + |
||
46 | + if (tunable_av_enable) { |
||
47 | + if (tunable_av_include_files) { |
||
48 | + if ((ret=regcomp(&av_include_files_regex, tunable_av_include_files, REG_NOSUB)) != 0) |
||
49 | + die("regex compilation failed for AvIncludeFiles"); |
||
50 | + } |
||
51 | + if (tunable_av_exclude_files) { |
||
52 | + if ((ret=regcomp(&av_exclude_files_regex, tunable_av_exclude_files, REG_NOSUB)) != 0) |
||
53 | + die("regex compilation failed for AvExcludeFiles"); |
||
54 | + } |
||
55 | + } |
||
56 | + return 0; |
||
57 | +} |
||
58 | + |
||
59 | +int av_will_scan(const char *filename) { |
||
60 | + if (!tunable_av_enable) |
||
61 | + return 0; |
||
62 | + if (tunable_av_include_files && (regexec(&av_include_files_regex, filename, 0, 0, 0)!=0)) |
||
63 | + return 0; |
||
64 | + if (tunable_av_exclude_files && (regexec(&av_exclude_files_regex, filename, 0, 0, 0)==0)) |
||
65 | + return 0; |
||
66 | + return 1; |
||
67 | +} |
||
68 | + |
||
69 | +int av_init_scanner (struct vsf_session* p_sess) { |
||
70 | + struct mystr debug_str = INIT_MYSTR; |
||
71 | + |
||
72 | + if (p_sess->clamd_sock < 0) { |
||
73 | + |
||
74 | + /* connect to clamd through local unix socket */ |
||
75 | + if (tunable_av_clamd_socket) { |
||
76 | + struct sockaddr_un server_local; |
||
77 | + |
||
78 | + vsf_sysutil_memclr((char*)&server_local, sizeof(server_local)); |
||
79 | + |
||
80 | + server_local.sun_family = AF_UNIX; |
||
81 | + vsf_sysutil_strcpy(server_local.sun_path, tunable_av_clamd_socket, sizeof(server_local.sun_path)); |
||
82 | + if ((p_sess->clamd_sock = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) { |
||
83 | + str_alloc_text(&debug_str, "av: error opening unix socket"); |
||
84 | + vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str); |
||
85 | + p_sess->clamd_sock = -2; |
||
86 | + return 0; |
||
87 | + } |
||
88 | + |
||
89 | + if (connect(p_sess->clamd_sock, (struct sockaddr *)&server_local, sizeof(struct sockaddr_un)) < 0) { |
||
90 | + str_alloc_text(&debug_str, "av: error connecting to clamd"); |
||
91 | + vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str); |
||
92 | + p_sess->clamd_sock = -2; |
||
93 | + return 0; |
||
94 | + } |
||
95 | + |
||
96 | + } else if (tunable_av_clamd_host) { |
||
97 | + struct sockaddr_in server_inet; |
||
98 | + struct hostent *he; |
||
99 | + |
||
100 | + vsf_sysutil_memclr((char*)&server_inet, sizeof(server_inet)); |
||
101 | + |
||
102 | + /* Remote Socket */ |
||
103 | + server_inet.sin_family = AF_INET; |
||
104 | + server_inet.sin_port = htons(tunable_av_clamd_port); |
||
105 | + |
||
106 | + if ((p_sess->clamd_sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) { |
||
107 | + str_alloc_text(&debug_str, "av: error opening inet socket"); |
||
108 | + vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str); |
||
109 | + p_sess->clamd_sock = -2; |
||
110 | + return 0; |
||
111 | + } |
||
112 | + |
||
113 | + if ((he = gethostbyname(tunable_av_clamd_host)) == 0) { |
||
114 | + str_alloc_text(&debug_str, "av: unable to locate clamd host"); |
||
115 | + vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str); |
||
116 | + vsf_sysutil_close_failok(p_sess->clamd_sock); |
||
117 | + p_sess->clamd_sock = -2; |
||
118 | + return 0; |
||
119 | + } |
||
120 | + |
||
121 | + server_inet.sin_addr = *(struct in_addr *) he->h_addr_list[0]; |
||
122 | + |
||
123 | + if (connect(p_sess->clamd_sock, (struct sockaddr *)&server_inet, sizeof(struct sockaddr_in)) < 0) { |
||
124 | + str_alloc_text(&debug_str, "av: error connecting to clamd host"); |
||
125 | + vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str); |
||
126 | + vsf_sysutil_close_failok(p_sess->clamd_sock); |
||
127 | + p_sess->clamd_sock = -2; |
||
128 | + return 0; |
||
129 | + } |
||
130 | + } |
||
131 | + |
||
132 | + if (vsf_sysutil_write(p_sess->clamd_sock, "nIDSESSION\n", 11) <= 0) { |
||
133 | + str_alloc_text(&debug_str, "av: error starting clamd session"); |
||
134 | + vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str); |
||
135 | + vsf_sysutil_close_failok(p_sess->clamd_sock); |
||
136 | + p_sess->clamd_sock = -2; |
||
137 | + return 0; |
||
138 | + } |
||
139 | + } |
||
140 | + |
||
141 | + return 1; |
||
142 | +} |
||
143 | + |
||
144 | +int av_scan_file(struct vsf_session* p_sess, struct mystr *filename, struct mystr *virname) { |
||
145 | + struct mystr cwd = INIT_MYSTR; |
||
146 | + struct mystr clamcmd = INIT_MYSTR; |
||
147 | + struct mystr response = INIT_MYSTR; |
||
148 | + char recv_buff[4096]; |
||
149 | + int recv_count; |
||
150 | + struct str_locate_result locate_res; |
||
151 | + struct mystr debug_str = INIT_MYSTR; |
||
152 | + int retry = 0; |
||
153 | + |
||
154 | +init_scan: |
||
155 | + if (av_init_scanner(p_sess)) { |
||
156 | + |
||
157 | + str_alloc_text(&clamcmd, "nSCAN "); |
||
158 | + if (!str_isempty(&p_sess->chroot_str)) { |
||
159 | + str_append_str(&clamcmd, &p_sess->chroot_str); |
||
160 | + } |
||
161 | + if (str_get_char_at(filename, 0) != '/') { |
||
162 | + str_getcwd(&cwd); |
||
163 | + str_append_str(&clamcmd, &cwd); |
||
164 | + } |
||
165 | + if (str_get_char_at(&clamcmd, str_getlen(&clamcmd) - 1) != '/') { |
||
166 | + str_append_char(&clamcmd, '/'); |
||
167 | + } |
||
168 | + str_append_str(&clamcmd, filename); |
||
169 | + str_append_char(&clamcmd, '\n'); |
||
170 | + |
||
171 | +// sprintf(recv_buff, "sockfd: %d", p_sess->clamd_sock); |
||
172 | +// str_alloc_text(&debug_str, recv_buff); |
||
173 | +// vsf_log_line(p_sess, kVSFLogEntryDebug, &p_sess->chroot_str); |
||
174 | +// vsf_log_line(p_sess, kVSFLogEntryDebug, &clamcmd); |
||
175 | + |
||
176 | + if (vsf_sysutil_write(p_sess->clamd_sock, str_getbuf(&clamcmd), str_getlen(&clamcmd)) <= 0) { |
||
177 | + str_alloc_text(&debug_str, "av: failed to scan file"); |
||
178 | + vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str); |
||
179 | + vsf_sysutil_close_failok(p_sess->clamd_sock); |
||
180 | + p_sess->clamd_sock = -2; |
||
181 | + return 2; |
||
182 | + } |
||
183 | + |
||
184 | + str_free(&clamcmd); |
||
185 | + |
||
186 | + /* receive and interpret answer */ |
||
187 | + while ((recv_count=vsf_sysutil_read(p_sess->clamd_sock, recv_buff, 4095)) > 0) { |
||
188 | + recv_buff[recv_count]=0; |
||
189 | + str_append_text(&response, recv_buff); |
||
190 | + if (recv_buff[recv_count-1] == '\n') |
||
191 | + break; |
||
192 | + } |
||
193 | + if (recv_count < 0 || str_getlen(&response) == 0) { |
||
194 | + if (!retry) { |
||
195 | + retry = 1; |
||
196 | + vsf_sysutil_close_failok(p_sess->clamd_sock); |
||
197 | + p_sess->clamd_sock = -2; |
||
198 | + goto init_scan; |
||
199 | + } else { |
||
200 | + str_alloc_text(&debug_str, "av: failed to scan file (read failed)"); |
||
201 | + vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str); |
||
202 | + vsf_sysutil_close(p_sess->clamd_sock); |
||
203 | + p_sess->clamd_sock = -2; |
||
204 | + return 2; |
||
205 | + } |
||
206 | + } |
||
207 | + |
||
208 | + if (str_equal_text(&response, "COMMAND READ TIMED OUT\n")) { |
||
209 | + if (!retry) { |
||
210 | + retry = 1; |
||
211 | + vsf_sysutil_close_failok(p_sess->clamd_sock); |
||
212 | + p_sess->clamd_sock = -2; |
||
213 | + goto init_scan; |
||
214 | + } else { |
||
215 | + str_alloc_text(&debug_str, "av: got: "); |
||
216 | + str_append_str(&debug_str, &response); |
||
217 | + vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str); |
||
218 | + return 2; |
||
219 | + } |
||
220 | + } |
||
221 | + |
||
222 | + |
||
223 | + |
||
224 | + locate_res = str_locate_text(&response, " FOUND\n"); |
||
225 | + /* virus found */ |
||
226 | + if (locate_res.found) { |
||
227 | + str_trunc(&response, locate_res.index); |
||
228 | + str_split_text_reverse(&response, virname, ": "); |
||
229 | + return 1; |
||
230 | + } |
||
231 | + locate_res = str_locate_text(&response, " ERROR\n"); |
||
232 | + if (locate_res.found) { |
||
233 | + str_alloc_text(&debug_str, "av: got: "); |
||
234 | + str_append_str(&debug_str, &response); |
||
235 | + vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str); |
||
236 | + return 2; |
||
237 | + } |
||
238 | + return 0; |
||
239 | + } |
||
240 | + |
||
241 | + return 2; |
||
242 | +} |
||
243 | + |
||
244 | + |
||
245 | + |
||
246 | + |
||
247 | diff -Naru vsftpd-2.2.2.orig/clamav.h vsftpd-2.2.2/clamav.h |
||
248 | --- vsftpd-2.2.2.orig/clamav.h 1970-01-01 01:00:00.000000000 +0100 |
||
249 | +++ vsftpd-2.2.2/clamav.h 2010-04-29 19:46:54.435448038 +0200 |
||
250 | @@ -0,0 +1,12 @@ |
||
251 | +#ifndef _CLAMAV_H |
||
252 | +#define _CLAMAV_H |
||
253 | + |
||
254 | +#include "str.h" |
||
255 | +#include "session.h" |
||
256 | + |
||
257 | +extern int av_init(); |
||
258 | +extern int av_will_scan(const char *filename); |
||
259 | +extern int av_init_scanner (struct vsf_session* p_sess); |
||
260 | +extern int av_scan_file(struct vsf_session* p_sess, struct mystr *filename, struct mystr *virname); |
||
261 | + |
||
262 | +#endif |
||
263 | diff -Naru vsftpd-2.2.2.orig/main.c vsftpd-2.2.2/main.c |
||
264 | --- vsftpd-2.2.2.orig/main.c 2009-07-18 07:55:53.000000000 +0200 |
||
265 | +++ vsftpd-2.2.2/main.c 2010-04-29 19:46:54.435448038 +0200 |
||
2 | madcat | 266 | @@ -66,7 +66,9 @@ |
1 | madcat | 267 | /* Secure connection state */ |
268 | 0, 0, 0, 0, 0, INIT_MYSTR, 0, -1, -1, |
||
269 | /* Login fails */ |
||
270 | - 0 |
||
271 | + 0, |
||
272 | + /* av */ |
||
273 | + -1, INIT_MYSTR |
||
274 | }; |
||
275 | int config_loaded = 0; |
||
276 | int i; |
||
277 | diff -Naru vsftpd-2.2.2.orig/parseconf.c vsftpd-2.2.2/parseconf.c |
||
278 | --- vsftpd-2.2.2.orig/parseconf.c 2009-08-07 20:46:40.000000000 +0200 |
||
279 | +++ vsftpd-2.2.2/parseconf.c 2010-04-29 19:46:54.435448038 +0200 |
||
2 | madcat | 280 | @@ -101,6 +101,7 @@ |
1 | madcat | 281 | { "delete_failed_uploads", &tunable_delete_failed_uploads }, |
282 | { "implicit_ssl", &tunable_implicit_ssl }, |
||
283 | { "sandbox", &tunable_sandbox }, |
||
284 | + { "av_enable", &tunable_av_enable }, |
||
285 | { "require_ssl_reuse", &tunable_require_ssl_reuse }, |
||
286 | { "isolate", &tunable_isolate }, |
||
287 | { "isolate_network", &tunable_isolate_network }, |
||
2 | madcat | 288 | @@ -136,6 +137,7 @@ |
1 | madcat | 289 | { "delay_successful_login", &tunable_delay_successful_login }, |
290 | { "max_login_fails", &tunable_max_login_fails }, |
||
291 | { "chown_upload_mode", &tunable_chown_upload_mode }, |
||
292 | + { "av_clamd_port", &tunable_av_clamd_port }, |
||
293 | { 0, 0 } |
||
294 | }; |
||
295 | |||
2 | madcat | 296 | @@ -178,6 +180,10 @@ |
1 | madcat | 297 | { "dsa_private_key_file", &tunable_dsa_private_key_file }, |
298 | { "ca_certs_file", &tunable_ca_certs_file }, |
||
299 | { "cmds_denied", &tunable_cmds_denied }, |
||
300 | + { "av_clamd_socket", &tunable_av_clamd_socket }, |
||
301 | + { "av_clamd_host", &tunable_av_clamd_host }, |
||
302 | + { "av_include_files", &tunable_av_include_files }, |
||
303 | + { "av_exclude_files", &tunable_av_exclude_files }, |
||
304 | { 0, 0 } |
||
305 | }; |
||
306 | |||
307 | diff -Naru vsftpd-2.2.2.orig/postlogin.c vsftpd-2.2.2/postlogin.c |
||
308 | --- vsftpd-2.2.2.orig/postlogin.c 2009-11-07 05:55:12.000000000 +0100 |
||
309 | +++ vsftpd-2.2.2/postlogin.c 2010-04-29 19:46:54.438781445 +0200 |
||
310 | @@ -27,6 +27,7 @@ |
||
311 | #include "ssl.h" |
||
312 | #include "vsftpver.h" |
||
313 | #include "opts.h" |
||
314 | +#include "clamav.h" |
||
315 | |||
316 | /* Private local functions */ |
||
317 | static void handle_pwd(struct vsf_session* p_sess); |
||
2 | madcat | 318 | @@ -993,12 +994,15 @@ |
1 | madcat | 319 | static struct vsf_sysutil_statbuf* s_p_statbuf; |
320 | static struct mystr s_filename; |
||
321 | struct mystr* p_filename; |
||
322 | + struct mystr tmp_filename = INIT_MYSTR; |
||
323 | struct vsf_transfer_ret trans_ret; |
||
324 | int new_file_fd; |
||
325 | + int av_orig_file_fd = -1; |
||
326 | int remote_fd; |
||
327 | int success = 0; |
||
328 | int created = 0; |
||
329 | int do_truncate = 0; |
||
330 | + int do_av = 0; |
||
331 | filesize_t offset = p_sess->restart_pos; |
||
332 | p_sess->restart_pos = 0; |
||
333 | if (!data_transfer_checks_ok(p_sess)) |
||
2 | madcat | 334 | @@ -1012,6 +1016,7 @@ |
1 | madcat | 335 | get_unique_filename(&s_filename, p_filename); |
336 | p_filename = &s_filename; |
||
337 | } |
||
338 | + |
||
339 | vsf_log_start_entry(p_sess, kVSFLogEntryUpload); |
||
340 | str_copy(&p_sess->log_str, &p_sess->ftp_arg_str); |
||
341 | prepend_path_to_filename(&p_sess->log_str); |
||
2 | madcat | 342 | @@ -1043,6 +1048,24 @@ |
1 | madcat | 343 | return; |
344 | } |
||
345 | created = 1; |
||
346 | + |
||
347 | + if (av_will_scan(str_getbuf(p_filename))) { |
||
348 | + do_av = 1; |
||
349 | + str_copy(&tmp_filename, p_filename); |
||
350 | + str_append_text(&tmp_filename, ".XXXXXX"); |
||
351 | + av_orig_file_fd = new_file_fd; |
||
352 | + /* FIXME: various permissions issues... ex. writable file in non-writable directory */ |
||
353 | + new_file_fd = mkstemp(str_getbuf(&tmp_filename)); |
||
354 | + if (vsf_sysutil_retval_is_error(new_file_fd)) |
||
355 | + { |
||
356 | + vsf_sysutil_close(av_orig_file_fd); |
||
357 | + vsf_cmdio_write(p_sess, FTP_UPLOADFAIL, "Could not create temp file."); |
||
358 | + return; |
||
359 | + } |
||
360 | + /* mkstemp creates file with 0600 */ |
||
361 | + vsf_sysutil_fchmod(new_file_fd, 0666 &(~vsf_sysutil_get_umask())); |
||
362 | + } |
||
363 | + |
||
364 | vsf_sysutil_fstat(new_file_fd, &s_p_statbuf); |
||
365 | if (vsf_sysutil_statbuf_is_regfile(s_p_statbuf)) |
||
366 | { |
||
2 | madcat | 367 | @@ -1068,6 +1091,8 @@ |
1 | madcat | 368 | if (tunable_lock_upload_files) |
369 | { |
||
370 | vsf_sysutil_lock_file_write(new_file_fd); |
||
371 | + if (do_av) |
||
372 | + vsf_sysutil_lock_file_write(av_orig_file_fd); |
||
373 | } |
||
374 | /* Must truncate the file AFTER locking it! */ |
||
375 | if (do_truncate) |
||
2 | madcat | 376 | @@ -1075,6 +1100,22 @@ |
1 | madcat | 377 | vsf_sysutil_ftruncate(new_file_fd); |
378 | vsf_sysutil_lseek_to(new_file_fd, 0); |
||
379 | } |
||
380 | + if (do_av && (is_append || offset != 0)) { |
||
381 | + char buf[4096]; |
||
382 | + int count; |
||
383 | + |
||
384 | + /* copy original file */ |
||
385 | + vsf_sysutil_lseek_to(av_orig_file_fd, 0); |
||
386 | + while ((count=vsf_sysutil_read(av_orig_file_fd, buf, 4096)) > 0) { |
||
387 | + if (vsf_sysutil_write_loop(new_file_fd, buf, count) < 0) { |
||
388 | + vsf_cmdio_write(p_sess, FTP_UPLOADFAIL, "Could not copy temp file."); |
||
389 | + vsf_sysutil_close(new_file_fd); |
||
390 | + vsf_sysutil_close(av_orig_file_fd); |
||
391 | + vsf_sysutil_unlink(str_getbuf(&tmp_filename)); |
||
392 | + return; |
||
393 | + } |
||
394 | + } |
||
395 | + } |
||
396 | if (!is_append && offset != 0) |
||
397 | { |
||
398 | /* XXX - warning, allows seek past end of file! Check for seek > size? */ |
||
2 | madcat | 399 | @@ -1098,6 +1139,7 @@ |
1 | madcat | 400 | } |
401 | if (vsf_sysutil_retval_is_error(remote_fd)) |
||
402 | { |
||
403 | + vsf_sysutil_unlink(str_getbuf(&tmp_filename)); |
||
404 | goto port_pasv_cleanup_out; |
||
405 | } |
||
406 | if (tunable_ascii_upload_enable && p_sess->is_ascii) |
||
2 | madcat | 407 | @@ -1118,7 +1160,6 @@ |
1 | madcat | 408 | if (trans_ret.retval == 0) |
409 | { |
||
410 | success = 1; |
||
411 | - vsf_log_do_log(p_sess, 1); |
||
412 | } |
||
413 | if (trans_ret.retval == -1) |
||
414 | { |
||
2 | madcat | 415 | @@ -1130,7 +1171,43 @@ |
1 | madcat | 416 | } |
417 | else |
||
418 | { |
||
419 | - vsf_cmdio_write(p_sess, FTP_TRANSFEROK, "Transfer complete."); |
||
420 | + if (do_av) { |
||
421 | + struct mystr virname = INIT_MYSTR; |
||
422 | + struct mystr resp_str = INIT_MYSTR; |
||
423 | + |
||
424 | + switch (av_scan_file(p_sess, &tmp_filename, &virname)) { |
||
425 | + case 1: |
||
426 | + str_alloc_text(&resp_str, "Virus found: "); |
||
427 | + str_append_str(&resp_str, &virname); |
||
428 | + vsf_log_line(p_sess, kVSFLogEntryUpload, &resp_str); |
||
429 | + vsf_cmdio_write(p_sess, FTP_UPLOADFAIL, str_getbuf(&resp_str)); |
||
430 | + str_free(&resp_str); |
||
431 | + |
||
432 | + str_unlink(&tmp_filename); |
||
433 | + break; |
||
434 | + case 2: |
||
435 | + vsf_cmdio_write(p_sess, FTP_BADSENDFILE, "Failure scanning file."); |
||
436 | + str_unlink(&tmp_filename); |
||
437 | + break; |
||
438 | + default: |
||
439 | + /* FIXME: race condition */ |
||
440 | + if (vsf_sysutil_rename(str_getbuf(&tmp_filename), str_getbuf(p_filename)) < 0) { |
||
441 | + vsf_cmdio_write(p_sess, FTP_BADSENDFILE, "Failure writing to local file ."); |
||
442 | + str_unlink(&tmp_filename); |
||
443 | + } |
||
444 | + else |
||
445 | + { |
||
446 | + vsf_log_do_log(p_sess, 1); |
||
447 | + vsf_cmdio_write(p_sess, FTP_TRANSFEROK, "File receive OK."); |
||
448 | + } |
||
449 | + break; |
||
450 | + } |
||
451 | + } |
||
452 | + else |
||
453 | + { |
||
454 | + vsf_log_do_log(p_sess, 1); |
||
455 | + vsf_cmdio_write(p_sess, FTP_TRANSFEROK, "File receive OK."); |
||
456 | + } |
||
457 | } |
||
458 | check_abor(p_sess); |
||
459 | port_pasv_cleanup_out: |
||
2 | madcat | 460 | @@ -1138,9 +1215,15 @@ |
1 | madcat | 461 | pasv_cleanup(p_sess); |
462 | if (tunable_delete_failed_uploads && created && !success) |
||
463 | { |
||
464 | - str_unlink(p_filename); |
||
465 | + if (do_av) { |
||
466 | + str_unlink(&tmp_filename); |
||
467 | + } else { |
||
468 | + str_unlink(p_filename); |
||
469 | + } |
||
470 | } |
||
471 | vsf_sysutil_close(new_file_fd); |
||
472 | + if (do_av) |
||
473 | + vsf_sysutil_close(av_orig_file_fd); |
||
474 | } |
||
475 | |||
476 | static void |
||
477 | diff -Naru vsftpd-2.2.2.orig/secutil.c vsftpd-2.2.2/secutil.c |
||
478 | --- vsftpd-2.2.2.orig/secutil.c 2009-05-27 08:20:36.000000000 +0200 |
||
479 | +++ vsftpd-2.2.2/secutil.c 2010-04-29 19:46:54.438781445 +0200 |
||
480 | @@ -34,6 +34,7 @@ |
||
481 | if (p_dir_str == 0 || str_isempty(p_dir_str)) |
||
482 | { |
||
483 | str_alloc_text(&dir_str, vsf_sysutil_user_get_homedir(p_user)); |
||
484 | + str_copy(p_dir_str, &dir_str); |
||
485 | } |
||
486 | else |
||
487 | { |
||
488 | diff -Naru vsftpd-2.2.2.orig/session.h vsftpd-2.2.2/session.h |
||
489 | --- vsftpd-2.2.2.orig/session.h 2008-02-12 03:39:38.000000000 +0100 |
||
490 | +++ vsftpd-2.2.2/session.h 2010-04-29 19:46:54.438781445 +0200 |
||
2 | madcat | 491 | @@ -97,6 +97,10 @@ |
1 | madcat | 492 | int ssl_slave_fd; |
493 | int ssl_consumer_fd; |
||
494 | unsigned int login_fails; |
||
495 | + |
||
496 | + /* data for av scanner */ |
||
497 | + int clamd_sock; |
||
498 | + struct mystr chroot_str; |
||
499 | }; |
||
500 | |||
501 | #endif /* VSF_SESSION_H */ |
||
502 | diff -Naru vsftpd-2.2.2.orig/tunables.c vsftpd-2.2.2/tunables.c |
||
503 | --- vsftpd-2.2.2.orig/tunables.c 2009-07-15 22:08:27.000000000 +0200 |
||
504 | +++ vsftpd-2.2.2/tunables.c 2010-04-29 19:48:44.265437093 +0200 |
||
2 | madcat | 505 | @@ -88,6 +88,8 @@ |
506 | int tunable_ftp_enable; |
||
507 | int tunable_http_enable; |
||
1 | madcat | 508 | |
509 | +int tunable_av_enable; |
||
510 | + |
||
511 | unsigned int tunable_accept_timeout; |
||
512 | unsigned int tunable_connect_timeout; |
||
513 | unsigned int tunable_local_umask; |
||
2 | madcat | 514 | @@ -108,6 +110,7 @@ |
1 | madcat | 515 | unsigned int tunable_delay_successful_login; |
516 | unsigned int tunable_max_login_fails; |
||
517 | unsigned int tunable_chown_upload_mode; |
||
518 | +unsigned int tunable_av_clamd_port; |
||
519 | |||
520 | const char* tunable_secure_chroot_dir; |
||
521 | const char* tunable_ftp_username; |
||
2 | madcat | 522 | @@ -142,6 +145,11 @@ |
1 | madcat | 523 | const char* tunable_dsa_private_key_file; |
524 | const char* tunable_ca_certs_file; |
||
525 | |||
526 | +const char* tunable_av_clamd_socket; |
||
527 | +const char* tunable_av_clamd_host; |
||
528 | +const char* tunable_av_include_files; |
||
529 | +const char* tunable_av_exclude_files; |
||
530 | + |
||
531 | static void install_str_setting(const char* p_value, const char** p_storage); |
||
532 | |||
533 | void |
||
2 | madcat | 534 | @@ -223,9 +231,10 @@ |
1 | madcat | 535 | tunable_sandbox = 0; |
536 | tunable_require_ssl_reuse = 1; |
||
537 | tunable_isolate = 1; |
||
538 | - tunable_isolate_network = 1; |
||
539 | + tunable_isolate_network = 0; |
||
540 | tunable_ftp_enable = 1; |
||
541 | tunable_http_enable = 0; |
||
542 | + tunable_av_enable = 0; |
||
543 | |||
544 | tunable_accept_timeout = 60; |
||
545 | tunable_connect_timeout = 60; |
||
2 | madcat | 546 | @@ -251,6 +260,7 @@ |
1 | madcat | 547 | tunable_max_login_fails = 3; |
548 | /* -rw------- */ |
||
549 | tunable_chown_upload_mode = 0600; |
||
550 | + tunable_av_clamd_port = 3310; |
||
551 | |||
2 | madcat | 552 | install_str_setting("/var/run/vsftpd/empty", &tunable_secure_chroot_dir); |
1 | madcat | 553 | install_str_setting("ftp", &tunable_ftp_username); |
2 | madcat | 554 | @@ -286,6 +296,11 @@ |
1 | madcat | 555 | install_str_setting(0, &tunable_rsa_private_key_file); |
556 | install_str_setting(0, &tunable_dsa_private_key_file); |
||
557 | install_str_setting(0, &tunable_ca_certs_file); |
||
558 | + |
||
559 | + install_str_setting(0, &tunable_av_clamd_socket); |
||
560 | + install_str_setting("127.0.0.1", &tunable_av_clamd_host); |
||
561 | + install_str_setting(0, &tunable_av_include_files); |
||
562 | + install_str_setting(0, &tunable_av_exclude_files); |
||
563 | } |
||
564 | |||
565 | void |
||
566 | diff -Naru vsftpd-2.2.2.orig/tunables.h vsftpd-2.2.2/tunables.h |
||
567 | --- vsftpd-2.2.2.orig/tunables.h 2009-07-07 03:37:28.000000000 +0200 |
||
568 | +++ vsftpd-2.2.2/tunables.h 2010-04-29 19:46:54.438781445 +0200 |
||
2 | madcat | 569 | @@ -84,6 +84,7 @@ |
1 | madcat | 570 | extern int tunable_implicit_ssl; /* Use implicit SSL protocol */ |
571 | extern int tunable_sandbox; /* Deploy ptrace sandbox */ |
||
572 | extern int tunable_require_ssl_reuse; /* Require re-used data conn */ |
||
573 | +extern int tunable_av_enable; /* Scan av incomming files */ |
||
574 | extern int tunable_isolate; /* Use container clone() flags */ |
||
575 | extern int tunable_isolate_network; /* Use CLONE_NEWNET */ |
||
2 | madcat | 576 | extern int tunable_ftp_enable; /* Allow FTP protocol */ |
577 | @@ -110,6 +111,7 @@ |
||
1 | madcat | 578 | extern unsigned int tunable_delay_successful_login; |
579 | extern unsigned int tunable_max_login_fails; |
||
580 | extern unsigned int tunable_chown_upload_mode; |
||
581 | +extern unsigned int tunable_av_clamd_port; |
||
582 | |||
583 | /* String defines */ |
||
584 | extern const char* tunable_secure_chroot_dir; |
||
2 | madcat | 585 | @@ -144,6 +146,10 @@ |
1 | madcat | 586 | extern const char* tunable_dsa_private_key_file; |
587 | extern const char* tunable_ca_certs_file; |
||
588 | extern const char* tunable_cmds_denied; |
||
589 | +extern const char* tunable_av_clamd_socket; |
||
590 | +extern const char* tunable_av_clamd_host; |
||
591 | +extern const char* tunable_av_include_files; |
||
592 | +extern const char* tunable_av_exclude_files; |
||
593 | |||
594 | #endif /* VSF_TUNABLES_H */ |
||
595 | |||
596 | diff -Naru vsftpd-2.2.2.orig/twoprocess.c vsftpd-2.2.2/twoprocess.c |
||
597 | --- vsftpd-2.2.2.orig/twoprocess.c 2009-07-18 07:56:44.000000000 +0200 |
||
598 | +++ vsftpd-2.2.2/twoprocess.c 2010-04-29 19:46:54.438781445 +0200 |
||
2 | madcat | 599 | @@ -430,6 +430,13 @@ |
1 | madcat | 600 | p_user_str, p_orig_user_str); |
601 | vsf_secutil_change_credentials(p_user_str, &userdir_str, &chroot_str, |
||
602 | 0, secutil_option); |
||
603 | + |
||
604 | + if (do_chroot) { |
||
605 | + str_copy(&p_sess->chroot_str, &userdir_str); |
||
606 | + } else { |
||
607 | + str_empty(&p_sess->chroot_str); |
||
608 | + } |
||
609 | + |
||
610 | if (!str_isempty(&chdir_str)) |
||
611 | { |
||
612 | (void) str_chdir(&chdir_str); |
||
613 | diff -Naru vsftpd-2.2.2.orig/vsftpd.conf.5 vsftpd-2.2.2/vsftpd.conf.5 |
||
614 | --- vsftpd-2.2.2.orig/vsftpd.conf.5 2009-10-19 04:46:30.000000000 +0200 |
||
615 | +++ vsftpd-2.2.2/vsftpd.conf.5 2010-04-29 19:46:54.438781445 +0200 |
||
616 | @@ -105,6 +105,11 @@ |
||
617 | |||
618 | Default: NO |
||
619 | .TP |
||
620 | +.B av_enable |
||
621 | +If enabled, all uploaded files are scanned with clamav (through clamd). |
||
622 | + |
||
623 | +Default: NO |
||
624 | +.TP |
||
625 | .B background |
||
626 | When enabled, and vsftpd is started in "listen" mode, vsftpd will background |
||
627 | the listener process. i.e. control will immediately be returned to the shell |
||
628 | @@ -643,6 +648,11 @@ |
||
629 | |||
630 | Default: 077 |
||
631 | .TP |
||
632 | +.B av_clamd_port |
||
633 | +Port number where clamd listen on. |
||
634 | + |
||
635 | +Default: 3310 |
||
636 | +.TP |
||
637 | .B chown_upload_mode |
||
638 | The file mode to force for chown()ed anonymous uploads. (Added in v2.0.6). |
||
639 | |||
640 | @@ -758,6 +768,18 @@ |
||
641 | |||
642 | Default: (none) |
||
643 | .TP |
||
644 | +.B av_clamd_host |
||
645 | +IP where clamd listen. It must be on the same host (or have access to same |
||
646 | +filesystem). |
||
647 | + |
||
648 | +Default: 127.0.0.1 |
||
649 | +.TP |
||
650 | +.B av_clamd_socket |
||
651 | +UNIX socket of clamd. Warning: When using chroot you should use TCP instead of |
||
652 | +UNIX socket. |
||
653 | + |
||
654 | +Default: (none) |
||
655 | +.TP |
||
656 | .B banned_email_file |
||
657 | This option is the name of a file containing a list of anonymous e-mail |
||
658 | passwords which are not permitted. This file is consulted if the option |