Hi all,

The attached patch against Clamav-0.96.2 adds a ClamukoIgnoreSuperuser option to Clamukofs. If set to "yes", files that are opened by processes running as root will be ignored. They will not be scanned, and access is always allowed. Regular processes are still denied access to the files.

Rationale: this gives the administrator more options for dealing with infected files, such as copying them, gzipping them, or moving them to a different partition.

Possible issues: the name of the option is a bit long, but using the word "root" felt too ambiguous for something at the filesystem level. Also, the code checks the ownership of /proc/<pid> to determine the uid of the process, which may not be the most elegant or portable way to do it.

If someone finds this sort of thing useful, it should be relatively simple to modify the patch so that Clamuko accepts a list of ignored uids instead of only uid 0.

Kind regards,
--Alfred Klomp


--
Bokxing IT
Elektronicaweg 14a
2628 XG Delft
T: 088-00 164 00
F: 015-25 609 77
supp...@bokxing.nl
www.bokxing.nl
KvK: 27194486
diff -ruN ../clamav-0.96.2-orig/clamd/clamuko.c ./clamd/clamuko.c
--- ../clamav-0.96.2-orig/clamd/clamuko.c       2010-07-30 14:25:16.000000000 
+0200
+++ ./clamd/clamuko.c   2010-09-09 13:53:42.000000000 +0200
@@ -78,6 +78,8 @@
        struct stat sb;
        char virhash[33];
        unsigned int virsize;
+       int ignore_superuser;
+       char procdir[20];
 
 
     clamuko_scanning = 0;
@@ -171,6 +173,12 @@
 
     extinfo = optget(tharg->opts, "ExtendedDetectionInfo")->enabled;
 
+    ignore_superuser = optget(tharg->opts, "ClamukoIgnoreSuperuser")->enabled;
+    if(ignore_superuser)
+       logg("Clamuko: Ignoring files opened by the superuser (root).\n");
+    else
+       logg("Clamuko: Not ignoring files opened by the superuser (root).\n");
+
     while(1) {
 
        if(dazukoGetAccess(&acc) == 0) {
@@ -185,6 +193,13 @@
                }
            }
 
+           /* if requested, don't scan any files opened by a process run as 
root */
+           if (scan && ignore_superuser
+               && (snprintf(procdir, sizeof(procdir), "/proc/%u", acc->pid) > 
0)
+               && (stat(procdir, &sb) == 0)
+               && (sb.st_uid == 0))
+                   scan = 0;
+
            if(scan && cli_scanfile_stats(acc->filename, &virname, virhash, 
&virsize, NULL, tharg->engine, tharg->options) == CL_VIRUS) {
                if(extinfo && virsize)
                    logg("Clamuko: %s: %s(%s:%u) FOUND\n", acc->filename, 
virname, virhash, virsize);
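Review bot: The /proc/<pid> ownership test identifies "the superuser" less precisely than the option name suggests: proc(5) documents that /proc/[pid] is owned by root:root whenever the process is not dumpable, and Linux clears the dumpable flag after a credential change, so a daemon that started as root and called setuid() to drop privileges would still be exempted from scanning; the identical test in the clamukofs.c hunk has the same property, so a comment stating this limitation next to the check would help whoever tunes the option. The `snprintf(...) > 0` guard only detects an encoding error, not truncation; "/proc/" plus a 32-bit decimal pid fits in procdir[20], but the conventional guard is `n > 0 && (size_t)n < sizeof procdir`. When the exemption fires nothing is logged, so an administrator cannot later tell from the log which accesses were skipped; a debug-level line such as `logg("*Clamuko: %s: not scanned (opened by superuser, pid %u)\n", acc->filename, acc->pid);` before `scan = 0;` keeps the decision auditable. A stat() failure (e.g. /proc not mounted, or clamd running chrooted) falls back to scanning, which is the safe direction and is worth stating in the comment. The enclosing while(1) loop begins outside this hunk.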
diff -ruN ../clamav-0.96.2-orig/clamd/clamukofs.c ./clamd/clamukofs.c
--- ../clamav-0.96.2-orig/clamd/clamukofs.c     2010-07-30 14:25:16.000000000 
+0200
+++ ./clamd/clamukofs.c 2010-09-09 13:49:41.000000000 +0200
@@ -91,6 +91,8 @@
        int skip_scan = 0, extinfo;
        const char *virname;
        char filename[4096], virhash[33];
+       int ignore_superuser;
+       char procdir[20];
 
     /* ignore all signals */
     sigfillset(&sigset);
@@ -133,6 +135,12 @@
 
     extinfo = optget(tharg->opts, "ExtendedDetectionInfo")->enabled;
 
+    ignore_superuser = optget(tharg->opts, "ClamukoIgnoreSuperuser")->enabled;
+    if(ignore_superuser)
+       logg("Clamuko: Ignoring files opened by the superuser (root).\n");
+    else
+       logg("Clamuko: Not ignoring files opened by the superuser (root).\n");
+
     while(1) {
        if(dazukofs_get_access(scan_hndl, &acc)) {
            if(!shutdown_hndl)
@@ -151,6 +159,13 @@
            }
        }
 
+       /* if requested, don't scan any files opened by a process run as root */
+       if (!skip_scan && ignore_superuser
+               && (snprintf(procdir, sizeof(procdir), "/proc/%u", acc.pid) > 0)
+               && (stat(procdir, &sb) == 0)
+               && (sb.st_uid == 0))
+                       skip_scan = 1;
+
        if(skip_scan) {
            acc.deny = 0;
            /* reset skip flag */
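Review bot: `sb` is passed to `stat(procdir, &sb)` but, unlike clamuko.c where `struct stat sb` is visible as context, no declaration of it appears in the added locals of this file's first hunk; presumably it already exists further up in the function, outside this hunk, which should be confirmed before applying. The check runs after whatever earlier code sets `skip_scan`, so the superuser exemption and the existing skip reasons share one `acc.deny = 0` path, which is fine, but the reason is lost; adding `"opened by superuser"` to a debug log line at the point where `skip_scan = 1` is set would keep the two cases distinguishable in clamd.log. The enclosing loop and the code that resets skip_scan continue outside this hunk.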
diff -ruN ../clamav-0.96.2-orig/docs/man/clamd.conf.5.in 
./docs/man/clamd.conf.5.in
--- ../clamav-0.96.2-orig/docs/man/clamd.conf.5.in      2010-07-30 
14:25:16.000000000 +0200
+++ ./docs/man/clamd.conf.5.in  2010-09-09 13:44:37.000000000 +0200
@@ -461,6 +461,11 @@
 Ignore files larger than SIZE.
 .br 
 Default: 5M
+.TP
+\fBClamukoIgnoreSuperuser BOOL\fR
+Ignore (do not scan) files that are opened by a process running as the 
superuser (root).
+.br 
+Default: no
 .SH "NOTES"
 .LP 
 All options expressing a size are limited to max 4GB. Values in excess will be 
resetted to the maximum.
diff -ruN ../clamav-0.96.2-orig/etc/clamd.conf ./etc/clamd.conf
--- ../clamav-0.96.2-orig/etc/clamd.conf        2010-07-30 14:25:16.000000000 
+0200
+++ ./etc/clamd.conf    2010-09-09 13:44:37.000000000 +0200
@@ -454,6 +454,11 @@
 # Default: disabled
 #ClamukoExcludePath /home/bofh
 
+# Ignore (do not scan) files opened by processes running as the superuser 
(root).
+# This lets root copy infected files, move them to a different partition, etc.
+# Default: no
+#ClamukoIgnoreSuperuser yes
+
 # With this option enabled ClamAV will load bytecode from the database. 
 # It is highly recommended you keep this option on, otherwise you'll miss 
detections for many new viruses.
 # Default: yes
diff -ruN ../clamav-0.96.2-orig/shared/optparser.c ./shared/optparser.c
--- ../clamav-0.96.2-orig/shared/optparser.c    2010-08-03 10:43:30.000000000 
+0200
+++ ./shared/optparser.c        2010-09-09 13:44:37.000000000 +0200
@@ -328,6 +328,8 @@
 
     { "ClamukoMaxFileSize", NULL, 0, TYPE_SIZE, MATCH_SIZE, 5242880, NULL, 0, 
OPT_CLAMD, "Files larger than this value will not be scanned.", "5M" },
 
+    { "ClamukoIgnoreSuperuser", NULL, 0, TYPE_BOOL, MATCH_BOOL, -1, NULL, 0, 
OPT_CLAMD, "Ignore (do not scan) files opened by processes run as root.", "no" 
},
+
     /* FIXME: mark these as private and don't output into clamd.conf/man */
     { "DevACOnly", "dev-ac-only", 0, TYPE_BOOL, MATCH_BOOL, -1, NULL, 
FLAG_HIDDEN, OPT_CLAMD | OPT_CLAMSCAN, "", "" },
 