Greetings! Hi all!

I've a Debian Linux system, with my own compiled Apache jail. I'm running a Moodle site, which scans the uploads. Till last week, I used clamscan to scan the uploads inside the jail (installed inside the jail, and this was not an ideal solution). Since the site got more and more traffic, it has become a nightmare managing it. I decided to go on with clamdscan to reduce the traffic.

On upload, I receive the following message:

    /web/tmp/phpKve61p: lstat() failed. ERROR

All access rights were OK. For simplicity I have 777 in the test environment.

After this, I tested my config with the following: I changed to the chroot with the same rights that Apache (which runs clamdscan) uses.

    chrootuid /jails/apache2-portal/ apache2-p /web/usr/bin/clamdscan /web/tmp/du

(du was a test ELF file only, no importance.) I got the same result.

After digging through the mailing lists, I read about a similar problem under WIN32, where I have to give clamdscan a full path. Since the full path of the above file is /jails/apache2-portal/web/tmp/du, I tried this:

    elearning:/jails/apache2-portal/web/tmp# chrootuid /jails/apache2-portal/ apache2-p /web/usr/bin/clamdscan /jails/apache2-portal/web/tmp/du
    WARNING: Can't access file /jails/apache2-portal/web/tmp/du
    /jails/apache2-portal/web/tmp/du: No such file or directory

Then I tried again with the short form (in-jail) path, but I created a similar directory structure in / on the real root. Now I got:

    elearning:/jails/apache2-portal/web/tmp# chrootuid /jails/apache2-portal/ apache2-p /web/usr/bin/clamdscan /web/tmp/du
    /web/tmp/du: OK

If I delete the in-jail version of the file, and leave only the real one, I get this:

    elearning:/jails/apache2-portal/web/tmp# chrootuid /jails/apache2-portal/ apache2-p /web/usr/bin/clamdscan /web/tmp/du
    WARNING: Can't access file /web/tmp/du
    /web/tmp/du: No such file or directory

To me it seems that before clamdscan passes the file path to clamd, it checks its existence, and since it is running inside a jail, it checks it inside the jail. But when clamd receives the parameters, it is running OUTSIDE the jail (the socket listens inside the jail with a --bind mount) and wants to check that.

I can force Moodle to put the "/jails/apache2-portal/" path before every scanned file, but this would require clamdscan not to check for file existence (since this file could not be found from the jail).

How to achieve this? Are there any similar options? Or are there any other solutions? I'd like to minimize the libs and programs put in the jail, so I'd prefer using clamdscan, but without starting clamd inside the jail (since all updates and virus definitions would have to be kept inside the jail as before). Is this possible?

Thank you in advance!

--
Éliás Tamás / Thomas Elias
*NIX System administrator, Certified Cisco Network Engineer, Pascal/Bash/C++ programmer, Certified IBM UDB DB2 Database Administrator
mailto: [EMAIL PROTECTED]
Tel.: +3630/4971626 ; ICQ UIN: 206-714-459 ; SKYPE: "elias.tamas"
OpenPGP public key: http://pszinfo.hu/elias.tamas.asc
Quote: "Too many people making too many problems!"
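
As an added illustration, not part of the original post: clamd's INSTREAM command takes the file's bytes over the socket instead of a path, so nothing has to resolve on both sides of the chroot. The code assumes a clamd that supports INSTREAM; the socket path and all function names are hypothetical.

```python
import socket
import struct

CHUNK = 8192  # bytes per chunk (constructed value); total size is bounded by clamd's StreamMaxLength


def instream_frames(fileobj, chunk_size=CHUNK):
    """Yield the byte frames of one INSTREAM request for the given file object."""
    yield b"zINSTREAM\0"                            # 'z' prefix: NUL-terminated command
    while True:
        data = fileobj.read(chunk_size)
        if not data:
            break
        yield struct.pack("!I", len(data)) + data   # 4-byte big-endian length, then chunk
    yield struct.pack("!I", 0)                      # zero-length chunk ends the stream


def parse_reply(raw):
    """Map clamd's reply to (status, detail): OK, FOUND (signature name) or ERROR."""
    text = raw.rstrip(b"\0\n").decode("utf-8", "replace")
    body = text.split(": ", 1)[1] if ": " in text else text
    if body == "OK":
        return "OK", None
    if body.endswith(" FOUND"):
        return "FOUND", body[: -len(" FOUND")]
    return "ERROR", body                            # includes an empty or truncated reply


def scan_stream(sock, fileobj):
    """Send the file's bytes over an already-connected clamd socket; return the verdict."""
    for frame in instream_frames(fileobj):
        sock.sendall(frame)
    reply = b""
    while not reply.endswith(b"\0"):
        part = sock.recv(4096)
        if not part:                                # peer closed before finishing the reply
            break
        reply += part
    return parse_reply(reply)


def scan_path(path, socket_path="/web/tmp/clamd.sock"):  # hypothetical in-jail socket path
    """Open the file inside the jail and stream it to clamd; no path crosses the chroot."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s, open(path, "rb") as f:
        s.connect(socket_path)
        return scan_stream(s, f)
```

Anything other than an OK reply, including an ERROR such as a stream size limit, should cause the upload to be rejected rather than accepted.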
