Ok, for all those to come, the answer to antivirus not working with a chrooted 
apache can be found at http://de.php.net/manual/en/function.passthru.php#84773: 
you need a shell program inside the chroot too (duh!).  Mediawiki's function 
wfShellExec (line 2392 in GlobalFunctions.php) calls the php command 'passthru' 
which tries to execute a shell command.  Php tries to open a shell to execute 
clamdscan or clamscan so when it gives you a 127 (command not found) it's not 
necessarily saying that clamd(d)scan is not found, in this case it doesn't find 
a shell to use to execute clamd(d)scan and the 127 says 'shell not found'.

Recap: make sure that.......
the clamd(d)scan executable is inside the chroot and executable by the user 
that will call the program (so you can scan)
there is a shell program is executable inside the chroot (so you can execute 
the scanner)
there is hardlinked clamav.sock (or equivalent) socket for communicating with 
clamd outside of the chroot
there is a clamd.conf file to direct clam(d)scan to the right socket 
your $wgAntivirusSetup['command'] reads something like 
"/usr/local/bin/clamdscan --fdpass --no-summary" (otherwise scan's will fail 
with an error 2)
...... now all the messages from clamav work like they should!  Thanks 
Platonides.

-------- Original Message --------
From: Platonides <[email protected]>
Apparently from: [email protected]
To: [email protected]
Subject: Re: [Mediawiki-l] Setting up clamav for chrooted apache
Date: Mon, 06 Sep 2010 00:25:24 +0200

> [email protected] wrote:
> > Passing --fdpass or --stream to clamdscan works for calling up a scan on 
> > the command prompt however calling it through mediawiki (via the chrooted 
> > web user www) still fails with an error 127.  If I make a file called 
> > test.php containing:
> > <?php
> > define("MEDIAWIKI", "mediawiki");
> > require_once("/htdocs/w/includes/GlobalFunctions.php" );
> > $output = wfShellExec( "command=/usr/local/bin/clamdscan --fdpass 
> > --no-summary '/htdocs/file.txt' 2>&1, $exitCode );
> > echo "exitcode is $exitCode";
> > ?>
> > 
> > Executing "chroot -u www /var/www /usr/local/bin/clamdscan --fdpass 
> > --no-summary '/htdocs/file.txt' 2>&1" will work just fine but running the 
> > script will always fail with error 127.  Even substituting in the $output 
> > line something like wfShellExec( "/bin/echo 'hello world' > world.txt" ); 
> > will always fail with error 127 as well, despite echo being at 
> > /var/www/bin/echo and permissions readable and executable by the proper www 
> > user.  Appears that there may be something up with how mediawiki is 
> > executing shell commands, maybe I'm going about testing this the wrong way.
> > 
> > Thanks for the insight.
> 
> Exit code 127 is usually the shell not finding out the executable.
> Try removing command= from the beginning (you also miss the closing of
> the double quotes, by that seems an overlook on copying).
> 
> 
> _______________________________________________
> MediaWiki-l mailing list
> [email protected]
> https://lists.wikimedia.org/mailman/listinfo/mediawiki-l

_______________________________________________
MediaWiki-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l

Reply via email to