John Peacock wrote:
Hanno Hecker wrote:
Just one thought: I'm using the clamav plugin to scan mails, but changed it to use the faster clamdscan instead of clamscan. That required two changes: - put the clamav daemon user in the smtpd group. - add a 'chmod 0640, $filename;' in plugins/virus/clamav before executing clamdscan.
Hmmm, allowing another app to tread in our private space... ;-)
What would happen if the patch looked like
+ # Make sure the spool dir has appropriate rights
+ if (-e $spool_dir) {
+ my ($mode,$gid) = (stat($spool_dir))[2,5];
+ die "Permissions on spool_dir $spool_dir are not 0750" if $mode &
07027; + die "Group of spool_dir $spool_dir is not $)" unless ( $gid ==
$) );
+ }
hmm... $) and $( are both "$qgid $qgid" ... but it works anyway
No, the smiley version $) is _effective_ GID whereas the frowny version $( is _real_ GID. I think this only matters on OS's where the security model supports setting a different GID for a specific task (Solaris???).
I suppose we could allow a slightly wider umask for existing spool directories, but the behavior in the default case (creation) should always be minimal.
[...snip...] +sub temp_dir { + my $self = shift; + my $dirname = $self->temp_file(); + -d $dirname or mkdir($dirname, 0750) + or die "Could not create temporary directory $dirname: $!"; + return $dirname; +}
...and let the admin be responsible for just putting the right (virus scanner) users into the smtpd group.
I'd be much more likely to parametize that sub call (pass in the mask). No reason to poison everyone's well just because you want to violate the privacy of our temporary files. ;-)
John
I'm not sure changing permissions is what's needed. spamd would seem to be in the same situation, why is clamd different, or the client side caller clamdscan different?
I'm running clamd as smtpd user, its socket is now /var/qpsmtpd/tmp/clamd, but mta can't suck a single piece of spam in to clamscan it(no legitimate users yet). It seems my Christmas gift is wrapped in Tyvek, can't tear it open.
Since I went googling for blacklists, greylisting seems to delay spam long enough for it to get listed in the realtime blacklists, so after greylisting it's blacklisted. Guess I could email myself to see if I still get the no clam access logged or not.
-Bob
