The branch, master has been updated
       via  cbf743d Samba-VirusFilter: clamav VFS and man page.
       via  5970d68 Samba-VirusFilter: F-Secure AntiVirus (fsav) VFS and man page.
       via  0b25089 Samba-VirusFilter: Sophos VFS backend.
       via  b1e69ed Samba-VirusFilter: common headers and sources.
       via  70d7f7d Samba-VirusFilter: memcache changes.
      from  8b82d10 ctdb-tests: Fix a typo

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -----------------------------------------------------------------
commit cbf743d329730387ede92a9d329893d1c651e97a
Author: Trever L. Adams <trever.ad...@gmail.com>
Date:   Tue Oct 18 13:40:01 2016 -0600

    Samba-VirusFilter: clamav VFS and man page.

    Signed-off-by: Trever L. Adams <trever.ad...@gmail.com>
    Signed-off-by: SATOH Fumiyasu <fumi...@osstech.co.jp>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

    Autobuild-User(master): Ralph Böhme <s...@samba.org>
    Autobuild-Date(master): Wed Jan 24 15:08:59 CET 2018 on sn-devel-144

commit 5970d68bf651fb8dbf1ac4e79d8f2e9467154870
Author: Trever L. Adams <trever.ad...@gmail.com>
Date:   Tue Oct 18 13:39:20 2016 -0600

    Samba-VirusFilter: F-Secure AntiVirus (fsav) VFS and man page.

    Signed-off-by: Trever L. Adams <trever.ad...@gmail.com>
    Signed-off-by: SATOH Fumiyasu <fumi...@osstech.co.jp>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 0b25089edd453270e52f2d8e6858a9996bb29a0d
Author: Trever L. Adams <trever.ad...@gmail.com>
Date:   Tue Oct 18 13:38:14 2016 -0600

    Samba-VirusFilter: Sophos VFS backend.

    Signed-off-by: Trever L. Adams <trever.ad...@gmail.com>
    Signed-off-by: SATOH Fumiyasu <fumi...@osstech.co.jp>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit b1e69edd0592d3b4b0f958792826a236dd3466e1
Author: Trever L. Adams <trever.ad...@gmail.com>
Date:   Tue Oct 18 13:34:53 2016 -0600

    Samba-VirusFilter: common headers and sources.

    Samba-VirusFilter Contributors:

    SATOH Fumiyasu @ OSS Technology Corp., Japan
            Module creator/maintainer

    Luke Dixon luke.di...@zynstra.com
            Samba 4 support

    Trever L. Adams
            Documentation
            Code contributions
            Samba-master merge work

    With many thanks to the Samba Team.

    Signed-off-by: Trever L. Adams <trever.ad...@gmail.com>
    Signed-off-by: SATOH Fumiyasu <fumi...@osstech.co.jp>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 70d7f7d03c46c8727833f322bdc03da1b2aad720
Author: Trever L. Adams <trever.ad...@gmail.com>
Date:   Tue Oct 18 13:37:19 2016 -0600

    Samba-VirusFilter: memcache changes.

    Signed-off-by: Trever L. Adams <trever.ad...@gmail.com>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 docs-xml/manpages/vfs_virusfilter.8.xml            |  369 +++++
 docs-xml/wscript_build                             |    1 +
 .../scripts/vfs/virusfilter/virusfilter-notify.ksh |  284 ++++
 lib/util/memcache.c                                |    1 +
 lib/util/memcache.h                                |    3 +-
 source3/modules/vfs_virusfilter.c                  | 1521 ++++++++++++++++++++
 source3/modules/vfs_virusfilter_clamav.c           |  195 +++
 source3/modules/vfs_virusfilter_common.h           |  153 ++
 source3/modules/vfs_virusfilter_fsav.c             |  451 ++++++
 source3/modules/vfs_virusfilter_sophos.c           |  391 +++++
 source3/modules/vfs_virusfilter_utils.c            | 1025 +++++++++++++
 source3/modules/vfs_virusfilter_utils.h            |  177 +++
 source3/modules/wscript_build                      |   18 +
 source3/wscript                                    |    2 +-
 14 files changed, 4589 insertions(+), 2 deletions(-)
 create mode 100644 docs-xml/manpages/vfs_virusfilter.8.xml
 create mode 100644 examples/scripts/vfs/virusfilter/virusfilter-notify.ksh
 create mode 100644 source3/modules/vfs_virusfilter.c
 create mode 100644 source3/modules/vfs_virusfilter_clamav.c
 create mode 100644 source3/modules/vfs_virusfilter_common.h
 create mode 100644 source3/modules/vfs_virusfilter_fsav.c
 create mode 100644 source3/modules/vfs_virusfilter_sophos.c
 create mode 100644 source3/modules/vfs_virusfilter_utils.c
 create mode 100644 source3/modules/vfs_virusfilter_utils.h

Changeset truncated at 500 lines:

diff --git a/docs-xml/manpages/vfs_virusfilter.8.xml b/docs-xml/manpages/vfs_virusfilter.8.xml new file mode 100644 index 0000000..ee49df1 --- /dev/null 
+++ b/docs-xml/manpages/vfs_virusfilter.8.xml 
@@ -0,0 +1,369 @@ +<?xml version="1.0" encoding="iso-8859-1"?> +<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc"> +<refentry id="vfs_virusfilter.8"> + +<refmeta> + <refentrytitle>vfs_virusfilter</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class="source">Samba</refmiscinfo> + <refmiscinfo class="manual">System Administration tools</refmiscinfo> + <refmiscinfo class="version">4.8</refmiscinfo> +</refmeta> + + +<refnamediv> + <refname>vfs_virusfilter</refname> + <refpurpose>On access virus scanner</refpurpose> +</refnamediv> + +<refsynopsisdiv> + <cmdsynopsis> + <command>vfs objects = virusfilter</command> + </cmdsynopsis> +</refsynopsisdiv> + +<refsect1> + <title>DESCRIPTION</title> + + <para>This is a set of various Samba VFS modules to scan and filter + virus files on Samba file services with an anti-virus scanner.</para> + + <para>This module is stackable.</para> + +</refsect1> + +<refsect1> + <title>OPTIONS</title> + + <variablelist> + + <varlistentry> + <term>virusfilter:scanner</term> + <listitem> + <para>The antivirus scan-engine.</para> + <itemizedlist> + <listitem><para><emphasis>sophos</emphasis>, the Sophos AV + scanner</para></listitem> + <listitem><para><emphasis>fsav</emphasis>, the F-Secure AV + scanner</para></listitem> + <listitem><para><emphasis>clamav</emphasis>, the ClamAV + scanner</para></listitem> + </itemizedlist> + </listitem> + </varlistentry> + + <varlistentry> + <term>virusfilter:socket path = PATH</term> + <listitem> + <para>Path of local socket for the virus scanner. + </para> + <para>If this option is not set, the default path depends on the + configured AV scanning engine. 
+ </para> + <para>For the <emphasis>sophos</emphasis>backend the default is + <emphasis>/var/run/savdi/sssp.sock</emphasis>.</para> + <para>For the <emphasis>fsav</emphasis> backend the default is + <emphasis>/tmp/.fsav-0</emphasis>.</para> + <para>For the <emphasis>fsav</emphasis> backend the default is + <emphasis>/var/run/clamav/clamd.ctl</emphasis>.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term>virusfilter:connect timeout = 30000</term> + <listitem> + <para>Controls how long to wait on connecting to the virus + scanning process before timing out. Value is in milliseconds. + </para> + <para>If this option is not set, the default is 30000.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term>virusfilter:io timeout = 60000</term> + <listitem> + <para>Controls how long to wait on communications with the virus + scanning process before timing out. Value is in milliseconds. + </para> + <para>If this option is not set, the default is 60000.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term>virusfilter:scan on open = yes</term> + <listitem> + <para>This option controls whether files are scanned on open. + </para> + <para>If this option is not set, the default is yes.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term>virusfilter:scan on close = no</term> + <listitem> + <para>This option controls whether files are scanned on close. + </para> + <para>If this option is not set, the default is no.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term>virusfilter:max file size = 100000000</term> + <listitem> + <para>This is the largest sized file, in bytes, which will be scanned. + </para> + <para>If this option is not set, the default is 100MB.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term>virusfilter:min file size = 10</term> + <listitem> + <para>This is the smallest sized file, in bytes, which will be scanned. 
+ </para> + <para>If this option is not set, the default is 10.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term>virusfilter:infected file action = nothing</term> + <listitem> + <para>What to do with an infected file. The options are + nothing, quarantine, rename, delete.</para> + <para>If this option is not set, the default is nothing.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term>virusfilter:infected file errno on open = EACCES</term> + <listitem> + <para>What errno to return on open if the file is infected. + </para> + <para>If this option is not set, the default is EACCES.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term>virusfilter:infected file errno on close = 0</term> + <listitem> + <para>What errno to return on close if the file is infected. + </para> + <para>If this option is not set, the default is 0.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term>virusfilter:quarantine directory = PATH</term> + <listitem> + <para>Where to move infected files. This path must be an + absolute path.</para> + <para>If this option is not set, the default is ".quarantine" + relative to the share path. </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>virusfilter:quarantine prefix = virusfilter.</term> + <listitem> + <para>Prefix for quarantined files.</para> + <para>If this option is not set, the default is "virusfilter.".</para> + </listitem> + </varlistentry> + + <varlistentry> + <term>virusfilter:quarantine suffix = .infected</term> + <listitem> + <para>Suffix for quarantined files. + This option is only used if keep name is true. 
Otherwise it is ignored.</para> + <para>If this option is not set, the default is ".infected".</para> + </listitem> + </varlistentry> + + <varlistentry> + <term>virusfilter:rename prefix = virusfilter.</term> + <listitem> + <para>Prefix for infected files.</para> + <para>If this option is not set, the default is "virusfilter.".</para> + </listitem> + </varlistentry> + + <varlistentry> + <term>virusfilter:rename suffix = .infected</term> + <listitem> + <para>Suffix for infected files.</para> + <para>If this option is not set, the default is ".infected".</para> + </listitem> + </varlistentry> + + <varlistentry> + <term>virusfilter:quarantine keep tree = yes</term> + <listitem> + <para>If keep tree is set, the directory structure relative + to the share is maintained in the quarantine directory. + </para> + <para>If this option is not set, the default is yes.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term>virusfilter:quarantine keep name = yes</term> + <listitem> + <para>Should the file name be left unmodified other than adding a suffix + and/or prefix and a random suffix name as defined in virusfilter:rename prefix + and virusfilter:rename suffix.</para> + <para>If this option is not set, the default is yes.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term>virusfilter:infected file command = @SAMBA_DATADIR@/bin/virusfilter-notify --mail-to virusmas...@example.com --cc "%u...@example.com" --from sa...@example.com --subject-prefix "Samba: Infected File: "</term> + <listitem> + <para>External command to run on an infected file is found.</para> + <para>If this option is not set, the default is none.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term>virusfilter:scan archive = true</term> + <listitem> + <para>This defines whether or not to scan archives.</para> + <para>Sophos and F-Secure support this and it defaults to false.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term>virusfilter:max nested scan 
archive = 1</term> + <listitem> + <para>This defines the maximum depth to search nested archives.</para> + <para>The Sophos and F-Secure support this and it defaults to 1.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term>virusfilter:scan mime = true</term> + <listitem> + <para>This defines whether or not to scan mime files.</para> + <para>Only the <emphasis>fsav</emphasis>scanner supports this + option and defaults to false.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term>virusfilter:scan error command = @SAMBA_DATADIR@/bin/virusfilter-notify --mail-to virusmas...@example.com --from sa...@example.com --subject-prefix "Samba: Scan Error: "</term> + <listitem> + <para>External command to run on scan error.</para> + <para>If this option is not set, the default is none.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term>virusfilter:exclude files = empty</term> + <listitem> + <para>Files to exclude from scanning.</para> + <para>If this option is not set, the default is empty.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term>virusfilter:block access on error = false</term> + <listitem> + <para>Controls whether or not access should be blocked on + a scanning error.</para> + <para>If this option is not set, the default is false.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term>virusfilter:scan error errno on open = EACCES</term> + <listitem> + <para>What errno to return on open if there is an error in + scanning the file and block access on error is true. + </para> + <para>If this option is not set, the default is EACCES.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term>virusfilter:scan error errno on close = 0</term> + <listitem> + <para>What errno to return on close if there is an error in + scanning the file and block access on error is true. 
+ </para> + <para>If this option is not set, the default is 0.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term>virusfilter:cache entry limit = 100</term> + <listitem> + <para>The maximum number of entries in the scanning results + cache. Due to how Samba's memcache works, this is approximate.</para> + <para>If this option is not set, the default is 100.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term>virusfilter:cache time limit = 10</term> + <listitem> + <para>The maximum number of seconds that a scanning result + will stay in the results cache. -1 disables the limit. + 0 disables caching.</para> + <para>If this option is not set, the default is 10.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term>virusfilter:quarantine directory mode = 0755</term> + <listitem> + <para>This is the octet mode for the quarantine directory and + its sub-directories as they are created.</para> + <para>If this option is not set, the default is 0755 or + S_IRUSR | S_IWUSR | S_IXUSR | S_IRGRP | S_IXGRP | S_IROTH | + S_IXOTH.</para> + <para>Permissions must be such that all users can read and + search. I.E. don't mess with this unless you really know what + you are doing.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term>virusfilter:block suspected file = false</term> + <listitem> + <para>With this option on, suspected malware will be blocked as + well. Only the <emphasis>fsav</emphasis>scanner supports this + option.</para> + <para>If this option is not set, the default is false.</para> + </listitem> + </varlistentry> + + </variablelist> +</refsect1> + +<refsect1> + <title>NOTES</title> + + <para>This module can scan other than default streams, if the + alternative datastreams are each backed as separate files, such as with + the vfs module streams_depot.</para> + + <para>For proper operation the streams support module must be before + the virusfilter module in your vfs objects list (i.e. 
streams_depot + must be called before virusfilter module).</para> + + <para>This module is intended for security in depth by providing + virus scanning capability on the server. It is not intended to be used + in lieu of proper client based security. Other modules for security may + exist and may be desirable for security in depth on the server.</para> +</refsect1> + +<refsect1> + <title>AUTHOR</title> + + <para>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</para> + +</refsect1> + +</refentry> diff --git a/docs-xml/wscript_build b/docs-xml/wscript_build index f586208..954c62a 100644 --- a/docs-xml/wscript_build +++ b/docs-xml/wscript_build @@ -90,6 +90,7 @@ manpages=''' manpages/vfs_time_audit.8 manpages/vfs_tsmsm.8 manpages/vfs_unityed_media.8 + manpages/vfs_virusfilter.8 manpages/vfs_worm.8 manpages/vfs_xattr_tdb.8 manpages/vfstest.1 diff --git a/examples/scripts/vfs/virusfilter/virusfilter-notify.ksh b/examples/scripts/vfs/virusfilter/virusfilter-notify.ksh new file mode 100644 index 0000000..a07b914 --- /dev/null +++ b/examples/scripts/vfs/virusfilter/virusfilter-notify.ksh 
@@ -0,0 +1,284 @@ +#!/bin/ksh +## +## Samba-VirusFilter VFS modules +## Copyright (C) 2010-2016 SATOH Fumiyasu @ OSS Technology Corp., Japan +## +## This program is free software; you can redistribute it and/or modify +## it under the terms of the GNU General Public License as published by +## the Free Software Foundation; either version 3 of the License, or +## (at your option) any later version. +## +## This program is distributed in the hope that it will be useful, +## but WITHOUT ANY WARRANTY; without even the implied warranty of +## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +## GNU General Public License for more details. +## +## You should have received a copy of the GNU General Public License +## along with this program. If not, see <http://www.gnu.org/licenses/>. +## + +set -u + +pdie() { echo "$0: ERROR: ${1-}" 1>&2; exit "${2-1}"; } + +## ====================================================================== + +sendmail="${VIRUSFILTER_NOTIFY_SENDMAIL_COMMAND:-/usr/sbin/sendmail}" +sendmail_opts="${VIRUSFILTER_NOTIFY_SENDMAIL_OPTIONS:-}" + +smbclient="${VIRUSFILTER_NOTIFY_SMBCLIENT_COMMAND:-@SAMBA_BINDIR@/smbclient}" +smbclient_opts="${VIRUSFILTER_NOTIFY_SMBCLIENT_OPTIONS:-}" + +## ====================================================================== + +if [ -n "${VIRUSFILTER_RESULT_IS_CACHE-}" ]; then + ## Result is cache. Ignore! + exit 0 +fi + +if [ ! 
-t 1 ] && [ -z "${VIRUSFILTER_NOTIFY_BG-}" ]; then + export VIRUSFILTER_NOTIFY_BG=1 + "$0" ${1+"$@"} </dev/null >/dev/null & + exit 0 +fi + +## ---------------------------------------------------------------------- + +if [ -n "${VIRUSFILTER_INFECTED_FILE_ACTION-}" ]; then + report="$VIRUSFILTER_INFECTED_FILE_REPORT" +else + report="$VIRUSFILTER_SCAN_ERROR_REPORT" +fi + +if [ X"$VIRUSFILTER_SERVER_NAME" != X"$VIRUSFILTER_SERVER_IP" ]; then + server_name="$VIRUSFILTER_SERVER_NAME" +else + server_name="$VIRUSFILTER_SERVER_NETBIOS_NAME" +fi + +if [ X"$VIRUSFILTER_CLIENT_NAME" != X"$VIRUSFILTER_CLIENT_IP" ]; then + client_name="$VIRUSFILTER_CLIENT_NAME" +else + client_name="$VIRUSFILTER_CLIENT_NETBIOS_NAME" +fi + +mail_to="" +winpopup_to="" +subject_prefix="" +sender="" +from="" +cc="" +bcc="" +content_type="text/plain" +content_encoding="UTF-8" + +cmd_usage="Usage: $0 [OPTIONS] + +Options: + --mail-to ADDRESS + Send a notice message to this e-mail address(es) + --winpopup-to NAME + Send a \"WinPopup\" message to this NetBIOS name + --sender ADDRESS + Envelope sender address for mail + --from ADDRESS + From: e-mail address for mail + --cc ADDRESS + Cc: e-mail address(es) for mail + --bcc ADDRESS + Bcc: e-mail address(es) for mail + --subject-prefix PREFIX + Subject: prefix string for mail + --content-type TYPE + --content-encoding ENCODING + Content-Type: TYPE; charset=\"ENCODING\" for mail [$content_type; charset=\"$content_encoding\"] + --header-file FILE + Prepend the content of FILE to the message + --footer-file FILE + Append the content of FILE to the message +" + +## ---------------------------------------------------------------------- + +getopts_want_arg() +{ + if [ "$#" -lt 2 ]; then + pdie "Option requires an argument: $1" + fi -- Samba Shared Repository
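
Review bot: In the virusfilter:socket path entry of docs-xml/manpages/vfs_virusfilter.8.xml, the third default is labelled with the wrong backend: "For the <emphasis>fsav</emphasis> backend the default is /var/run/clamav/clamd.ctl" repeats fsav where clamav is meant, so the page gives two defaults for fsav and none for clamav. Change that emphasis to clamav. Elsewhere in the same hunk: a space is missing after </emphasis> in "sophos</emphasis>backend" and "fsav</emphasis>scanner"; "octet mode" under quarantine directory mode should read "octal mode"; quarantine keep name refers to virusfilter:rename prefix and virusfilter:rename suffix although quarantine suffix is the option documented as depending on keep name; quarantine directory is described as "must be an absolute path" while its default is ".quarantine" relative to the share; and the terms for scan archive and scan mime show "= true" while the text gives false as the default, unlike the other entries whose term shows the default. The defaults block access on error = false and infected file action = nothing mean that access is not blocked when scanning fails and an infected file stays in place on the share; the page should spell out that consequence, and say what happens to files above max file size or below min file size, so administrators know which settings to change for a fail-closed setup.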
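
Review bot: In examples/scripts/vfs/virusfilter/virusfilter-notify.ksh, the script runs under set -u but expands $VIRUSFILTER_INFECTED_FILE_REPORT, $VIRUSFILTER_SCAN_ERROR_REPORT and the VIRUSFILTER_SERVER_* and VIRUSFILTER_CLIENT_* variables without a default, unlike ${VIRUSFILTER_RESULT_IS_CACHE-} and ${VIRUSFILTER_NOTIFY_BG-} a few lines above, so one missing variable aborts the notifier, and because the foreground copy has already done exit 0 the caller never sees the failure. Use the ${VAR-} form consistently or fail through pdie with a message naming the variable. The background re-exec, "$0" ${1+"$@"} </dev/null >/dev/null &, redirects only stdin and stdout and leaves stderr attached to the calling process; redirect it as well or document where those messages go. The man page examples call @SAMBA_DATADIR@/bin/virusfilter-notify while this file is added as virusfilter-notify.ksh under examples/, and the visible part of the changeset does not show it being installed under that name, which is worth confirming.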