Package: src:linux
Version: 4.9.30-2+deb9u5
Severity: normal
Tags: upstream
Dear Maintainer,

we use the Linux fanotify interface in a virus scanner to detect viruses
as soon as the files are written. Yesterday we noticed that a machine
that has been upgraded to Debian stretch no longer detects viruses that
have been uploaded with a PHP script served by Apache.

The issue is easily reproducible by installing the package fnotifystat
and using that to monitor for filesystem events caused by Apache, for
example:

  # fnotifystat -v | grep apache

Then request some document served by Apache, or just trigger a reload:

  # systemctl reload apache2

fnotifystat won't print any filesystem events caused by Apache, the only
thing you'll see are a few events from apachectl that is used by systemd
to reload Apache.

The reason for this is apparently the namespace isolation done by systemd
that is triggered by the following setting:

  host ~ # grep PrivateTmp /lib/systemd/system/apache2.service
  PrivateTmp=true

If I comment the PrivateTmp line out and then restart Apache:

  # systemctl daemon-reload; systemctl restart apache2

then fnotifystat will be able to see events caused by Apache, either from
requesting a document, or from reloading it.

This issue has been documented on some websites already, but I haven't
found any bug reports for it yet:

  https://community.sophos.com/kb/en-us/122625
  https://lkml.org/lkml/2015/10/29/268
  https://community.f-secure.com/t5/Business/Linux-Security-11-00-unable-to/ta-p/77793

It is easily worked around by disabling PrivateTmp on all services that
may be used to upload files, but I do believe that it should be properly
fixed in the kernel. fanotify seems to be the intended interface for
virus scanners, and therefore it shouldn't be accidentally circumvented
by namespace isolation.
-- Package-specific info:
** Version:
Linux version 4.9.0-3-amd64 (debian-ker...@lists.debian.org) (gcc version 6.3.0 20170516 (Debian 6.3.0-18) ) #1 SMP Debian 4.9.30-2+deb9u3 (2017-08-06)

** Command line:
root=UUID=97174b79-e90a-436b-b6b8-55f37167c1e5 ro quiet

** Tainted: W (512)
 * Taint on warning.

** Kernel log:
Unable to read kernel log; any relevant messages should be attached

** Model information

** Loaded modules:
dm_mod cpuid ipt_MASQUERADE nf_nat_masquerade_ipv4 xt_NFLOG xt_REDIRECT
nf_nat_redirect ipt_REJECT nf_reject_ipv4 xt_mac xt_u32 xt_length xt_nat
iptable_nat nf_nat_ipv4 veth xt_multiport nf_conntrack_ipv4 nf_defrag_ipv4
xt_TCPMSS nf_nat_tftp xt_conntrack nf_conntrack_tftp nf_nat_sip
nf_conntrack_sip nf_nat_pptp nf_nat_proto_gre nf_conntrack_pptp
nf_conntrack_proto_gre xt_tcpudp nf_nat_irc iptable_filter bridge
nf_conntrack_irc stp llc nf_nat_h323 nf_conntrack_netlink nf_conntrack_h323
xfrm_user nf_nat_ftp xfrm_algo nf_conntrack_ftp nf_nat_amanda ts_kmp
nf_conntrack_amanda nf_nat nf_conntrack overlay nfnetlink_log nfnetlink
intel_rapl x86_pkg_temp_thermal coretemp crct10dif_pclmul crc32_pclmul
ghash_clmulni_intel evdev pcspkr intel_rapl_perf loop parport_pc ppdev lp
parport ip_tables x_tables autofs4 ext4 crc16 jbd2 fscrypto ecb mbcache
raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx
xor raid6_pq libcrc32c crc32c_generic raid1 raid0 multipath linear md_mod
crc32c_intel xen_netfront xen_blkfront aesni_intel aes_x86_64 glue_helper
lrw gf128mul ablk_helper cryptd

** PCI devices:

** USB devices:
not available

-- System Information:
Debian Release: 9.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages linux-image-4.9.0-3-amd64 depends on:
ii  initramfs-tools [linux-initramfs-tool]  0.130
ii  kmod                                    23-2
ii  linux-base                              4.5

Versions of packages linux-image-4.9.0-3-amd64 recommends:
ii  firmware-linux-free  3.4
pn  irqbalance           <none>

Versions of packages linux-image-4.9.0-3-amd64 suggests:
pn  debian-kernel-handbook  <none>
ii  grub-pc                 2.02~beta3-5
pn  linux-doc-4.9           <none>

Versions of packages linux-image-4.9.0-3-amd64 is related to:
ii  firmware-amd-graphics     20161130-3
pn  firmware-atheros          <none>
ii  firmware-bnx2             20161130-3
pn  firmware-bnx2x            <none>
pn  firmware-brcm80211        <none>
pn  firmware-cavium           <none>
pn  firmware-intel-sound      <none>
pn  firmware-intelwimax       <none>
pn  firmware-ipw2x00          <none>
pn  firmware-ivtv             <none>
pn  firmware-iwlwifi          <none>
pn  firmware-libertas         <none>
ii  firmware-linux-nonfree    20161130-3
ii  firmware-misc-nonfree     20161130-3
pn  firmware-myricom          <none>
pn  firmware-netxen           <none>
pn  firmware-qlogic           <none>
ii  firmware-realtek          20161130-3
pn  firmware-samsung          <none>
pn  firmware-siano            <none>
pn  firmware-ti-connectivity  <none>
pn  xen-hypervisor            <none>

-- no debconf information
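The reproduction above, as an added example that is neither part of the bug report nor the code of any of the scanners mentioned: a minimal fanotify monitor in C that reports which PID closed which file after writing, together with a check of whether that PID shares the monitor's mount namespace. The mechanism behind the symptom is that a mark added with FAN_MARK_MOUNT is attached to one vfsmount in the monitor's mount namespace; a service started with PrivateTmp=true runs in a cloned mount namespace whose mounts are distinct vfsmount objects, so its writes never reach the mark. This goes beyond the report's 4.9 kernel in one respect: it prefers FAN_MARK_FILESYSTEM, which Linux 4.20 added to attach the mark to the superblock so that it is seen from every mount namespace, and falls back to FAN_MARK_MOUNT (the only option on 4.9) when the kernel rejects it. The watch path, the use of FAN_CLOSE_WRITE as the "upload complete" point and the helper names are this example's own choices; running it needs CAP_SYS_ADMIN.

```c
/* fanotify_mountwatch.c  (added example, not from the bug report)
 * Build: gcc -Wall -o fanotify_mountwatch fanotify_mountwatch.c
 * Run:   sudo ./fanotify_mountwatch /var/www   (needs CAP_SYS_ADMIN)
 * Then upload a file through Apache and compare the output with the
 * MainPID from `systemctl show -p MainPID apache2`. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/fanotify.h>
#include <sys/types.h>

/* 1 if pids a and b share a mount namespace, 0 if not, -1 if a
 * /proc/<pid>/ns/mnt link cannot be read (no such pid, no ptrace access).
 * Run this against the service's MainPID before trusting a mount mark:
 * a PrivateTmp=true service answers 0 here. */
int same_mount_ns(pid_t a, pid_t b)
{
    char pa[64], pb[64], la[64], lb[64];
    ssize_t na, nb;

    snprintf(pa, sizeof pa, "/proc/%ld/ns/mnt", (long)a);
    snprintf(pb, sizeof pb, "/proc/%ld/ns/mnt", (long)b);
    na = readlink(pa, la, sizeof la - 1);
    nb = readlink(pb, lb, sizeof lb - 1);
    if (na < 0 || nb < 0)
        return -1;
    la[na] = '\0';
    lb[nb] = '\0';
    return strcmp(la, lb) == 0;      /* links read like "mnt:[4026531840]" */
}

/* Prefer the superblock-wide mark (headers from 4.20 on), else the
 * per-mount mark that the report's kernel has. */
unsigned int choose_mark_flags(void)
{
#ifdef FAN_MARK_FILESYSTEM
    return FAN_MARK_ADD | FAN_MARK_FILESYSTEM;
#else
    return FAN_MARK_ADD | FAN_MARK_MOUNT;
#endif
}

/* Resolve the file behind an event fd through /proc/self/fd; 0 on success. */
int resolve_fd_path(int fd, char *buf, size_t len)
{
    char link[64];
    ssize_t n;

    snprintf(link, sizeof link, "/proc/self/fd/%d", fd);
    n = readlink(link, buf, len - 1);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return 0;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/";
    unsigned int flags = choose_mark_flags();
    int fan = fanotify_init(FAN_CLASS_NOTIF | FAN_CLOEXEC, O_RDONLY | O_LARGEFILE);
    if (fan < 0) {
        perror("fanotify_init (needs CAP_SYS_ADMIN)");
        return 1;
    }
    /* FAN_CLOSE_WRITE fires once the writer is done, i.e. the upload is complete. */
    if (fanotify_mark(fan, flags, FAN_CLOSE_WRITE, AT_FDCWD, path) < 0) {
        /* A kernel before 4.20 rejects FAN_MARK_FILESYSTEM with EINVAL:
         * fall back to the per-mount mark, with the namespace caveat. */
        if (errno != EINVAL || (flags & FAN_MARK_MOUNT)) {
            perror("fanotify_mark");
            return 1;
        }
        flags = FAN_MARK_ADD | FAN_MARK_MOUNT;
        if (fanotify_mark(fan, flags, FAN_CLOSE_WRITE, AT_FDCWD, path) < 0) {
            perror("fanotify_mark");
            return 1;
        }
    }
    printf("watching %s with a %s mark\n", path,
           (flags & FAN_MARK_MOUNT) ? "per-mount" : "filesystem");

    for (;;) {
        char buf[4096];
        ssize_t len = read(fan, buf, sizeof buf);
        if (len <= 0) {
            if (len < 0 && errno == EINTR)
                continue;
            break;
        }
        struct fanotify_event_metadata *ev = (struct fanotify_event_metadata *)buf;
        while (FAN_EVENT_OK(ev, len)) {
            char file[PATH_MAX] = "?";
            if (ev->fd >= 0) {
                resolve_fd_path(ev->fd, file, sizeof file);
                close(ev->fd);
            }
            int same = same_mount_ns(getpid(), ev->pid);
            printf("pid %d closed %s after writing (same mount ns as monitor: %s)\n",
                   ev->pid, file, same == 1 ? "yes" : same == 0 ? "no" : "unknown");
            ev = FAN_EVENT_NEXT(ev, len);
        }
    }
    return 0;
}
```

With a per-mount mark the Apache worker's uploads produce no output at all, which matches what fnotifystat shows in the report; with a filesystem mark they appear and the last column reads "no", which is the PrivateTmp namespace made visible. Note that the namespace check only tells you whether a mount mark can work, it is not itself a substitute for one.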