[Bug 173495] [PATCH] kmail_clamav.sh needs tuning, when clamd runs as a different user
Sascha Lucas
sascha.lucas at rus.uni-stuttgart.de
Fri Nov 21 09:36:07 GMT 2008
http://bugs.kde.org/show_bug.cgi?id=173495
--- Comment #2 from Sascha Lucas <sascha lucas rus uni-stuttgart de> 2008-11-21 10:36:01 ---
(In reply to comment #1)
> Did you actually test the patch you posted here??
actually not enough. I must revert my bugreport. Every thing works as expected.
> "ps -eo user,comm | grep clamd | awk '{print $1}"
you are right! else it wont work this way.
> I don't have clamav here, so please test if that works or submit your working
> solution.
Last I can't reproduce what my problem was. I think I tested only by executing
"clamdscan --stdout --no-summary /some/virus/in/my/home". And indeed clamdscan
behaves like described above. The reason seems that my $HOME has not the
permisson o+rx. So clamd can't access the test file.
But now an other issue appears: kmail_clamav.sh has an insecure tempfile
creation, when clamdscan is used (line 39: chmod a+r $TEMPFILE). While mktemp
creates secure tempfiles, now my mails are readable by all! The chmod a+r seems
to be an uggly workaround to make $TEMPFILE accessible for clamd.
So my wish is to make it more secure by this patch (now better tested by
running "kmail_clamav.sh < eicar.com" with and without clamd running ->
"X-Virus-Flag: yes" appears)
--- /usr/kde/4.1/bin/kmail_clamav.sh 2008-01-15 02:57:51.000000000 +0100
+++ kmail_clamav.sh 2008-11-21 10:23:01.000000000 +0100
@@ -36,14 +36,13 @@
# check for a running daemon
if [ "`ps -eo comm|grep clamd`" = "clamd" ]; then
- chmod a+r $TEMPFILE
- CLAMCOMANDO="clamdscan --stdout --no-summary "
+ CLAMCOMANDO="clamdscan --stdout --no-summary - <"
else
CLAMCOMANDO="clamscan --stdout --no-summary"
fi
# analyze the message
-if $CLAMCOMANDO $TEMPFILE | grep -q FOUND; then
+if eval $CLAMCOMANDO $TEMPFILE | grep -q FOUND; then
echo "X-Virus-Flag: yes"
else
echo "X-Virus-Flag: no"
Please decide weather this bug should be closed as invalid and if I should open
a new one with the tempfile issue...
--
Configure bugmail: http://bugs.kde.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
More information about the Kdepim-bugs
mailing list