[Bug 173495] [PATCH] kmail_clamav.sh needs tuning, when clamd runs as a different user

Sascha Lucas sascha.lucas at rus.uni-stuttgart.de
Fri Nov 21 09:36:07 GMT 2008


http://bugs.kde.org/show_bug.cgi?id=173495





--- Comment #2 from Sascha Lucas <sascha lucas rus uni-stuttgart de>  2008-11-21 10:36:01 ---
(In reply to comment #1)
> Did you actually test the patch you posted here??

Actually not enough. I must revert my bug report. Everything works as expected.

> "ps -eo user,comm | grep clamd | awk '{print $1}"

You are right! Else it won't work this way.

> I don't have clamav here, so please test if that works or submit your working
> solution.

Lastly, I can't reproduce what my problem was. I think I tested only by executing
"clamdscan --stdout --no-summary /some/virus/in/my/home". And indeed clamdscan
behaves as described above. The reason seems to be that my $HOME does not have
the permission o+rx. So clamd can't access the test file.

But now another issue appears: kmail_clamav.sh has an insecure tempfile
creation, when clamdscan is used (line 39: chmod a+r $TEMPFILE). While mktemp
creates secure tempfiles, now my mails are readable by all! The chmod a+r seems
to be an ugly workaround to make $TEMPFILE accessible for clamd.

So my wish is to make it more secure by this patch (now better tested by
running "kmail_clamav.sh < eicar.com" with and without clamd running ->
"X-Virus-Flag: yes" appears) 

--- /usr/kde/4.1/bin/kmail_clamav.sh    2008-01-15 02:57:51.000000000 +0100
+++ kmail_clamav.sh     2008-11-21 10:23:01.000000000 +0100
@@ -36,14 +36,13 @@

 # check for a running daemon
 if [ "`ps -eo comm|grep clamd`" = "clamd" ]; then
-    chmod a+r $TEMPFILE
-    CLAMCOMANDO="clamdscan --stdout --no-summary "
+    CLAMCOMANDO="clamdscan --stdout --no-summary - <"
 else
     CLAMCOMANDO="clamscan --stdout --no-summary"
 fi

 # analyze the message
-if $CLAMCOMANDO $TEMPFILE | grep -q FOUND; then
+if eval $CLAMCOMANDO $TEMPFILE | grep -q FOUND; then
     echo "X-Virus-Flag: yes"
 else
     echo "X-Virus-Flag: no"
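
Review bot: the eval on the new "if eval $CLAMCOMANDO $TEMPFILE" line is only needed because the "<" redirect is stored inside the CLAMCOMANDO string, and it makes the shell re-parse the whole command line, including the unquoted $TEMPFILE, in the clamscan branch as well, which does not need it. Dropping "chmod a+r $TEMPFILE" is the right fix for the world-readable tempfile, but I would keep the redirect out of the variable: have the daemon branch record that clamd is running and then call clamdscan --stdout --no-summary - < "$TEMPFILE" directly, with "$TEMPFILE" quoted in both branches, so no eval is required. A short comment above the clamdscan line saying that the message is passed on stdin so that clamd never needs read access to the file would also document why the chmod must not come back.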

Please decide whether this bug should be closed as invalid and if I should open
a new one with the tempfile issue...

