[SCM] Samba Shared Repository - branch master updated
Ralph Böhme
slow at samba.org
Wed Jan 24 14:09:02 UTC 2018
The branch, master has been updated
via cbf743d Samba-VirusFilter: clamav VFS and man page.
via 5970d68 Samba-VirusFilter: F-Secure AntiVirus (fsav) VFS and man page.
via 0b25089 Samba-VirusFilter: Sophos VFS backend.
via b1e69ed Samba-VirusFilter: common headers and sources.
via 70d7f7d Samba-VirusFilter: memcache changes.
from 8b82d10 ctdb-tests: Fix a typo
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit cbf743d329730387ede92a9d329893d1c651e97a
Author: Trever L. Adams <trever.adams at gmail.com>
Date: Tue Oct 18 13:40:01 2016 -0600
Samba-VirusFilter: clamav VFS and man page.
Signed-off-by: Trever L. Adams <trever.adams at gmail.com>
Signed-off-by: SATOH Fumiyasu <fumiyas at osstech.co.jp>
Reviewed-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Wed Jan 24 15:08:59 CET 2018 on sn-devel-144
commit 5970d68bf651fb8dbf1ac4e79d8f2e9467154870
Author: Trever L. Adams <trever.adams at gmail.com>
Date: Tue Oct 18 13:39:20 2016 -0600
Samba-VirusFilter: F-Secure AntiVirus (fsav) VFS and man page.
Signed-off-by: Trever L. Adams <trever.adams at gmail.com>
Signed-off-by: SATOH Fumiyasu <fumiyas at osstech.co.jp>
Reviewed-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 0b25089edd453270e52f2d8e6858a9996bb29a0d
Author: Trever L. Adams <trever.adams at gmail.com>
Date: Tue Oct 18 13:38:14 2016 -0600
Samba-VirusFilter: Sophos VFS backend.
Signed-off-by: Trever L. Adams <trever.adams at gmail.com>
Signed-off-by: SATOH Fumiyasu <fumiyas at osstech.co.jp>
Reviewed-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit b1e69edd0592d3b4b0f958792826a236dd3466e1
Author: Trever L. Adams <trever.adams at gmail.com>
Date: Tue Oct 18 13:34:53 2016 -0600
Samba-VirusFilter: common headers and sources.
Samba-VirusFilter Contributors:
SATOH Fumiyasu @ OSS Technology Corp., Japan
Module creator/maintainer
Luke Dixon luke.dixon at zynstra.com
Samba 4 support
Trever L. Adams
Documentation
Code contributions
Samba-master merge work
With many thanks to the Samba Team.
Signed-off-by: Trever L. Adams <trever.adams at gmail.com>
Signed-off-by: SATOH Fumiyasu <fumiyas at osstech.co.jp>
Reviewed-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 70d7f7d03c46c8727833f322bdc03da1b2aad720
Author: Trever L. Adams <trever.adams at gmail.com>
Date: Tue Oct 18 13:37:19 2016 -0600
Samba-VirusFilter: memcache changes.
Signed-off-by: Trever L. Adams <trever.adams at gmail.com>
Reviewed-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
-----------------------------------------------------------------------
Summary of changes:
docs-xml/manpages/vfs_virusfilter.8.xml | 369 +++++
docs-xml/wscript_build | 1 +
.../scripts/vfs/virusfilter/virusfilter-notify.ksh | 284 ++++
lib/util/memcache.c | 1 +
lib/util/memcache.h | 3 +-
source3/modules/vfs_virusfilter.c | 1521 ++++++++++++++++++++
source3/modules/vfs_virusfilter_clamav.c | 195 +++
source3/modules/vfs_virusfilter_common.h | 153 ++
source3/modules/vfs_virusfilter_fsav.c | 451 ++++++
source3/modules/vfs_virusfilter_sophos.c | 391 +++++
source3/modules/vfs_virusfilter_utils.c | 1025 +++++++++++++
source3/modules/vfs_virusfilter_utils.h | 177 +++
source3/modules/wscript_build | 18 +
source3/wscript | 2 +-
14 files changed, 4589 insertions(+), 2 deletions(-)
create mode 100644 docs-xml/manpages/vfs_virusfilter.8.xml
create mode 100644 examples/scripts/vfs/virusfilter/virusfilter-notify.ksh
create mode 100644 source3/modules/vfs_virusfilter.c
create mode 100644 source3/modules/vfs_virusfilter_clamav.c
create mode 100644 source3/modules/vfs_virusfilter_common.h
create mode 100644 source3/modules/vfs_virusfilter_fsav.c
create mode 100644 source3/modules/vfs_virusfilter_sophos.c
create mode 100644 source3/modules/vfs_virusfilter_utils.c
create mode 100644 source3/modules/vfs_virusfilter_utils.h
Changeset truncated at 500 lines:
diff --git a/docs-xml/manpages/vfs_virusfilter.8.xml b/docs-xml/manpages/vfs_virusfilter.8.xml
new file mode 100644
index 0000000..ee49df1
--- /dev/null
+++ b/docs-xml/manpages/vfs_virusfilter.8.xml
@@ -0,0 +1,369 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
+<refentry id="vfs_virusfilter.8">
+
+<refmeta>
+ <refentrytitle>vfs_virusfilter</refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo class="source">Samba</refmiscinfo>
+ <refmiscinfo class="manual">System Administration tools</refmiscinfo>
+ <refmiscinfo class="version">4.8</refmiscinfo>
+</refmeta>
+
+
+<refnamediv>
+ <refname>vfs_virusfilter</refname>
+ <refpurpose>On access virus scanner</refpurpose>
+</refnamediv>
+
+<refsynopsisdiv>
+ <cmdsynopsis>
+ <command>vfs objects = virusfilter</command>
+ </cmdsynopsis>
+</refsynopsisdiv>
+
+<refsect1>
+ <title>DESCRIPTION</title>
+
+ <para>This is a set of various Samba VFS modules to scan and filter
+ virus files on Samba file services with an anti-virus scanner.</para>
+
+ <para>This module is stackable.</para>
+
+</refsect1>
+
+<refsect1>
+ <title>OPTIONS</title>
+
+ <variablelist>
+
+ <varlistentry>
+ <term>virusfilter:scanner</term>
+ <listitem>
+ <para>The antivirus scan-engine.</para>
+ <itemizedlist>
+ <listitem><para><emphasis>sophos</emphasis>, the Sophos AV
+ scanner</para></listitem>
+ <listitem><para><emphasis>fsav</emphasis>, the F-Secure AV
+ scanner</para></listitem>
+ <listitem><para><emphasis>clamav</emphasis>, the ClamAV
+ scanner</para></listitem>
+ </itemizedlist>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>virusfilter:socket path = PATH</term>
+ <listitem>
+ <para>Path of local socket for the virus scanner.
+ </para>
+ <para>If this option is not set, the default path depends on the
+ configured AV scanning engine.
+ </para>
+ <para>For the <emphasis>sophos</emphasis>backend the default is
+ <emphasis>/var/run/savdi/sssp.sock</emphasis>.</para>
+ <para>For the <emphasis>fsav</emphasis> backend the default is
+ <emphasis>/tmp/.fsav-0</emphasis>.</para>
+ <para>For the <emphasis>fsav</emphasis> backend the default is
+ <emphasis>/var/run/clamav/clamd.ctl</emphasis>.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>virusfilter:connect timeout = 30000</term>
+ <listitem>
+ <para>Controls how long to wait on connecting to the virus
+ scanning process before timing out. Value is in milliseconds.
+ </para>
+ <para>If this option is not set, the default is 30000.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>virusfilter:io timeout = 60000</term>
+ <listitem>
+ <para>Controls how long to wait on communications with the virus
+ scanning process before timing out. Value is in milliseconds.
+ </para>
+ <para>If this option is not set, the default is 60000.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>virusfilter:scan on open = yes</term>
+ <listitem>
+ <para>This option controls whether files are scanned on open.
+ </para>
+ <para>If this option is not set, the default is yes.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>virusfilter:scan on close = no</term>
+ <listitem>
+ <para>This option controls whether files are scanned on close.
+ </para>
+ <para>If this option is not set, the default is no.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>virusfilter:max file size = 100000000</term>
+ <listitem>
+ <para>This is the largest sized file, in bytes, which will be scanned.
+ </para>
+ <para>If this option is not set, the default is 100MB.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>virusfilter:min file size = 10</term>
+ <listitem>
+ <para>This is the smallest sized file, in bytes, which will be scanned.
+ </para>
+ <para>If this option is not set, the default is 10.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>virusfilter:infected file action = nothing</term>
+ <listitem>
+ <para>What to do with an infected file. The options are
+ nothing, quarantine, rename, delete.</para>
+ <para>If this option is not set, the default is nothing.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>virusfilter:infected file errno on open = EACCES</term>
+ <listitem>
+ <para>What errno to return on open if the file is infected.
+ </para>
+ <para>If this option is not set, the default is EACCES.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>virusfilter:infected file errno on close = 0</term>
+ <listitem>
+ <para>What errno to return on close if the file is infected.
+ </para>
+ <para>If this option is not set, the default is 0.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>virusfilter:quarantine directory = PATH</term>
+ <listitem>
+ <para>Where to move infected files. This path must be an
+ absolute path.</para>
+ <para>If this option is not set, the default is ".quarantine"
+ relative to the share path. </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>virusfilter:quarantine prefix = virusfilter.</term>
+ <listitem>
+ <para>Prefix for quarantined files.</para>
+ <para>If this option is not set, the default is "virusfilter.".</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>virusfilter:quarantine suffix = .infected</term>
+ <listitem>
+ <para>Suffix for quarantined files.
+ This option is only used if keep name is true. Otherwise it is ignored.</para>
+ <para>If this option is not set, the default is ".infected".</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>virusfilter:rename prefix = virusfilter.</term>
+ <listitem>
+ <para>Prefix for infected files.</para>
+ <para>If this option is not set, the default is "virusfilter.".</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>virusfilter:rename suffix = .infected</term>
+ <listitem>
+ <para>Suffix for infected files.</para>
+ <para>If this option is not set, the default is ".infected".</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>virusfilter:quarantine keep tree = yes</term>
+ <listitem>
+ <para>If keep tree is set, the directory structure relative
+ to the share is maintained in the quarantine directory.
+ </para>
+ <para>If this option is not set, the default is yes.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>virusfilter:quarantine keep name = yes</term>
+ <listitem>
+ <para>Should the file name be left unmodified other than adding a suffix
+ and/or prefix and a random suffix name as defined in virusfilter:rename prefix
+ and virusfilter:rename suffix.</para>
+ <para>If this option is not set, the default is yes.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>virusfilter:infected file command = @SAMBA_DATADIR@/bin/virusfilter-notify --mail-to virusmaster at example.com --cc "%U at example.com" --from samba at example.com --subject-prefix "Samba: Infected File: "</term>
+ <listitem>
+ <para>External command to run on an infected file is found.</para>
+ <para>If this option is not set, the default is none.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>virusfilter:scan archive = true</term>
+ <listitem>
+ <para>This defines whether or not to scan archives.</para>
+ <para>Sophos and F-Secure support this and it defaults to false.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>virusfilter:max nested scan archive = 1</term>
+ <listitem>
+ <para>This defines the maximum depth to search nested archives.</para>
+ <para>The Sophos and F-Secure support this and it defaults to 1.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>virusfilter:scan mime = true</term>
+ <listitem>
+ <para>This defines whether or not to scan mime files.</para>
+ <para>Only the <emphasis>fsav</emphasis>scanner supports this
+ option and defaults to false.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>virusfilter:scan error command = @SAMBA_DATADIR@/bin/virusfilter-notify --mail-to virusmaster at example.com --from samba at example.com --subject-prefix "Samba: Scan Error: "</term>
+ <listitem>
+ <para>External command to run on scan error.</para>
+ <para>If this option is not set, the default is none.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>virusfilter:exclude files = empty</term>
+ <listitem>
+ <para>Files to exclude from scanning.</para>
+ <para>If this option is not set, the default is empty.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>virusfilter:block access on error = false</term>
+ <listitem>
+ <para>Controls whether or not access should be blocked on
+ a scanning error.</para>
+ <para>If this option is not set, the default is false.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>virusfilter:scan error errno on open = EACCES</term>
+ <listitem>
+ <para>What errno to return on open if there is an error in
+ scanning the file and block access on error is true.
+ </para>
+ <para>If this option is not set, the default is EACCES.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>virusfilter:scan error errno on close = 0</term>
+ <listitem>
+ <para>What errno to return on close if there is an error in
+ scanning the file and block access on error is true.
+ </para>
+ <para>If this option is not set, the default is 0.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>virusfilter:cache entry limit = 100</term>
+ <listitem>
+ <para>The maximum number of entries in the scanning results
+ cache. Due to how Samba's memcache works, this is approximate.</para>
+ <para>If this option is not set, the default is 100.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>virusfilter:cache time limit = 10</term>
+ <listitem>
+ <para>The maximum number of seconds that a scanning result
+ will stay in the results cache. -1 disables the limit.
+ 0 disables caching.</para>
+ <para>If this option is not set, the default is 10.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>virusfilter:quarantine directory mode = 0755</term>
+ <listitem>
+ <para>This is the octet mode for the quarantine directory and
+ its sub-directories as they are created.</para>
+ <para>If this option is not set, the default is 0755 or
+ S_IRUSR | S_IWUSR | S_IXUSR | S_IRGRP | S_IXGRP | S_IROTH |
+ S_IXOTH.</para>
+ <para>Permissions must be such that all users can read and
+ search. I.E. don't mess with this unless you really know what
+ you are doing.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>virusfilter:block suspected file = false</term>
+ <listitem>
+ <para>With this option on, suspected malware will be blocked as
+ well. Only the <emphasis>fsav</emphasis>scanner supports this
+ option.</para>
+ <para>If this option is not set, the default is false.</para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
+</refsect1>
+
+<refsect1>
+ <title>NOTES</title>
+
+ <para>This module can scan other than default streams, if the
+ alternative datastreams are each backed as separate files, such as with
+ the vfs module streams_depot.</para>
+
+ <para>For proper operation the streams support module must be before
+ the virusfilter module in your vfs objects list (i.e. streams_depot
+ must be called before virusfilter module).</para>
+
+ <para>This module is intended for security in depth by providing
+ virus scanning capability on the server. It is not intended to be used
+ in lieu of proper client based security. Other modules for security may
+ exist and may be desirable for security in depth on the server.</para>
+</refsect1>
+
+<refsect1>
+ <title>AUTHOR</title>
+
+ <para>The original Samba software and related utilities
+ were created by Andrew Tridgell. Samba is now developed
+ by the Samba Team as an Open Source project similar
+ to the way the Linux kernel is developed.</para>
+
+</refsect1>
+
+</refentry>
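Review bot: The third default under virusfilter:socket path is labelled for the wrong backend: the paragraph that gives /var/run/clamav/clamd.ctl reads "For the fsav backend", repeating the paragraph before it, so fsav is documented with two defaults and clamav with none. It should read `<emphasis>clamav</emphasis> backend`. In the same entry `<emphasis>sophos</emphasis>backend` is missing the space after the closing tag, as is `<emphasis>fsav</emphasis>scanner` under scan mime and block suspected file. Two descriptions also need reconciling: virusfilter:quarantine directory says the path must be absolute while its stated default is ".quarantine" relative to the share path, and virusfilter:quarantine keep name refers to virusfilter:rename prefix and virusfilter:rename suffix where the quarantine prefix and suffix options appear to be meant. Since virusfilter:block access on error defaults to false, that entry should say plainly that with the default a scan error does not block the open.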
diff --git a/docs-xml/wscript_build b/docs-xml/wscript_build
index f586208..954c62a 100644
--- a/docs-xml/wscript_build
+++ b/docs-xml/wscript_build
@@ -90,6 +90,7 @@ manpages='''
manpages/vfs_time_audit.8
manpages/vfs_tsmsm.8
manpages/vfs_unityed_media.8
+ manpages/vfs_virusfilter.8
manpages/vfs_worm.8
manpages/vfs_xattr_tdb.8
manpages/vfstest.1
diff --git a/examples/scripts/vfs/virusfilter/virusfilter-notify.ksh b/examples/scripts/vfs/virusfilter/virusfilter-notify.ksh
new file mode 100644
index 0000000..a07b914
--- /dev/null
+++ b/examples/scripts/vfs/virusfilter/virusfilter-notify.ksh
@@ -0,0 +1,284 @@
+#!/bin/ksh
+##
+## Samba-VirusFilter VFS modules
+## Copyright (C) 2010-2016 SATOH Fumiyasu @ OSS Technology Corp., Japan
+##
+## This program is free software; you can redistribute it and/or modify
+## it under the terms of the GNU General Public License as published by
+## the Free Software Foundation; either version 3 of the License, or
+## (at your option) any later version.
+##
+## This program is distributed in the hope that it will be useful,
+## but WITHOUT ANY WARRANTY; without even the implied warranty of
+## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+## GNU General Public License for more details.
+##
+## You should have received a copy of the GNU General Public License
+## along with this program. If not, see <http://www.gnu.org/licenses/>.
+##
+
+set -u
+
+pdie() { echo "$0: ERROR: ${1-}" 1>&2; exit "${2-1}"; }
+
+## ======================================================================
+
+sendmail="${VIRUSFILTER_NOTIFY_SENDMAIL_COMMAND:-/usr/sbin/sendmail}"
+sendmail_opts="${VIRUSFILTER_NOTIFY_SENDMAIL_OPTIONS:-}"
+
+smbclient="${VIRUSFILTER_NOTIFY_SMBCLIENT_COMMAND:- at SAMBA_BINDIR@/smbclient}"
+smbclient_opts="${VIRUSFILTER_NOTIFY_SMBCLIENT_OPTIONS:-}"
+
+## ======================================================================
+
+if [ -n "${VIRUSFILTER_RESULT_IS_CACHE-}" ]; then
+ ## Result is cache. Ignore!
+ exit 0
+fi
+
+if [ ! -t 1 ] && [ -z "${VIRUSFILTER_NOTIFY_BG-}" ]; then
+ export VIRUSFILTER_NOTIFY_BG=1
+ "$0" ${1+"$@"} </dev/null >/dev/null &
+ exit 0
+fi
+
+## ----------------------------------------------------------------------
+
+if [ -n "${VIRUSFILTER_INFECTED_FILE_ACTION-}" ]; then
+ report="$VIRUSFILTER_INFECTED_FILE_REPORT"
+else
+ report="$VIRUSFILTER_SCAN_ERROR_REPORT"
+fi
+
+if [ X"$VIRUSFILTER_SERVER_NAME" != X"$VIRUSFILTER_SERVER_IP" ]; then
+ server_name="$VIRUSFILTER_SERVER_NAME"
+else
+ server_name="$VIRUSFILTER_SERVER_NETBIOS_NAME"
+fi
+
+if [ X"$VIRUSFILTER_CLIENT_NAME" != X"$VIRUSFILTER_CLIENT_IP" ]; then
+ client_name="$VIRUSFILTER_CLIENT_NAME"
+else
+ client_name="$VIRUSFILTER_CLIENT_NETBIOS_NAME"
+fi
+
+mail_to=""
+winpopup_to=""
+subject_prefix=""
+sender=""
+from=""
+cc=""
+bcc=""
+content_type="text/plain"
+content_encoding="UTF-8"
+
+cmd_usage="Usage: $0 [OPTIONS]
+
+Options:
+ --mail-to ADDRESS
+ Send a notice message to this e-mail address(es)
+ --winpopup-to NAME
+ Send a \"WinPopup\" message to this NetBIOS name
+ --sender ADDRESS
+ Envelope sender address for mail
+ --from ADDRESS
+ From: e-mail address for mail
+ --cc ADDRESS
+ Cc: e-mail address(es) for mail
+ --bcc ADDRESS
+ Bcc: e-mail address(es) for mail
+ --subject-prefix PREFIX
+ Subject: prefix string for mail
+ --content-type TYPE
+ --content-encoding ENCODING
+ Content-Type: TYPE; charset=\"ENCODING\" for mail [$content_type; charset=\"$content_encoding\"]
+ --header-file FILE
+ Prepend the content of FILE to the message
+ --footer-file FILE
+ Append the content of FILE to the message
+"
+
+## ----------------------------------------------------------------------
+
+getopts_want_arg()
+{
+ if [ "$#" -lt 2 ]; then
+ pdie "Option requires an argument: $1"
+ fi
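Review bot: With `set -u` in effect, the unguarded expansions in the report and host-name selection (`$VIRUSFILTER_INFECTED_FILE_REPORT`, `$VIRUSFILTER_SCAN_ERROR_REPORT`, `$VIRUSFILTER_SERVER_NAME`, `$VIRUSFILTER_SERVER_IP`, `$VIRUSFILTER_CLIENT_NAME`, `$VIRUSFILTER_CLIENT_IP` and the NETBIOS variants) abort the script with a bare shell error if any of them is unset, and they run ahead of the option handling that begins at getopts_want_arg, so invoking the script by hand cannot even reach the usage text. Use the `${VAR-}` form already applied to VIRUSFILTER_RESULT_IS_CACHE and VIRUSFILTER_INFECTED_FILE_ACTION, or fail through pdie with a message naming the missing variable. The background re-exec `"$0" ${1+"$@"} </dev/null >/dev/null &` redirects stdin and stdout but leaves stderr attached to the caller; redirect it as well or add a comment saying where pdie output is expected to go.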
--
Samba Shared Repository