List:       mediawiki-l
Subject:    Re: [Mediawiki-l] Setting up clamav for chrooted apache
From:       Platonides <Platonides () gmail ! com>
Date:       2010-08-30 12:09:54
Message-ID: i5g6pi$60f$1 () dough ! gmane ! org

tojja@Safe-mail.net wrote:
> Hi, I am experiencing a problem running clamav on an OpenBSD machine.  Apache comes \
> chrooted by default (a configuration I want to keep) therefore when the apache user \
> tries to scan a file it finds that no executable named clamscan or clamdscan is \
> inside the chroot.  Now I've tried to copy/symlink the executable(s) and the \
> dependent files under the chroot and execute the scan however in my debug log file \
> I always get: 
> UploadBase::detectVirus: running virus scan: /usr/local/bin/clamdscan --no-summary \
>                 '/tmp/phpqkflgiwo' 2>&1
> wfShellExec: /usr/local/bin/clamdscan --no-summary '/tmp/phpqkflgiwo' 2>&1
> Possibly missing executable file: /usr/local/bin/clamdscan --no-summary \
> '/tmp/phpqkflgiwo' 2>&1 UploadBase::detectVirus: failed to scan /tmp/phpqkflgiwo \
> (code 127). 
> From the look of it it can't see the executable to even try to scan.  If the apache \
> user (www) is running the scan and the same user is executing the scan then \
> permissions of usr/local/bin/clamdscan is 555 (all the way through the path) then \
> it seems it should at least be able to find the file.  An odd but seemingly \
> unrelated problem is that the temporary directory is set to /tmp (within the \
> chroot) even though $wgTmpDirectory is set to /htdocs/wiki/images and in php \
> settings they're set to /htdocs/temp.  Trying to compile clamav with the --prefix \
> and --exec-prefix options set inside the chroot doesn't result in the program being \
> installed inside the chroot.   
> If I could just tell clamdscan to talk with the clamd socket that would be nice but \
> it doesn't appear to be practical.  It looks like installing clamav inside the \
> chroot path should help but it isn't working as I had hoped.  I made a test php \
> script that executes the shell command that mediawiki does (from the wfShellExec \
> function in GlobalFunctions.php) and directly put the desired command for a test \
> file within the chroot and it still behaves the same way when invoked directly on \
> the command line "php test.php".  If someone has any suggestions on how to get \
> these programs to work together I'd like to see them.  Thanks in advance!

You have copied /usr/local/bin/clamdscan as
/var/www/usr/local/bin/clamdscan? What about the libraries? You will
also need a /var/www/etc/clamav/clamd.conf, and have the socket inside
the chroot...

I think the best would be to chroot yourself there and try to run it
from command line seeing what errors it gives you.


_______________________________________________
MediaWiki-l mailing list
MediaWiki-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
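
A checker for the items listed in the reply above (binary, libraries, clamd.conf, socket), as an added example that is not part of the original message. The default paths are the ones named in the thread; the function names, the /bin/sh requirement and reading the socket path from the LocalSocket directive of clamd.conf are assumptions of this example.

```shell
#!/bin/sh
# Added example: report what a chroot lacks for running clamdscan inside it.
# Usage (on the host, outside the chroot): sh <this script> /var/www

# Parse ldd output on stdin and print each absolute path once.
# Handles "lib => /path (0x..)" lines and the OpenBSD layout, where the
# path is the last column and the first line is "binary:".
lib_paths() {
    tr -s ' \t' '\n' | sed 's/:$//' | grep '^/' | sort -u
}

# Print the LocalSocket path set in a clamd.conf file (empty if unset).
local_socket() {
    awk '$1 == "LocalSocket" { print $2; exit }' "$1" 2>/dev/null || true
}

# check_chroot CHROOT BIN CONF  < list of required paths, one per line
# Prints one "MISSING ..." line per absent item; returns 1 if any is absent.
# Paths containing whitespace are not supported.
check_chroot() {
    root=$1 bin=$2 conf=$3 rc=0
    # Assumption: /bin/sh is required because PHP runs shell commands via sh -c.
    for p in /bin/sh "$bin" "$conf" $(cat); do
        [ -e "$root$p" ] || { echo "MISSING file $p"; rc=1; }
    done
    sock=$(local_socket "$root$conf")
    if [ -z "$sock" ]; then
        echo "MISSING LocalSocket setting in $conf"; rc=1
    elif [ ! -S "$root$sock" ]; then
        echo "MISSING socket $sock"; rc=1
    fi
    return $rc
}

if [ "$#" -gt 0 ]; then
    root=$1 bin=${2:-/usr/local/bin/clamdscan} conf=${3:-/etc/clamav/clamd.conf}
    ldd "$bin" | lib_paths | check_chroot "$root" "$bin" "$conf"
fi
```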

