Castaglia / proftpd-mod_clamav

Customised version of proftpd mod_clamav

mod_clamav has problems with DefaultRoot (chroot) setup #5

Open rminsk opened 9 years ago

rminsk commented 9 years ago

I am having problems using clamav with a chrooted setup. From the log after uploading the file walk.py:

Jan 30 15:13:55 minskdev02 proftpd[3651]: 10.0.100.84 - ProFTPD 1.3.5 (stable) (built Sat May 17 2014 00:43:20 UTC) standalone mode STARTUP
Jan 30 15:13:55 minskdev02 systemd: Started ProFTPD FTP Server.
Jan 30 15:14:36 minskdev02 proftpd[3655]: 10.0.100.84 (10.0.102.231[10.0.102.231]) - FTP session opened.
Jan 30 15:15:03 minskdev02 clamd: WARNING: lstat() failed on: /walk.py
Jan 30 15:15:03 minskdev02 clamd[944]: lstat() failed on: /walk.py
Jan 30 15:15:03 minskdev02 proftpd[3655]: 10.0.100.84 (10.0.102.231[10.0.102.231]) - mod_clamav/0.10b: Clamd Error: 1: /walk.py: lstat() failed: No such file or directory. ERROR
Jan 30 15:15:09 minskdev02 proftpd[3655]: 10.0.100.84 (10.0.102.231[10.0.102.231]) - FTP session closed.

The user in question is not in the dataio group. Server config in next comment.

ProFTPD Version: 1.3.5 (stable)
  Scoreboard Version: 01040003
  Built: Sat May 17 2014 00:43:20 UTC

Loaded modules:
  mod_ctrls_admin/0.9.7
  mod_copy/0.4
  mod_vroot/0.9.4
  mod_clamav/0.10b
  mod_site_misc/1.5
  mod_ldap/2.9.4
  mod_ifsession/1.3
  mod_lang/1.0
  mod_ctrls/0.9.5
  mod_cap/1.1
  mod_memcache/0.1
  mod_tls/2.6
  mod_auth_pam/1.2
  mod_readme/1.0
  mod_ident/1.0
  mod_dso/0.5
  mod_facts/0.3
  mod_delay/0.7
  mod_site.c
  mod_log.c
  mod_ls.c
  mod_auth.c
  mod_auth_file/1.0
  mod_auth_unix.c
  mod_rlimit/1.0
  mod_xfer.c
  mod_core.c

rminsk commented 9 years ago

# Trace logging, disabled by default for performance reasons
#TraceLog               /var/log/proftpd/trace.log
#Trace                  DEFAULT:0

SetEnv                  SERVER_STORAGE /mnt/dropbox01

ServerName              "XXXXXX Dropbox"
ServerIdent             on "XXXXXX Dropbox Server ready."
ServerAdmin             "XXXXXXXXXXXXXX@XXXXXXXXXXXXXXXXX"
ServerType              standalone
DefaultServer           on

# Set the user and group under which the server will run
User                    nobody
Group                   nobody

# Don't use IPv6 support by default.
UseIPv6                 off

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask                   022

# Don't do reverse DNS lookups (hangs on DNS problems)
UseReverseDNS           off

# To prevent DoS attacks, set the maximum number of child processes
# to 20.  If you need to allow more than 20 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode; in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances            20

# Disable sendfile by default since it breaks displaying the download speeds in
# ftptop and ftpwho
UseSendfile             off

# Define the log formats
LogFormat               default "%h %l %u %t \"%r\" %s %b"
LogFormat               auth    "%v [%P] %h %t \"%r\" %s"

# Display the README file when changing to a directory
DisplayChdir            README

# Display logout message
DisplayQuit             %{env:SERVER_STORAGE}/logout.msg

# Display login message after user has successfully logged in.
DisplayLogin            %{env:SERVER_STORAGE}/login.msg

<Directory /*>
  UserOwner             nobody
  GroupOwner            nobody
</Directory>

<IfModule mod_dso.c>
  # Allow only user root to load and unload modules, but allow everyone
  # to see which modules have been loaded
  ModuleControlsACLs            insmod,rmmod allow user root
  ModuleControlsACLs            lsmod allow user *

  <IfModule !mod_ifsession.c>
    LoadModule mod_ifsession.c
  </IfModule>
  <IfModule !mod_facts.c>
    LoadModule mod_facts.c
  </IfModule>
  <IfModule !mod_ldap.c>
    LoadModule mod_ldap.c
  </IfModule>
  <IfModule !mod_ls.c>
    LoadModule mod_ls.c
  </IfModule>
  <IfModule !mod_site_misc.c>
    LoadModule mod_site_misc.c
  </IfModule>
  <IfModule !mod_clamav.c>
    LoadModule mod_clamav.c
  </IfModule>
  <IfModule !mod_vroot.c>
    LoadModule mod_vroot.c
  </IfModule>
  <IfModule !mod_facts.c>
    LoadModule mod_facts.c
  </IfModule>
  <IfModule !mod_copy.c>
    LoadModule mod_copy.c
  </IfModule>
  <IfModule !mod_site_misc.c>
    LoadModule mod_site_misc.c
  </IfModule>
  <IfModule !mod_ctrls.c>
    LoadModule mod_ctrls.c
  </IfModule>
  <IfModule !mod_ctrls_admin.c>
    LoadModule mod_ctrls_admin.c
  </IfModule>
</IfModule>

LDAPProtocolVersion             3
LDAPUsers                       ou=People,ou=admin,o=XXXX,ou=XXXXXXX,dc=XXXXXXXXXXXXX,dc=net
LDAPGroups                      ou=Group,ou=admin,o=XXXX,ou=XXXXXXX,dc=XXXXXXXXXXXXX,dc=net
LDAPSearchScope                 subtree
LDAPServer                      ldap01-la01.XXXXXXXXXXXXX.XXX:389 ldap02-la01.XXXXXXXXXXXXX.XXX:389
LDAPAuthBinds                   on
LDAPForceDefaultUID             on
LDAPDefaultUID                  99
LDAPForceDefaultGID             on
LDAPDefaultGID                  99
CreateHome                      on 755
LDAPGenerateHomedir             on
LDAPForceGeneratedHomedir       on
LDAPGenerateHomedirPrefix       %{env:SERVER_STORAGE}/users
PersistentPasswd                off

<IfModule mod_site_misc.c>
  SiteMiscEngine        on
</IfModule>

<IfModule mod_ident.c>
  IdentLookups          off
</IfModule>

DirFakeUser             on ~
DirFakeGroup            on ~
ShowSymlinks            on
UseGlobbing             on

<IfModule mod_vroot.c>
  VRootEngine           on
  VRootAlias            %{env:SERVER_STORAGE}/users/shared ~/shared
</IfModule>

<IfModule mod_clamav.c>
  ClamAV                on
  ClamLocalSocket       /var/run/clamd.dropbox/clamd.sock
</IfModule>

<IfModule mod_facts.c>
  FactsAdvertise        on
  FactsOptions          UseSlink
</IfModule>

<IfModule mod_site_misc.c>
  SiteMiscEngine        on
</IfModule>

<IfModule mod_ctrls.c>
  ControlsEngine        on
  ControlsACLs          all allow user root
  ControlsSocketACL     allow user *
  ControlsLog           /var/log/proftpd/controls.log
</IfModule>

<IfModule mod_ctrls_admin.c>
  AdminControlsEngine   on
  AdminControlsACLs     all allow user root
</IfModule>

AuthOrder               mod_auth_file.c mod_ldap.c*
AuthGroupFile           /etc/proftpd.group
RequireValidShell       on

# Data I/O sees all of the dropbox structure
DefaultRoot             %{env:SERVER_STORAGE} dataio
DefaultChdir            %{env:SERVER_STORAGE}/users dataio

# Cause every FTP user except data I/O to be chrooted into their home directory.
DefaultRoot             ~ !dataio

rminsk commented 9 years ago

So why is session.chroot_path empty? (line 397) I'm guessing it has to do with mod_vroot.

2015-01-31 00:02:29,202 minskdev02.xxxxxx.com proftpd[3733] 10.0.100.84 (10.0.102.231[10.0.102.231]): mod_clamav/0.10b: absolute path is '/walk.py', relative path is '/walk.py'
2015-01-31 00:02:29,202 minskdev02.xxxxxx.com proftpd[3733] 10.0.100.84 (10.0.102.231[10.0.102.231]): mod_clamav/0.10b: Going to virus scan absolute filename = '/walk.py' with relative filename = '/walk.py'.
2015-01-31 00:02:29,202 minskdev02.xxxxxx.com proftpd[3733] 10.0.100.84 (10.0.102.231[10.0.102.231]): mod_clamav/0.10b: Connecting to local Clamd socket '/var/run/clamd.dropbox/clamd.sock'
2015-01-31 00:02:29,202 minskdev02.xxxxxx.com proftpd[3733] 10.0.100.84 (10.0.102.231[10.0.102.231]): mod_clamav/0.10b: Successfully reconnected to Clamd
2015-01-31 00:02:29,203 minskdev02.xxxxxx.com proftpd[3733] 10.0.100.84 (10.0.102.231[10.0.102.231]): mod_clamav/0.10b: Clamd Error: 1: /walk.py: lstat() failed: No such file or directory. ERROR
2015-01-31 00:02:29,203 minskdev02.xxxxxx.com proftpd[3733] 10.0.100.84 (10.0.102.231[10.0.102.231]): mod_clamav/0.10b: No virus detected in filename = '/walk.py'
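
The trace above shows the core of the mismatch: the session sees '/walk.py', session.chroot_path is empty (the virtual root comes from mod_vroot, not a real chroot), so the path handed to clamd is the session-relative one, and clamd, which runs outside any chroot, cannot lstat() it. The same trace then logs "No virus detected" right after the "Clamd Error" line, so the scan error is treated as a clean result. The script below is an added example, not code from mod_clamav or mod_vroot: it models the path resolution with a hypothetical vroot_base argument standing in for the mod_vroot base directory, pre-checks that the resolved path exists on the real filesystem, parses clamd replies in the "<id>: <path>: <detail> <verdict>" shape seen in the log, and treats ERROR as a reject rather than as clean. All function names are mine; the sample replies are constructed, with only the first copied from the issue.

```python
import os
import re
import tempfile

# Constructed sample replies in the format the trace above shows
# ("<request id>: <path>: <detail> <verdict>"). The first line is the one
# from the issue; the other two are made up for the OK and FOUND cases.
SAMPLE_REPLIES = [
    "1: /walk.py: lstat() failed: No such file or directory. ERROR",
    "2: /mnt/dropbox01/users/alice/walk.py: OK",
    "3: /mnt/dropbox01/users/alice/eicar.com: Eicar-Test-Signature FOUND",
]

_REPLY_RE = re.compile(
    r"^(?:(?P<id>\d+): )?(?P<path>.+?): (?P<detail>.*?)\s*(?P<verdict>OK|FOUND|ERROR)$"
)


def parse_clamd_reply(line):
    """Split a clamd reply into id, path, detail and verdict (OK / FOUND / ERROR)."""
    m = _REPLY_RE.match(line.strip())
    if m is None:
        raise ValueError("unrecognised clamd reply: %r" % line)
    return {
        "id": m.group("id"),
        "path": m.group("path"),
        "detail": m.group("detail"),
        "verdict": m.group("verdict"),
    }


def resolve_scan_path(session_path, chroot_path="", vroot_base=""):
    """Map the path the FTP session sees onto the path clamd can lstat().

    chroot_path stands in for session.chroot_path (set by a real DefaultRoot
    chroot). vroot_base is a hypothetical value for the mod_vroot case, where
    the trace above shows chroot_path staying empty although the session sees
    a virtual root. With neither, the session path is returned unchanged,
    which is exactly what yields '/walk.py' in the log.
    """
    base = chroot_path or vroot_base
    if not base:
        return session_path
    base = os.path.normpath(base)
    real = os.path.normpath(os.path.join(base, session_path.lstrip("/")))
    # Defensive check: the resolved path must stay inside the root.
    if os.path.commonpath([base, real]) != base:
        raise ValueError("session path escapes its root: %r" % session_path)
    return real


def scan_path_usable(real_path):
    """Do locally the lstat() clamd will do, so a chroot mismatch is caught first."""
    return os.path.lexists(real_path)


def upload_decision(reply):
    """Fail closed: only an explicit OK allows the upload; FOUND and ERROR both reject."""
    r = parse_clamd_reply(reply)
    if r["verdict"] == "OK":
        return ("allow", "clean")
    if r["verdict"] == "FOUND":
        return ("reject", r["detail"])
    return ("reject", "scan error: " + r["detail"])


def demo():
    """Reproduce the mismatch on a constructed virtual root in a temporary directory."""
    with tempfile.TemporaryDirectory() as vroot_base:
        open(os.path.join(vroot_base, "walk.py"), "w").close()
        naive = resolve_scan_path("/walk.py")                        # what the trace shows
        fixed = resolve_scan_path("/walk.py", vroot_base=vroot_base)  # real path for clamd
        return {
            "naive_path": naive,
            "naive_usable": scan_path_usable(naive),
            "fixed_usable": scan_path_usable(fixed),
            "decisions": [upload_decision(r) for r in SAMPLE_REPLIES],
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run it directly and it reports the naive path as unusable (no /walk.py on the real filesystem), the path rebuilt under the virtual root as usable, and one decision per sample reply. The decision function is the part worth keeping in mind when reading the trace: whatever module computes the path, a scanner ERROR should not end the upload with the same outcome as a clean scan.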

rminsk commented 9 years ago

I think this is a problem with mod_vroot and not mod_clamav. I have submitted a pull request on mod_vroot to address this problem.