owncloud / files_antivirus

:space_invader: virus scanner for ownCloud
GNU Affero General Public License v3.0

cannot change to "delete" instead of "log only" #107

Closed crysman closed 3 years ago

crysman commented 8 years ago

I am unable to change to "delete the file" instead of "log only" in the plugin options. Why? Any hints?

owncloud: ownCloud 8.2.3 (stable)
app: Antivirus App for files 0.8.0.1
php 5.5.30

Lqp1 commented 8 years ago

Hi, I have a similar issue: I can't change any option (daemon mode, socket, port, length, ...) in the administration panel. Maybe this is the same issue?

infos: ClamAV is running as daemon on a remote server, so no clamav binary installed on owncloud server.
ownCloud 9.0.1 (stable)
app: 0.8.0.1
php5-fpm 5.6.19
nginx 1.6.2

marco-aa commented 8 years ago

Hello Lqp1 and crysman,

maybe it's helpful to check the appconfig table via mysql @crysman

select * from oc_appconfig where appid like '%anti%' \G
...
*** 4. row ***
      appid: files_antivirus
  configkey: av_infected_action
configvalue: delete

If the scanner is working - maybe you can change it in the database as a workaround ...

By the way, I'm using 8.2.3 and 0.8.0.1 too - did you check your log in the admin panel? Did you try deactivating and re-activating the app? Are other apps in the app folder working?

Lqp1 commented 8 years ago

Hi, thanks for the feedback. Here's the output:

*** 4. row ***
      appid: files_antivirus
  configkey: av_infected_action
configvalue: NULL

I've "NULL" value for several other fields... So I changed all the fields manually (set to daemon, with right port, hosts, etc...) and now it shows up with the right parameters in Owncloud Administration Panel. Furthermore, it now works as expected when I upload files. So, this is a working workaround, thanks :)

But I think there is an issue because it's impossible to change the parameters from owncloud directly :/

crysman commented 8 years ago

Hmm, I see... this will be a problem (from the log):

file_exists(): open_basedir restriction in effect. File(/usr/bin/clamscan) is not within the allowed path(s):

But, when I try to change to "Daemon" mode, it does not let me :/ - still errors like this in the log.

How to solve it correctly?

marco-aa commented 8 years ago

Hello crysman,

how is your open_basedir set ? I found some hints in this article https://wiki.archlinux.org/index.php/OwnCloud - it's pointing to https://github.com/owncloud/core/search?q=open_basedir&type=Issues&utf8=%E2%9C%93

Maybe you find something there? P.S. check your open_basedir settings via <?php phpinfo() ?> - maybe you can (for a test) comment it out/change it

Lqp1 commented 8 years ago

Yep, I think you need to add /usr/bin/ to open_basedir if you want to use this mode for the plugin. If you want to use daemon mode, I think there is an issue in the plugin, and you can't change that from the menu... Just open mysql cli and update the fields manually.

crysman commented 8 years ago

I've added /usr/bin to the php_admin_value[open_basedir] but I am still unable to make it work.

Although there are no more error messages in the log, it does not let me change it to "Delete file" mode. What might be wrong?

crysman commented 8 years ago

Here is my output:

MariaDB [owncloud]> select * from oc_appconfig where appid like '%anti%' \G;
*************************** 1. row ***************************
      appid: files_antivirus
  configkey: av_path
configvalue: /usr/bin/clamscan
*************************** 2. row ***************************
      appid: files_antivirus
  configkey: enabled
configvalue: yes
*************************** 3. row ***************************
      appid: files_antivirus
  configkey: installed_version
configvalue: 0.8.0.1
*************************** 4. row ***************************
      appid: files_antivirus
  configkey: ocsid
configvalue: 157439
*************************** 5. row ***************************
      appid: files_antivirus
  configkey: types
configvalue: filesystem
5 rows in set (0.01 sec)

There is nothing like "av_infected_action", and consequently no NULL values, as you say. Does it mean I should add it?

Lqp1 commented 8 years ago

Hi @crysman

Regarding open_basedir: did you check the value of open_basedir within PHP (as @marco-aa said, maybe check that the path is effectively in open_basedir in the page shown by <?php phpinfo() ?>)? If not, ensure that you changed the right php config file (for me it's the one of php-fpm). If it's correct, also check that clamscan is in this directory:

# whereis -b clamscan
clamscan: /usr/bin/clamscan

If not, you'll need to update the option "av_path".

Regarding your database, I think there are more options, as I have many more entries in MySQL:

mysql> select * from oc_appconfig where appid like '%anti%' \G;
*** 1. row ***
      appid: files_antivirus
  configkey: av_chunk_size
configvalue: 1024
*** 2. row ***
      appid: files_antivirus
  configkey: av_cmd_options
configvalue: NULL
*** 3. row ***
      appid: files_antivirus
  configkey: av_host
configvalue: 10.7.0.1
*** 4. row ***
      appid: files_antivirus
  configkey: av_infected_action
configvalue: delete
*** 5. row ***
      appid: files_antivirus
  configkey: av_mode
configvalue: daemon
*** 6. row ***
      appid: files_antivirus
  configkey: av_path
configvalue: /usr/bin/clamscan
*** 7. row ***
      appid: files_antivirus
  configkey: av_port
configvalue: 3310
*** 8. row ***
      appid: files_antivirus
  configkey: av_socket
configvalue: NULL
*** 9. row ***
      appid: files_antivirus
  configkey: enabled
configvalue: yes
*** 10. row ***
      appid: files_antivirus
  configkey: installed_version
configvalue: 0.8.0.1
*** 11. row ***
      appid: files_antivirus
  configkey: ocsid
configvalue: 157439
*** 12. row ***
      appid: files_antivirus
  configkey: signed
configvalue: true
*** 13. row ***
      appid: files_antivirus
  configkey: types
configvalue: filesystem

Maybe the missing entries are created when needed (like for daemon mode or socket mode). You can try to update/create those fields manually ? It will allow you to change options, but you'll need to fix the open_basedir issue anyway :)

crysman commented 8 years ago

Yes, I did check it via phpinfo() and indeed, it is there. Have a look in the config:

⚡ cat /etc/php5/fpm/pool.d/owncloud.mysite.cz.conf | grep basedir
php_admin_value[open_basedir] = /var/www/owncloud:/domains/mysite.cz/tmp/owncloud:/usr/share/php/XML:/dev/urandom:/tmp:/usr/bin

Clamscan is, indeed, in /usr/bin:

⚡ which clamscan
/usr/bin/clamscan

There are no errors regarding missing clamscan or PHP basedir in the log, so that is not an issue. I have only "Official" plugins enabled:

⚡ sudo -u mysiteuser php owncloud/occ app:list
Enabled:
  - activity: 2.1.4
  - external: 1.2
  - files: 1.2.1
  - files_antivirus: 0.8.0.1
  - files_sharing: 0.7.0
  - files_texteditor: 2.0
  - files_trashbin: 0.7.0
  - files_versions: 1.1.0
  - gallery: 14.2.0
  - provisioning_api: 0.3.0
  - user_external: 0.4
Disabled:
  - calendar
  - contacts
  - conversations
  - documents
  - encryption
  - files_encryption
  - files_external
  - files_pdfviewer
  - files_videoviewer
  - firstrunwizard
  - galleryplus
  - notes
  - notifications
  - tasks
  - templateeditor
  - user_ldap

I've already:

  1. Updated to OwnCloud 8.2.4.2
  2. Switched the UI language to English
  3. Tried to Disable the AV plugin and enable it again

No success :/

So the question remains: What is wrong with the plugin? How to make it work without direct DB changes?
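
The open_basedir question raised above can also be checked from the shell. This is an added example, not code from the thread or from the plugin: it reads the `php_admin_value[open_basedir]` line of a php-fpm pool file and tests whether a path falls under one of its entries. Assumptions: entries are matched on directory boundaries, symlinks are not resolved (PHP resolves them), and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: does a php-fpm pool's open_basedir cover a given path?
# Assumptions: entries are matched on directory boundaries, symlinks are
# NOT resolved (PHP resolves them); if the key appears more than once,
# the last line is used.

# Constructed sample: the open_basedir line quoted in the thread.
sample_pool_conf() {
  printf '%s\n' 'php_admin_value[open_basedir] = /var/www/owncloud:/domains/mysite.cz/tmp/owncloud:/usr/share/php/XML:/dev/urandom:/tmp:/usr/bin'
}

# open_basedir_allows POOL_CONF PATH -> exit status 0 if allowed, 1 if not
open_basedir_allows() (
  conf=$1
  target=$2
  # Keep only the value right of "=", without surrounding blanks.
  value=$(sed -n 's/^[[:blank:]]*php_admin_value\[open_basedir][[:blank:]]*=[[:blank:]]*\(.*[^[:blank:]]\)[[:blank:]]*$/\1/p' "$conf" | tail -n 1)
  # No open_basedir line means no restriction from this pool file.
  [ -n "$value" ] || return 0
  IFS=:      # entries are colon-separated
  set -f     # do not glob-expand entries while splitting
  for entry in $value; do
    entry=${entry%/}
    case $target in
      # exact match (e.g. /dev/urandom) or a path below the directory;
      # "/usr/bin" must not match "/usr/bin2/x"
      "$entry" | "$entry"/*) return 0 ;;
    esac
  done
  return 1
)

# Stand-alone use: sh check_basedir.sh POOL_CONF PATH
if [ "$#" -eq 2 ]; then
  if open_basedir_allows "$1" "$2"; then
    echo "allowed: $2"
  else
    echo "blocked by open_basedir: $2"
  fi
fi
```

With the sample line, `/usr/bin/clamscan` is allowed while the default socket path `/var/run/clamav/clamd.ctl` is not, which matches the two modes discussed in the thread.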

crysman commented 8 years ago

Doesn't my owncloud PHP website need also access to /var/run/clamav/ (There is a default "Socket" option in the Antivirus Configuration containing "/var/run/clamav/clamd.ctl")

But I believe the plugin is broken somehow, because e.g. the "Add + rule" button doesn't do anything (see https://github.com/owncloud/files_antivirus/issues/108)

EDIT 2016-05-11: I've added "/var/run/clamav" to the PHP's open_basedir in order to try the Daemon socket mode, but no luck. The UI doesn't let me change anything in the admin menu, even though there are no more AV-plugin-related errors in the log.

Lqp1 commented 8 years ago

I think you're right, and the plugin is broken... I hope someone else will be able to help us with this issue...

The "Add + rule" button and plugin setup without direct DB access do not work in my setup either... Maybe it's related to the fix in commit 8bea266cf14d696c363d7a844d8b12217512fae9 in PR #111. If you really need to add more rules, you can give it a try?

owncloud PHP user must have access to /var/run/clamav only if you use AV plugin in socket mode. If using binary mode, you must only set open_basedir.

crysman commented 8 years ago

I've just found out that the plugin kind of works. "Kind of" means:

  1. the "executable" mode is enabled and obviously works, because:
     a) since the php errors are gone, the server reports CPU overusage, which is something that has never happened before
     b) the client refuses to upload a virus sample to the server and reports it in my local log:

    11.05.16 16:01:07 tmp/VIRUSTEST ownCloud The item is not synced because of previous errors: Error downloading https://cloud.mysite.cz/remote.php/webdav/tmp/VIRUSTEST - server replied: Unsupported Media Type (Virus SecuriteInfo.com.TR.Crypt.ZPACK.mlap.1703.26433.26942.UNOFFICIAL is detected in the file. Upload cannot be completed.)
    11.05.16 16:00:48 tmp/VIRUSTEST ownCloud Error downloading https://cloud.mysite.cz/remote.php/webdav/tmp/VIRUSTEST - server replied: Unsupported Media Type (Virus SecuriteInfo.com.TR.Crypt.ZPACK.mlap.1703.26433.26942.UNOFFICIAL is detected in the file. Upload cannot be completed.) 152 KiB

  2. The UI does not let me change any option in the Admin -> Antivirus Configuration menu. E.g. I would like to change the behaviour to the daemon mode, not executable, which is extremely slow and demanding...

So this is the issue now. Any optimistic future in the horizon?

crysman commented 8 years ago

Adding required options directly to the DB and modifying some already existing values has solved partially the problem. Partially, because:

  1. It's not possible to change the options via the UI
  2. It's not ready for an end-user who does NOT want to modify DB directly
  3. I believe a malfunctioning (useless) admin menu in the plugin's UI is a serious bug

Lqp1 commented 8 years ago

I'm glad to hear you finally make it work. I hope this issue will find a decent fix because this is really annoying.

VicDeo commented 8 years ago

I never was able to reproduce it.

Here is another take for a newly released 9.0.3:
  1. Install 9.0.3
  2. Enable files_antivirus (v0.8.0.2)
  3. Switch whatever option above advanced section (Mode, Action for infected files found while scanning, etc)
  4. Click Save
Result

Everything is saved

Rules in advanced section are broken indeed. Everyone is welcome to test https://github.com/owncloud/files_antivirus/pull/111 on this matter

Lqp1 commented 8 years ago

I just upgraded to OC 9.0.4, with files_antivirus v0.8.0.2 (I manually downloaded Tag 9.04). After that I disabled then re-enabled the application (just in case). When I go to the administration panel, I change the port or the action to perform when a virus is found, then I click "save" and a green text appears telling me it's OK. If I go back to the administration panel (refresh or log out/in), the setting is not saved.

VicDeo commented 7 years ago

@Lqp1 is it still reproducible with more recent versions?

Lqp1 commented 7 years ago

@VicDeo I downloaded tag version v9.0.7RC1 (it shows v0.8.1.0 in OC) for my 9.0.4 owncloud and uncompressed the new archive in the "apps" folder. I reproduced the same issue as in my previous post. So if I want to change some parameters, I need to connect to my database directly.

Maybe I should try a 9.1.X owncloud version? Maybe some log may help? When I click on save nginx returns HTTP 200, this is why I get the green text I guess; but there is nothing in owncloud.log (even if I set log level to debug, so maybe I do something the wrong way?)

crysman commented 7 years ago

We've just upgraded to OC 9.1.2 (stable), issue still persists. PHP 5.6.27 Apache/2.4.10

IMRcom commented 7 years ago

Issue still persists with oC 9.1.4, files_antivirus 0.9.0.0, PHP 5.6.30.

crysman commented 7 years ago

Any chance to get this fixed? After one whole year and 2 months, I am still unable to change settings for this plugin in the UI. Any changes are not being saved. I cannot believe we are just 3 users here actually trying to use this plugin, since I consider it quite essential (for security reasons of course)

VicDeo commented 6 years ago

@crysman Are you able to change other antivirus settings? What comes in response from the server when you click Save?

crysman commented 6 years ago

no message at all, page is reloaded, modified settings are gone (page is reloaded with the same settings as before changing them) using ownCloud 9.1.4 (stable)

there is only the error message with the code integrity warning, but that message is there all the time anyway (we need lib/imap.php modified)

VicDeo commented 6 years ago

@crysman this line should prevent page from reload https://github.com/owncloud/files_antivirus/blob/stable9.1/js/settings.js#L146

So either the javascript part is not loaded properly or admin page layout is broken.

crysman commented 6 years ago

@VicDeo well, this seems to be a good trail - there seems to be a problem with ACL, have look at this report from Chromium developer console when page https://cloud.mydomain.yeah/index.php/settings/admin is loaded (domain has been obfuscated by me):

10:24:57.502 admin:38 GET https://cloud.mydomain.yeah/apps/files_antivirus/css/settings.css?v=ae3f99d72dd26dc27594d009b55ac470 net::ERR_ABORTED
10:24:57.564 admin:104 GET https://cloud.mydomain.yeah/apps/files_antivirus/l10n/cs_CZ.js?v=ae3f99d72dd26dc27594d009b55ac470 net::ERR_ABORTED
10:24:57.587 admin:105 GET https://cloud.mydomain.yeah/apps/files_antivirus/js/settings.js?v=ae3f99d72dd26dc27594d009b55ac470 net::ERR_ABORTED
10:24:57.720 jquery-migrate.min.js?v=ae3f99d72dd26dc27594d009b55ac470:2 JQMIGRATE: Migrate is installed, version 1.4.0
10:24:58.016 admin:104 GET https://cloud.mydomain.yeah/apps/files_antivirus/l10n/cs_CZ.js?v=ae3f99d72dd26dc27594d009b55ac470 net::ERR_ABORTED
10:24:58.047 admin:105 GET https://cloud.mydomain.yeah/apps/files_antivirus/js/settings.js?v=ae3f99d72dd26dc27594d009b55ac470 403 (Forbidden)
10:24:58.543 jquery.js:8630 GET https://cloud.mydomain.yeah/data/htaccesstest.txt?t=1510737898274 403 (Forbidden)
send @ jquery.js:8630
ajax @ jquery.js:8166
checkDataProtected @ setupchecks.js?v=ae3f99d72dd26dc27594d009b55ac470:210
(anonymous) @ admin.js?v=ae3f99d72dd26dc27594d009b55ac470:179
j @ jquery.js:3099
fireWith @ jquery.js:3211
ready @ jquery.js:3417
I @ jquery.js:3433

What shall I do? Where do I find proper ACL settings and why is it wrong in the first place? Thanks

crysman commented 6 years ago

it seems to be quite inconsistent :/ look:

❯ pwd
/var/www/owncloud/apps
❯ ls -la
celkem 288
drwxrwx---+ 36 ocmydomainyeah www-data          4096 úno  3  2017 .
drwxrwx---+ 17 ocmydomainyeah www-data          4096 lis  8 22:23 ..
drwxrwx---+ 10 ocmydomainyeah www-data          4096 lis  8 22:23 activity
drwxrwx---+ 11 ocmydomainyeah ocmydomainyeah 4096 pro  9  2016 calendar
drwxr-xr-x+  7 root              root              4096 pro  9  2016 comments
drwxr-xr-x+  7 root              root              4096 lis  8 22:23 configreport
drwxrwx---+  9 ocmydomainyeah ocmydomainyeah 4096 pro  9  2016 contacts
drwxrwxr-x+ 11 ocmydomainyeah www-data          4096 čec 23  2015 conversations
drwxr-xr-x+  6 root              root              4096 pro  9  2016 dav
drwxrwx---+ 11 ocmydomainyeah ocmydomainyeah 4096 led 29  2016 documents
drwxr-xr-x+ 10 root              root              4096 pro  9  2016 encryption
drwxrwx---+ 10 ocmydomainyeah www-data          4096 lis  8 22:23 external
drwxr-xr-x+  9 root              root              4096 lis  8 22:23 federatedfilesharing
drwxr-xr-x+ 10 root              root              4096 pro  9  2016 federation
drwxrwx---+ 10 ocmydomainyeah www-data          4096 lis  8 22:23 files
drwxrwx---+ 10 ocmydomainyeah ocmydomainyeah 4096 lis  8 22:23 files_antivirus
drwxrwx---+ 14 ocmydomainyeah www-data          4096 čen 19  2015 files_encryption
drwxrwx---+ 12 ocmydomainyeah www-data          4096 lis  8 22:23 files_external
drwxr-xr-x+  9 root              root              4096 pro  9  2016 files_pdfviewer
drwxrwx---+ 11 ocmydomainyeah www-data          4096 lis  8 22:23 files_sharing
drwxrwx---+  9 ocmydomainyeah www-data          4096 pro  9  2016 files_texteditor
drwxr-xr-x+ 10 root              root              4096 lis  8 22:23 files_trashbin
drwxr-xr-x+  9 root              root              4096 lis  8 22:23 files_versions
drwxr-xr-x+  7 root              root              4096 lis  8 22:23 files_videoplayer
drwxr-xr-x+ 10 root              root              4096 lis  8 22:23 firstrunwizard
drwxr-xr-x+ 19 root              root              4096 lis  8 22:23 gallery
drwxrwx---+ 17 ocmydomainyeah ocmydomainyeah 4096 pro 24  2015 galleryplus
drwxrwx---+ 12 ocmydomainyeah ocmydomainyeah 4096 led 13  2016 notes
drwxr-xr-x+  8 root              root              4096 lis  8 22:23 notifications
drwxr-xr-x+  5 root              root              4096 pro  9  2016 provisioning_api
drwxr-xr-x+  9 root              root              4096 lis  8 22:23 systemtags
drwxrwx---+ 11 ocmydomainyeah ocmydomainyeah 4096 pro 28  2015 tasks
drwxr-xr-x+ 12 root              root              4096 lis  8 22:23 templateeditor
drwxr-xr-x+  7 root              root              4096 lis  8 22:23 updatenotification
drwxrwx---+  5 ocmydomainyeah www-data          4096 pro  9  2016 user_external
drwxrwx---+ 11 ocmydomainyeah www-data          4096 lis  8 22:23 user_ldap

row2hot commented 6 years ago

Hello,

I found a solution for our installation after doing some research with the "Chrome Developer-Tools". The "Chrome Developer-Tools" showed me the following error when I pressed the "save" button: An invalid form control with name='avPort' is not focusable.

Please switch the Antivirus-Configuration to "Daemon", it looks like this:

[screenshot]

Now fill the fields with valid data (Port and Host) and press "save". It should be possible now and the changes are permanent.

Now switch back to "Daemon (Socket)" and edit the settings to your needs and press "save" again. The bug is that in "Daemon-Mode" the port is set to 0, which is not in the target range 1-65535. When you set a valid port the bug is gone.

Regards

row2hot

crysman commented 6 years ago

This has fixed the problem:

❯ chown ocmydomainyeah:www-data files_antivirus

After making this change, apache2 no longer replied with "403 Forbidden" to some of the .js and .css files under files_antivirus.

I suppose it occurred a loong time ago, when files_antivirus had not been an official included app yet, and that it prevailed unfixed till these days.

Thanks @VicDeo for leading me to the javascript debug trail.

There is still one unanswered question here: What are the correct permissions for /var/www/owncloud/apps subfolders and files?
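
The 403 responses traced above came down to an app directory whose owner, group and mode left the web server without read and search permission. The following is an added example, not code from the thread or from ownCloud: it walks an apps directory and reports subdirectories the web server cannot enter, judged from owner, group and mode bits only. Assumptions: GNU `stat`, POSIX ACLs (the `+` shown by `ls -la`) are not evaluated, and the function name and arguments are hypothetical.

```sh
#!/bin/sh
# Added example: list app directories the web server cannot read and enter.
# Assumptions: GNU stat; only owner/group/mode bits are evaluated, POSIX
# ACLs (the "+" in ls -la) and supplementary groups are ignored.

# unreadable_apps APPS_DIR WEB_USER WEB_GROUP
# Prints one tab-separated line per problem directory:
#   path  owner:group  octal-mode  permission class that applies
unreadable_apps() (
  apps_dir=$1
  web_user=$2
  web_group=$3
  for dir in "$apps_dir"/*/; do
    [ -d "$dir" ] || continue
    dir=${dir%/}
    # %U owner name, %G group name, %a octal mode without leading zero
    set -- $(stat -c '%U %G %a' "$dir")
    owner=$1
    group=$2
    perm=$((0$3))          # re-read the mode as an octal number
    # Pick the permission triplet that applies to the web server.
    if [ "$owner" = "$web_user" ]; then
      bits=$(( (perm >> 6) & 7 )); class=owner
    elif [ "$group" = "$web_group" ]; then
      bits=$(( (perm >> 3) & 7 )); class=group
    else
      bits=$(( perm & 7 )); class=other
    fi
    # A directory needs r (4) and x (1) to be listed and traversed.
    if [ $(( bits & 5 )) -ne 5 ]; then
      printf '%s\t%s:%s\t%s\t%s\n' "$dir" "$owner" "$group" "$3" "$class"
    fi
  done
)

# Stand-alone use: sh audit_apps.sh /var/www/owncloud/apps www-data www-data
if [ "$#" -eq 3 ]; then
  unreadable_apps "$1" "$2" "$3"
fi
```

Run with `www-data` as user and group, a directory owned `ocmydomainyeah:ocmydomainyeah` with mode 770, as `files_antivirus` was before the `chown`, is reported; the same directory with group `www-data` is not.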

row2hot commented 6 years ago

Hi,

there are some "Post Installation Steps" with a Permission Script. Feel free to modify it for your Installation: https://doc.owncloud.org/server/10.0/admin_manual/installation/installation_wizard.html#post-installation-steps-label

Regards

row2hot

VicDeo commented 6 years ago

@crysman TL;DR
default permissions: 0644 for files, 0755 for directories
strict permissions: 0640 for files, 0750 for directories

Files and directories should be at least readable by the user that is used to run the webserver. To meet this requirement it is enough to have all files/dirs owned by this user.

The link provided by @row2hot comes from an ideal world of unix where the principle of least privilege rules and this is a basic hardening of ownCloud instance.

crysman commented 6 years ago

OK, thank you both. I had to modify the referred script in order to have our owncloud web functioning (it has stopped working after running the set-strict-permissions script - it ended with either NOT FOUND or 500 errors)

Namely, I had to set the owner of all files and directories to the webserver user, as @VicDeo says. However, I've left the permissions to be set strict (0640 + 0750) in the script. My modified script version:

❯ cat oc_setPermissions-semiStrict.sh
#!/bin/bash
# For hardened security we recommend setting the permissions on your ownCloud directories as strictly as possible, and for proper server operations.
# source: https://doc.owncloud.org/server/10.0/admin_manual/installation/installation_wizard.html#post-installation-steps-label

# modified to semi-strict version with not rooting the owner

ocpath='__CORRECTPATH__'
ocdata='__CORRECTPATH__'
# web server user: read from the "user = ..." line of the ownCloud php-fpm pool
htuser=$(grep owncloud /etc/php5/fpm/pool.d/owncloud.mydomain.conf | grep "user[[:blank:]]*=" | cut -d'=' -f2 | tr -d ' ')
# quoted, so an empty or multi-word result is handled correctly
if [ -z "$htuser" ]; then
  echo "ERR: unable to find the user :/" >&2
  exit 2
fi
htgroup='www-data'
rootuser='root'

printf "Creating possible missing Directories\n"
mkdir -p "$ocdata"
mkdir -p "$ocpath/updater"

# strict modes: 0640 for files, 0750 for directories
printf "chmod Files and Directories\n"
find "${ocpath}/" -type f -print0 | xargs -0 chmod 0640
find "${ocpath}/" -type d -print0 | xargs -0 chmod 0750
find "${ocdata}/" -type f -print0 | xargs -0 chmod 0640
find "${ocdata}/" -type d -print0 | xargs -0 chmod 0750

# everything under the ownCloud path is owned by the web server user
printf "chown Directories\n"
chown -R "${htuser}:${htgroup}" "${ocpath}/"

chmod +x "${ocpath}/occ"

# .htaccess files stay root-owned and group-readable
printf "chmod/chown .htaccess\n"
if [ -f "${ocpath}/.htaccess" ]
 then
  chmod 0644 "${ocpath}/.htaccess"
  chown "${rootuser}:${htgroup}" "${ocpath}/.htaccess"
fi
if [ -f "${ocdata}/.htaccess" ]
 then
  chmod 0644 "${ocdata}/.htaccess"
  chown "${rootuser}:${htgroup}" "${ocdata}/.htaccess"
fi

Is this safe enough?

crysman commented 6 years ago

No, I don't believe it's safe enough, since it has user-RW everywhere and the user is now the webserver user. What shall I do to both make it work and have it secure?

Is this default installation setup, though? I do not remember...

micbar commented 3 years ago

0640 and 0750 have been working for years now in prod deployments.