Closed crysman closed 3 years ago
Hi, I have a similar issue : I can't change any option (daemon mode, socket, port, length, ...) in the administration panel. Maybe this is the same issue ?
infos: ClamAV is running as daemon on a remote server, so no clamav binary installed on owncloud server.
ownCloud 9.0.1 (stable)
app: 0.8.0.1
php5-fpm 5.6.19
nginx 1.6.2
Hello Lqp1 and crysman,
maybe it's helpful to check the appconfig table via mysql @crysman
select * from oc_appconfig where appid like '%anti%' \G
...
*** 4. row ***
appid: files_antivirus
configkey: av_infected_action
configvalue: delete
If the scanner is working - maybe you can change it in the database as a workaround ...
By the way, I'm using 8.2.3 and 0.8.0.1 too - did you check your log in the admin panel? Did you try an activation/deactivation - are other apps in the app folder working?
Hi, Thanks for the feedback. Here's the output:
*** 4. row ***
appid: files_antivirus
configkey: av_infected_action
configvalue: NULL
I've "NULL" value for several other fields... So I changed all the fields manually (set to daemon, with right port, hosts, etc...) and now it shows up with the right parameters in Owncloud Administration Panel. Furthermore, it now works as expected when I upload files. So, this is a working workaround, thanks :)
But I think there is an issue because it's impossible to change the parameters from owncloud directly :/
Hmm, I see... this will be a problem (from the log):
file_exists(): open_basedir restriction in effect. File(/usr/bin/clamscan) is not within the allowed path(s):
But, when I try to change to "Daemon" mode, it does not let me :/ - still errors like this in the log.
How to solve it correctly?
Hello crysman,
how is your open_basedir set ? I found some hints in this article https://wiki.archlinux.org/index.php/OwnCloud - it's pointing to https://github.com/owncloud/core/search?q=open_basedir&type=Issues&utf8=%E2%9C%93
Maybe you'll find something there? P.S. Check your open_basedir settings via <?php phpinfo() ?> - maybe you can (for a test) comment it out/change it
Yep, I think you need to add /usr/bin/ to open_basedir if you want to use this mode for the plugin. If you want to use daemon mode, I think there is an issue in the plugin, and you can't change that from the menu... Just open mysql cli and update the fields manually.
I've added /usr/bin to the php_admin_value[open_basedir] but I am still unable to make it work.
Although there are no more error messages in the log, it does not let me change it to "Delete file" mode. What might be wrong?
Here is my output:
MariaDB [owncloud]> select * from oc_appconfig where appid like '%anti%' \G;
*************************** 1. row ***************************
appid: files_antivirus
configkey: av_path
configvalue: /usr/bin/clamscan
*************************** 2. row ***************************
appid: files_antivirus
configkey: enabled
configvalue: yes
*************************** 3. row ***************************
appid: files_antivirus
configkey: installed_version
configvalue: 0.8.0.1
*************************** 4. row ***************************
appid: files_antivirus
configkey: ocsid
configvalue: 157439
*************************** 5. row ***************************
appid: files_antivirus
configkey: types
configvalue: filesystem
5 rows in set (0.01 sec)
There is nothing like "av_infected_action", and consequently no NULL values, as you say. Does it mean I should add it?
Hi @crysman
Regarding open_basedir: did you check the value of open_basedir within PHP (as @marco-aa said, maybe check that the path is effectively in open_basedir in the page shown by <?php phpinfo() ?>)? If not, ensure that you changed the right php config file (for me it's the one of php-fpm). If it's correct, also check that clamscan is in this directory:
#whereis -b clamscan
clamscan: /usr/bin/clamscan
If not, you'll need to update the options "av_path".
Regarding your database, I think there are more options, as I have many more entries in MySQL:
mysql> select * from oc_appconfig where appid like '%anti%' \G;
*** 1. row ***
appid: files_antivirus
configkey: av_chunk_size
configvalue: 1024
*** 2. row ***
appid: files_antivirus
configkey: av_cmd_options
configvalue: NULL
*** 3. row ***
appid: files_antivirus
configkey: av_host
configvalue: 10.7.0.1
*** 4. row ***
appid: files_antivirus
configkey: av_infected_action
configvalue: delete
*** 5. row ***
appid: files_antivirus
configkey: av_mode
configvalue: daemon
*** 6. row ***
appid: files_antivirus
configkey: av_path
configvalue: /usr/bin/clamscan
*** 7. row ***
appid: files_antivirus
configkey: av_port
configvalue: 3310
*** 8. row ***
appid: files_antivirus
configkey: av_socket
configvalue: NULL
*** 9. row ***
appid: files_antivirus
configkey: enabled
configvalue: yes
*** 10. row ***
appid: files_antivirus
configkey: installed_version
configvalue: 0.8.0.1
*** 11. row ***
appid: files_antivirus
configkey: ocsid
configvalue: 157439
*** 12. row ***
appid: files_antivirus
configkey: signed
configvalue: true
*** 13. row ***
appid: files_antivirus
configkey: types
configvalue: filesystem
Maybe the missing entries are created when needed (like for daemon mode or socket mode). You can try to update/create those fields manually ? It will allow you to change options, but you'll need to fix the open_basedir issue anyway :)
Yes, I did check it via phpinfo() and indeed, it is there. Have a look in the config:
⚡ cat /etc/php5/fpm/pool.d/owncloud.mysite.cz.conf | grep basedir
php_admin_value[open_basedir] = /var/www/owncloud:/domains/mysite.cz/tmp/owncloud:/usr/share/php/XML:/dev/urandom:/tmp:/usr/bin
Clamscan is, indeed, in /usr/bin:
⚡ which clamscan
/usr/bin/clamscan
There are no errors regarding missing clamscan or PHP basedir in the log, so that is not an issue. I have only "Official" plugins enabled:
⚡ sudo -u mysiteuser php owncloud/occ app:list
Enabled:
- activity: 2.1.4
- external: 1.2
- files: 1.2.1
- files_antivirus: 0.8.0.1
- files_sharing: 0.7.0
- files_texteditor: 2.0
- files_trashbin: 0.7.0
- files_versions: 1.1.0
- gallery: 14.2.0
- provisioning_api: 0.3.0
- user_external: 0.4
Disabled:
- calendar
- contacts
- conversations
- documents
- encryption
- files_encryption
- files_external
- files_pdfviewer
- files_videoviewer
- firstrunwizard
- galleryplus
- notes
- notifications
- tasks
- templateeditor
- user_ldap
I've already:
No success :/
So the question remains: What is wrong with the plugin? How to make it work without direct DB changes?
Doesn't my owncloud PHP website need also access to /var/run/clamav/ (There is a default "Socket" option in the Antivirus Configuration containing "/var/run/clamav/clamd.ctl")
But I believe the plugin is broken somehow, because e.g. the "Add + rule" button doesn't do anything (see https://github.com/owncloud/files_antivirus/issues/108)
EDIT 2016-05-11: I've added "/var/run/clamav" to the PHP's open_basedir in order to try the Daemon socket mode, but no luck. The UI doesn't let me change anything in the admin menu, even though there are no more AV-plugin-related errors in the log.
I think you're right, and the plugin is broken... I hope someone else will be able to help us with this issue...
The "Add + rule" button and plugin setup without direct DB access do not work in my setup either... Maybe it's related to the fix in commit 8bea266cf14d696c363d7a844d8b12217512fae9 in PR #111. If you really need to add more rules, you can give it a try?
owncloud PHP user must have access to /var/run/clamav only if you use AV plugin in socket mode. If using binary mode, you must only set open_basedir.
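The open_basedir checks discussed above can be done without loading phpinfo(). The following is an added example, not part of the thread or of the plugin: it pulls the value out of a php-fpm pool line and tests the two paths the antivirus app needs (the clamscan binary for executable mode, the clamd socket for socket mode). The function names are hypothetical, the sample line is the pool setting quoted earlier in the thread, and each entry is treated as a directory.

```shell
#!/bin/sh
# Added example; function names are hypothetical.

# Print the open_basedir value found in php-fpm pool config text on stdin.
basedir_from_pool_conf() {
    sed -n 's/^[[:space:]]*php_admin_value\[open_basedir\][[:space:]]*=[[:space:]]*//p'
}

# Succeed when absolute path $2 lies inside one of the colon-separated
# directories in $1. PHP resolves symlinks before comparing, so pass the
# canonical path (e.g. the output of `readlink -f`) on a live system.
# The body runs in a subshell so the IFS and globbing changes stay local.
in_open_basedir() (
    IFS=:
    set -f
    for dir in $1; do
        [ -n "$dir" ] || continue      # ignore empty entries ("a::b")
        dir=${dir%/}                   # "/usr/bin/" and "/usr/bin" are equal
        case $2 in
            "$dir"|"$dir"/*) exit 0 ;;
        esac
    done
    exit 1
)

# Report on the two paths files_antivirus touches, per mode.
report_av_paths() {
    for p in /usr/bin/clamscan /var/run/clamav/clamd.ctl; do
        if in_open_basedir "$1" "$p"; then
            echo "allowed $p"
        else
            echo "blocked $p"
        fi
    done
}

# Pool setting as posted in the thread (before /var/run/clamav was added).
pool_line='php_admin_value[open_basedir] = /var/www/owncloud:/domains/mysite.cz/tmp/owncloud:/usr/share/php/XML:/dev/urandom:/tmp:/usr/bin'

report_av_paths "$(printf '%s\n' "$pool_line" | basedir_from_pool_conf)"
```

With that setting, executable mode passes the check and socket mode does not, which matches the later edit that adds /var/run/clamav.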
I've just found out that the plugin kind of works. "Kind of" means:
the "executable" mode is enabled and obviously works, because:
a) since the php errors are gone, the server reports CPU overusage, which is something that has never happened before
b) the client refuses to upload a virus sample to the server and reports it in my local log:
11.05.16 16:01:07tmp/VIRUSTEST ownCloud The item is not synced because of previous errors: Error downloading https://cloud.mysite.cz/remote.php/webdav/tmp/VIRUSTEST - server replied: Unsupported Media Type (Virus SecuriteInfo.com.TR.Crypt.ZPACK.mlap.1703.26433.26942.UNOFFICIAL is detected in the file. Upload cannot be completed.)
11.05.16 16:00:48tmp/VIRUSTEST ownCloud Error downloading https://cloud.mysite.cz/remote.php/webdav/tmp/VIRUSTEST - server replied: Unsupported Media Type (Virus SecuriteInfo.com.TR.Crypt.ZPACK.mlap.1703.26433.26942.UNOFFICIAL is detected in the file. Upload cannot be completed.)152 KiB
So this is the issue now. Any optimistic future in the horizon?
Adding required options directly to the DB and modifying some already existing values has solved partially the problem. Partially, because:
I'm glad to hear you finally make it work. I hope this issue will find a decent fix because this is really annoying.
I never was able to reproduce it.
advanced section (Mode, Action for infected files found while scanning, etc)
Save
Everything is saved
Rules in advanced section are broken indeed. Everyone is welcome to test https://github.com/owncloud/files_antivirus/pull/111 on this matter
I just upgraded to OC 9.0.4, with files_antivirus v0.8.0.2 (I manually downloaded Tag 9.04). After that I disabled then re-enabled the application (just in case). When I go to the administration panel, I change the port or the action to perform when a virus is found, then I click "save" and a green text appears telling me it's OK. If I go back to the administration panel (refresh or log out/in), the setting is not saved.
@Lqp1 is it still reproducible with more recent versions?
@VicDeo I downloaded tag version v9.0.7RC1 (it shows v0.8.1.0 in OC) for my 9.0.4 owncloud and uncompressed the new archive in the "apps" folder. I reproduced the same issue as in my previous post. So if I want to change some parameters, I need to connect to my database directly.
Maybe should I try a 9.1.X owncloud version ?
Maybe some log may help ? When I click on save, nginx returns HTTP 200, this is why I get the green text I guess; but there is nothing in owncloud.log (even if I set log level to debug, so maybe i do something the wrong way?)
We've just upgraded to OC 9.1.2 (stable), issue still persists. PHP 5.6.27 Apache/2.4.10
Issue still persists with oC 9.1.4, files_antivirus 0.9.0.0, PHP 5.6.30.
Any chance to get this fixed? After one whole year and 2 months, I am still unable to change settings for this plugin in the UI. Any changes are not being saved. I cannot believe we are just 3 users here actually trying to use this plugin, since I consider it quite essential (for security reasons of course)
@crysman
Are you able to change other antivirus settings?
What comes in response from the server when you click Save?
no message at all, page is reloaded, modified settings are gone (page is reloaded with the same settings as before changing them) using ownCloud 9.1.4 (stable)
there is only the error message with the code integrity warning, but that message is there all the time anyway (we need lib/imap.php modified)
@crysman this line should prevent page from reload https://github.com/owncloud/files_antivirus/blob/stable9.1/js/settings.js#L146
So either the javascript part is not loaded properly or admin page layout is broken.
@VicDeo well, this seems to be a good trail - there seems to be a problem with ACL, have a look at this report from the Chromium developer console when page https://cloud.mydomain.yeah/index.php/settings/admin is loaded (domain has been obfuscated by me):
10:24:57.502 admin:38 GET https://cloud.mydomain.yeah/apps/files_antivirus/css/settings.css?v=ae3f99d72dd26dc27594d009b55ac470 net::ERR_ABORTED
10:24:57.564 admin:104 GET https://cloud.mydomain.yeah/apps/files_antivirus/l10n/cs_CZ.js?v=ae3f99d72dd26dc27594d009b55ac470 net::ERR_ABORTED
10:24:57.587 admin:105 GET https://cloud.mydomain.yeah/apps/files_antivirus/js/settings.js?v=ae3f99d72dd26dc27594d009b55ac470 net::ERR_ABORTED
10:24:57.720 jquery-migrate.min.js?v=ae3f99d72dd26dc27594d009b55ac470:2 JQMIGRATE: Migrate is installed, version 1.4.0
10:24:58.016 admin:104 GET https://cloud.mydomain.yeah/apps/files_antivirus/l10n/cs_CZ.js?v=ae3f99d72dd26dc27594d009b55ac470 net::ERR_ABORTED
10:24:58.047 admin:105 GET https://cloud.mydomain.yeah/apps/files_antivirus/js/settings.js?v=ae3f99d72dd26dc27594d009b55ac470 403 (Forbidden)
10:24:58.543 jquery.js:8630 GET https://cloud.mydomain.yeah/data/htaccesstest.txt?t=1510737898274 403 (Forbidden)
send @ jquery.js:8630
ajax @ jquery.js:8166
checkDataProtected @ setupchecks.js?v=ae3f99d72dd26dc27594d009b55ac470:210
(anonymous) @ admin.js?v=ae3f99d72dd26dc27594d009b55ac470:179
j @ jquery.js:3099
fireWith @ jquery.js:3211
ready @ jquery.js:3417
I @ jquery.js:3433
What shall I do? Where do I find proper ACL settings and why is it wrong in the first place? Thanks
it seems to be quite inconsistent :/ look:
❯ pwd
/var/www/owncloud/apps
❯ ls -la
celkem 288
drwxrwx---+ 36 ocmydomainyeah www-data 4096 úno 3 2017 .
drwxrwx---+ 17 ocmydomainyeah www-data 4096 lis 8 22:23 ..
drwxrwx---+ 10 ocmydomainyeah www-data 4096 lis 8 22:23 activity
drwxrwx---+ 11 ocmydomainyeah ocmydomainyeah 4096 pro 9 2016 calendar
drwxr-xr-x+ 7 root root 4096 pro 9 2016 comments
drwxr-xr-x+ 7 root root 4096 lis 8 22:23 configreport
drwxrwx---+ 9 ocmydomainyeah ocmydomainyeah 4096 pro 9 2016 contacts
drwxrwxr-x+ 11 ocmydomainyeah www-data 4096 čec 23 2015 conversations
drwxr-xr-x+ 6 root root 4096 pro 9 2016 dav
drwxrwx---+ 11 ocmydomainyeah ocmydomainyeah 4096 led 29 2016 documents
drwxr-xr-x+ 10 root root 4096 pro 9 2016 encryption
drwxrwx---+ 10 ocmydomainyeah www-data 4096 lis 8 22:23 external
drwxr-xr-x+ 9 root root 4096 lis 8 22:23 federatedfilesharing
drwxr-xr-x+ 10 root root 4096 pro 9 2016 federation
drwxrwx---+ 10 ocmydomainyeah www-data 4096 lis 8 22:23 files
drwxrwx---+ 10 ocmydomainyeah ocmydomainyeah 4096 lis 8 22:23 files_antivirus
drwxrwx---+ 14 ocmydomainyeah www-data 4096 čen 19 2015 files_encryption
drwxrwx---+ 12 ocmydomainyeah www-data 4096 lis 8 22:23 files_external
drwxr-xr-x+ 9 root root 4096 pro 9 2016 files_pdfviewer
drwxrwx---+ 11 ocmydomainyeah www-data 4096 lis 8 22:23 files_sharing
drwxrwx---+ 9 ocmydomainyeah www-data 4096 pro 9 2016 files_texteditor
drwxr-xr-x+ 10 root root 4096 lis 8 22:23 files_trashbin
drwxr-xr-x+ 9 root root 4096 lis 8 22:23 files_versions
drwxr-xr-x+ 7 root root 4096 lis 8 22:23 files_videoplayer
drwxr-xr-x+ 10 root root 4096 lis 8 22:23 firstrunwizard
drwxr-xr-x+ 19 root root 4096 lis 8 22:23 gallery
drwxrwx---+ 17 ocmydomainyeah ocmydomainyeah 4096 pro 24 2015 galleryplus
drwxrwx---+ 12 ocmydomainyeah ocmydomainyeah 4096 led 13 2016 notes
drwxr-xr-x+ 8 root root 4096 lis 8 22:23 notifications
drwxr-xr-x+ 5 root root 4096 pro 9 2016 provisioning_api
drwxr-xr-x+ 9 root root 4096 lis 8 22:23 systemtags
drwxrwx---+ 11 ocmydomainyeah ocmydomainyeah 4096 pro 28 2015 tasks
drwxr-xr-x+ 12 root root 4096 lis 8 22:23 templateeditor
drwxr-xr-x+ 7 root root 4096 lis 8 22:23 updatenotification
drwxrwx---+ 5 ocmydomainyeah www-data 4096 pro 9 2016 user_external
drwxrwx---+ 11 ocmydomainyeah www-data 4096 lis 8 22:23 user_ldap
Hello,
I found a solution for our installation, after doing some research with the "Chrome Developer-Tools". The "Chrome Developer-Tools" showed me the following error when I pressed the "save" button: An invalid form control with name='avPort' is not focusable.
Please switch the Antivirus-Configuration to "Daemon" it looks like this:
Now fill the Fields with valid Data (Port and Host) press "save". It should be possible now and the Changes are permanent.
Now switch back to "Daemon (Socket)" and edit the settings to your needs and press "save" again. The bug is that in "Daemon-Mode" the port is set to 0, which is not in the target range 1-65535. When you set a valid port, the bug is gone.
Regards
row2hot
This has fixed the problem:
❯ chown ocmydomainyeah:www-data files_antivirus
After making this change, apache2 no longer replied with "403 Forbidden" to some of the .js and .css files under files_antivirus.
I suppose it occurred a long time ago, when files_antivirus had not been an official included app yet, and that it prevailed unfixed till these days.
Thanks @VicDeo for leading me to the javascript debug trail.
There is still one unanswered question here: What are the correct permissions for /var/www/owncloud/apps subfolders and files?
Hi,
there are some "Post Installation Steps" with a Permission Script. Feel free to modify it for your Installation: https://doc.owncloud.org/server/10.0/admin_manual/installation/installation_wizard.html#post-installation-steps-label
Regards
row2hot
@crysman
TL;DR
default permissions: 0644 for files, 0755 for directories
strict permissions: 0640 for files, 0750 for directories
Files and directories should be at least readable by the user that is used to run the webserver. To meet this requirement it is enough to have all files/dirs owned by this user.
The link provided by @row2hot comes from an ideal world of unix where the principle of least privilege rules and this is a basic hardening of ownCloud instance.
OK, thank you both. I had to modify the referred script in order to have our owncloud web functioning (it stopped working after running the set-strict-permissions script - it ended with either NOT FOUND or 500 errors)
Namely, I had to set the owner of all files and directories to the webserver user, as @VicDeo says. However, I've left the permissions to be set strict (0640 + 0750) in the script. My modified script version:
❯ cat oc_setPermissions-semiStrict.sh
#!/bin/bash
# For hardened security we recommend setting the permissions on your ownCloud directories as strictly as possible, and for proper server operations.
# source: https://doc.owncloud.org/server/10.0/admin_manual/installation/installation_wizard.html#post-installation-steps-label
# modified to semi-strict version with not rooting the owner
ocpath='__CORRECTPATH__'
ocdata='__CORRECTPATH__'
# Take the web user from the "user = ..." line of the php-fpm pool config.
htuser=$(grep owncloud /etc/php5/fpm/pool.d/owncloud.mydomain.conf | grep "user[[:blank:]]*=" | cut -d'=' -f2 | tr -d ' ')
test -z "$htuser" && {
    echo "ERR: unable to find the user :/" >&2
    exit 2
}
htgroup='www-data'
rootuser='root'

printf "Creating possible missing Directories\n"
mkdir -p "$ocdata"
mkdir -p "$ocpath/updater"

# Strict modes: 0640 for files, 0750 for directories.
printf "chmod Files and Directories\n"
find "${ocpath}/" -type f -print0 | xargs -0 chmod 0640
find "${ocpath}/" -type d -print0 | xargs -0 chmod 0750
find "${ocdata}/" -type f -print0 | xargs -0 chmod 0640
find "${ocdata}/" -type d -print0 | xargs -0 chmod 0750

# Everything under ocpath is owned by the web user (the "semi-strict" part).
printf "chown Directories\n"
chown -R "${htuser}:${htgroup}" "${ocpath}/"
chmod +x "${ocpath}/occ"

# .htaccess files stay owned by root and readable by the web group.
printf "chmod/chown .htaccess\n"
if [ -f "${ocpath}/.htaccess" ]
then
    chmod 0644 "${ocpath}/.htaccess"
    chown "${rootuser}:${htgroup}" "${ocpath}/.htaccess"
fi
if [ -f "${ocdata}/.htaccess" ]
then
    chmod 0644 "${ocdata}/.htaccess"
    chown "${rootuser}:${htgroup}" "${ocdata}/.htaccess"
fi
Is this safe enough?
No, I don't believe it's safe enough, since it has user-RW everywhere and the user is now the webserver user. What shall I do to both make it work and have it secure?
Is this default installation setup, though? I do not remember...
0640 and 0750 is working since years now in prod deployments.
I am unable to change to "delete the file" instead of "log only" in the plugin options. Why? Any hints?
owncloud: ownCloud 8.2.3 (stable) app: Antivirus App for files 0.8.0.1 php 5.5.30