[Mediawiki-l] Setting up clamav for chrooted apache

tojja at Safe-mail.net tojja at Safe-mail.net
Sun Sep 5 19:41:43 UTC 2010


Passing --fdpass or --stream to clamdscan works for calling up a scan on the command prompt; however, calling it through MediaWiki (via the chrooted web user www) still fails with an error 127.  If I make a file called test.php containing:
<?php
define("MEDIAWIKI", "mediawiki");
require_once("/htdocs/w/includes/GlobalFunctions.php" );
$output = wfShellExec( "command=/usr/local/bin/clamdscan --fdpass --no-summary '/htdocs/file.txt' 2>&1", $exitCode );
echo "exitcode is $exitCode";
?>

Executing "chroot -u www /var/www /usr/local/bin/clamdscan --fdpass --no-summary '/htdocs/file.txt' 2>&1" will work just fine but running the script will always fail with error 127.  Even substituting in the $output line something like wfShellExec( "/bin/echo 'hello world' > world.txt" ); will always fail with error 127 as well, despite echo being at /var/www/bin/echo and permissions readable and executable by the proper www user.  It appears that there may be something up with how MediaWiki is executing shell commands; maybe I'm going about testing this the wrong way.

Thanks for the insight.

-------- Original Message --------
From: Platonides <Platonides at gmail.com>
Apparently from: mediawiki-l-bounces at lists.wikimedia.org
To: mediawiki-l at lists.wikimedia.org
Subject: Re: [Mediawiki-l] Setting up clamav for chrooted apache
Date: Fri, 03 Sep 2010 23:02:09 +0200

> tojja at Safe-mail.net wrote:
> > Thanks for the suggestion Platonides.  After some digging around it appears that I have the same problem identified at http://readlist.com/lists/lists.clamav.net/clamav-users/1/6452.html which looks to be a problem with clamdscan passing a path within the chroot to clamd which typically won't exist.  To test this one can 'touch /var/www/tmp/test' then 'chroot -u www /var/www /usr/local/bin/clamdscan /tmp/test' and it will fail with '/tmp/test: lstat() failed: No such file or directory.  ERROR'.  Now if one executes 'touch /tmp/test' and tries to scan within the chroot again it will work (barring any permissions problems).  What I need is a way to tell clamd to append the chroot path onto the path supplied by clamdscan or trick clamdscan to not check for file existence since clamdscan checks if the path is valid inside the chroot then passes the path directly to clamd.
> 
> Try passing --fdpass or --stream to clamdscan.
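
An added illustration (not part of the thread, and not ClamAV's code or wire protocol) of why passing a descriptor helps where a path fails: a simplified model in which a client confined to a directory standing in for the chroot asks a daemon outside it to read a file, first by path and then by sending the open descriptor over a Unix socket. The function names, the PATH/FD message format and the sample file are assumptions made for this example.

```python
import array, os, socket, tempfile

def daemon_scan(sock):
    """Daemon side of the model: serve one request in the daemon's own namespace."""
    fds = array.array("i")
    msg, ancdata, _, _ = sock.recvmsg(4096, socket.CMSG_LEN(fds.itemsize))
    if msg.startswith(b"PATH "):
        path = msg[5:].decode()
        try:
            os.lstat(path)  # resolved outside the chroot, so the prefix is missing
        except FileNotFoundError:
            return f"{path}: lstat() failed: No such file or directory. ERROR"
        with open(path, "rb") as f:
            return f"{path}: OK ({len(f.read())} bytes read)"
    # FD request: the descriptor arrives as SCM_RIGHTS ancillary data.
    for level, ctype, data in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_RIGHTS:
            fds.frombytes(data[:len(data) - len(data) % fds.itemsize])
    with os.fdopen(fds[0], "rb") as f:
        return f"fd: OK ({len(f.read())} bytes read)"

def client_scan(sock, chroot_root, path_in_chroot, fdpass):
    """Client side of the model: it sees chroot_root as if it were /."""
    if not fdpass:
        # Path mode: the name sent is only meaningful inside the chroot.
        sock.sendmsg([b"PATH " + path_in_chroot.encode()])
        return
    fd = os.open(os.path.join(chroot_root, path_in_chroot.lstrip("/")), os.O_RDONLY)
    try:
        # Descriptor mode: the open file itself crosses the socket, no name needed.
        rights = (socket.SOL_SOCKET, socket.SCM_RIGHTS, array.array("i", [fd]))
        sock.sendmsg([b"FD"], [rights])
    finally:
        os.close(fd)

def demo():
    """Run both modes against a constructed file; return the daemon's replies."""
    results = {}
    with tempfile.TemporaryDirectory() as root:  # stands in for the chroot directory
        name = "/tmp-upload/constructed-sample.txt"  # constructed, absent on the host
        os.makedirs(os.path.join(root, "tmp-upload"))
        with open(root + name, "wb") as f:
            f.write(b"constructed sample upload\n")
        for mode, fdpass in (("path", False), ("fdpass", True)):
            client, daemon = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
            with client, daemon:
                client_scan(client, root, name, fdpass)
                results[mode] = daemon_scan(daemon)
    return results

if __name__ == "__main__":
    print(demo())
```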


