Passing --fdpass or --stream to clamdscan works for calling up a scan on the command prompt however calling it through mediawiki (via the chrooted web user www) still fails with an error 127. If I make a file called test.php containing: <?php define("MEDIAWIKI", "mediawiki"); require_once("/htdocs/w/includes/GlobalFunctions.php" ); $output = wfShellExec( "command=/usr/local/bin/clamdscan --fdpass --no-summary '/htdocs/file.txt' 2>&1, $exitCode ); echo "exitcode is $exitCode"; ?>
Executing "chroot -u www /var/www /usr/local/bin/clamdscan --fdpass --no-summary '/htdocs/file.txt' 2>&1" will work just fine but running the script will always fail with error 127. Even substituting in the $output line something like wfShellExec( "/bin/echo 'hello world' > world.txt" ); will always fail with error 127 as well, despite echo being at /var/www/bin/echo and permissions readable and executable by the proper www user. Appears that there may be something up with how mediawiki is executing shell commands, maybe I'm going about testing this the wrong way.
Thanks for the insight.
-------- Original Message -------- From: Platonides Platonides@gmail.com Apparently from: mediawiki-l-bounces@lists.wikimedia.org To: mediawiki-l@lists.wikimedia.org Subject: Re: [Mediawiki-l] Setting up clamav for chrooted apache Date: Fri, 03 Sep 2010 23:02:09 +0200
tojja@Safe-mail.net wrote:
Thanks for the suggestion Platonides. After some digging around it appears that I have the same problem identified at http://readlist.com/lists/lists.clamav.net/clamav-users/1/6452.html which looks to be a problem with clamdscan passing a path within the chroot to clamd which typically won't exist. To test this one can 'touch /var/www/tmp/test' then 'chroot -u www /var/www /usr/local/bin/clamdscan /tmp/test' and it will fail with '/tmp/test: lstat() failed: No such file or directory. ERROR'. Now if one executes 'touch /tmp/test' and tries to scan within the chroot again it will work (barring any permissions problems). What I need is a way to tell clamd to append the chroot path onto the path supplied by clamdscan or trick clamdscan to not check for file existence since clamdscan checks if the path is valid inside the chroot then passes the path directly to clamd.
Try passing --fdpass or --stream to clamdscan.
tojja@Safe-mail.net wrote:
Passing --fdpass or --stream to clamdscan works for calling up a scan on the command prompt however calling it through mediawiki (via the chrooted web user www) still fails with an error 127. If I make a file called test.php containing:
<?php define("MEDIAWIKI", "mediawiki"); require_once("/htdocs/w/includes/GlobalFunctions.php" ); $output = wfShellExec( "command=/usr/local/bin/clamdscan --fdpass --no-summary '/htdocs/file.txt' 2>&1, $exitCode ); echo "exitcode is $exitCode"; ?>
Executing "chroot -u www /var/www /usr/local/bin/clamdscan --fdpass --no-summary '/htdocs/file.txt' 2>&1" will work just fine but running the script will always fail with error 127. Even substituting in the $output line something like wfShellExec( "/bin/echo 'hello world' > world.txt" ); will always fail with error 127 as well, despite echo being at /var/www/bin/echo and permissions readable and executable by the proper www user. Appears that there may be something up with how mediawiki is executing shell commands, maybe I'm going about testing this the wrong way.
Thanks for the insight.
Exit code 127 is usually the shell not finding out the executable. Try removing command= from the beginning (you also miss the closing of the double quotes, by that seems an overlook on copying).
mediawiki-l@lists.wikimedia.org