Passing --fdpass or --stream to clamdscan works for calling up a scan on the command
prompt; however, calling it through MediaWiki (via the chrooted web user www) still fails
with an error 127. If I make a file called test.php containing:
<?php
define("MEDIAWIKI", "mediawiki");
require_once("/htdocs/w/includes/GlobalFunctions.php" );
$output = wfShellExec( "command=/usr/local/bin/clamdscan --fdpass --no-summary '/htdocs/file.txt' 2>&1", $exitCode );
echo "exitcode is $exitCode";
?>
Executing "chroot -u www /var/www /usr/local/bin/clamdscan --fdpass --no-summary
'/htdocs/file.txt' 2>&1" will work just fine but running the script
will always fail with error 127. Even substituting in the $output line something like
wfShellExec( "/bin/echo 'hello world' > world.txt" ); will always
fail with error 127 as well, despite echo being at /var/www/bin/echo and permissions
readable and executable by the proper www user. Appears that there may be something up
with how MediaWiki is executing shell commands; maybe I'm going about testing this the
wrong way.
Thanks for the insight.
-------- Original Message --------
From: Platonides <Platonides(a)gmail.com>
Apparently from: mediawiki-l-bounces(a)lists.wikimedia.org
To: mediawiki-l(a)lists.wikimedia.org
Subject: Re: [Mediawiki-l] Setting up clamav for chrooted apache
Date: Fri, 03 Sep 2010 23:02:09 +0200
tojja(a)Safe-mail.net wrote:
Thanks for the suggestion Platonides. After some
digging around it appears that I have the same problem identified at
http://readlist.com/lists/lists.clamav.net/clamav-users/1/6452.html which looks to be a
problem with clamdscan passing a path within the chroot to clamd which typically won't
exist. To test this one can 'touch /var/www/tmp/test' then 'chroot -u www
/var/www /usr/local/bin/clamdscan /tmp/test' and it will fail with '/tmp/test:
lstat() failed: No such file or directory. ERROR'. Now if one executes 'touch
/tmp/test' and tries to scan within the chroot again it will work (barring any
permissions problems). What I need is a way to tell clamd to append the chroot path onto
the path supplied by clamdscan or trick clamdscan to not check for file existence since
clamdscan checks if the path is valid inside the chroot then passes the path directly to
clamd.

Try passing --fdpass or --stream to clamdscan.
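
Added example, not part of the original thread and not ClamAV code: a Python sketch of why a by-name lookup of /tmp/test fails when client and daemon have different roots, and why handing over an open file descriptor on a Unix socket (the mechanism behind clamdscan --fdpass) avoids the lookup. The directory layout, function names and one-byte message are assumptions made for the illustration; requires Python 3.9+ on a Unix system.

```python
import os
import socket
import tempfile

def scan_by_path(path, daemon_root):
    """Daemon-side open by name: the path is resolved in the daemon's own
    namespace (daemon_root stands in for the host's real '/')."""
    with open(os.path.join(daemon_root, path.lstrip("/")), "rb") as fh:
        return fh.read()

def scan_by_fd(path, client_root):
    """Client opens the file under its own root and ships only the
    descriptor over a Unix socket (SCM_RIGHTS); no path reaches the daemon."""
    client, daemon = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        with open(os.path.join(client_root, path.lstrip("/")), "rb") as fh:
            socket.send_fds(client, [b"F"], [fh.fileno()])
        _msg, fds, _flags, _addr = socket.recv_fds(daemon, 1, 1)
        with os.fdopen(fds[0], "rb") as received:
            return received.read()
    finally:
        client.close()
        daemon.close()

def demo():
    """Return (path_lookup_failed, bytes_read_via_fd) for a constructed layout."""
    with tempfile.TemporaryDirectory() as host_root:
        chroot = os.path.join(host_root, "var", "www")  # stand-in for /var/www
        os.makedirs(os.path.join(chroot, "tmp"))
        os.makedirs(os.path.join(host_root, "tmp"))      # host /tmp, no 'test' in it
        with open(os.path.join(chroot, "tmp", "test"), "wb") as fh:
            fh.write(b"constructed sample data")
        try:
            scan_by_path("/tmp/test", host_root)          # daemon resolves outside the chroot
            failed = False
        except FileNotFoundError:
            failed = True
        return failed, scan_by_fd("/tmp/test", chroot)

if __name__ == "__main__":
    print(demo())
```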