--- /dev/null
+#!/bin/bash
+#
+# $Id: update_sanesecurity.sh 706 2008-09-15 20:27:11Z mendel $
+#
+# A Modified version of the update script originally written by
+# Bill Landry
+#
+# Modified by Rick Cooper: Contact sanescript@dwford.com
+#
+# Modified by Norbert Buchmuller <norbi@nix.hu>
+#
+# TODO:
+# * split off changelog to a separate file
+# * split off configuration to a separate file
+# * support optional gzipping (if the downloaded file ends in .gz|.bz2, unzip it)
+# * support for protocol (rsync://|http://|https://|ftp://) auto-detection (and call the appropriate download method)
+# * support for more flexible download URLs (a list of them eg.)
+# * support for external configuration file
+# * support for additional DBs (securiteinfo.com, www.malware.com.br)
+#
+# Last updated Sep 15, 2008
+# FIX 09/15/2008
+# Looks for 'main.cld' in $clam_db_dir as new versions of ClamAV use
+# '.cld' extension for virus definition files.
+#
+# FIX 04/26/2008
+# Changed '--debug' to mean '--syslog-loglevel=none --stderr-loglevel=debug'.
+# Added diagnostic message when tty is detected (and so random sleep is disabled).
+#
+# FIX 12/21/2007
+# Fixed a grave bug: previously it failed to detect if the newly downloaded
+# database was corrupt.
+# Detects if the user runs the script from a terminal, and disables
+# the random sleep if it is so.
+#
+# FIX 09/26/2007
+# Fixed a bug: now it passes the log levels to the unprivileged child.
+# Fixed a bug: now the unprivileged child does not attempt to reload ClamAV db.
+# Prints usage message if asked for.
+#
+# FIX 09/21/2007
+# Added SELinux support.
+# Thanks Andrew Colin Kissa <kissaa@sentech.co.za>.
+# Added support to run the script as root (the superuser privileges are only used
+# when changing the owner:group and security context of the signature files,
+# and when reloading clamd).
+#
+# FIX 09/20/2007
+# Fixed a bug introduced by the 08/28/2007 change: the "SPAM.ndb" file was saved
+# (incorrectly) with the name "SPAM.hdb" and thus ClamAV refused to load it.
+# Thanks Keith Brazington <keith@quetz.co.uk>.
+#
+# FIX 08/28/2007
+# Refactored logging to avoid code/text duplication.
+# Refactored downloading to avoid code duplication.
+# Split up the main function into smaller ones.
+# Should be started as the clamav user, not root to avoid
+# security implications.
+# Uses proper temporary dir creation method (mktemp(1)) to avoid
+# security implications.
+# It is assured that a non-zero exit status is used when exiting because of an error.
+# Uses 'mail' syslog facility.
+# Different syslog log priorities are used for messages with different severity.
+# Diagnostic messages (incl. debug messages) go to stderr instead of stdout.
+# More careful quoting to allow spaces or other unexpected chars in variables.
+# Checking carefully for the exit status of all the important commands.
+# Rsync downloads the new signature file to a temporary directory
+# and only installs it after it is verified that ClamAV accepts
+# the signature file. (Note: This requires a relatively new version of Rsync
+# because versions older than cca. 2.6.9 unconditionally download the file, even
+# if it did not change.)
+# Uses '-p' option of 'cp' to preserve modification times.
+# No separate log files for each command, instead their output is logged if
+# they return a non-zero exit status.
+# PATH is appended to, not overwritten.
+# Use 'type -P' instead of 'which'.
+# Fixed a few typos.
+#
+# FIX 08/13/2007
+# Using new SaneSecurity URLs
+#
+# FIX 06/30/2007
+# Removed the -h (human readable) option from the rsync command line
+# as this was for the help option in older versions of rsync, and
+# it's not worth maintaining two versions of the command based on
+# rsync version. Thanks for the bug report Chris
+# Changed the SCAM_SIGS_URL variable to point to the proper URL. The old one
+# worked but this one is the correct/desired URL Thanks Steve Basford.
+#
+# FIX 06/27/2007
+# Fixed incorrect check on CURL return code in phish.db section
+# causing it to consider a success as a failure. Thanks
+# Leonardo Rodrigues Magalhães
+#
+# FIX 05/16/2007
+# Fixed a bug where downloading phish.ndb.gz for the first time results
+# in an error and the downloaded file removed (Thanks Gary V)
+#
+# NEW 05/15/2007
+# Now have option to log to system logger (notify)
+# If you do not wish to use this logging function look below for
+# SYSLOG_ON=1 and set to SYSLOG_ON=0. This also will not function
+# if logger is not installed on your system for some reason
+#
+# Now logs each download stats regardless of debug status, but only outputs
+# to console if in debugging mode, or error and doesn't output
+# to system logger.
+# (as suggested by Gary V)
+# Changed the clamdb grep to use extended pattern matching as suggested
+# by Gary V
+# Altered the rsync portions to use --stats instead of --progress and
+# look for number of files transfered for confirmation of an update
+#
+# NEW 05/08/2007
+# Updated the MSRBL-* files to update vi rsync (tested version 2.6.9)
+# the current db(s) will be saved before the update and if there is a
+# problem with the download or clam db tests the old version is
+# moved back into place, an error message is produced and the
+# corrupt file is moved to filename.bad for the operator to look into
+# Changed the detection of the clam db directory it's now very fast
+# and will accommodate trailing slash (ie. /usr/local/share/clamav/) and
+# will also check for main.cvd as well as the *.inc directories since
+# apparently it's possible to have an install with only the main.cvd,
+# at least temporarily
+#
+# NEW 05/05/2007
+# Fixed a potential problem with the downloaded file size being zero
+# Now test a small txt file using the downloaded sig file, if clam doesn't
+# like it we don't move it or use it. Throw an error to the operator
+# Fixed a possible issue with the log size being very large if the site is
+# busy, now only return the last line from the transmission progress
+# Changed the operation to find the clam database dir to checking for
+# the standard /usr/local/share/clamav location first, and if not there
+# ask clamscan. (save a few seconds)
+#
+#
+
+# Make sure the path to your ClamAV binaries is in here, it should
+# cover all normal installations
+export PATH="$PATH":/bin:/usr/bin:/usr/local/bin
+
+# The file names and URLs of the scam and phish signature files from SaneSecurity
+SCAM_SIGS="scam.ndb"
+SCAM_SIGS_URL="http://www.sanesecurity.com/clamav/scamsigs/scam.ndb.gz"
+PHISH_SIGS="phish.ndb"
+PHISH_SIGS_URL="http://www.sanesecurity.com/clamav/phishsigs/phish.ndb.gz"
+
+# The URLs of the spam and image-spam signature files from MSRBL
+MSRBL_SPAM_SIGS="MSRBL-SPAM.ndb"
+MSRBL_SPAM_SIGS_URL="rsync://rsync.mirror.msrbl.com/msrbl/MSRBL-SPAM.ndb"
+MSRBL_IMAGE_SIGS="MSRBL-Images.hdb"
+MSRBL_IMAGE_SIGS_URL="rsync://rsync.mirror.msrbl.com/msrbl/MSRBL-Images.hdb"
+
+# Log messages with this or greater severity to syslog
+syslog_loglevel=error
+
+# Log messages with this or greater severity to standard error
+stderr_loglevel=none
+
+# Use this syslog facility
+syslog_facility=mail
+
+# The script will sleep for a random amount of time before starting the
+# actual update. This evens out the load on the update servers when people
+# have a tendency to set cron jobs on the hour, half hour or quarter hour.
+# The extra padding keeps the servers from being hammered all at once.
+# These are the minimum and maximum sleep times in seconds.
+min_sleep_time=30
+max_sleep_time=600
+
+# Should the script reload the clamd service
+# (Should not be necessary if you have "SelfCheck" enabled in clamd.conf
+# and "NotifyClamd" enabled in freshclam.conf.)
+reload_clamd=0
+
+# If the script is run as root, change the owner and group of
+# the signature files to this user and group. (The username
+# and group name should be separated by a colon.)
+sigfile_owner_and_group=clamav:clamav
+
+# If the script is run as root, perform downloading, checking and
+# installation of the signature files as this user. (The SELinux
+# security context fixing and the clamd reload need superuser
+# privileges, so these will be performed as root.)
+# Note: This user must be able to read and write signature files
+# in ClamAV db dir.
+unprivileged_user=${sigfile_owner_and_group%:*}
+
+# Whether to preserve the temporary directory (for debugging purposes)
+# on exit instead of deleting it (the default)
+keep_temp_dir=0
+
+####################################################################
+# No user tunable variables below
+####################################################################
+
+####################################################################
+# Logging functions
+#
+
+# Return the numeric constant associated with the given
+# severity name.
+#
+# Usage: numeric_loglevel=`numeric_log_severity $loglevel_name`
+#
+numeric_log_severity()
+{
+ local name="$1"
+
+ # The severity names (same as in syslog)
+ local -a severity_names=(
+ debug,deb,dbg
+ info,inf
+ notice
+ warning,warn,wrn
+ err,error
+ crit,critical
+ alert
+ emerg,emergency,panic
+ none,off
+ )
+
+ local i=0
+ local numeric_level
+ while [ -n "${severity_names[i]}" ]; do
+ for levelname in ${severity_names[i]//,/ }; do
+ if [ "$name" == "$levelname" ]; then
+ numeric_level=$i
+ break 2
+ fi
+ done
+ let i++
+ done
+ if [ -z "$numeric_level" ]; then
+ numeric_level=`numeric_log_severity debug`
+ fi
+
+ echo $numeric_level
+}
+
+# Log the given message with the given priority.
+# Logging includes printing to stderr and sending the message to
+# syslog, depending on the debug level and syslog loglevel settings.
+#
+# Usage: log level message [message_continuation [...]]
+#
+log()
+{
+ local level="$1"
+ local -a message_parts='("${@:2}")'
+
+ local message=`echo -e "${message_parts[@]}"`
+
+ if [ $(numeric_log_severity $level) -ge $(numeric_log_severity $stderr_loglevel) ]; then
+ echo "$program_invocation_short_name: [$level] $message" >&2
+ fi
+ if [ $(numeric_log_severity $level) -ge $(numeric_log_severity $syslog_loglevel) ]; then
+ if [ -n "$logger" ]; then
+ "$logger" -p ${syslog_facility}.${level} -i -t "$program_invocation_short_name" -- "${message//$'\n'/\\n}"
+ fi
+ fi
+}
+
+####################################################################
+# Utility functions
+#
+
+# Run the command silently. If the command exits with a
+# non-zero exit status, log an error message including the command run,
+# the exit status and and the collected output, otherwise swallow the output.
+#
+# Usage: run_cmd "$cmd" ["$arg1" [...]]
+#
+run_cmd()
+{
+ local -a cmd_and_args='("${@}")'
+
+ local output # must be a separate command, as 'local' always returns 0 exit status
+ output=`"${cmd_and_args[@]}" 2>&1`
+ local exit_status=$?
+ if [ $exit_status -ne 0 ]; then
+ log err "Error executing command <<<${cmd_and_args[*]}>>>, exit status: $exit_status, output: <<<$output>>>"
+ fi
+
+ return $exit_status
+}
+
+# Push one or more elements to the end of the array.
+#
+# Usage: push array_name "$elem1" [...]
+#
+push()
+{
+ local -a array="$1" elems='("${@:2}")'
+
+ local len=`eval echo \\\${#$array[@]}`
+ for elem in "${elems[@]}"; do
+ eval "$array[$len]=$elem"
+ let len++
+ done
+}
+
+####################################################################
+# Signature file download/test/installation functions
+#
+
+# Check if ClamAV accepts the signature file,
+# and moves it to the database dir if so.
+# Exit status:
+# 0 - sigfile was updated successfully
+# 1 - sigfile was up-to-date or an error occurred
+#
+# Usage: check_and_install_sigfile "$file_basename"
+#
+check_and_install_sigfile()
+{
+ local filename="$1"
+
+ local sigfile="$clam_db_dir/$filename"
+ local new_sigfile="$tmp_dir/$filename"
+
+ local sigfile_updated=0
+
+ if [ -s "$new_sigfile" ]; then
+ # First we do a quick test of the downloaded file. If ClamAV doesn't
+ # like it we won't use it and issue an error to the operator
+ # renaming the file so they can inspect it themselves.
+ run_cmd "$clamscan" --quiet -d "$new_sigfile" "$test_file"
+ local exit_status=$?
+ if [ $exit_status -eq 0 ]; then
+ if [ -s "$sigfile" ]; then
+ run_cmd cp -pf "$sigfile" "${sigfile}.bak"
+ fi
+ run_cmd mv -f "$new_sigfile" "$sigfile"
+ exit_status=$?
+ if [ $exit_status -eq 0 ]; then
+ sigfile_updated=1
+ else
+ log err "Cannot move '$new_sigfile' to '$sigfile', 'mv' exit status: $exit_status"
+ fi
+ else
+ log err "ClamAV had a problem using '$new_sigfile' (exit status: $exit_status)."
+ log err "We will NOT install '$new_sigfile' into the database directory."
+ run_cmd mv -f "$new_sigfile" "${sigfile}.bad"
+ exit_status=$?
+ if [ $exit_status -eq 0 ]; then
+ log err "Preserving the corrupt file as '${sigfile}.bad' for you to check."
+ else
+ log err "Cannot move the corrupt file from '$new_sigfile' to '${sigfile}.bad', 'mv' exit status: $exit_status."
+ fi
+ fi
+ elif [ -e "$new_sigfile" ]; then
+ log warning "'$new_sigfile' was zero bytes and will not be used!"
+ fi
+
+ local ret_val=1
+ if [ $sigfile_updated -ne 0 ]; then
+ log info "'$sigfile' was updated"
+ ret_val=0
+ else
+ log info "'$sigfile' was NOT updated"
+ ret_val=1
+ fi
+
+ return $ret_val
+}
+
+# Update/download a gzip-compressed signature file using CURL,
+# uncompress it, check if ClamAV accepts it, and install it in
+# the database directory.
+# Exit status:
+# 0 - sigfile was updated successfully
+# 1 - sigfile was up-to-date or an error occurred
+#
+# Usage: update_sigfile_with_curl "$url" "$file_basename"
+#
+update_sigfile_with_curl()
+{
+ local url="$1" filename="$2"
+
+ if [ -z "$url" ]; then
+ log info "Skipping '$filename' because no URL is configured for it"
+ return 1
+ fi
+
+ local sigfile_gz="$clam_db_dir/${filename}.gz"
+ local new_sigfile_gz="$tmp_dir/${filename}.gz"
+ local sigfile="$clam_db_dir/$filename"
+ local new_sigfile="$tmp_dir/$filename"
+
+ local sigfile_gz_updated=0
+
+ declare -a curl_additional_flags
+
+ # If something happend to the sig file, or this is the first time
+ # this script has been run then we can't do the date test on the
+ # current file so we just grab what ever is current on the site
+ if [ -s "$sigfile_gz" ]; then
+ log debug "Checking for newer version of '$sigfile_gz'"
+ push curl_additional_flags "-z" "$sigfile_gz"
+ else
+ log debug "'$sigfile_gz' does not exist, so doing initial download"
+ fi
+
+ if [ $stderr_loglevel != debug ]; then
+ push curl_additional_flags "-s"
+ fi
+
+ run_cmd "$curl" -R "${curl_additional_flags[@]}" -o "$new_sigfile_gz" \
+ -f -v --referer ";auto" --location "$url"
+ local exit_status=$?
+ if [ $exit_status -eq 0 -o $exit_status -eq 22 ]; then
+ # If we don't have the download or it's zero bytes
+ # something went wrong and we did not get an update.
+ if [ ! -s "$new_sigfile_gz" ]; then
+ if [ -e "$new_sigfile_gz" ]; then
+ rm -f "$new_sigfile_gz"
+ log warning "'$new_sigfile_gz' was zero bytes and will not be used!"
+ fi
+ if [ $exit_status -eq 22 ]; then
+ log warning "CURL returned an error code 22 which results from a HTTP error 4xx"
+ log warning "This might be caused by the file not being updated (HTTP 412) but"
+ log warning "it could be something else."
+ fi
+ fi
+ else
+ log err "CURL had a problem getting '$new_sigfile_gz' from '$url', exit status: $exit_status"
+ rm -f "$new_sigfile_gz"
+ fi
+
+ if [ -s "$new_sigfile_gz" ]; then
+ "$gunzip" -cdf "$new_sigfile_gz" > "$new_sigfile"
+ exit_status=$?
+ if [ $exit_status -eq 0 ]; then
+ run_cmd mv -f "$new_sigfile_gz" "$sigfile_gz"
+ exit_status=$?
+ if [ $exit_status -eq 0 ]; then
+ sigfile_gz_updated=1
+ else
+ log err "Cannot move '$new_sigfile_gz' to '$sigfile_gz', 'mv' exit status: $exit_status"
+ fi
+ else
+ rm -f "$new_sigfile_gz"
+ log err "Cannot uncompress '$new_sigfile_gz', 'gunzip' exit status: $exit_status"
+ fi
+ fi
+
+ if [ $sigfile_gz_updated -ne 0 ]; then
+ log info "'$sigfile_gz' was updated"
+ else
+ log info "'$sigfile_gz' was NOT updated"
+ fi
+
+ check_and_install_sigfile "$filename"
+}
+
+# Update/download the signature file using Rsync,
+# check if ClamAV accepts it, and and installs it in
+# the database directory.
+# Exit status:
+# 0 - sigfile was updated successfully
+# 1 - sigfile was up-to-date or an error occurred
+#
+# Usage: update_sigfile_with_curl "$url" "$file_basename"
+#
+update_sigfile_with_rsync()
+{
+ local url="$1" filename="$2"
+
+ if [ -z "$url" ]; then
+ log info "Skipping '$filename' because no URL is configured for it"
+ return 1
+ fi
+
+ local sigfile="$clam_db_dir/$filename"
+ local new_sigfile="$tmp_dir/$filename"
+
+ if [ -s "$sigfile" ]; then
+ log debug "Checking for newer version of '$sigfile'"
+ else
+ log debug "'$sigfile' does not exist, so doing initial download"
+ fi
+
+ # Rsync will download the file only if it is different from the one in
+ # $clam_db_dir. The downloaded file will be stored in $tmp_dir.
+ run_cmd "$rsync" --stats -t --compare-dest="$clam_db_dir/" \
+ "$url" "$new_sigfile"
+ local exit_status=$?
+ if [ $exit_status -ne 0 ]; then
+ log err "Rsync had a problem getting '$new_sigfile' from '$url', exit status: $exit_status"
+ rm -f "$new_sigfile"
+ fi
+
+ check_and_install_sigfile "$filename"
+}
+
+####################################################################
+# Startup functions
+#
+
+# Check for the external programs/tools and
+# set the corresponding variables to the found paths
+#
+# Usage: check_for_external_programs
+#
+check_for_external_programs()
+{
+ # Look for the paths to the programs we are going to need
+ logger=`type -P logger`
+ clamscan=`type -P clamscan`
+ curl=`type -P curl`
+ gunzip=`type -P gunzip`
+ rsync=`type -P rsync`
+
+ # Check if the 'logger' binary is missing
+ if [ -z "$logger" -o ! -x "$logger" ]; then
+ unset logger
+ log err "Could not find the 'logger' program, no syslog will be attempted"
+ fi
+
+ # If we did not find any of our external programs
+ # give an error message and exit
+ local prg
+ for prg in clamscan curl gunzip rsync; do
+ if [ -z ${!prg} ]; then
+ log err "Cannot find '$prg'"
+ log err "Exiting."
+ exit 1
+ fi
+ done
+}
+
+# Print usage message.
+#
+# Usage: print_usage
+#
+print_usage()
+{
+ echo -e "Downloads unofficial ClamAV signature files from sanesecurity.com and msrbl.com."
+ echo -e "Usage: $0 [options]"
+ echo -e "OPTIONS:"
+ echo -e " --syslog-loglevel=level\tSets the log level for syslog to 'level'."
+ echo -e " --stderr-loglevel=level\tSets the log level for stderr to 'level'."
+ echo -e " --debug\t\t\tShorthand for '--syslog-loglevel=none"
+ echo -e " \t\t\t\t--stderr-loglevel=debug'."
+ echo -e " --sleep\t\t\tEnable the (random length) sleep before"
+ echo -e " \t\t\t\tstarting the download. (this is the default)"
+ echo -e " --no-sleep\t\t\tDisable the (random length) sleep before"
+ echo -e " \t\t\t\tstarting the download. (default if stdin is"
+ echo -e " \t\t\t\ta tty)"
+ echo -e ""
+ echo -e "Log level can be one of these:"
+ echo -e " debug, info, notice, warning, err, crit, alert, emerg"
+}
+
+# Parse options/arguments
+#
+# Usage: parse_arguments
+#
+parse_arguments()
+{
+ local arg
+
+ # Parse options/arguments
+ while [ $# -ge 1 ]; do
+ case "$1" in
+ --debug|-d|debug|Debug|DEBUG)
+ syslog_loglevel=none
+ stderr_loglevel=debug
+ log debug "Debug mode is ON"
+ ;;
+ --syslog-loglevel)
+ syslog_loglevel=$2
+ shift
+ ;;
+ --syslog-loglevel=*)
+ syslog_loglevel=${1#--*=}
+ ;;
+ --stderr-loglevel)
+ stderr_loglevel=$2
+ shift
+ ;;
+ --stderr-loglevel=*)
+ stderr_loglevel=${1#--*=}
+ ;;
+ --sleep)
+ no_sleep=0
+ ;;
+ --no-sleep)
+ no_sleep=1
+ ;;
+ --unprivileged-child)
+ unprivileged_child=1
+ ;;
+ --help|-h|-\?)
+ print_usage
+ exit 0
+ ;;
+ *)
+ log err "Got command line argument of '$1' and I don't understand it!"
+ log err "Exiting."
+ exit 1
+ ;;
+ esac
+ shift
+ done
+}
+
+# Create a temporary directory and arrange to remove it on exit,
+# plus create an empty file to use for testing ClamScan
+#
+# Usage: create_temp_dir
+#
+create_temp_dir()
+{
+ tmp_dir=`mktemp -d -t ${program_invocation_short_name}.XXXXXXXX` || (
+ log err "Cannot create temporary directory"
+ log err "Exiting."
+ exit 1
+ )
+ local exit_status=$?
+ if [ $exit_status -ne 0 ]; then
+ log err "Error running mktemp(1), exit status: $exit_status"
+ log err "Exiting."
+ exit 1
+ fi
+ log debug "Created temporary directory: '$tmp_dir'"
+ if [ $keep_temp_dir -eq 0 ]; then
+ trap 'rm -rf "$tmp_dir"' EXIT
+ fi
+
+ # We create a file for ClamScan to test in debug mode.
+ test_file="$tmp_dir/test.file"
+ touch "$test_file"
+}
+
+# Log a couple of debug messages with a summary on some parameters
+#
+# Usage: log_startup_summary
+#
+log_startup_summary()
+{
+ log debug "PHISH_SIGS : $PHISH_SIGS_URL"
+ log debug "SCAM_SIGS : $SCAM_SIGS_URL"
+ log debug "SPAM_SIGS : $MSRBL_SPAM_SIGS_URL"
+ log debug "IMAGE_SIGS : $MSRBL_IMAGE_SIGS_URL"
+ log debug "ClamScan : $clamscan"
+ log debug "CURL : $curl"
+ log debug "GunZip : $gunzip"
+ log debug "RSync : $rsync"
+ log debug "ClamAV db dir : $clam_db_dir"
+ log debug "temp dir : $tmp_dir"
+}
+
+# Sleep for a random time (determined by $min_sleep_time and $max_sleep_time global variables)
+#
+# Usage: random_sleep
+#
+random_sleep()
+{
+ local sleep_time
+
+ sleep_time=$(($RANDOM * $(($max_sleep_time-$min_sleep_time)) / 32767 + $min_sleep_time))
+ log debug "Sleeping for $sleep_time seconds..."
+ sleep $sleep_time
+}
+
+# Find the ClamAV db dir and set the $clam_db_dir global variable
+#
+# Usage: find_clam_db_dir
+#
+find_clam_db_dir()
+{
+ # Scan an empty test file with debug enabled to determine where ClamAV expects
+ # to find it's signature database
+ log debug "Checking for ClamAV database directory..."
+ clam_db_dir=`"$clamscan" --debug "$test_file" 2>&1 | \
+ sed -ne 's/\/$//; s/^.*loading databases from \(.*\)$/\1/ip' | head -1`
+ log debug "Found ClamAV database directory: $clam_db_dir"
+
+ # Check for either the daily.inc, the main.inc dirs or the main.cvd one of which
+ # must exist for a functional clamav installation
+ if [ \
+ ! -d "$clam_db_dir/daily.inc" -a \
+ ! -d "$clam_db_dir/main.inc" -a \
+ ! -f "$clam_db_dir/main.cvd" -a \
+ ! -f "$clam_db_dir/main.cld" \
+ ]; then
+ log err "None of '$clam_db_dir/daily.inc', '$clam_db_dir/main.inc',"
+ log err "'$clam_db_dir/main.cvd', '$clam_db_dir/main.cld' found"
+ log err "in your database directory. Either '$clam_db_dir' is NOT"
+ log err "the correct database path or there is something wrong with your"
+ log err "ClamAV installation. This path came from your '$clamscan' so I would guess"
+ log err "you need to check your clamd.conf file and/or '$clam_db_dir'"
+ log err "Exiting."
+ exit 1
+ fi
+}
+
+#
+# Change owner, group and security context of the signature files.
+#
+# Usage: chown_chcon sigfiles ...
+#
+chown_chcon()
+{
+ local -a sigfiles='("$@")'
+
+ for i in "${sigfiles[@]}"; do
+ [ -f "$i" ] || continue
+
+ run_cmd chown $sigfile_owner_and_group "$i"
+ exit_status=$?
+ if [ $exit_status -ne 0 ]; then
+ log err "chown had a problem changing ownership of signature file '$i', exit status: $exit_status"
+ log err "Exiting."
+ exit 1
+ fi
+ done
+
+ # SELinux fix: change security context
+ if [ -n "$(type -P sestatus 2>/dev/null)" ] && [ "$(sestatus | head -n 1 | awk '{ print $3 }')" == "enabled" ]; then
+ for i in "${sigfiles[@]}"; do
+ [ -f "$i" ] || continue
+
+ run_cmd chcon user_u:object_r:var_t "$i"
+ exit_status=$?
+ if [ $exit_status -ne 0 ]; then
+ log err "chcon had a problem changing security context of signature file '$i', exit status: $exit_status"
+ log err "Exiting."
+ exit 1
+ fi
+ done
+ fi
+}
+
+# Reload the ClamAV daemon
+#
+# Usage: reload_clamav_daemon
+#
+reload_clamav_daemon()
+{
+ local -a clamd_reload_cmd
+ if [ -n "`type -P service`" ]; then
+ clamd_reload_cmd=(service clamd reload)
+ else
+ for init_script in /etc/{init,rc}.d/{clamd,clamav-daemon}; do
+ if [ -x "$init_script" ]; then
+ clamd_reload_cmd=("$init_script" reload-database)
+ break
+ fi
+ done
+ fi
+ if [ -n "${clamd_reload_cmd[*]}" ]; then
+ log info "Reloading ClamAV daemon"
+ run_cmd "${clamd_reload_cmd[@]}"
+ else
+ log err "Cannot reload ClamAV daemon because no initscript found"
+ return 1
+ fi
+}
+
+####################################################################
+
+
+declare logger clamscan curl gunzip rsync
+declare tmp_dir test_file
+declare clam_db_dir
+declare unprivileged_child=0
+declare no_sleep=0
+
+# Skip sleeping if run interactively
+if tty -s; then
+ log debug "Disabling random sleep feature because stdin is a terminal."
+ no_sleep=1
+fi
+
+# The short name of this script
+readonly program_invocation_short_name=`basename "$0"`
+
+# The absolute name of this script
+readonly program_invocation_absolute_name=$(readlink -f "$0" || type -P "$0")
+
+# Startup
+parse_arguments "$@"
+if [ "$unprivileged_child" -eq 0 ]; then
+ log debug "Starting."
+fi
+check_for_external_programs
+create_temp_dir
+find_clam_db_dir
+if [ "$unprivileged_child" -eq 0 ]; then
+ log_startup_summary
+ if [ "$no_sleep" -eq 0 ]; then
+ random_sleep
+ fi
+fi
+
+# Change current directory to ClamAV database directory
+# but just for the sake of safety we will use
+# absolute paths for copy/move operations
+cd "$clam_db_dir"
+
+declare sigfile_updated=0
+if [ "$unprivileged_child" -ne 0 -o $(id -u) -ne 0 ]; then
+ # Update/download the signature files
+ update_sigfile_with_curl "$SCAM_SIGS_URL" "$SCAM_SIGS" && sigfile_updated=1
+ update_sigfile_with_curl "$PHISH_SIGS_URL" "$PHISH_SIGS" && sigfile_updated=1
+ update_sigfile_with_rsync "$MSRBL_SPAM_SIGS_URL" "$MSRBL_SPAM_SIGS" && sigfile_updated=1
+ update_sigfile_with_rsync "$MSRBL_IMAGE_SIGS_URL" "$MSRBL_IMAGE_SIGS" && sigfile_updated=1
+else
+ # Re-execute the script as the unprivileged user to do the download/check/install part.
+ # (It exits with 0 exit status only if at least on the signature file were updated.)
+ su -s $SHELL $unprivileged_user -c "'$program_invocation_absolute_name' --unprivileged-child --syslog-loglevel=$syslog_loglevel --stderr-loglevel=$stderr_loglevel" && sigfile_updated=1
+
+ # Change owner, group and security context.
+ chown_chcon "$SCAM_SIGS" "$PHISH_SIGS" "$MSRBL_SPAM_SIGS" "$MSRBL_IMAGE_SIGS"
+fi
+
+# Reload database
+if [ $reload_clamd -ne 0 -a $sigfile_updated -ne 0 -a "$unprivileged_child" -eq 0 ]; then
+ reload_clamav_daemon
+fi
+
+if [ "$unprivileged_child" -eq 0 ]; then
+ log debug "Exiting."
+fi
+if [ $sigfile_updated -ne 0 ]; then
+ final_exit_status=0
+else
+ final_exit_status=100
+fi
+exit $final_exit_status
projects / clamav-cn.git / commitdiff