From 3de571828171add4be29976b557530fe9ea41927 Mon Sep 17 00:00:00 2001 From: Ivan Rako Date: Mon, 29 Sep 2008 16:03:21 +0200 Subject: [PATCH] Nova upstream verzija... Dodana skripta za sanesecurity... --- clamav-sanesecurity | 833 +++++++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 + debian/conffiles | 1 + debian/dirs | 1 + debian/install | 1 + 5 files changed, 842 insertions(+) create mode 100755 clamav-sanesecurity create mode 100644 debian/conffiles create mode 100644 debian/dirs create mode 100644 debian/install diff --git a/clamav-sanesecurity b/clamav-sanesecurity new file mode 100755 index 0000000..ec3ecdf --- /dev/null +++ b/clamav-sanesecurity @@ -0,0 +1,833 @@ +#!/bin/bash +# +# $Id: update_sanesecurity.sh 706 2008-09-15 20:27:11Z mendel $ +# +# A Modified version of the update script originally written by +# Bill Landry +# +# Modified by Rick Cooper: Contact sanescript@dwford.com +# +# Modified by Norbert Buchmuller +# +# TODO: +# * split off changelog to a separate file +# * split off configuration to a separate file +# * support optional gzipping (if the downloaded file ends in .gz|.bz2, unzip it) +# * support for protocol (rsync://|http://|https://|ftp://) auto-detection (and call the appropriate download method) +# * support for more flexible download URLs (a list of them eg.) +# * support for external configuration file +# * support for additional DBs (securiteinfo.com, www.malware.com.br) +# +# Last updated Sep 15, 2008 +# FIX 09/15/2008 +# Looks for 'main.cld' in $clam_db_dir as new versions of ClamAV use +# '.cld' extension for virus definition files. +# +# FIX 04/26/2008 +# Changed '--debug' to mean '--syslog-loglevel=none --stderr-loglevel=debug'. +# Added diagnostic message when tty is detected (and so random sleep is disabled). +# +# FIX 12/21/2007 +# Fixed a grave bug: previously it failed to detect if the newly downloaded +# database was corrupt. +# Detects if the user runs the script from a terminal, and disables +# the random sleep if it is so. +# +# FIX 09/26/2007 +# Fixed a bug: now it passes the log levels to the unprivileged child. +# Fixed a bug: now the unprivileged child does not attempt to reload ClamAV db. +# Prints usage message if asked for. +# +# FIX 09/21/2007 +# Added SELinux support. +# Thanks Andrew Colin Kissa . +# Added support to run the script as root (the superuser privileges are only used +# when changing the owner:group and security context of the signature files, +# and when reloading clamd). +# +# FIX 09/20/2007 +# Fixed a bug introduced by the 08/28/2007 change: the "SPAM.ndb" file was saved +# (incorrectly) with the name "SPAM.hdb" and thus ClamAV refused to load it. +# Thanks Keith Brazington . +# +# FIX 08/28/2007 +# Refactored logging to avoid code/text duplication. +# Refactored downloading to avoid code duplication. +# Split up the main function into smaller ones. +# Should be started as the clamav user, not root to avoid +# security implications. +# Uses proper temporary dir creation method (mktemp(1)) to avoid +# security implications. +# It is assured that a non-zero exit status is used when exiting because of an error. +# Uses 'mail' syslog facility. +# Different syslog log priorities are used for messages with different severity. +# Diagnostic messages (incl. debug messages) go to stderr instead of stdout. +# More careful quoting to allow spaces or other unexpected chars in variables. +# Checking carefully for the exit status of all the important commands. +# Rsync downloads the new signature file to a temporary directory +# and only installs it after it is verified that ClamAV accepts +# the signature file. (Note: This requires a relatively new version of Rsync +# because versions older than cca. 2.6.9 unconditionally download the file, even +# if it did not change.) +# Uses '-p' option of 'cp' to preserve modification times. +# No separate log files for each command, instead their output is logged if +# they return a non-zero exit status. +# PATH is appended to, not overwritten. +# Use 'type -P' instead of 'which'. +# Fixed a few typos. +# +# FIX 08/13/2007 +# Using new SaneSecurity URLs +# +# FIX 06/30/2007 +# Removed the -h (human readable) option from the rsync command line +# as this was for the help option in older versions of rsync, and +# it's not worth maintaining two versions of the command based on +# rsync version. Thanks for the bug report Chris +# Changed the SCAM_SIGS_URL variable to point to the proper URL. The old one +# worked but this one is the correct/desired URL Thanks Steve Basford. +# +# FIX 06/27/2007 +# Fixed incorrect check on CURL return code in phish.db section +# causing it to consider a success as a failure. Thanks +# Leonardo Rodrigues Magalhães +# +# FIX 05/16/2007 +# Fixed a bug where downloading phish.ndb.gz for the first time results +# in an error and the downloaded file removed (Thanks Gary V) +# +# NEW 05/15/2007 +# Now have option to log to system logger (notify) +# If you do not wish to use this logging function look below for +# SYSLOG_ON=1 and set to SYSLOG_ON=0. This also will not function +# if logger is not installed on your system for some reason +# +# Now logs each download stats regardless of debug status, but only outputs +# to console if in debugging mode, or error and doesn't output +# to system logger. +# (as suggested by Gary V) +# Changed the clamdb grep to use extended pattern matching as suggested +# by Gary V +# Altered the rsync portions to use --stats instead of --progress and +# look for number of files transfered for confirmation of an update +# +# NEW 05/08/2007 +# Updated the MSRBL-* files to update vi rsync (tested version 2.6.9) +# the current db(s) will be saved before the update and if there is a +# problem with the download or clam db tests the old version is +# moved back into place, an error message is produced and the +# corrupt file is moved to filename.bad for the operator to look into +# Changed the detection of the clam db directory it's now very fast +# and will accommodate trailing slash (ie. /usr/local/share/clamav/) and +# will also check for main.cvd as well as the *.inc directories since +# apparently it's possible to have an install with only the main.cvd, +# at least temporarily +# +# NEW 05/05/2007 +# Fixed a potential problem with the downloaded file size being zero +# Now test a small txt file using the downloaded sig file, if clam doesn't +# like it we don't move it or use it. Throw an error to the operator +# Fixed a possible issue with the log size being very large if the site is +# busy, now only return the last line from the transmission progress +# Changed the operation to find the clam database dir to checking for +# the standard /usr/local/share/clamav location first, and if not there +# ask clamscan. (save a few seconds) +# +# + +# Make sure the path to your ClamAV binaries is in here, it should +# cover all normal installations +export PATH="$PATH":/bin:/usr/bin:/usr/local/bin + +# The file names and URLs of the scam and phish signature files from SaneSecurity +SCAM_SIGS="scam.ndb" +SCAM_SIGS_URL="http://www.sanesecurity.com/clamav/scamsigs/scam.ndb.gz" +PHISH_SIGS="phish.ndb" +PHISH_SIGS_URL="http://www.sanesecurity.com/clamav/phishsigs/phish.ndb.gz" + +# The URLs of the spam and image-spam signature files from MSRBL +MSRBL_SPAM_SIGS="MSRBL-SPAM.ndb" +MSRBL_SPAM_SIGS_URL="rsync://rsync.mirror.msrbl.com/msrbl/MSRBL-SPAM.ndb" +MSRBL_IMAGE_SIGS="MSRBL-Images.hdb" +MSRBL_IMAGE_SIGS_URL="rsync://rsync.mirror.msrbl.com/msrbl/MSRBL-Images.hdb" + +# Log messages with this or greater severity to syslog +syslog_loglevel=error + +# Log messages with this or greater severity to standard error +stderr_loglevel=none + +# Use this syslog facility +syslog_facility=mail + +# The script will sleep for a random amount of time before starting the +# actual update. This evens out the load on the update servers when people +# have a tendency to set cron jobs on the hour, half hour or quarter hour. +# The extra padding keeps the servers from being hammered all at once. +# These are the minimum and maximum sleep times in seconds. +min_sleep_time=30 +max_sleep_time=600 + +# Should the script reload the clamd service +# (Should not be necessary if you have "SelfCheck" enabled in clamd.conf +# and "NotifyClamd" enabled in freshclam.conf.) +reload_clamd=0 + +# If the script is run as root, change the owner and group of +# the signature files to this user and group. (The username +# and group name should be separated by a colon.) +sigfile_owner_and_group=clamav:clamav + +# If the script is run as root, perform downloading, checking and +# installation of the signature files as this user. (The SELinux +# security context fixing and the clamd reload need superuser +# privileges, so these will be performed as root.) +# Note: This user must be able to read and write signature files +# in ClamAV db dir. +unprivileged_user=${sigfile_owner_and_group%:*} + +# Whether to preserve the temporary directory (for debugging purposes) +# on exit instead of deleting it (the default) +keep_temp_dir=0 + +#################################################################### +# No user tunable variables below +#################################################################### + +#################################################################### +# Logging functions +# + +# Return the numeric constant associated with the given +# severity name. +# +# Usage: numeric_loglevel=`numeric_log_severity $loglevel_name` +# +numeric_log_severity() +{ + local name="$1" + + # The severity names (same as in syslog) + local -a severity_names=( + debug,deb,dbg + info,inf + notice + warning,warn,wrn + err,error + crit,critical + alert + emerg,emergency,panic + none,off + ) + + local i=0 + local numeric_level + while [ -n "${severity_names[i]}" ]; do + for levelname in ${severity_names[i]//,/ }; do + if [ "$name" == "$levelname" ]; then + numeric_level=$i + break 2 + fi + done + let i++ + done + if [ -z "$numeric_level" ]; then + numeric_level=`numeric_log_severity debug` + fi + + echo $numeric_level +} + +# Log the given message with the given priority. +# Logging includes printing to stderr and sending the message to +# syslog, depending on the debug level and syslog loglevel settings. +# +# Usage: log level message [message_continuation [...]] +# +log() +{ + local level="$1" + local -a message_parts='("${@:2}")' + + local message=`echo -e "${message_parts[@]}"` + + if [ $(numeric_log_severity $level) -ge $(numeric_log_severity $stderr_loglevel) ]; then + echo "$program_invocation_short_name: [$level] $message" >&2 + fi + if [ $(numeric_log_severity $level) -ge $(numeric_log_severity $syslog_loglevel) ]; then + if [ -n "$logger" ]; then + "$logger" -p ${syslog_facility}.${level} -i -t "$program_invocation_short_name" -- "${message//$'\n'/\\n}" + fi + fi +} + +#################################################################### +# Utility functions +# + +# Run the command silently. If the command exits with a +# non-zero exit status, log an error message including the command run, +# the exit status and and the collected output, otherwise swallow the output. +# +# Usage: run_cmd "$cmd" ["$arg1" [...]] +# +run_cmd() +{ + local -a cmd_and_args='("${@}")' + + local output # must be a separate command, as 'local' always returns 0 exit status + output=`"${cmd_and_args[@]}" 2>&1` + local exit_status=$? + if [ $exit_status -ne 0 ]; then + log err "Error executing command <<<${cmd_and_args[*]}>>>, exit status: $exit_status, output: <<<$output>>>" + fi + + return $exit_status +} + +# Push one or more elements to the end of the array. +# +# Usage: push array_name "$elem1" [...] +# +push() +{ + local -a array="$1" elems='("${@:2}")' + + local len=`eval echo \\\${#$array[@]}` + for elem in "${elems[@]}"; do + eval "$array[$len]=$elem" + let len++ + done +} + +#################################################################### +# Signature file download/test/installation functions +# + +# Check if ClamAV accepts the signature file, +# and moves it to the database dir if so. +# Exit status: +# 0 - sigfile was updated successfully +# 1 - sigfile was up-to-date or an error occurred +# +# Usage: check_and_install_sigfile "$file_basename" +# +check_and_install_sigfile() +{ + local filename="$1" + + local sigfile="$clam_db_dir/$filename" + local new_sigfile="$tmp_dir/$filename" + + local sigfile_updated=0 + + if [ -s "$new_sigfile" ]; then + # First we do a quick test of the downloaded file. If ClamAV doesn't + # like it we won't use it and issue an error to the operator + # renaming the file so they can inspect it themselves. + run_cmd "$clamscan" --quiet -d "$new_sigfile" "$test_file" + local exit_status=$? + if [ $exit_status -eq 0 ]; then + if [ -s "$sigfile" ]; then + run_cmd cp -pf "$sigfile" "${sigfile}.bak" + fi + run_cmd mv -f "$new_sigfile" "$sigfile" + exit_status=$? + if [ $exit_status -eq 0 ]; then + sigfile_updated=1 + else + log err "Cannot move '$new_sigfile' to '$sigfile', 'mv' exit status: $exit_status" + fi + else + log err "ClamAV had a problem using '$new_sigfile' (exit status: $exit_status)." + log err "We will NOT install '$new_sigfile' into the database directory." + run_cmd mv -f "$new_sigfile" "${sigfile}.bad" + exit_status=$? + if [ $exit_status -eq 0 ]; then + log err "Preserving the corrupt file as '${sigfile}.bad' for you to check." + else + log err "Cannot move the corrupt file from '$new_sigfile' to '${sigfile}.bad', 'mv' exit status: $exit_status." + fi + fi + elif [ -e "$new_sigfile" ]; then + log warning "'$new_sigfile' was zero bytes and will not be used!" + fi + + local ret_val=1 + if [ $sigfile_updated -ne 0 ]; then + log info "'$sigfile' was updated" + ret_val=0 + else + log info "'$sigfile' was NOT updated" + ret_val=1 + fi + + return $ret_val +} + +# Update/download a gzip-compressed signature file using CURL, +# uncompress it, check if ClamAV accepts it, and install it in +# the database directory. +# Exit status: +# 0 - sigfile was updated successfully +# 1 - sigfile was up-to-date or an error occurred +# +# Usage: update_sigfile_with_curl "$url" "$file_basename" +# +update_sigfile_with_curl() +{ + local url="$1" filename="$2" + + if [ -z "$url" ]; then + log info "Skipping '$filename' because no URL is configured for it" + return 1 + fi + + local sigfile_gz="$clam_db_dir/${filename}.gz" + local new_sigfile_gz="$tmp_dir/${filename}.gz" + local sigfile="$clam_db_dir/$filename" + local new_sigfile="$tmp_dir/$filename" + + local sigfile_gz_updated=0 + + declare -a curl_additional_flags + + # If something happend to the sig file, or this is the first time + # this script has been run then we can't do the date test on the + # current file so we just grab what ever is current on the site + if [ -s "$sigfile_gz" ]; then + log debug "Checking for newer version of '$sigfile_gz'" + push curl_additional_flags "-z" "$sigfile_gz" + else + log debug "'$sigfile_gz' does not exist, so doing initial download" + fi + + if [ $stderr_loglevel != debug ]; then + push curl_additional_flags "-s" + fi + + run_cmd "$curl" -R "${curl_additional_flags[@]}" -o "$new_sigfile_gz" \ + -f -v --referer ";auto" --location "$url" + local exit_status=$? + if [ $exit_status -eq 0 -o $exit_status -eq 22 ]; then + # If we don't have the download or it's zero bytes + # something went wrong and we did not get an update. + if [ ! -s "$new_sigfile_gz" ]; then + if [ -e "$new_sigfile_gz" ]; then + rm -f "$new_sigfile_gz" + log warning "'$new_sigfile_gz' was zero bytes and will not be used!" + fi + if [ $exit_status -eq 22 ]; then + log warning "CURL returned an error code 22 which results from a HTTP error 4xx" + log warning "This might be caused by the file not being updated (HTTP 412) but" + log warning "it could be something else." + fi + fi + else + log err "CURL had a problem getting '$new_sigfile_gz' from '$url', exit status: $exit_status" + rm -f "$new_sigfile_gz" + fi + + if [ -s "$new_sigfile_gz" ]; then + "$gunzip" -cdf "$new_sigfile_gz" > "$new_sigfile" + exit_status=$? + if [ $exit_status -eq 0 ]; then + run_cmd mv -f "$new_sigfile_gz" "$sigfile_gz" + exit_status=$? + if [ $exit_status -eq 0 ]; then + sigfile_gz_updated=1 + else + log err "Cannot move '$new_sigfile_gz' to '$sigfile_gz', 'mv' exit status: $exit_status" + fi + else + rm -f "$new_sigfile_gz" + log err "Cannot uncompress '$new_sigfile_gz', 'gunzip' exit status: $exit_status" + fi + fi + + if [ $sigfile_gz_updated -ne 0 ]; then + log info "'$sigfile_gz' was updated" + else + log info "'$sigfile_gz' was NOT updated" + fi + + check_and_install_sigfile "$filename" +} + +# Update/download the signature file using Rsync, +# check if ClamAV accepts it, and and installs it in +# the database directory. +# Exit status: +# 0 - sigfile was updated successfully +# 1 - sigfile was up-to-date or an error occurred +# +# Usage: update_sigfile_with_curl "$url" "$file_basename" +# +update_sigfile_with_rsync() +{ + local url="$1" filename="$2" + + if [ -z "$url" ]; then + log info "Skipping '$filename' because no URL is configured for it" + return 1 + fi + + local sigfile="$clam_db_dir/$filename" + local new_sigfile="$tmp_dir/$filename" + + if [ -s "$sigfile" ]; then + log debug "Checking for newer version of '$sigfile'" + else + log debug "'$sigfile' does not exist, so doing initial download" + fi + + # Rsync will download the file only if it is different from the one in + # $clam_db_dir. The downloaded file will be stored in $tmp_dir. + run_cmd "$rsync" --stats -t --compare-dest="$clam_db_dir/" \ + "$url" "$new_sigfile" + local exit_status=$? + if [ $exit_status -ne 0 ]; then + log err "Rsync had a problem getting '$new_sigfile' from '$url', exit status: $exit_status" + rm -f "$new_sigfile" + fi + + check_and_install_sigfile "$filename" +} + +#################################################################### +# Startup functions +# + +# Check for the external programs/tools and +# set the corresponding variables to the found paths +# +# Usage: check_for_external_programs +# +check_for_external_programs() +{ + # Look for the paths to the programs we are going to need + logger=`type -P logger` + clamscan=`type -P clamscan` + curl=`type -P curl` + gunzip=`type -P gunzip` + rsync=`type -P rsync` + + # Check if the 'logger' binary is missing + if [ -z "$logger" -o ! -x "$logger" ]; then + unset logger + log err "Could not find the 'logger' program, no syslog will be attempted" + fi + + # If we did not find any of our external programs + # give an error message and exit + local prg + for prg in clamscan curl gunzip rsync; do + if [ -z ${!prg} ]; then + log err "Cannot find '$prg'" + log err "Exiting." + exit 1 + fi + done +} + +# Print usage message. +# +# Usage: print_usage +# +print_usage() +{ + echo -e "Downloads unofficial ClamAV signature files from sanesecurity.com and msrbl.com." + echo -e "Usage: $0 [options]" + echo -e "OPTIONS:" + echo -e " --syslog-loglevel=level\tSets the log level for syslog to 'level'." + echo -e " --stderr-loglevel=level\tSets the log level for stderr to 'level'." + echo -e " --debug\t\t\tShorthand for '--syslog-loglevel=none" + echo -e " \t\t\t\t--stderr-loglevel=debug'." + echo -e " --sleep\t\t\tEnable the (random length) sleep before" + echo -e " \t\t\t\tstarting the download. (this is the default)" + echo -e " --no-sleep\t\t\tDisable the (random length) sleep before" + echo -e " \t\t\t\tstarting the download. (default if stdin is" + echo -e " \t\t\t\ta tty)" + echo -e "" + echo -e "Log level can be one of these:" + echo -e " debug, info, notice, warning, err, crit, alert, emerg" +} + +# Parse options/arguments +# +# Usage: parse_arguments +# +parse_arguments() +{ + local arg + + # Parse options/arguments + while [ $# -ge 1 ]; do + case "$1" in + --debug|-d|debug|Debug|DEBUG) + syslog_loglevel=none + stderr_loglevel=debug + log debug "Debug mode is ON" + ;; + --syslog-loglevel) + syslog_loglevel=$2 + shift + ;; + --syslog-loglevel=*) + syslog_loglevel=${1#--*=} + ;; + --stderr-loglevel) + stderr_loglevel=$2 + shift + ;; + --stderr-loglevel=*) + stderr_loglevel=${1#--*=} + ;; + --sleep) + no_sleep=0 + ;; + --no-sleep) + no_sleep=1 + ;; + --unprivileged-child) + unprivileged_child=1 + ;; + --help|-h|-\?) + print_usage + exit 0 + ;; + *) + log err "Got command line argument of '$1' and I don't understand it!" + log err "Exiting." + exit 1 + ;; + esac + shift + done +} + +# Create a temporary directory and arrange to remove it on exit, +# plus create an empty file to use for testing ClamScan +# +# Usage: create_temp_dir +# +create_temp_dir() +{ + tmp_dir=`mktemp -d -t ${program_invocation_short_name}.XXXXXXXX` || ( + log err "Cannot create temporary directory" + log err "Exiting." + exit 1 + ) + local exit_status=$? + if [ $exit_status -ne 0 ]; then + log err "Error running mktemp(1), exit status: $exit_status" + log err "Exiting." + exit 1 + fi + log debug "Created temporary directory: '$tmp_dir'" + if [ $keep_temp_dir -eq 0 ]; then + trap 'rm -rf "$tmp_dir"' EXIT + fi + + # We create a file for ClamScan to test in debug mode. + test_file="$tmp_dir/test.file" + touch "$test_file" +} + +# Log a couple of debug messages with a summary on some parameters +# +# Usage: log_startup_summary +# +log_startup_summary() +{ + log debug "PHISH_SIGS : $PHISH_SIGS_URL" + log debug "SCAM_SIGS : $SCAM_SIGS_URL" + log debug "SPAM_SIGS : $MSRBL_SPAM_SIGS_URL" + log debug "IMAGE_SIGS : $MSRBL_IMAGE_SIGS_URL" + log debug "ClamScan : $clamscan" + log debug "CURL : $curl" + log debug "GunZip : $gunzip" + log debug "RSync : $rsync" + log debug "ClamAV db dir : $clam_db_dir" + log debug "temp dir : $tmp_dir" +} + +# Sleep for a random time (determined by $min_sleep_time and $max_sleep_time global variables) +# +# Usage: random_sleep +# +random_sleep() +{ + local sleep_time + + sleep_time=$(($RANDOM * $(($max_sleep_time-$min_sleep_time)) / 32767 + $min_sleep_time)) + log debug "Sleeping for $sleep_time seconds..." + sleep $sleep_time +} + +# Find the ClamAV db dir and set the $clam_db_dir global variable +# +# Usage: find_clam_db_dir +# +find_clam_db_dir() +{ + # Scan an empty test file with debug enabled to determine where ClamAV expects + # to find it's signature database + log debug "Checking for ClamAV database directory..." + clam_db_dir=`"$clamscan" --debug "$test_file" 2>&1 | \ + sed -ne 's/\/$//; s/^.*loading databases from \(.*\)$/\1/ip' | head -1` + log debug "Found ClamAV database directory: $clam_db_dir" + + # Check for either the daily.inc, the main.inc dirs or the main.cvd one of which + # must exist for a functional clamav installation + if [ \ + ! -d "$clam_db_dir/daily.inc" -a \ + ! -d "$clam_db_dir/main.inc" -a \ + ! -f "$clam_db_dir/main.cvd" -a \ + ! -f "$clam_db_dir/main.cld" \ + ]; then + log err "None of '$clam_db_dir/daily.inc', '$clam_db_dir/main.inc'," + log err "'$clam_db_dir/main.cvd', '$clam_db_dir/main.cld' found" + log err "in your database directory. Either '$clam_db_dir' is NOT" + log err "the correct database path or there is something wrong with your" + log err "ClamAV installation. This path came from your '$clamscan' so I would guess" + log err "you need to check your clamd.conf file and/or '$clam_db_dir'" + log err "Exiting." + exit 1 + fi +} + +# +# Change owner, group and security context of the signature files. +# +# Usage: chown_chcon sigfiles ... +# +chown_chcon() +{ + local -a sigfiles='("$@")' + + for i in "${sigfiles[@]}"; do + [ -f "$i" ] || continue + + run_cmd chown $sigfile_owner_and_group "$i" + exit_status=$? + if [ $exit_status -ne 0 ]; then + log err "chown had a problem changing ownership of signature file '$i', exit status: $exit_status" + log err "Exiting." + exit 1 + fi + done + + # SELinux fix: change security context + if [ -n "$(type -P sestatus 2>/dev/null)" ] && [ "$(sestatus | head -n 1 | awk '{ print $3 }')" == "enabled" ]; then + for i in "${sigfiles[@]}"; do + [ -f "$i" ] || continue + + run_cmd chcon user_u:object_r:var_t "$i" + exit_status=$? + if [ $exit_status -ne 0 ]; then + log err "chcon had a problem changing security context of signature file '$i', exit status: $exit_status" + log err "Exiting." + exit 1 + fi + done + fi +} + +# Reload the ClamAV daemon +# +# Usage: reload_clamav_daemon +# +reload_clamav_daemon() +{ + local -a clamd_reload_cmd + if [ -n "`type -P service`" ]; then + clamd_reload_cmd=(service clamd reload) + else + for init_script in /etc/{init,rc}.d/{clamd,clamav-daemon}; do + if [ -x "$init_script" ]; then + clamd_reload_cmd=("$init_script" reload-database) + break + fi + done + fi + if [ -n "${clamd_reload_cmd[*]}" ]; then + log info "Reloading ClamAV daemon" + run_cmd "${clamd_reload_cmd[@]}" + else + log err "Cannot reload ClamAV daemon because no initscript found" + return 1 + fi +} + +#################################################################### + + +declare logger clamscan curl gunzip rsync +declare tmp_dir test_file +declare clam_db_dir +declare unprivileged_child=0 +declare no_sleep=0 + +# Skip sleeping if run interactively +if tty -s; then + log debug "Disabling random sleep feature because stdin is a terminal." + no_sleep=1 +fi + +# The short name of this script +readonly program_invocation_short_name=`basename "$0"` + +# The absolute name of this script +readonly program_invocation_absolute_name=$(readlink -f "$0" || type -P "$0") + +# Startup +parse_arguments "$@" +if [ "$unprivileged_child" -eq 0 ]; then + log debug "Starting." +fi +check_for_external_programs +create_temp_dir +find_clam_db_dir +if [ "$unprivileged_child" -eq 0 ]; then + log_startup_summary + if [ "$no_sleep" -eq 0 ]; then + random_sleep + fi +fi + +# Change current directory to ClamAV database directory +# but just for the sake of safety we will use +# absolute paths for copy/move operations +cd "$clam_db_dir" + +declare sigfile_updated=0 +if [ "$unprivileged_child" -ne 0 -o $(id -u) -ne 0 ]; then + # Update/download the signature files + update_sigfile_with_curl "$SCAM_SIGS_URL" "$SCAM_SIGS" && sigfile_updated=1 + update_sigfile_with_curl "$PHISH_SIGS_URL" "$PHISH_SIGS" && sigfile_updated=1 + update_sigfile_with_rsync "$MSRBL_SPAM_SIGS_URL" "$MSRBL_SPAM_SIGS" && sigfile_updated=1 + update_sigfile_with_rsync "$MSRBL_IMAGE_SIGS_URL" "$MSRBL_IMAGE_SIGS" && sigfile_updated=1 +else + # Re-execute the script as the unprivileged user to do the download/check/install part. + # (It exits with 0 exit status only if at least on the signature file were updated.) + su -s $SHELL $unprivileged_user -c "'$program_invocation_absolute_name' --unprivileged-child --syslog-loglevel=$syslog_loglevel --stderr-loglevel=$stderr_loglevel" && sigfile_updated=1 + + # Change owner, group and security context. + chown_chcon "$SCAM_SIGS" "$PHISH_SIGS" "$MSRBL_SPAM_SIGS" "$MSRBL_IMAGE_SIGS" +fi + +# Reload database +if [ $reload_clamd -ne 0 -a $sigfile_updated -ne 0 -a "$unprivileged_child" -eq 0 ]; then + reload_clamav_daemon +fi + +if [ "$unprivileged_child" -eq 0 ]; then + log debug "Exiting." +fi +if [ $sigfile_updated -ne 0 ]; then + final_exit_status=0 +else + final_exit_status=100 +fi +exit $final_exit_status diff --git a/debian/changelog b/debian/changelog index dce42f0..096e484 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +clamav-cn (3:0.94-1) stable; urgency=medium + + * Nova upstream verzija + + -- Ivan Rako Mon, 29 Sep 2008 16:02:06 +0200 + clamav-cn (3:0.93.1-1) stable; urgency=high * Ovisnost o najnovijoj upstream verziji diff --git a/debian/conffiles b/debian/conffiles new file mode 100644 index 0000000..f551f79 --- /dev/null +++ b/debian/conffiles @@ -0,0 +1 @@ +/etc/cron.hourly/clamav-sanesecurity diff --git a/debian/dirs b/debian/dirs new file mode 100644 index 0000000..6066472 --- /dev/null +++ b/debian/dirs @@ -0,0 +1 @@ +etc/cron.hourly diff --git a/debian/install b/debian/install new file mode 100644 index 0000000..f00a5d0 --- /dev/null +++ b/debian/install @@ -0,0 +1 @@ +clamav-sanesecurity etc/cron.hourly -- 1.7.10.4