[ZendTo] Zend.to ClamAV issue
Pedrosi, Derek G.
pedrosi at millercanfield.com
Tue Nov 6 14:59:01 GMT 2018
Looking to close the loop on this…
Below I see that permission is denied on the /var/zendto/drop-offs folder.
This is the permission settings for the failed directory.
drwxr-xr-x 98 www-data www-data 4096 Nov 6 09:27 dropoffs
This equates to 755 permissions; should I simply change this to 775 (rwxrwxr-x)?
Thanks,
derek
From: ZendTo [mailto:zendto-bounces at zend.to] On Behalf Of Pedrosi, Derek G. via ZendTo
Sent: Friday, November 2, 2018 2:48 PM
To: Jules Field <Jules at Zend.To>; ZendTo Users <zendto at zend.to>
Cc: Pedrosi, Derek G. <pedrosi at millercanfield.com>
Subject: Re: [ZendTo] Zend.to ClamAV issue
First…
www-data at Z5:~$ clamdscan /var/zendto/*
/var/zendto/cache: OK
/var/zendto/dropoffs/5dycMCcTHEizrKuu: lstat() failed: Permission denied. ERROR
/var/zendto/dropoffs/Zhu56KMFUV7Rdabf: lstat() failed: Permission denied. ERROR
/var/zendto/dropoffs/GvdsUjMx7X7NKXPn: lstat() failed: Permission denied. ERROR
Many of these drops failed the same way; I omitted them.
/var/zendto/incoming: OK
/var/zendto/library: OK
/var/zendto/rrd: OK
/var/zendto/templates_c: OK
/var/zendto/zendto.log: OK
/var/zendto/zendto.sqlite: OK
Then…
www-data at Z5:~$ clamdscan --fdpass /var/zendto/*
/var/zendto/cache: OK
/var/zendto/dropoffs: OK
/var/zendto/incoming: OK
/var/zendto/library: OK
/var/zendto/rrd: OK
/var/zendto/templates_c: OK
/var/zendto/zendto.log: OK
/var/zendto/zendto.sqlite: OK
----------- SCAN SUMMARY -----------
Infected files: 0
Time: 248.382 sec (4 m 8 s)
www-data at Z5:~$
Here's this…
root at Z5:/var/run# ls -al /var/zendto
total 4512
drwxrwxr-x 8 root www-data 4096 Nov 2 14:37 .
drwxr-xr-x 15 root root 4096 Mar 5 2018 ..
drwxr-xr-x 3 www-data www-data 4096 May 18 13:32 cache
drwxr-xr-x 98 www-data www-data 4096 Nov 2 12:37 dropoffs
drwxr-xr-x 2 www-data www-data 4096 Nov 2 12:37 incoming
drwxr-xr-x 2 www-data www-data 4096 Feb 27 2018 library
drwxr-xr-x 2 www-data www-data 4096 May 31 09:28 rrd
drwxr-xr-x 2 www-data www-data 4096 Jun 21 10:39 templates_c
-rw-r--r-- 1 www-data www-data 4183705 Nov 2 14:37 zendto.log
-rw-rw-r-- 1 www-data www-data 382976 Nov 2 14:37 zendto.sqlite
root at Z5:/var/run#
And /etc/group file entries…
www-data:x:33:clamav
clamav:x:118:www-data
Thanx again,
derek
From: Jules Field [mailto:Jules at Zend.To]
Sent: Friday, November 2, 2018 1:24 PM
To: ZendTo Users <zendto at zend.to>
Cc: Pedrosi, Derek G. <pedrosi at millercanfield.com>
Subject: Re: [ZendTo] Zend.to ClamAV issue
Derek,
# Become root, properly
sudo su -
# Change Apache's login shell to /bin/bash
chsh -s /bin/bash www-data
# Become the Apache user
su - www-data
# Try virus-scanning the /var/zendto directory
clamdscan /var/zendto/*
# And the same again but just using file handles
clamdscan --fdpass /var/zendto/*
# Stop being Apache and revert to being root
exit
# Put Apache's login shell back to what it was
chsh -s /sbin/nologin www-data
# Stop being root
exit
Note the 2 clamav commands are clamdscan and not just clamscan. That's critical. clamdscan makes the clamd service/daemon do the actual scanning.
Send us the output of the clamdscan commands.
Then send us the output of "ls -al /var/zendto" and the lines in your /etc/group file that are anything to do with www-data, apache, virusgroup, clamd, anything like that.
It's probably just the group membership is wrong. This causes a similar problem in CentOS/RedHat 7 as well, things changed there with ClamAV 100. 99 was fine, 100 wasn't.
Cheers,
Jules.
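Derek's question further up (whether the 755 mode on dropoffs has to become 775) and Jules's procedure of running clamdscan as the Apache user both come down to one thing: which mode bits the user clamd runs as actually gets on every component of the path it is asked to scan. The script below is an added example, not code from this thread or from ZendTo. It evaluates classic Unix mode bits for a named user against a small table constructed from the "ls -al /var/zendto" listing and the /etc/group lines Derek posted. The /var entry and the 700 mode on one drop-off subdirectory are assumptions added to show what a blocking component looks like; the clamav user name and all function names are mine. Root, ACLs, SELinux and AppArmor are not modelled, so "ok" from it only means the mode bits are not the problem.

```shell
#!/bin/sh
# Added example (not from the ZendTo list or project): dry-run evaluation of
# classic Unix mode bits for a given user, so a "Permission denied" from clamd
# can be traced to a specific path component without touching the real tree.
# Root (CAP_DAC_OVERRIDE), POSIX ACLs, SELinux and AppArmor are NOT modelled;
# the check is only meaningful for an unprivileged daemon such as clamd.

# bit_set CHAR BIT: succeeds when the mode character CHAR grants BIT.
# 's' and 't' in an execute slot still grant search/execute.
bit_set() {
    case "$1$2" in xx|sx|tx|rr|ww) return 0 ;; *) return 1 ;; esac
}

# perm_check MODE OWNER GROUP BIT USER GROUPS...
# MODE is an `ls -l` string such as drwxr-xr-x, BIT is r, w or x, and GROUPS
# lists every group USER belongs to (primary group included). Prints the
# class that granted access (owner, group, other) and returns 0, or prints
# "denied" and returns 1. Unix semantics: if the user is the owner only the
# owner bits count, otherwise if the user is in the group only the group bits
# count, otherwise the "other" bits decide.
perm_check() {
    local mode owner group bit user oi gi wi g c
    mode=$1; owner=$2; group=$3; bit=$4; user=$5
    shift 5
    case $bit in
        r) oi=2; gi=5; wi=8 ;;
        w) oi=3; gi=6; wi=9 ;;
        x) oi=4; gi=7; wi=10 ;;
        *) echo "bad bit: $bit" >&2; return 2 ;;
    esac
    if [ "$user" = "$owner" ]; then
        c=$(printf '%s' "$mode" | cut -c"$oi")
        if bit_set "$c" "$bit"; then echo owner; return 0; fi
        echo denied; return 1
    fi
    for g in "$@"; do
        if [ "$g" = "$group" ]; then
            c=$(printf '%s' "$mode" | cut -c"$gi")
            if bit_set "$c" "$bit"; then echo group; return 0; fi
            echo denied; return 1
        fi
    done
    c=$(printf '%s' "$mode" | cut -c"$wi")
    if bit_set "$c" "$bit"; then echo other; return 0; fi
    echo denied; return 1
}

# path_check TREE PATH USER GROUPS...
# Walks PATH one component at a time against TREE (lines of
# "path mode owner group"), requiring x (search) on every ancestor and r on
# the final entry, which is what clamd needs when handed a path to scan.
# Prints "ok", or the first blocking component, and returns accordingly.
path_check() {
    local tree target user groups prefix rest comp entry need
    tree=$1; target=$2; user=$3
    shift 3
    groups=$*
    prefix=""
    rest=${target#/}
    while [ -n "$rest" ]; do
        comp=${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest="" ;; esac
        prefix="$prefix/$comp"
        entry=$(printf '%s\n' "$tree" | awk -v p="$prefix" '$1 == p { print $2, $3, $4 }')
        if [ -z "$entry" ]; then echo "unknown path: $prefix"; return 2; fi
        set -- $entry   # now $1=mode $2=owner $3=group
        if [ -n "$rest" ]; then need=x; else need=r; fi
        if ! perm_check "$1" "$2" "$3" "$need" "$user" $groups >/dev/null; then
            echo "denied at $prefix (user $user lacks $need on $1 $2:$3)"
            return 1
        fi
    done
    echo ok
    return 0
}

# Constructed from the "ls -al /var/zendto" listing in the thread. Two entries
# are assumptions: /var as a stock 755 root:root, and one drop-off directory
# given a hypothetical 700 mode to show what a blocking component looks like.
ZENDTO_TREE='
/var                                  drwxr-xr-x root     root
/var/zendto                           drwxrwxr-x root     www-data
/var/zendto/dropoffs                  drwxr-xr-x www-data www-data
/var/zendto/dropoffs/5dycMCcTHEizrKuu drwx------ www-data www-data
/var/zendto/incoming                  drwxr-xr-x www-data www-data
'

# Demo: clamd runs as "clamav", whose groups per the /etc/group lines in the
# thread are clamav (primary) and www-data.
demo() {
    for p in /var/zendto/dropoffs /var/zendto/dropoffs/5dycMCcTHEizrKuu; do
        printf '%-40s %s\n' "$p" "$(path_check "$ZENDTO_TREE" "$p" clamav clamav www-data)"
    done
}
demo
```

This also explains why the --fdpass run in the thread succeeded where the plain run failed: with --fdpass, clamdscan (running as www-data) opens each file itself and passes the open descriptor to clamd over the socket, so clamd's own permissions on the path are never consulted. Without --fdpass, clamd must traverse and read the path as its own user, which is exactly what this evaluator checks.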
On 02/11/2018 15:33, Pedrosi, Derek G. via ZendTo wrote:
I'm still having this issue with ClamAV, and my *nix skills are horrible.
Can I get the simple version of what I'm to do with "chsh www-data", as I've been running without AV for several months?
My Apache user is indeed "www-data".
Thanks,
derek
From: ZendTo [mailto:zendto-bounces at zend.to] On Behalf Of Keith Erekson via ZendTo
Sent: Thursday, October 25, 2018 12:14 PM
To: ZendTo Users <zendto at zend.to>
Cc: Keith Erekson <kbe2 at lehigh.edu>
Subject: Re: [ZendTo] Zend.to error during drop-off
Easier to use "chsh www-data" or whatever your Apache user is.
~Keith
On Oct 25, 2018, at 11:41 AM, Jules Field via ZendTo <zendto at zend.to> wrote:
Edit your /etc/passwd file to set the shell for your Apache user to /bin/bash.
Then "pwconv" so the change takes effect.
Then try this
su - apache (or whatever user your Apache is running as)
clamdscan /var/zendto/*
clamdscan --fdpass /var/zendto/*
exit
What happened? Did the virus scans both complete successfully?
If not, and you're running CentOS/RedHat 7, try this and then give the above another try:
groupmems --group virusgroup --add apache
systemctl restart httpd
I added that extra groupmems command to the Installer a day or two ago when I discovered that RedHat/CentOS had changed their group membership rules in an update.
Any improvement?
Cheers,
Jules.
P.S. Otherwise, if you can give me remote ssh access I can login myself and take a look for you. I would be interested to see what it is, if it's not any of the above.
On 25/10/2018 16:22, Ken Etter wrote:
Yep, PHP 7.2 is installed. I've run through the installer multiple times now. No change, still get the error.
Ken
>>> Jules Field <Jules at Zend.To> 10/25/2018 11:15 AM >>>
> Do you have PHP 7.2 installed?
My Installer can be run in stages, and those stages can be run independently.
So you might want to download the Installer, unpack it and wander into it. In what will obviously be the right sub-dir for your OS, you will see the numbered scripts.
# cd install.ZendTo/CentOS-RedHat/
# ls
1-devtools.sh 3-clamav.sh 5-httpd-php.sh 7-zendto.sh CentOS6 RHEL7
2-php.sh 4-firewall.sh 6-email.sh 8-selinux.sh RHEL5
#
If your web server is already working nicely, then you can probably skip stage 1 (though it won't do any harm).
If you haven't installed PHP 7.2 along with things like the sodium extension, then run stage 2 which installs PHP. (Grab a backup copy of your ZendTo installation first, as it may have to remove the *whole* of PHP first which can also remove ZendTo and other PHP applications in the process, before it can install the correct version).
Stages 3 and 5 shouldn't do any damage, but will add any new settings they need for PHP and so on.
Stage 7 does the actual ZendTo installation itself, which it will do as an upgrade if it finds a zendto RPM already installed. Well worth running.
Stage 8 is only relevant if you are using SELinux, and won't do anything if you're not.
Since version 4, ZendTo no longer needs any form of custom-built PHP or anything like that. So there's no recompiling to be done.
Then if you have a previous preferences.php and/or zendto.conf, you need to use
/opt/zendto/bin/upgrade_preferences_php
and
/opt/zendto/bin/upgrade_zendto_conf
to upgrade those files.
Also, if you have done an RPM upgrade from ZendTo 4, you probably have a whole stack of *.rpmnew files in /opt/zendto/templates. You want to move each of those into place so they replace your old *.tpl files.
As I said, it really is faster/easier/better to build v5 from scratch, its requirements are so different from v4.
Hope that helps,
Jules.
On 25/10/2018 15:59, Ken Etter wrote:
None of that helps. I'm building a new system. This is a production system. I never had problems in the past with upgrading so I went ahead and did it. Bad move. Unless anyone has any other ideas, I will just keep working on setting up the new system. I have to get something running again for my users.
Ken
>>> Jules Field via ZendTo <zendto at zend.to> 10/25/2018 10:53 AM >>>
> Yes, those directories do need to be writable by whatever user and group your web server is running as.
If you are using SELinux (most likely if you are using CentOS or RedHat), then I would also advise
restorecon -FRv /opt/zendto /var/zendto
to reset all the SELinux attributes to the values configured by my Installer.
Also, if you think it might be an SELinux problem, you can switch it into "permissive" mode by
setenforce permissive
systemctl restart httpd
systemctl restart clamd@scan
To switch it back to "enforcing", you then do
setenforce enforcing
systemctl restart httpd
systemctl restart clamd@scan
Cheers,
Jules.
On 25/10/2018 14:31, Gray McCord via ZendTo wrote:
I’ve seen that message as well. Check the file permissions on the /opt/zendto directories. Seems like I needed to make them writeable by the apache user, but I could be mistaken.
Gray McCord
Adapt, Mutate, Migrate, or Die
-C. Darwin
From: ZendTo <zendto-bounces at zend.to> On Behalf Of Ken Etter via ZendTo
Sent: Thursday, October 25, 2018 8:26 AM
To: ZendTo List <zendto at zend.to>
Cc: Ken Etter <KLE at msktd.com>
Subject: Re: [ZendTo] Zend.to error during drop-off
Going back through the mailing list archives, I see that I am having exactly the same problem as Kevin O'Connor in this thread: http://jul.es/pipermail/zendto/2018-June/003208.html
Files are uploaded, but I get that error message and the email is not sent.
There is no stated resolution in that thread. Any suggestions or do I have to rebuild a brand new Zend.To server?
Zend.To has been fairly solid for me...a bit of a pain to find this upgrade to be so fragile.
Ken
>>> Ken Etter via ZendTo <zendto at zend.to> 10/25/2018 8:38 AM >>>
I am running this on Ubuntu 16.04.5 LTS if that matters.
Ken
>>> Ken Etter via ZendTo <zendto at zend.to> 10/25/2018 8:36 AM >>>
Just upgraded my Zend.To installation from 4.x to 5.15-1. Everything appeared to go ok. But when I click drop-off files, I get an error that states: "Sorry, I failed to drop-off your files! Note that you cannot drop-off directories, only files." I'm not dropping off a directory, just a single file. I tried a couple different file types - same error each time. Any suggestions for fixing this? Thanks!
Ken Etter, System Administrator
Architectural Group
260.432.9337 | msktd.com
_______________________________________________
ZendTo mailing list
ZendTo at zend.to
http://jul.es/mailman/listinfo/zendto
Jules
--
Julian Field MEng CEng CITP MBCS MIEEE MACM
'The past is supposed to be a place of reference, not a place of
residence! There is a reason why your car has a big windshield and
a small rearview mirror. You are supposed to keep your eyes on where
you are going, and just occasionally check out where you have been.'
- Willie Jolley
www.Zend.To
Twitter: @JulesFM
Jules
--
Julian Field MEng CEng CITP MBCS MIEEE MACM
IMPORTANT: This email is intended for the use of the individual
addressee(s) named above and may contain information that is
confidential, privileged or unsuitable for overly sensitive persons
with low self-esteem, no sense of humour or irrational religious
beliefs. If you are not the intended recipient, any dissemination,
distribution or copying of this email is not authorised (either
explicitly or implicitly) and constitutes an irritating social faux
pas.
Unless the word absquatulation has been used in its correct context
somewhere other than in this warning, it does not have any legal
or no grammatical use and may be ignored. No animals were harmed
in the transmission of this email, although the kelpie next door
is living on borrowed time, let me tell you. Those of you with an
overwhelming fear of the unknown will be gratified to learn that
there is no hidden message revealed by reading this warning backwards,
so just ignore that Alert Notice from Microsoft.
However, by pouring a complete circle of salt around yourself and
your computer you can ensure that no harm befalls you and your pets.
If you have received this email in error, please add some nutmeg
and egg whites, whisk and place in a warm oven for 40 minutes.
www.Zend.To
Twitter: @JulesFM
Jules
--
Julian Field MEng CEng CITP MBCS MIEEE MACM
'It's very unlikely indeed he will ever recover consciousness, and
if he does he won't be the Julian you knew.'
- A hospital consultant I proved very wrong in 2007 :-)
www.Zend.To
Twitter: @JulesFM
Jules
--
Julian Field MEng CEng CITP MBCS MIEEE MACM
'If I were a Brazilian without land or money or the means to feed
my children, I would be burning the rain forest too.' - Sting
www.Zend.To
Twitter: @JulesFM