[ZendTo] {Disarmed} Re: Zend.to ClamAV issue
Jules Field
Jules at Zend.To
Mon Nov 12 17:02:22 GMT 2018
On 07/11/2018 17:24, Gray McCord via ZendTo wrote:
>
> It’s likely that the clamscan user does not have write access to
> /var/zendto/drop-offs. I think it is clamd that actually writes the
> file to the drop-off folder once it’s been analyzed, and as such needs
> write permission to do so.
>
No it's not. ZendTo writes files. clamd only reads them.
clamd needs to be able to read the contents of the /var/zendto/incoming
directory (and the files in there).
There was a change in ClamAV x.x.100 (can't remember what the values of
x.x are, it's the 100 that's the important bit).
You need to add a user to a group.
On CentOS / RedHat, it's this:
groupmems --group virusgroup --add apache
On Ubuntu / Debian, it should be something very similar. Check your
/etc/group file for a "virusgroup" group. If that exists, then you
probably want
groupmems --group virusgroup --add www-data
Then restart Apache and clamd and see if that helps.
Cheers,
Jules.
> I suggest two things
>
> Give the “www-data” group write access to the drop-offs directory
>
> Add the “clamscan” user to the “www-data” group so that clamd can
> write to the drop-offs folder (check to make sure that “clamscan” is
> your clam user.)
>
> Good Luck!
>
> Gray
>
> Gray McCord
>
> /Adapt, Mutate, Migrate, or Die/
>
> -C. Darwin
>
> *From: *ZendTo <zendto-bounces at zend.to> on behalf of Scott Silva via
> ZendTo <zendto at zend.to>
> *Reply-To: *ZendTo Users <zendto at zend.to>
> *Date: *Tuesday, November 6, 2018 at 12:17 PM
> *To: *'ZendTo Users' <zendto at zend.to>
> *Cc: *Scott Silva <ssilva at sgvwater.com>
> *Subject: *{Disarmed} Re: [ZendTo] Zend.to ClamAV issue
>
> As far as I remember, that user and or group needs at least r or x
> access up to the top level or it can’t get to that directory. Maybe I
> am remembering wrong…
>
> So would probably need at least group access all the way to /var
>
> I could be wrong, and if I am I’m sure someone will correct me…
>
> *From:* ZendTo [mailto:zendto-bounces at zend.to] *On Behalf Of *Pedrosi,
> Derek G. via ZendTo
> *Sent:* Tuesday, November 6, 2018 7:00 AM
> *To:* ZendTo Users <zendto at zend.to>; Jules Field <Jules at Zend.To>
> *Cc:* Pedrosi, Derek G. <pedrosi at millercanfield.com>
> *Subject:* Re: [ZendTo] Zend.to ClamAV issue
>
> Looking to close the loop on this…
>
> Below I see that permission is denied on the /var/zendto/drop-offs folder.
>
> This is the permission settings for the failed directory.
>
> drwxr-xr-x 98 www-data www-data 4096 Nov 6 09:27 dropoffs
>
> This equates to 755 permissions, should I simply change this to 775
> (rwxrwxr-x)?
>
> Thanks,
>
> derek
>
> *From:* ZendTo [mailto:zendto-bounces at zend.to] *On Behalf Of *Pedrosi,
> Derek G. via ZendTo
> *Sent:* Friday, November 2, 2018 2:48 PM
> *To:* Jules Field <Jules at Zend.To <mailto:Jules at Zend.To>>; ZendTo Users
> <zendto at zend.to <mailto:zendto at zend.to>>
> *Cc:* Pedrosi, Derek G. <pedrosi at millercanfield.com
> <mailto:pedrosi at millercanfield.com>>
> *Subject:* Re: [ZendTo] Zend.to ClamAV issue
>
> First…
>
> www-data@Z5:~$ clamdscan /var/zendto/*
> /var/zendto/cache: OK
> /var/zendto/dropoffs/5dycMCcTHEizrKuu: lstat() failed: Permission denied. ERROR
> /var/zendto/dropoffs/Zhu56KMFUV7Rdabf: lstat() failed: Permission denied. ERROR
> /var/zendto/dropoffs/GvdsUjMx7X7NKXPn: lstat() failed: Permission denied. ERROR
>
> Many of these drops failed the same way; I omitted them.
>
> /var/zendto/incoming: OK
> /var/zendto/library: OK
> /var/zendto/rrd: OK
> /var/zendto/templates_c: OK
> /var/zendto/zendto.log: OK
> /var/zendto/zendto.sqlite: OK
>
> Then…
>
> www-data@Z5:~$ clamdscan --fdpass /var/zendto/*
> /var/zendto/cache: OK
> /var/zendto/dropoffs: OK
> /var/zendto/incoming: OK
> /var/zendto/library: OK
> /var/zendto/rrd: OK
> /var/zendto/templates_c: OK
> /var/zendto/zendto.log: OK
> /var/zendto/zendto.sqlite: OK
>
> ----------- SCAN SUMMARY -----------
> Infected files: 0
> Time: 248.382 sec (4 m 8 s)
> www-data@Z5:~$
>
> Here's this…
>
> root@Z5:/var/run# ls -al /var/zendto
> total 4512
> drwxrwxr-x  8 root     www-data    4096 Nov  2 14:37 .
> drwxr-xr-x 15 root     root        4096 Mar  5  2018 ..
> drwxr-xr-x  3 www-data www-data    4096 May 18 13:32 cache
> drwxr-xr-x 98 www-data www-data    4096 Nov  2 12:37 dropoffs
> drwxr-xr-x  2 www-data www-data    4096 Nov  2 12:37 incoming
> drwxr-xr-x  2 www-data www-data    4096 Feb 27  2018 library
> drwxr-xr-x  2 www-data www-data    4096 May 31 09:28 rrd
> drwxr-xr-x  2 www-data www-data    4096 Jun 21 10:39 templates_c
> -rw-r--r--  1 www-data www-data 4183705 Nov  2 14:37 zendto.log
> -rw-rw-r--  1 www-data www-data  382976 Nov  2 14:37 zendto.sqlite
> root@Z5:/var/run#
>
> And /etc/group file entries…
>
> www-data:x:33:clamav
> clamav:x:118:www-data
>
> Thanx again,
>
> derek
>
> *From:* Jules Field [mailto:Jules at Zend.To]
> *Sent:* Friday, November 2, 2018 1:24 PM
> *To:* ZendTo Users <zendto at zend.to <mailto:zendto at zend.to>>
> *Cc:* Pedrosi, Derek G. <pedrosi at millercanfield.com
> <mailto:pedrosi at millercanfield.com>>
> *Subject:* Re: [ZendTo] Zend.to ClamAV issue
>
> Derek,
>
> # Become root, properly
> sudo su -
> # Change Apache's login shell to /bin/bash
> chsh -s /bin/bash www-data
> # Become the Apache user
> su - www-data
> # Try virus-scanning the /var/zendto directory
> clamdscan /var/zendto/*
> # And the same again but just using file handles
> clamdscan --fdpass /var/zendto/*
> # Stop being Apache and revert to being root
> exit
> # Put Apache's login shell back to what it was
> chsh -s /sbin/nologin www-data
> # Stop being root
> exit
>
> Note the 2 clamav commands are clam*d*scan and not just clamscan.
> That's critical. clamdscan makes the clamd service/daemon do the
> actual scanning.
>
> Send us the output of the clamdscan commands.
>
> Then send us the output of "ls -al /var/zendto" and the lines in your
> /etc/group file that are anything to do with www-data, apache,
> virusgroup, clamd, anything like that.
>
> It's probably just that the group membership is wrong. This causes a
> similar problem in CentOS/RedHat 7 as well; things changed there with
> ClamAV 100. 99 was fine, 100 wasn't.
>
> Cheers,
> Jules.
>
> On 02/11/2018 15:33, Pedrosi, Derek G. via ZendTo wrote:
>
> I’m still having this issue with ClamAV, and my *nix skills are
> horrible.
>
> Can I get the simple version of what I’m to do with "chsh
> www-data", as I’ve been running without AV for several months.
>
> My apache user is indeed “www-data”.
>
> Thanks,
>
> derek
>
> *From:* ZendTo [mailto:zendto-bounces at zend.to] *On Behalf Of
> *Keith Erekson via ZendTo
> *Sent:* Thursday, October 25, 2018 12:14 PM
> *To:* ZendTo Users <zendto at zend.to> <mailto:zendto at zend.to>
> *Cc:* Keith Erekson <kbe2 at lehigh.edu> <mailto:kbe2 at lehigh.edu>
> *Subject:* Re: [ZendTo] Zend.to error during drop-off
>
> Easier to use "chsh www-data" or whatever your Apache user is.
>
> ~Keith
>
>
> On Oct 25, 2018, at 11:41 AM, Jules Field via ZendTo
> <zendto at zend.to <mailto:zendto at zend.to>> wrote:
>
> Edit your /etc/passwd file to set the shell for your Apache
> user to /bin/bash.
> Then "pwconv" so the change takes effect.
> Then try this
> su - apache (or whatever user your Apache is running as)
> clamdscan /var/zendto/*
> clamdscan --fdpass /var/zendto/*
> exit
> What happened? Did the virus scans both complete successfully?
>
> If not, and you're running CentOS/RedHat 7, try this and then
> give the above another try:
> groupmems --group virusgroup --add apache
> systemctl restart httpd
>
> I added that extra groupmems command to the Installer a day or
> two ago when I discovered that RedHat/CentOS had changed their
> group membership rules in an update.
>
> Any improvement?
>
> Cheers,
> Jules.
>
> P.S. Otherwise, if you can give me remote ssh access I can
> login myself and take a look for you. I would be interested to
> see what it is, if it's not any of the above.
>
> On 25/10/2018 16:22, Ken Etter wrote:
>
> Yep, PHP 7.2 is installed. I've run through the installer
> multiple times now. No change, still get the error.
>
> Ken
>
> >>> Jules Field <Jules at Zend.To>
> <mailto:Jules at Zend.To>10/25/2018 11:15 AM >>>
>
> > Do you have PHP 7.2 installed?
>
> My Installer can be run in stages, and those stages can be
> run independently.
>
> So you might want to download the Installer, unpack it and
> wander into it. In what will obviously be the right
> sub-dir for your OS, you will see the numbered scripts.
>
> # cd install.ZendTo/CentOS-RedHat/
>
> # ls
>
> 1-devtools.sh 3-clamav.sh 5-httpd-php.sh 7-zendto.sh
> CentOS6 RHEL7
>
> 2-php.sh 4-firewall.sh 6-email.sh 8-selinux.sh RHEL5
>
> #
>
> If your web server is already working nicely, then you can
> probably skip stage 1 (though it won't do any harm).
>
> If you haven't installed PHP 7.2 along with things like
> the sodium extension, then run stage 2 which installs PHP.
> (Grab a backup copy of your ZendTo installation first, as
> it may have to remove the *whole* of PHP first which can
> also remove ZendTo and other PHP applications in the
> process, before it can install the correct version).
>
> Stages 3 and 5 shouldn't do any damage, but will add any
> new settings they need for PHP and so on.
>
> Stage 7 does the actual ZendTo installation itself, which
> it will do as an upgrade if it finds a zendto RPM already
> installed. Well worth running.
>
> Stage 8 is only relevant if you are using SELinux, and
> won't do anything if you're not.
>
> Since version 4, ZendTo no longer needs any form of
> custom-built PHP or anything like that. So there's no
> recompiling to be done.
>
> Then if you have a previous preferences.php and/or
> zendto.conf, you need to use
>
> /opt/zendto/bin/upgrade_preferences_php
>
> and
>
> /opt/zendto/bin/upgrade_zendto_conf
>
> to upgrade those files.
>
> Also, if you have done an RPM upgrade from ZendTo 4, you
> probably have a whole stack of *.rpmnew files in
> /opt/zendto/templates. You want to move each of those into
> place so they replace your old *.tpl files.
>
> As I said, it really is faster/easier/better to build v5
> from scratch, its requirements are so different from v4.
>
> Hope that helps,
>
> Jules.
>
> On 25/10/2018 15:59, Ken Etter wrote:
>
> None of that helps. I'm building a new system. This is
> a production system. I never had problems in the past
> with upgrading so I went ahead and did it. Bad move.
> Unless anyone has any other ideas, I will just keep
> working on setting up the new system. I have to get
> something running again for my users.
>
> Ken
>
> >>> Jules Field via ZendTo <zendto at zend.to>
> <mailto:zendto at zend.to>10/25/2018 10:53 AM >>>
>
> > Yes, those directories do need to be writable by
> whatever user and group your web server is running as.
>
> If you are using SELinux (most likely if you are using
> CentOS or RedHat), then I would also advise
>
> restorecon -FRv /opt/zendto /var/zendto
>
> to reset all the SELinux attributes to the values
> configured by my Installer.
>
> Also, if you think it might be an SELinux problem, you
> can switch it into "permissive" mode by
>
> setenforce permissive
>
> systemctl restart httpd
>
> systemctl restart clamd@scan
>
> To switch it back to "enforcing", you then do
>
> setenforce enforcing
>
> systemctl restart httpd
>
> systemctl restart clamd@scan
>
> Cheers,
>
> Jules.
>
> On 25/10/2018 14:31, Gray McCord via ZendTo wrote:
>
> I’ve seen that message as well. Check the file
> permissions on the /opt/zendto directories. Seems
> like I needed to make them writeable by the apache
> user, but I could be mistaken.
>
> Gray McCord
>
> /Adapt, Mutate, Migrate, or Die/
>
> -C. Darwin
>
> *From:*ZendTo <zendto-bounces at zend.to>
> <mailto:zendto-bounces at zend.to>*On Behalf Of *Ken
> Etter via ZendTo
> *Sent:* Thursday, October 25, 2018 8:26 AM
> *To:* ZendTo List <zendto at zend.to>
> <mailto:zendto at zend.to>
> *Cc:* Ken Etter <KLE at msktd.com> <mailto:KLE at msktd.com>
> *Subject:* Re: [ZendTo] Zend.to error during drop-off
>
> Going back through the mailing list archives, I
> see that I am having exactly the same problem as
> Kevin O'Connor in this thread:
> http://jul.es/pipermail/zendto/2018-June/003208.html
>
> Files are uploaded, but I get that error message
> and the email is not sent.
>
> There is no stated resolution in that thread. Any
> suggestions or do I have to rebuild a brand new
> Zend.To server?
>
> Zend.To has been fairly solid for me...a bit of a
> pain to find this upgrade to be so fragile.
>
> Ken
>
> >>> Ken Etter via ZendTo <zendto at zend.to <mailto:zendto at zend.to>>
> 10/25/2018 8:38 AM >>>
>
> I am running this on Ubuntu 16.04.5 LTS if that
> matters.
>
>
> Ken
>
> >>> Ken Etter via ZendTo <zendto at zend.to <mailto:zendto at zend.to>>
> 10/25/2018 8:36 AM >>>
>
> Just upgraded my Zend.To installation from 4.x to
> 5.15-1. Everything appeared to go ok. But when I
> click drop-off files, I get an error that states:
> "Sorry, I failed to drop-off your files! Note that
> you cannot drop-off directories, only files." I'm
> not dropping off a directory, just a single file.
> I tried a couple different file types - same error
> each time. Any suggestions for fixing this? Thanks!
>
>
>
>
> *Ken Etter*, System Administrator
>
> Architectural Group
>
> 260.432.9337 | msktd.com
>
> _______________________________________________
> ZendTo mailing list
> ZendTo at zend.to
> http://jul.es/mailman/listinfo/zendto
>
> Jules
>
> --
>
> Julian Field MEng CEng CITP MBCS MIEEE MACM
>
> 'The past is supposed to be a place of reference, not
> a place of
>
> residence! There is a reason why your car has a big
> windshield and
>
> a small rearview mirror. You are supposed to keep your
> eyes on where
>
> you are going, and just occasionally check out where
> you have been.'
>
> - Willie Jolley
>
> www.Zend.To <http://www.Zend.To>
>
> Twitter: @JulesFM
>
Jules
--
Julian Field MEng CEng CITP MBCS MIEEE MACM
'There is one thing stronger than all the armies in the world;
and that is an idea whose time has come.'
www.Zend.To
Twitter: @JulesFM
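Added example, not code from the thread or from ZendTo: it models the point made above that the account clamd runs as needs search (x) permission on every directory from / down to the drop-off and read permission on the target, and reports the first component that denies it. The sample chain is constructed from the ls -al listing quoted in the thread; the mode of /, the 0750 mode of the per-drop-off subdirectory, the classic-DAC-only model (no ACLs, SELinux or AppArmor) and the uid-0 bypass are assumptions.

```python
import os
import stat

# Classic Unix owner/group/other bits only; ACLs, SELinux/AppArmor and
# capabilities are not modelled (assumption). uid 0 is treated as bypassing.

def _allows(mode, st_uid, st_gid, uid, gids, want):
    """True if the mode bits grant 'r' or 'x' to the identity (uid, gids)."""
    if uid == 0:
        return True
    if uid == st_uid:
        r_bit, x_bit = stat.S_IRUSR, stat.S_IXUSR
    elif st_gid in gids:
        r_bit, x_bit = stat.S_IRGRP, stat.S_IXGRP
    else:
        r_bit, x_bit = stat.S_IROTH, stat.S_IXOTH
    return bool(mode & (r_bit if want == "r" else x_bit))

def first_denied(chain, uid, gids):
    """chain: [(path, st_mode, st_uid, st_gid), ...] from / down to the target.
    Parents need x; the target needs r, plus x if it is a directory to be
    listed and lstat()ed. Returns the first denying path, or None."""
    for i, (path, mode, st_uid, st_gid) in enumerate(chain):
        last = i == len(chain) - 1
        needed = ("r", "x") if last and stat.S_ISDIR(mode) else ("r",) if last else ("x",)
        for want in needed:
            if not _allows(mode, st_uid, st_gid, uid, gids, want):
                return path
    return None

def chain_for(path):
    """Build a chain from the live filesystem (not used by the test)."""
    chain, cur = [], ""
    for part in os.path.abspath(path).split(os.sep):
        cur = os.path.join(cur, part) if part else os.sep
        st = os.lstat(cur)
        chain.append((cur, st.st_mode, st.st_uid, st.st_gid))
    return chain

def identity(username):
    """uid and gid set as a daemon sees them at start-up; a clamd started
    before a groupmems change keeps the old set until restarted."""
    import grp, pwd
    pw = pwd.getpwnam(username)
    return pw.pw_uid, {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}

# Constructed from the ls -al listing quoted in the thread. The mode of / and
# the 0750 mode of the per-drop-off subdirectory are assumptions.
ROOT, WWW_DATA, CLAMAV = 0, 33, 118
SAMPLE_CHAIN = [
    ("/", 0o040755, ROOT, ROOT),
    ("/var", 0o040755, ROOT, ROOT),
    ("/var/zendto", 0o040775, ROOT, WWW_DATA),
    ("/var/zendto/dropoffs", 0o040755, WWW_DATA, WWW_DATA),
    ("/var/zendto/dropoffs/5dycMCcTHEizrKuu", 0o040750, WWW_DATA, WWW_DATA),
]
```

On a live host, `first_denied(chain_for("/var/zendto/dropoffs"), *identity("clamav"))` performs the same check against the real tree, assuming the clamd account is named clamav.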