diff --git a/debian/rmilter.init b/debian/rmilter.init index 800f610..ddc2350 100644 --- a/debian/rmilter.init +++ b/debian/rmilter.init @@ -13,8 +13,6 @@ # Description: another spam-defense service ### END INIT INFO - - # Based on skeleton by Miquel van Smoorenburg and Ian Murdock PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin @@ -25,8 +23,7 @@ DESC="Rmilter Mail Filter Daemon" PIDFILE="/var/run/$NAME.pid" PNAME="rmilter" USER="rmilter" -SOCKET=/var/lib/rmilter/rmilter.sock - +SOCKET=/var/spool/postfix/rmilter/rmilter.sock [ -x $DAEMON ] || DAEMON=/usr/sbin/rmilter [ -x $DAEMON ] || exit 0 @@ -68,7 +65,7 @@ set -e case "$1" in start) echo -n "Starting $DESC: " - rm -f /var/lib/rmilter/rmilter.sock + rm -f $SOCKET start-stop-daemon --start --background --make-pidfile --pidfile $PIDFILE \ --chuid $USER --name $PNAME $NICE --oknodo --startas $DAEMON -- \ $OPTIONS $DOPTIONS @@ -78,27 +75,21 @@ case "$1" in stop) echo -n "Stopping $DESC: " start-stop-daemon --stop --pidfile $PIDFILE --name $PNAME --oknodo - rm -f /var/lib/rmilter/rmilter.sock + rm -f $SOCKET echo "$NAME." ;; - restart|force-reload) - echo -n "Restarting $DESC: " - start-stop-daemon --stop --pidfile $PIDFILE --name $PNAME \ - --retry 5 --oknodo - rm -f /var/lib/rmilter/rmilter.sock - start-stop-daemon --start --background --make-pidfile --pidfile $PIDFILE \ - --chuid $USER --name $PNAME $NICE --oknodo --startas $DAEMON -- \ - $OPTIONS $DOPTIONS - + reload) + echo -n "Reloading $DESC: " + kill -HUP `cat $PIDFILE` echo "$NAME." ;; - reload) + restart|force-reload) echo -n "Restarting $DESC: " start-stop-daemon --stop --pidfile $PIDFILE --name $PNAME \ --retry 5 --oknodo - rm -f /var/lib/rmilter/rmilter.sock + rm -f $SOCKET start-stop-daemon --start --background --make-pidfile --pidfile $PIDFILE \ --chuid $USER --name $PNAME $NICE --oknodo --startas $DAEMON -- \ $OPTIONS $DOPTIONS diff --git a/include/cfg_file.h b/include/cfg_file.h index 1d172e3..7a800d9 100644 --- a/include/cfg_file.h 
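Review bot: In the `start)` branch of the `@@ -68` hunk, `rm -f $SOCKET` runs before start-stop-daemon has decided whether an instance is already running, so a second `start` on a live daemon unlinks the socket Postfix is using while `--oknodo` then declines to start a replacement, leaving rmilter running but unreachable; the removal should be gated on the daemon actually being started, e.g. `start-stop-daemon --start --test --quiet --pidfile $PIDFILE --name $PNAME >/dev/null && rm -f $SOCKET` (`--test` reports the action without performing it). `$SOCKET` now lives under `/var/spool/postfix/rmilter/`, a directory that neither this script nor any visible hunk creates, so presumably the package must create it with ownership the `rmilter` user can write to before the daemon's bind can succeed — a `mkdir -p`/`chown` here or a comment naming where it is created would make that dependency explicit. The variable is also expanded unquoted in a command run as root; `rm -f "$SOCKET"` costs nothing and guards against a future path containing spaces.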
+++ b/include/cfg_file.h @@ -248,10 +248,12 @@ struct config_file { char *temp_dir; char *sock_cred; + unsigned int sock_cred_mode; size_t sizelimit; struct clamav_server clamav_servers[MAX_CLAMAV_SERVERS]; size_t clamav_servers_num; + unsigned int clamav_file_mode; unsigned int clamav_error_time; unsigned int clamav_dead_time; unsigned int clamav_maxerrors; diff --git a/src/cfg_file.l b/src/cfg_file.l index 2d56529..c1593d7 100644 --- a/src/cfg_file.l +++ b/src/cfg_file.l @@ -189,6 +189,7 @@ spam_server return SPAM_SERVER; error_time return ERROR_TIME; dead_time return DEAD_TIME; maxerrors return MAXERRORS; +file_mode return FILE_MODE; connect_timeout return CONNECT_TIMEOUT; port_timeout return PORT_TIMEOUT; results_timeout return RESULTS_TIMEOUT; @@ -223,6 +224,7 @@ sha256 return DKIM_SHA256; protocol return PROTOCOL; spf_domains return SPF; bind_socket return BINDSOCK; +bind_socket_mode return BINDSOCK_MODE; max_size return MAXSIZE; use_dcc return USEDCC; greylisting return GREYLISTING; @@ -270,10 +272,11 @@ yes|YES|no|NO|[yY]|[nN] yylval.flag=parse_flag(yytext); return FLAG; \n /* ignore EOL */; [ \t]+ /* ignore whitespace */; \".+\" yylval.string=strdup(yytext); return QUOTEDSTRING; -[0-9]+ yylval.number=strtol(yytext, NULL, 10); return NUMBER; +[1-9][0-9]+ yylval.number=strtol(yytext, NULL, 10); return NUMBER; +0[xX][0-9a-fA-F]+|0[0-7]+ yylval.number=strtoul(yytext, NULL, 0); return NUMBER; [0-9]+\.[0-9]* yylval.frac=strtod(yytext, NULL); return FLOAT; [0-9]+[kKmMgG]? yylval.limit=parse_limit(yytext); return SIZELIMIT; -[0-9]+[sShHdD]|[0-9]+[mM][sS] yylval.seconds=parse_seconds(yytext); return SECONDS; +[0-9]+[sSmMhHdD]? yylval.seconds=parse_seconds(yytext); return SECONDS; [0-9]+:[0-9]+[.]?[0-9]* parse_bucket(yytext, &yylval.bucket); return BUCKET; unix:[a-zA-Z0-9\/.-]+ yylval.string=strdup(yytext); return SOCKCRED; local:[a-zA-Z0-9\/.-]+ yylval.string=strdup(yytext); return SOCKCRED; diff --git a/src/cfg_file.y b/src/cfg_file.y index 0c90a64..cc94e25 100644 
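Review bot: The new NUMBER rules `[1-9][0-9]+` and `0[0-7]+` each require at least two characters, so a single-digit value such as `maxerrors = 5` or a bare `0` no longer lexes as NUMBER; flex's longest-match tie then goes to the earlier SIZELIMIT rule and `MAXERRORS EQSIGN NUMBER` becomes a parse error for configs that were valid before this change. Use `[1-9][0-9]*` and `0[xX][0-9a-fA-F]+|0[0-7]*`; since both precede SIZELIMIT and SECONDS, the earliest-rule tie-break still yields NUMBER for a lone digit. Because only a leading 0 selects octal, `bind_socket_mode = 660` is read as decimal 660 (octal 01224) and silently produces a nonsense mode, so the configuration documentation should state that modes must be written as `0660` (or `0x1B0`). The relaxed SECONDS rule `[0-9]+[sSmMhHdD]?` now also matches every bare integer and loses only because NUMBER is listed first; a one-line comment above these rules, `/* NUMBER must stay ahead of SIZELIMIT/SECONDS: a bare integer matches all three */`, protects that ordering.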
--- a/src/cfg_file.y +++ b/src/cfg_file.y @@ -58,8 +58,8 @@ uint8_t cur_flags = 0; %token CONNECT HELO ENVFROM ENVRCPT HEADER MACRO BODY %token AND OR NOT %token TEMPDIR LOGFILE PIDFILE RULE CLAMAV SERVERS ERROR_TIME DEAD_TIME MAXERRORS CONNECT_TIMEOUT PORT_TIMEOUT RESULTS_TIMEOUT SPF DCC -%token FILENAME REGEXP QUOTE SEMICOLON OBRACE EBRACE COMMA EQSIGN -%token BINDSOCK SOCKCRED DOMAIN_STR IPADDR IPNETWORK HOSTPORT NUMBER GREYLISTING WHITELIST TIMEOUT EXPIRE EXPIRE_WHITE +%token FILE_MODE FILENAME REGEXP QUOTE SEMICOLON OBRACE EBRACE COMMA EQSIGN +%token BINDSOCK BINDSOCK_MODE SOCKCRED DOMAIN_STR IPADDR IPNETWORK HOSTPORT NUMBER GREYLISTING WHITELIST TIMEOUT EXPIRE EXPIRE_WHITE %token MAXSIZE SIZELIMIT SECONDS BUCKET USEDCC MEMCACHED PROTOCOL AWL_ENABLE AWL_POOL AWL_TTL AWL_HITS SERVERS_WHITE SERVERS_LIMITS SERVERS_GREY %token LIMITS LIMIT_TO LIMIT_TO_IP LIMIT_TO_IP_FROM LIMIT_WHITELIST LIMIT_WHITELIST_RCPT LIMIT_BOUNCE_ADDRS LIMIT_BOUNCE_TO LIMIT_BOUNCE_TO_IP %token SPAMD REJECT_MESSAGE SERVERS_ID ID_PREFIX GREY_PREFIX WHITE_PREFIX RSPAMD_METRIC ALSO_CHECK DIFF_DIR CHECK_SYMBOLS SYMBOLS_DIR @@ -102,6 +102,7 @@ command : | spamd | spf | bindsock + | bindsock_mode | maxsize | usedcc | memcached @@ -313,6 +314,7 @@ clamavbody: clamavcmd: clamav_servers + | clamav_file_mode | clamav_connect_timeout | clamav_port_timeout | clamav_results_timeout @@ -371,6 +373,11 @@ clamav_maxerrors: cfg->clamav_maxerrors = $3; } ; +clamav_file_mode: + FILE_MODE EQSIGN NUMBER { + cfg->clamav_file_mode = $3; + } + ; clamav_connect_timeout: CONNECT_TIMEOUT EQSIGN SECONDS { cfg->clamav_connect_timeout = $3; @@ -805,6 +812,12 @@ bindsock: } ; +bindsock_mode: + BINDSOCK_MODE EQSIGN NUMBER { + cfg->sock_cred_mode = $3; + } + ; + maxsize: MAXSIZE EQSIGN SIZELIMIT { cfg->sizelimit = $3; diff --git a/src/libclamc.c b/src/libclamc.c index 0911b85..b644ef8 100644 --- a/src/libclamc.c +++ b/src/libclamc.c 
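Review bot: The new `clamav_file_mode` and `bindsock_mode` rules store the NUMBER token unchecked, so a value outside the permission bits — `04644`, `0x1FF`, or a decimal typo — flows straight into chmod() and umask() elsewhere, and `04644` would set S_ISUID/S_ISGID on every spooled message file. Mask at parse time, `cfg->clamav_file_mode = $3 & 0777;` and `cfg->sock_cred_mode = $3 & 0777;`, or call yyerror() when `$3 & ~0777` is non-zero so the operator sees the mistake instead of a silently altered mode. `bind_socket_mode` is presumably meaningful only for `unix:`/`local:` credentials; if `sock_cred` is an inet address the setting is ignored but still changes the process umask, which a comment on the rule (or a check once both values are known) should spell out.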
@@ -166,6 +166,7 @@ clamscan_socket(const char *file, const struct clamav_server *srv, char *strres, msg_warn("clamav: realpath, %d: %m", errno); return -1; } + /* unix socket, use 'SCAN ' command on clamd */ r = snprintf(buf, sizeof(buf), "SCAN %s\n", path); diff --git a/src/main.c b/src/main.c index 898574e..95a59e4 100644 --- a/src/main.c +++ b/src/main.c @@ -252,12 +252,9 @@ main(int argc, char *argv[]) srand (time (NULL)); #endif - /* - * Hack to set milter unix socket permissions, but it also affect - * temporary file too :( temporary directory shuld be owned by user - * rmilter-clam and have permissions 700 - */ - umask(0007); + /* Set unix socket permissions if specified in config */ + if (cfg->sock_cred_mode) + umask(0777 & ~cfg->sock_cred_mode); smfi_setconn(cfg->sock_cred); if (smfi_register(smfilter) == MI_FAILURE) { diff --git a/src/rmilter.c b/src/rmilter.c index 5d4342b..20e24d3 100644 --- a/src/rmilter.c +++ b/src/rmilter.c @@ -172,6 +172,11 @@ create_temp_file (struct mlfi_priv *priv) msg_warn ("create_temp_file: %s: can't open tempfile, %d: %m", priv->mlfi_id, errno); return -1; } + + /* Set temp file permissions if them specified in config */ + if (cfg->clamav_file_mode) + chmod(priv->file, cfg->clamav_file_mode); + fprintf (priv->fileh, "Received: from %s (%s [%s]) by localhost (Postfix) with ESMTP id 0000000;\r\n", priv->priv_helo, priv->priv_hostname, priv->priv_ip);
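Review bot: Replacing the unconditional `umask(0007)` in main() changes the default behaviour: when `bind_socket_mode` is not configured the process now keeps the umask it inherited (typically 022), so the unix socket libmilter creates is 0755 and the `postfix` user can no longer connect to it — a regression for existing installs that relied on the old 0770 socket, including the one the Debian init script now places under /var/spool/postfix. Keep the previous value as the fallback: `umask(cfg->sock_cred_mode ? (0777 & ~cfg->sock_cred_mode) : 0007);`. The umask is also still process-wide and never restored, so a permissive `bind_socket_mode = 0666` widens every file rmilter opens afterwards with a creation mode broader than 0600, exactly the side effect the removed comment warned about for the temp files; the rewrite should keep that warning rather than drop it. If the linked libmilter provides `smfi_opensocket()`, calling it before `smfi_main()`, then `chmod()`ing the socket path to `sock_cred_mode` and restoring the saved umask, would scope the permission change to the socket alone.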