2
* Copyright (C) 2007-2009 Sourcefire, Inc.
6
* This program is free software; you can redistribute it and/or modify
7
* it under the terms of the GNU General Public License version 2 as
8
* published by the Free Software Foundation.
10
* This program is distributed in the hope that it will be useful,
11
* but WITHOUT ANY WARRANTY; without even the implied warranty of
12
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13
* GNU General Public License for more details.
15
* You should have received a copy of the GNU General Public License
16
* along with this program; if not, write to the Free Software
17
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
22
#include "clamav-config.h"
33
#include <sys/resource.h>
35
#include <sys/types.h>
48
#if defined(USE_SYSLOG) && !defined(C_AIX)
53
#include <sys/resource.h>
56
#include <openssl/ssl.h>
57
#include <openssl/err.h>
58
#include "libclamav/crypto.h"
62
#include "libclamav/clamav.h"
63
#include "libclamav/others.h"
64
#include "libclamav/matcher-ac.h"
65
#include "libclamav/readdb.h"
67
#include "shared/output.h"
68
#include "shared/optparser.h"
69
#include "shared/misc.h"
72
#include "tcpserver.h"
73
#include "localserver.h"
78
short debug_mode = 0, logok = 0;
82
char *get_hostid(void *cbdata);
84
static void help(void)
87
printf(" Clam AntiVirus Daemon %s\n", get_version());
88
printf(" By The ClamAV Team: http://www.clamav.net/team\n");
89
printf(" (C) 2007-2009 Sourcefire, Inc.\n\n");
91
printf(" --help -h Show this help.\n");
92
printf(" --version -V Show version number.\n");
93
printf(" --debug Enable debug mode.\n");
94
printf(" --config-file=FILE -c FILE Read configuration from FILE.\n\n");
97
static struct optstruct *opts;
99
/* When running under valgrind and daemonizing, valgrind incorrectly reports
100
* leaks from the engine, because it can't see that all the memory is still
101
* reachable (some pointers are stored mangled in the JIT).
102
* So free the engine on exit from the parent too (during daemonize)
104
static struct cl_engine *gengine = NULL;
105
static void free_engine(void)
108
cl_engine_free(gengine);
113
int main(int argc, char **argv)
115
static struct cl_engine *engine = NULL;
116
const struct optstruct *opt;
118
struct passwd *user = NULL;
123
const char *dbdir, *cfgfile;
124
char *pua_cats = NULL, *pt;
125
int ret, tcpsock = 0, localsock = 0, i, min_port, max_port;
126
unsigned int sigs = 0;
128
unsigned int nlsockets = 0;
129
unsigned int dboptions = 0;
138
memset(&sa, 0, sizeof(sa));
139
sa.sa_handler = SIG_IGN;
140
sigaction(SIGHUP, &sa, NULL);
141
sigaction(SIGUSR2, &sa, NULL);
144
cl_initialize_crypto();
146
if((opts = optparse(NULL, argc, argv, 1, OPT_CLAMD, 0, NULL)) == NULL) {
147
mprintf("!Can't parse command line options\n");
151
if(optget(opts, "help")->enabled) {
157
if(optget(opts, "debug")->enabled) {
159
/* njh@bandsman.co.uk: create a dump if needed */
160
rlim.rlim_cur = rlim.rlim_max = RLIM_INFINITY;
161
if(setrlimit(RLIMIT_CORE, &rlim) < 0)
167
/* parse the config file */
168
cfgfile = optget(opts, "config-file")->strarg;
169
pt = strdup(cfgfile);
170
if((opts = optparse(cfgfile, 0, NULL, 1, OPT_CLAMD, 0, opts)) == NULL) {
171
fprintf(stderr, "ERROR: Can't open/parse the config file %s\n", pt);
177
if(optget(opts, "version")->enabled) {
178
print_version(optget(opts, "DatabaseDirectory")->strarg);
183
/* drop privileges */
185
if(geteuid() == 0 && (opt = optget(opts, "User"))->enabled) {
186
if((user = getpwnam(opt->strarg)) == NULL) {
187
fprintf(stderr, "ERROR: Can't get information about user %s.\n", opt->strarg);
192
if(optget(opts, "AllowSupplementaryGroups")->enabled) {
193
#ifdef HAVE_INITGROUPS
194
if(initgroups(opt->strarg, user->pw_gid)) {
195
fprintf(stderr, "ERROR: initgroups() failed.\n");
200
mprintf("!AllowSupplementaryGroups: initgroups() is not available, please disable AllowSupplementaryGroups in %s\n", cfgfile);
205
#ifdef HAVE_SETGROUPS
206
if(setgroups(1, &user->pw_gid)) {
207
fprintf(stderr, "ERROR: setgroups() failed.\n");
214
if(setgid(user->pw_gid)) {
215
fprintf(stderr, "ERROR: setgid(%d) failed.\n", (int) user->pw_gid);
220
if(setuid(user->pw_uid)) {
221
fprintf(stderr, "ERROR: setuid(%d) failed.\n", (int) user->pw_uid);
228
/* initialize logger */
229
logg_lock = !optget(opts, "LogFileUnlock")->enabled;
230
logg_time = optget(opts, "LogTime")->enabled;
231
logok = optget(opts, "LogClean")->enabled;
232
logg_size = optget(opts, "LogFileMaxSize")->numarg;
233
logg_verbose = mprintf_verbose = optget(opts, "LogVerbose")->enabled;
235
logg_rotate = optget(opts, "LogRotate")->enabled;
236
mprintf_send_timeout = optget(opts, "SendBufTimeout")->numarg;
238
do { /* logger initialized */
239
if((opt = optget(opts, "LogFile"))->enabled) {
241
logg_file = opt->strarg;
242
if(!cli_is_abspath(logg_file)) {
243
fprintf(stderr, "ERROR: LogFile requires full path.\n");
248
if(logg("#+++ Started at %s", cli_ctime(&currtime, timestr, sizeof(timestr)))) {
249
fprintf(stderr, "ERROR: Can't initialize the internal logger\n");
257
if (optget(opts,"DevLiblog")->enabled)
258
cl_set_clcb_msg(msg_callback);
260
if((ret = cl_init(CL_INIT_DEFAULT))) {
261
logg("!Can't initialize libclamav: %s\n", cl_strerror(ret));
266
if(optget(opts, "Debug")->enabled) {
267
/* enable debug messages in libclamav */
272
#if defined(USE_SYSLOG) && !defined(C_AIX)
273
if(optget(opts, "LogSyslog")->enabled) {
274
int fac = LOG_LOCAL6;
276
opt = optget(opts, "LogFacility");
277
if((fac = logg_facility(opt->strarg)) == -1) {
278
logg("!LogFacility: %s: No such facility.\n", opt->strarg);
283
openlog("clamd", LOG_PID, fac);
290
if(CLAMSTAT("/proc", &sb) != -1 && !sb.st_size)
294
/* check socket type */
296
if(optget(opts, "TCPSocket")->enabled)
299
if(optget(opts, "LocalSocket")->enabled)
302
if(!tcpsock && !localsock) {
303
logg("!Please define server type (local and/or TCP).\n");
308
logg("#clamd daemon %s (OS: "TARGET_OS_TYPE", ARCH: "TARGET_ARCH_TYPE", CPU: "TARGET_CPU_TYPE")\n", get_version());
312
logg("#Running as user %s (UID %u, GID %u)\n", user->pw_name, user->pw_uid, user->pw_gid);
315
#if defined(RLIMIT_DATA) && defined(C_BSD)
316
if (getrlimit(RLIMIT_DATA, &rlim) == 0) {
318
* On 32-bit FreeBSD if you set ulimit -d to >2GB then mmap() will fail
319
* too soon (after ~120 MB).
320
* Set limit lower than 2G if on 32-bit */
321
uint64_t lim = rlim.rlim_cur;
322
if (sizeof(void*) == 4 &&
323
lim > (1ULL << 31)) {
324
rlim.rlim_cur = 1ULL << 31;
325
if (setrlimit(RLIMIT_DATA, &rlim) < 0)
326
logg("!setrlimit(RLIMIT_DATA) failed: %s\n", strerror(errno));
328
logg("Running on 32-bit system, and RLIMIT_DATA > 2GB, lowering to 2GB!\n");
335
logg("#Log file size limited to %u bytes.\n", logg_size);
337
logg("#Log file size limit disabled.\n");
339
min_port = optget(opts, "StreamMinPort")->numarg;
340
max_port = optget(opts, "StreamMaxPort")->numarg;
341
if (min_port < 1024 || min_port > max_port || max_port > 65535) {
342
logg("!Invalid StreamMinPort/StreamMaxPort: %d, %d\n", min_port, max_port);
347
if(!(engine = cl_engine_new())) {
348
logg("!Can't initialize antivirus engine\n");
353
if (optget(opts, "disable-cache")->enabled)
354
cl_engine_set_num(engine, CL_ENGINE_DISABLE_CACHE, 1);
356
/* load the database(s) */
357
dbdir = optget(opts, "DatabaseDirectory")->strarg;
358
logg("#Reading databases from %s\n", dbdir);
360
if(optget(opts, "DetectPUA")->enabled) {
361
dboptions |= CL_DB_PUA;
363
if((opt = optget(opts, "ExcludePUA"))->enabled) {
364
dboptions |= CL_DB_PUA_EXCLUDE;
366
logg("#Excluded PUA categories:");
369
if(!(pua_cats = realloc(pua_cats, i + strlen(opt->strarg) + 3))) {
370
logg("!Can't allocate memory for pua_cats\n");
371
cl_engine_free(engine);
376
logg("# %s", opt->strarg);
378
sprintf(pua_cats + i, ".%s", opt->strarg);
379
i += strlen(opt->strarg) + 1;
392
if((opt = optget(opts, "IncludePUA"))->enabled) {
394
logg("!ExcludePUA and IncludePUA cannot be used at the same time\n");
400
dboptions |= CL_DB_PUA_INCLUDE;
402
logg("#Included PUA categories:");
404
if(!(pua_cats = realloc(pua_cats, i + strlen(opt->strarg) + 3))) {
405
logg("!Can't allocate memory for pua_cats\n");
410
logg("# %s", opt->strarg);
412
sprintf(pua_cats + i, ".%s", opt->strarg);
413
i += strlen(opt->strarg) + 1;
427
if((ret = cl_engine_set_str(engine, CL_ENGINE_PUA_CATEGORIES, pua_cats))) {
428
logg("!cli_engine_set_str(CL_ENGINE_PUA_CATEGORIES) failed: %s\n", cl_strerror(ret));
436
logg("#Not loading PUA signatures.\n");
439
if (optget(opts, "StatsEnabled")->enabled) {
440
cl_engine_stats_enable(engine);
443
if (optget(opts, "StatsPEDisabled")->enabled) {
444
cl_engine_set_num(engine, CL_ENGINE_DISABLE_PE_STATS, 1);
447
if (optget(opts, "StatsTimeout")->enabled) {
448
cl_engine_set_num(engine, CL_ENGINE_STATS_TIMEOUT, optget(opts, "StatsTimeout")->numarg);
451
if (optget(opts, "StatsHostID")->enabled) {
452
char *p = optget(opts, "StatsHostID")->strarg;
454
if (strcmp(p, "default")) {
455
if (!strcmp(p, "none")) {
456
cl_engine_set_clcb_stats_get_hostid(engine, NULL);
457
} else if (!strcmp(p, "anonymous")) {
458
strcpy(hostid, STATS_ANON_UUID);
460
if (strlen(p) > 36) {
461
logg("!Invalid HostID\n");
462
cl_engine_set_clcb_stats_submit(engine, NULL);
463
cl_engine_free(engine);
471
cl_engine_set_clcb_stats_get_hostid(engine, get_hostid);
475
if(optget(opts, "OfficialDatabaseOnly")->enabled) {
476
dboptions |= CL_DB_OFFICIAL_ONLY;
477
logg("#Only loading official signatures.\n");
480
/* set the temporary dir */
481
if((opt = optget(opts, "TemporaryDirectory"))->enabled) {
482
if((ret = cl_engine_set_str(engine, CL_ENGINE_TMPDIR, opt->strarg))) {
483
logg("!cli_engine_set_str(CL_ENGINE_TMPDIR) failed: %s\n", cl_strerror(ret));
489
cl_engine_set_clcb_hash(engine, hash_callback);
491
if(optget(opts, "LeaveTemporaryFiles")->enabled)
492
cl_engine_set_num(engine, CL_ENGINE_KEEPTMP, 1);
494
if(optget(opts, "ForceToDisk")->enabled)
495
cl_engine_set_num(engine, CL_ENGINE_FORCETODISK, 1);
497
if(optget(opts, "PhishingSignatures")->enabled)
498
dboptions |= CL_DB_PHISHING;
500
logg("#Not loading phishing signatures.\n");
502
if(optget(opts,"Bytecode")->enabled) {
503
dboptions |= CL_DB_BYTECODE;
504
if((opt = optget(opts,"BytecodeSecurity"))->enabled) {
505
enum bytecode_security s;
507
if (!strcmp(opt->strarg, "TrustSigned")) {
508
s = CL_BYTECODE_TRUST_SIGNED;
509
logg("#Bytecode: Security mode set to \"TrustSigned\".\n");
510
} else if (!strcmp(opt->strarg, "Paranoid")) {
511
s = CL_BYTECODE_TRUST_NOTHING;
512
logg("#Bytecode: Security mode set to \"Paranoid\".\n");
514
logg("!Unable to parse bytecode security setting:%s\n",
520
if ((ret = cl_engine_set_num(engine, CL_ENGINE_BYTECODE_SECURITY, s))) {
521
logg("^Invalid bytecode security setting %s: %s\n", opt->strarg, cl_strerror(ret));
526
if((opt = optget(opts,"BytecodeUnsigned"))->enabled) {
527
dboptions |= CL_DB_BYTECODE_UNSIGNED;
528
logg("#Bytecode: Enabled support for unsigned bytecode.\n");
531
if((opt = optget(opts,"BytecodeMode"))->enabled) {
532
enum bytecode_mode mode;
534
if (!strcmp(opt->strarg, "ForceJIT"))
535
mode = CL_BYTECODE_MODE_JIT;
536
else if(!strcmp(opt->strarg, "ForceInterpreter"))
537
mode = CL_BYTECODE_MODE_INTERPRETER;
538
else if(!strcmp(opt->strarg, "Test"))
539
mode = CL_BYTECODE_MODE_TEST;
541
mode = CL_BYTECODE_MODE_AUTO;
542
cl_engine_set_num(engine, CL_ENGINE_BYTECODE_MODE, mode);
545
if((opt = optget(opts,"BytecodeTimeout"))->enabled) {
546
cl_engine_set_num(engine, CL_ENGINE_BYTECODE_TIMEOUT, opt->numarg);
549
logg("#Bytecode support disabled.\n");
552
if(optget(opts,"PhishingScanURLs")->enabled)
553
dboptions |= CL_DB_PHISHING_URLS;
555
logg("#Disabling URL based phishing detection.\n");
557
if(optget(opts,"DevACOnly")->enabled) {
558
logg("#Only using the A-C matcher.\n");
559
cl_engine_set_num(engine, CL_ENGINE_AC_ONLY, 1);
562
if((opt = optget(opts, "DevACDepth"))->enabled) {
563
cl_engine_set_num(engine, CL_ENGINE_AC_MAXDEPTH, opt->numarg);
564
logg("#Max A-C depth set to %u\n", (unsigned int) opt->numarg);
567
if((ret = cl_load(dbdir, engine, &sigs, dboptions))) {
568
logg("!%s\n", cl_strerror(ret));
573
if (optget(opts, "DisableCertCheck")->enabled)
574
engine->dconf->pe |= PE_CONF_DISABLECERT;
576
logg("#Loaded %u signatures.\n", sigs);
578
if((ret = cl_engine_compile(engine)) != 0) {
579
logg("!Database initialization error: %s\n", cl_strerror(ret));
587
opt = optget(opts, "TCPAddr");
591
while (opt && opt->strarg) {
592
char *ipaddr = (!strcmp(opt->strarg, "all") ? NULL : opt->strarg);
594
if (tcpserver(&lsockets, &nlsockets, ipaddr, opts) == -1) {
606
if (tcpserver(&lsockets, &nlsockets, NULL, opts) == -1) {
615
mode_t sock_mode, umsk = umask(0777); /* socket is created with 000 to avoid races */
617
t = realloc(lsockets, sizeof(int) * (nlsockets + 1));
624
if ((lsockets[nlsockets] = localserver(opts)) == -1) {
629
umask(umsk); /* restore umask */
631
if(optget(opts, "LocalSocketGroup")->enabled) {
632
char *gname = optget(opts, "LocalSocketGroup")->strarg, *end;
633
gid_t sock_gid = strtol(gname, &end, 10);
636
struct group *pgrp = getgrnam(gname);
639
logg("!Unknown group %s\n", gname);
644
sock_gid = pgrp->gr_gid;
646
if(chown(optget(opts, "LocalSocket")->strarg, -1, sock_gid)) {
647
logg("!Failed to change socket ownership to group %s\n", gname);
652
if(optget(opts, "LocalSocketMode")->enabled) {
655
sock_mode = strtol(optget(opts, "LocalSocketMode")->strarg, &end, 8);
658
logg("!Invalid LocalSocketMode %s\n", optget(opts, "LocalSocketMode")->strarg);
663
sock_mode = 0777 /* & ~umsk*/; /* conservative default: umask was 0 in clamd < 0.96 */
666
if(chmod(optget(opts, "LocalSocket")->strarg, sock_mode & 0666)) {
667
logg("!Cannot set socket permission to %s\n", optget(opts, "LocalSocketMode")->strarg);
675
/* fork into background */
676
if(!optget(opts, "Foreground")->enabled) {
678
/* workaround for OpenBSD bug, see https://wwws.clamav.net/bugzilla/show_bug.cgi?id=885 */
679
for(ret=0;ret<nlsockets;ret++) {
680
if (fcntl(lsockets[ret], F_SETFL, fcntl(lsockets[ret], F_GETFL) | O_NONBLOCK) == -1) {
681
logg("!fcntl for lsockets[] failed\n");
682
close(lsockets[ret]);
690
if(daemonize() == -1) {
691
logg("!daemonize() failed: %s\n", strerror(errno));
697
for(ret=0;ret<nlsockets;ret++) {
698
if (fcntl(lsockets[ret], F_SETFL, fcntl(lsockets[ret], F_GETFL) & ~O_NONBLOCK) == -1) {
699
logg("!fcntl for lsockets[] failed\n");
700
close(lsockets[ret]);
708
logg("^Can't change current working directory to root\n");
715
if (nlsockets == 0) {
716
logg("!Not listening on any interfaces\n");
721
ret = recvloop_th(lsockets, nlsockets, engine, dboptions, opts);
725
logg("*Closing the main socket%s.\n", (nlsockets > 1) ? "s" : "");
727
for (i = 0; i < nlsockets; i++) {
728
closesocket(lsockets[i]);
732
if(nlsockets && localsock) {
733
opt = optget(opts, "LocalSocket");
735
if(unlink(opt->strarg) == -1)
736
logg("!Can't unlink the socket file %s\n", opt->strarg);
738
logg("Socket file removed.\n");
752
int is_valid_hostid(void)
756
if (strlen(hostid) != 36)
760
for (i=0; i < 36; i++)
761
if (hostid[i] == '-')
767
if (hostid[8] != '-' || hostid[13] != '-' || hostid[18] != '-' || hostid[23] != '-')
773
char *get_hostid(void *cbdata)
775
if (!strcmp(hostid, "none"))
778
if (!is_valid_hostid())
779
return strdup(STATS_ANON_UUID);
781
return strdup(hostid);