2
* Copyright (C) 2007-2009 Sourcefire, Inc.
6
* This program is free software; you can redistribute it and/or modify
7
* it under the terms of the GNU General Public License version 2 as
8
* published by the Free Software Foundation.
10
* This program is distributed in the hope that it will be useful,
11
* but WITHOUT ANY WARRANTY; without even the implied warranty of
12
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13
* GNU General Public License for more details.
15
* You should have received a copy of the GNU General Public License
16
* along with this program; if not, write to the Free Software
17
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
22
#include "clamav-config.h"
33
#include <sys/resource.h>
35
#include <sys/types.h>
48
#if defined(USE_SYSLOG) && !defined(C_AIX)
53
#include <sys/resource.h>
58
#include "libclamav/clamav.h"
59
#include "libclamav/others.h"
60
#include "libclamav/matcher-ac.h"
61
#include "libclamav/readdb.h"
63
#include "shared/output.h"
64
#include "shared/optparser.h"
65
#include "shared/misc.h"
68
#include "tcpserver.h"
69
#include "localserver.h"
74
short debug_mode = 0, logok = 0;
75
short foreground = -1;
78
char *get_hostid(void *cbdata);
79
int is_valid_hostid(void);
81
static void help(void)
84
printf(" Clam AntiVirus Daemon %s\n", get_version());
85
printf(" By The ClamAV Team: http://www.clamav.net/about.html#credits\n");
86
printf(" (C) 2007-2009 Sourcefire, Inc.\n\n");
88
printf(" --help -h Show this help.\n");
89
printf(" --version -V Show version number.\n");
90
printf(" --debug Enable debug mode.\n");
91
printf(" --config-file=FILE -c FILE Read configuration from FILE.\n\n");
94
static struct optstruct *opts;
96
/* When running under valgrind and daemonizing, valgrind incorrectly reports
97
* leaks from the engine, because it can't see that all the memory is still
98
* reachable (some pointers are stored mangled in the JIT).
99
* So free the engine on exit from the parent too (during daemonize)
101
static struct cl_engine *gengine = NULL;
102
static void free_engine(void)
105
cl_engine_free(gengine);
110
int main(int argc, char **argv)
112
static struct cl_engine *engine = NULL;
113
const struct optstruct *opt;
115
struct passwd *user = NULL;
120
const char *dbdir, *cfgfile;
121
char *pua_cats = NULL, *pt;
122
int ret, tcpsock = 0, localsock = 0, min_port, max_port;
123
unsigned int sigs = 0;
125
unsigned int nlsockets = 0;
126
unsigned int dboptions = 0;
136
memset(&sa, 0, sizeof(sa));
137
sa.sa_handler = SIG_IGN;
138
sigaction(SIGHUP, &sa, NULL);
139
sigaction(SIGUSR2, &sa, NULL);
142
if((opts = optparse(NULL, argc, argv, 1, OPT_CLAMD, 0, NULL)) == NULL) {
143
mprintf("!Can't parse command line options\n");
147
if(optget(opts, "help")->enabled) {
153
if(optget(opts, "debug")->enabled) {
155
/* njh@bandsman.co.uk: create a dump if needed */
156
rlim.rlim_cur = rlim.rlim_max = RLIM_INFINITY;
157
if(setrlimit(RLIMIT_CORE, &rlim) < 0)
163
/* check foreground option from command line to override config file */
165
for(j = 0; j < argc; j += 1)
167
if ((memcmp(argv[j], "--foreground", 12) == 0) || (memcmp(argv[j], "-F", 2) == 0))
176
if(optget(opts, "Foreground")->enabled)
186
int num_fd = sd_listen_fds(0);
188
/* parse the config file */
189
cfgfile = optget(opts, "config-file")->strarg;
190
pt = strdup(cfgfile);
191
if((opts = optparse(cfgfile, 0, NULL, 1, OPT_CLAMD, 0, opts)) == NULL) {
192
fprintf(stderr, "ERROR: Can't open/parse the config file %s\n", pt);
198
if(optget(opts, "version")->enabled) {
199
print_version(optget(opts, "DatabaseDirectory")->strarg);
204
/* drop privileges */
206
if(geteuid() == 0 && (opt = optget(opts, "User"))->enabled) {
207
if((user = getpwnam(opt->strarg)) == NULL) {
208
fprintf(stderr, "ERROR: Can't get information about user %s.\n", opt->strarg);
213
if(optget(opts, "AllowSupplementaryGroups")->enabled) {
214
#ifdef HAVE_INITGROUPS
215
if(initgroups(opt->strarg, user->pw_gid)) {
216
fprintf(stderr, "ERROR: initgroups() failed.\n");
221
mprintf("!AllowSupplementaryGroups: initgroups() is not available, please disable AllowSupplementaryGroups in %s\n", cfgfile);
226
#ifdef HAVE_SETGROUPS
227
if(setgroups(1, &user->pw_gid)) {
228
fprintf(stderr, "ERROR: setgroups() failed.\n");
235
if(setgid(user->pw_gid)) {
236
fprintf(stderr, "ERROR: setgid(%d) failed.\n", (int) user->pw_gid);
241
if(setuid(user->pw_uid)) {
242
fprintf(stderr, "ERROR: setuid(%d) failed.\n", (int) user->pw_uid);
249
/* initialize logger */
250
logg_lock = !optget(opts, "LogFileUnlock")->enabled;
251
logg_time = optget(opts, "LogTime")->enabled;
252
logok = optget(opts, "LogClean")->enabled;
253
logg_size = optget(opts, "LogFileMaxSize")->numarg;
254
logg_verbose = mprintf_verbose = optget(opts, "LogVerbose")->enabled;
256
logg_rotate = optget(opts, "LogRotate")->enabled;
257
mprintf_send_timeout = optget(opts, "SendBufTimeout")->numarg;
259
do { /* logger initialized */
260
if((opt = optget(opts, "LogFile"))->enabled) {
262
logg_file = opt->strarg;
263
if(!cli_is_abspath(logg_file)) {
264
fprintf(stderr, "ERROR: LogFile requires full path.\n");
269
if(logg("#+++ Started at %s", cli_ctime(&currtime, timestr, sizeof(timestr)))) {
270
fprintf(stderr, "ERROR: Can't initialize the internal logger\n");
278
if (optget(opts,"DevLiblog")->enabled)
279
cl_set_clcb_msg(msg_callback);
281
if((ret = cl_init(CL_INIT_DEFAULT))) {
282
logg("!Can't initialize libclamav: %s\n", cl_strerror(ret));
287
if(optget(opts, "Debug")->enabled) {
288
/* enable debug messages in libclamav */
293
#if defined(USE_SYSLOG) && !defined(C_AIX)
294
if(optget(opts, "LogSyslog")->enabled) {
295
int fac = LOG_LOCAL6;
297
opt = optget(opts, "LogFacility");
298
if((fac = logg_facility(opt->strarg)) == -1) {
299
logg("!LogFacility: %s: No such facility.\n", opt->strarg);
304
openlog("clamd", LOG_PID, fac);
311
if(CLAMSTAT("/proc", &sb) != -1 && !sb.st_size)
315
/* check socket type */
317
if(optget(opts, "TCPSocket")->enabled)
320
if(optget(opts, "LocalSocket")->enabled)
323
logg("#Received %d file descriptor(s) from systemd.\n", num_fd);
325
if(!tcpsock && !localsock && num_fd == 0) {
326
logg("!Please define server type (local and/or TCP).\n");
331
logg("#clamd daemon %s (OS: "TARGET_OS_TYPE", ARCH: "TARGET_ARCH_TYPE", CPU: "TARGET_CPU_TYPE")\n", get_version());
335
logg("#Running as user %s (UID %u, GID %u)\n", user->pw_name, user->pw_uid, user->pw_gid);
338
#if defined(RLIMIT_DATA) && defined(C_BSD)
339
if (getrlimit(RLIMIT_DATA, &rlim) == 0) {
341
* On 32-bit FreeBSD if you set ulimit -d to >2GB then mmap() will fail
342
* too soon (after ~120 MB).
343
* Set limit lower than 2G if on 32-bit */
344
uint64_t lim = rlim.rlim_cur;
345
if (sizeof(void*) == 4 &&
346
lim > (1ULL << 31)) {
347
rlim.rlim_cur = 1ULL << 31;
348
if (setrlimit(RLIMIT_DATA, &rlim) < 0)
349
logg("!setrlimit(RLIMIT_DATA) failed: %s\n", strerror(errno));
351
logg("Running on 32-bit system, and RLIMIT_DATA > 2GB, lowering to 2GB!\n");
358
logg("#Log file size limited to %u bytes.\n", logg_size);
360
logg("#Log file size limit disabled.\n");
362
min_port = optget(opts, "StreamMinPort")->numarg;
363
max_port = optget(opts, "StreamMaxPort")->numarg;
364
if (min_port < 1024 || min_port > max_port || max_port > 65535) {
365
logg("!Invalid StreamMinPort/StreamMaxPort: %d, %d\n", min_port, max_port);
370
if(!(engine = cl_engine_new())) {
371
logg("!Can't initialize antivirus engine\n");
376
if (optget(opts, "disable-cache")->enabled)
377
cl_engine_set_num(engine, CL_ENGINE_DISABLE_CACHE, 1);
379
/* load the database(s) */
380
dbdir = optget(opts, "DatabaseDirectory")->strarg;
381
logg("#Reading databases from %s\n", dbdir);
383
if(optget(opts, "DetectPUA")->enabled) {
384
dboptions |= CL_DB_PUA;
386
if((opt = optget(opts, "ExcludePUA"))->enabled) {
387
dboptions |= CL_DB_PUA_EXCLUDE;
389
logg("#Excluded PUA categories:");
392
if(!(pua_cats = realloc(pua_cats, i + strlen(opt->strarg) + 3))) {
393
logg("!Can't allocate memory for pua_cats\n");
394
cl_engine_free(engine);
399
logg("# %s", opt->strarg);
401
sprintf(pua_cats + i, ".%s", opt->strarg);
402
i += strlen(opt->strarg) + 1;
415
if((opt = optget(opts, "IncludePUA"))->enabled) {
417
logg("!ExcludePUA and IncludePUA cannot be used at the same time\n");
423
dboptions |= CL_DB_PUA_INCLUDE;
425
logg("#Included PUA categories:");
427
if(!(pua_cats = realloc(pua_cats, i + strlen(opt->strarg) + 3))) {
428
logg("!Can't allocate memory for pua_cats\n");
433
logg("# %s", opt->strarg);
435
sprintf(pua_cats + i, ".%s", opt->strarg);
436
i += strlen(opt->strarg) + 1;
450
if((ret = cl_engine_set_str(engine, CL_ENGINE_PUA_CATEGORIES, pua_cats))) {
451
logg("!cli_engine_set_str(CL_ENGINE_PUA_CATEGORIES) failed: %s\n", cl_strerror(ret));
459
logg("#Not loading PUA signatures.\n");
462
if (optget(opts, "StatsEnabled")->enabled) {
463
cl_engine_stats_enable(engine);
466
if (optget(opts, "StatsPEDisabled")->enabled) {
467
cl_engine_set_num(engine, CL_ENGINE_DISABLE_PE_STATS, 1);
470
if (optget(opts, "StatsTimeout")->enabled) {
471
cl_engine_set_num(engine, CL_ENGINE_STATS_TIMEOUT, optget(opts, "StatsTimeout")->numarg);
474
if (optget(opts, "StatsHostID")->enabled) {
475
char *p = optget(opts, "StatsHostID")->strarg;
477
if (strcmp(p, "default")) {
478
if (!strcmp(p, "none")) {
479
cl_engine_set_clcb_stats_get_hostid(engine, NULL);
480
} else if (!strcmp(p, "anonymous")) {
481
strcpy(hostid, STATS_ANON_UUID);
483
if (strlen(p) > 36) {
484
logg("!Invalid HostID\n");
485
cl_engine_set_clcb_stats_submit(engine, NULL);
486
cl_engine_free(engine);
494
cl_engine_set_clcb_stats_get_hostid(engine, get_hostid);
498
if(optget(opts, "OfficialDatabaseOnly")->enabled) {
499
dboptions |= CL_DB_OFFICIAL_ONLY;
500
logg("#Only loading official signatures.\n");
503
/* set the temporary dir */
504
if((opt = optget(opts, "TemporaryDirectory"))->enabled) {
505
if((ret = cl_engine_set_str(engine, CL_ENGINE_TMPDIR, opt->strarg))) {
506
logg("!cli_engine_set_str(CL_ENGINE_TMPDIR) failed: %s\n", cl_strerror(ret));
512
cl_engine_set_clcb_hash(engine, hash_callback);
514
if(optget(opts, "LeaveTemporaryFiles")->enabled)
515
cl_engine_set_num(engine, CL_ENGINE_KEEPTMP, 1);
517
if(optget(opts, "ForceToDisk")->enabled)
518
cl_engine_set_num(engine, CL_ENGINE_FORCETODISK, 1);
520
if(optget(opts, "PhishingSignatures")->enabled)
521
dboptions |= CL_DB_PHISHING;
523
logg("#Not loading phishing signatures.\n");
525
if(optget(opts,"Bytecode")->enabled) {
526
dboptions |= CL_DB_BYTECODE;
527
if((opt = optget(opts,"BytecodeSecurity"))->enabled) {
528
enum bytecode_security s;
530
if (!strcmp(opt->strarg, "TrustSigned")) {
531
s = CL_BYTECODE_TRUST_SIGNED;
532
logg("#Bytecode: Security mode set to \"TrustSigned\".\n");
533
} else if (!strcmp(opt->strarg, "Paranoid")) {
534
s = CL_BYTECODE_TRUST_NOTHING;
535
logg("#Bytecode: Security mode set to \"Paranoid\".\n");
537
logg("!Unable to parse bytecode security setting:%s\n",
543
if ((ret = cl_engine_set_num(engine, CL_ENGINE_BYTECODE_SECURITY, s))) {
544
logg("^Invalid bytecode security setting %s: %s\n", opt->strarg, cl_strerror(ret));
549
if((opt = optget(opts,"BytecodeUnsigned"))->enabled) {
550
dboptions |= CL_DB_BYTECODE_UNSIGNED;
551
logg("#Bytecode: Enabled support for unsigned bytecode.\n");
554
if((opt = optget(opts,"BytecodeMode"))->enabled) {
555
enum bytecode_mode mode;
557
if (!strcmp(opt->strarg, "ForceJIT"))
558
mode = CL_BYTECODE_MODE_JIT;
559
else if(!strcmp(opt->strarg, "ForceInterpreter"))
560
mode = CL_BYTECODE_MODE_INTERPRETER;
561
else if(!strcmp(opt->strarg, "Test"))
562
mode = CL_BYTECODE_MODE_TEST;
564
mode = CL_BYTECODE_MODE_AUTO;
565
cl_engine_set_num(engine, CL_ENGINE_BYTECODE_MODE, mode);
568
if((opt = optget(opts,"BytecodeTimeout"))->enabled) {
569
cl_engine_set_num(engine, CL_ENGINE_BYTECODE_TIMEOUT, opt->numarg);
572
logg("#Bytecode support disabled.\n");
575
if(optget(opts,"PhishingScanURLs")->enabled)
576
dboptions |= CL_DB_PHISHING_URLS;
578
logg("#Disabling URL based phishing detection.\n");
580
if(optget(opts,"DevACOnly")->enabled) {
581
logg("#Only using the A-C matcher.\n");
582
cl_engine_set_num(engine, CL_ENGINE_AC_ONLY, 1);
585
if((opt = optget(opts, "DevACDepth"))->enabled) {
586
cl_engine_set_num(engine, CL_ENGINE_AC_MAXDEPTH, opt->numarg);
587
logg("#Max A-C depth set to %u\n", (unsigned int) opt->numarg);
590
if((ret = cl_load(dbdir, engine, &sigs, dboptions))) {
591
logg("!%s\n", cl_strerror(ret));
596
if (optget(opts, "DisableCertCheck")->enabled)
597
engine->dconf->pe |= PE_CONF_DISABLECERT;
599
logg("#Loaded %u signatures.\n", sigs);
601
if((ret = cl_engine_compile(engine)) != 0) {
602
logg("!Database initialization error: %s\n", cl_strerror(ret));
607
if(tcpsock || num_fd > 0) {
610
opt = optget(opts, "TCPAddr");
614
while (opt && opt->strarg) {
615
char *ipaddr = (!strcmp(opt->strarg, "all") ? NULL : opt->strarg);
617
if (tcpserver(&lsockets, &nlsockets, ipaddr, opts) == -1) {
629
if (tcpserver(&lsockets, &nlsockets, NULL, opts) == -1) {
636
if(localsock && num_fd == 0) {
638
mode_t sock_mode, umsk = umask(0777); /* socket is created with 000 to avoid races */
640
t = realloc(lsockets, sizeof(int) * (nlsockets + 1));
647
if ((lsockets[nlsockets] = localserver(opts)) == -1) {
652
umask(umsk); /* restore umask */
654
if(optget(opts, "LocalSocketGroup")->enabled) {
655
char *gname = optget(opts, "LocalSocketGroup")->strarg, *end;
656
gid_t sock_gid = strtol(gname, &end, 10);
659
struct group *pgrp = getgrnam(gname);
662
logg("!Unknown group %s\n", gname);
667
sock_gid = pgrp->gr_gid;
669
if(chown(optget(opts, "LocalSocket")->strarg, -1, sock_gid)) {
670
logg("!Failed to change socket ownership to group %s\n", gname);
675
if(optget(opts, "LocalSocketMode")->enabled) {
678
sock_mode = strtol(optget(opts, "LocalSocketMode")->strarg, &end, 8);
681
logg("!Invalid LocalSocketMode %s\n", optget(opts, "LocalSocketMode")->strarg);
686
sock_mode = 0777 /* & ~umsk*/; /* conservative default: umask was 0 in clamd < 0.96 */
689
if(chmod(optget(opts, "LocalSocket")->strarg, sock_mode & 0666)) {
690
logg("!Cannot set socket permission to %s\n", optget(opts, "LocalSocketMode")->strarg);
698
/* check for local sockets passed by systemd */
702
t = realloc(lsockets, sizeof(int) * (nlsockets + 1));
709
lsockets[nlsockets] = localserver(opts);
710
if (lsockets[nlsockets] == -1)
715
else if (lsockets[nlsockets] > 0)
721
/* fork into background */
722
if (foreground == -1)
724
if (optget(opts, "Foreground")->enabled)
736
/* workaround for OpenBSD bug, see https://wwws.clamav.net/bugzilla/show_bug.cgi?id=885 */
737
for(ret=0;(unsigned int)ret<nlsockets;ret++) {
738
if (fcntl(lsockets[ret], F_SETFL, fcntl(lsockets[ret], F_GETFL) | O_NONBLOCK) == -1) {
739
logg("!fcntl for lsockets[] failed\n");
740
close(lsockets[ret]);
748
if(daemonize() == -1) {
749
logg("!daemonize() failed: %s\n", strerror(errno));
755
for(ret=0;(unsigned int)ret<nlsockets;ret++) {
756
if (fcntl(lsockets[ret], F_SETFL, fcntl(lsockets[ret], F_GETFL) & ~O_NONBLOCK) == -1) {
757
logg("!fcntl for lsockets[] failed\n");
758
close(lsockets[ret]);
766
logg("^Can't change current working directory to root\n");
771
if (nlsockets == 0) {
772
logg("!Not listening on any interfaces\n");
777
ret = recvloop_th(lsockets, nlsockets, engine, dboptions, opts);
783
logg("*Closing the main socket%s.\n", (nlsockets > 1) ? "s" : "");
785
for (i = 0; i < nlsockets; i++) {
786
closesocket(lsockets[i]);
789
if(nlsockets && localsock) {
790
opt = optget(opts, "LocalSocket");
792
if(unlink(opt->strarg) == -1)
793
logg("!Can't unlink the socket file %s\n", opt->strarg);
795
logg("Socket file removed.\n");
810
int is_valid_hostid(void)
814
if (strlen(hostid) != 36)
818
for (i=0; i < 36; i++)
819
if (hostid[i] == '-')
825
if (hostid[8] != '-' || hostid[13] != '-' || hostid[18] != '-' || hostid[23] != '-')
831
char *get_hostid(void *cbdata)
835
if (!strcmp(hostid, "none"))
838
if (!is_valid_hostid())
839
return strdup(STATS_ANON_UUID);
841
return strdup(hostid);