Bug#609097: RFP: scannedonly -- scalable samba anti-virus module
On Thu, Jan 6, 2011 at 1:11 PM, Falk Hackenberger
>> BTW and OT this behavior is racy, could be better to add an xattr with
>> the last scanning time to the file and compare it ?
> http://olivier.sessink.nl/scannedonly/faq.html says:
> Extended filesystem attributes could have been an option. They take as
> much space as the 0 byte .scanned: files, and a lookup is quick and has
> little overhead. However, lots of filesystems do not support extended
> attributes, so this would limit the usability of the module.
Ok I understand but it is insecure at least create a random secret
extension. And filter this extension. A malicious user could try to
race with the daemon, creating a .scanned file and an infected file.
sometime it will succeed and the file will be declared sane whereas it
is not sane.
It is really bad for a security tool to create a false sense of security...
And this behavior could be enforced like this:
fd = open(somefille...)
errno = 0;
s = flistxattr(fd,...)
if(errno == ENOTSUP && notstrictsaned)
check the availlibilty of a .sanedXXXXX file where XXXX is a secret on