[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#609097: RFP: scannedonly -- scalable samba anti-virus module

On Thu, Jan 6, 2011 at 1:11 PM, Falk Hackenberger
<debian@spam.huckley.de> wrote:
>> BTW and OT this behavior is racy, could be better to add an xattr with
>> the last scanning time to the file and compare it ?
>
> http://olivier.sessink.nl/scannedonly/faq.html says:
> Extended filesystem attributes could have been an option. They take as
> much space as the 0 byte .scanned: files, and a lookup is quick and has
> little overhead. However, lots of filesystems do not support extended
> attributes, so this would limit the usability of the module.

Ok I understand but it is insecure at least create a random secret
extension. And filter this extension. A malicious user could try to
race with the daemon, creating a .scanned file and an infected file.
sometime it will succeed and the file will be declared sane whereas it
is not sane.

It is really bad for a security tool to create a false sense of security...

And this behavior could be enforced like this:
fd = open(somefille...)
errno = 0;
s = flistxattr(fd,...)
if(errno == ENOTSUP && notstrictsaned)
   fallbacktosandefile(fd);

with fallbacktosanedfile(fd)
check the availlibilty of a .sanedXXXXX file where XXXX is a secret on
the server

Bastien
Reply to: