Bug 149698 - kmail_clamav.sh tempfile not accessible to clamd
Status: RESOLVED INTENTIONAL
Alias: None
Product: kmail
Classification: Applications
Component: filtering
Version: 1.9.6
Platform: Mandriva RPMs Linux
: NOR normal
Target Milestone: ---
Assignee: kdepim bugs
Keywords: triaged
Reported: 2007-09-09 12:59 UTC by Mark Atkinson
Modified: 2009-08-29 11:29 UTC

Description Mark Atkinson 2007-09-09 12:59:41 UTC
Version:           1.9.6 (using KDE KDE 3.5.6)
Installed from:    Mandriva RPMs
OS:                Linux

The TEMPFILE created to allow clamd to analyse an email is not accessible to clamd.  Mandriva added something similar to the bugfix 86090 but it did not take into account that the first line would succeed but still not be accessible to clamd as sole user clamav.  On my system $TMPDIR is set to $HOME/tmp.  So with the following I get a temporary file in $HOME/tmp that becomes world readable (-rw-r--r--) before the scan but $HOME/tmp itself is drw-------.

TEMPFILE=`mktemp`
if [ $? != 0 ] ; then
    TEMPFILE=`mktemp /tmp/kmail.XXXXXX`
fi

In some cases I received an lstat() error, at other times an Access Permission denied message, when run from the console.

Presently, I think there is little alternative to creating the temp file in /tmp.  I am of course asking another user (ClamAV) to scan my temporary file so it seems kosher. Is there an efficient test one user can do to ensure another user can access a file?

In lieu of that I suggest we adopt the following as the default. 

TEMPFILE=`mktemp /tmp/kmail.XXXXXX`

Alternatively, provide the tempfile directory location as an input parameter for those with particular needs.
Comment 1 Martin Koller 2009-08-29 11:29:53 UTC
The provided script has a behavior which might be ok for most setups.
Forcing /tmp as TMPDIR is not a solution.
If you have a special setup, why not simply change the script or set the TMPDIR (e.g. for kmail only) to some directory which clamd can access?

Also, you can allow only the clamd user access to this TMPDIR by using an ACL (access control list) setting on your filesystem (see: man setfacl).
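
A check for the failure described in this report (a world-readable temp file inside a directory that other users cannot traverse), as an added example that is not part of this bug thread or of kmail_clamav.sh. It assumes GNU stat; the function names are hypothetical, and it looks only at the "other" permission bits, so a path opened to clamd through an ACL or group membership is still reported as blocked.

```shell
#!/bin/sh
# Added example, not part of kmail_clamav.sh. Assumes GNU stat (-c %a).
# first_blocker (hypothetical name) prints the first path component that
# stops a user who is neither owner nor group member, judged by the
# "other" mode bits only. ACL grants are not seen, so it is conservative.
other_bits() {
    mode=$(stat -c %a "$1") || return 2
    printf '%s\n' "${mode#"${mode%?}"}"   # last octal digit = "other"
}

first_blocker() {
    path=$1
    case $path in /*) ;; *) path=$PWD/$path ;; esac
    # The file itself needs o+r (4) so the scanner can read it.
    bits=$(other_bits "$path") || { printf '%s\n' "$path"; return 2; }
    if [ $((bits & 4)) -eq 0 ]; then printf '%s\n' "$path"; return 1; fi
    # Every directory above it needs o+x (1) so the path can be resolved.
    dir=$(dirname "$path")
    while :; do
        bits=$(other_bits "$dir") || { printf '%s\n' "$dir"; return 2; }
        if [ $((bits & 1)) -eq 0 ]; then printf '%s\n' "$dir"; return 1; fi
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    return 0
}

# Constructed scenario from the report: a world-readable temp file inside
# a private directory standing in for $HOME/tmp.
demo() {
    base=$(mktemp -d) && chmod 700 "$base" || return 2
    f=$(mktemp "$base/kmail.XXXXXX") && chmod 644 "$f"
    first_blocker "$f" && rc=0 || rc=$?
    rm -rf "$base"
    return "$rc"
}
```

Called on $TEMPFILE before the file is handed to clamd, a non-empty result names the file or directory whose permissions keep the scanner out.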