fail check upload files with directive DefaultRoot

[willyamcts]

I'am attempt using mod_clamav via socket file, but occurent errors related a permissions.

In using directive DefaultRoot from jail user in your home (consider your home with root / and he not access / from system), mod_clamav return in /var/log/syslog:

    2020-09-03T15:43:10.955436-03:00 deb1 proftpd[7733]: deb1 (10.1.1.100[10.1.1.100]) - mod_clamav/0.14rc2: error: Cannot connect to Clamd (2): No such file or directory

    2020-09-03T15:43:10.955448-03:00 deb1 proftpd[7733]: deb1 (10.1.1.100[10.1.1.100]) - mod_clamav/0.14rc2: error: Cannot re-connect to Clamd (2): No such file or directory

And in client CLI i attempt upload from file eicar by test and he return:

    ftp> put Downloads/eicar_com.zip ./test.txt
    local: Downloads/eicar_com.zip remote: ./test.txt
    200 PORT command successful
    150 Opening BINARY mode data connection for ./test.txt
    550 ./test.txt: Operation not permitted
    184 bytes sent in 0.00 secs (4.1780 MB/s)
    ftp> pwd
    257 "/" is the current directory

If i remove or comment directive "DefaultRoot ~" mod_clamav worked normally. Below content files and result the commands from help:

############### ###############

# cat /etc/issue
Debian GNU/Linux 6.0 \n \l

# proftpd.conf:

ServerName                     "FTP Test"
ServerType                     standalone
UseIPv6                        off
ServerIdent                     on ""
DeferWelcome                    off
MultilineRFC2228                on
DefaultServer                   on
ShowSymlinks                    on
TimeoutNoTransfer               600
TimeoutStalled                  600
TimeoutIdle                     3600
DisplayLogin                    .welcome
DisplayChdir                    .message
ListOptions                     "-l"
RequireValidShell               off
RootLogin                       off
DenyFilter                      \*.*/

Port                            21
PassivePorts                    50000 50100
AuthUserFile /usr/local/proftpd/etc/ftpd.passwd
AuthGroupFile /usr/local/proftpd/etc/ftpd.group


AllowOverwrite                  on
DefaultRoot ~

<IfModule mod_clamav.c>
 ClamAV on
 ClamLocalSocket /var/run/clamav/clamd.sock
</IfModule>

# /usr/local/proftpd/sbin/proftpd -V

Compile-time Settings:
  Version: 1.3.7a (maint)
  Platform: LINUX [Linux 5.6.14 x86_64]
  Built: Qui Set 3 2020 13:07:41 -03
  Built With:
    configure  '--prefix=/usr/local/proftpd'

  CFLAGS: -g2 -O2 -Wall -fno-omit-frame-pointer
  LDFLAGS: -L$(top_srcdir)/lib -L$(top_builddir)/lib  -rdynamic
  LIBS:  -lpam -lsupp -lcrypt -ldl

  Files:
    Configuration File:
      /usr/local/proftpd/etc/proftpd.conf
    Pid File:
      /usr/local/proftpd/var/proftpd.pid
    Scoreboard File:
      /usr/local/proftpd/var/proftpd.scoreboard

  Info:
    + Max supported UID: 4294967295
    + Max supported GID: 4294967295

  Features:
    - Autoshadow support
    - Controls support
    + curses support
    - Developer support
    - DSO support
    + IPv6 support
    + Largefile support
    - Lastlog support
    - Memcache support
    + ncurses support
    - NLS support
    - OpenSSL support
    - PCRE support
    - POSIX ACL support
    - Redis support
    + Sendfile support
    + Shadow file support
    - Sodium support
    + Trace support
    + xattr support

  Tunable Options:
    PR_TUNABLE_BUFFER_SIZE = 1024
    PR_TUNABLE_DEFAULT_RCVBUFSZ = 8192
    PR_TUNABLE_DEFAULT_SNDBUFSZ = 8192
    PR_TUNABLE_ENV_MAX = 2048
    PR_TUNABLE_GLOBBING_MAX_MATCHES = 100000
    PR_TUNABLE_GLOBBING_MAX_RECURSION = 8
    PR_TUNABLE_HASH_TABLE_SIZE = 40
    PR_TUNABLE_LOGIN_MAX = 256
    PR_TUNABLE_NEW_POOL_SIZE = 512
    PR_TUNABLE_PATH_MAX = 4096
    PR_TUNABLE_SCOREBOARD_BUFFER_SIZE = 80
    PR_TUNABLE_SCOREBOARD_SCRUB_TIMER = 30
    PR_TUNABLE_SELECT_TIMEOUT = 30
    PR_TUNABLE_TIMEOUTIDENT = 10
    PR_TUNABLE_TIMEOUTIDLE = 600
    PR_TUNABLE_TIMEOUTLINGER = 10
    PR_TUNABLE_TIMEOUTLOGIN = 300
    PR_TUNABLE_TIMEOUTNOXFER = 300
    PR_TUNABLE_TIMEOUTSTALLED = 3600
    PR_TUNABLE_XFER_SCOREBOARD_UPDATES = 10

[jbenden]

Hi,

You cannot use DefaultRoot ~ with mod_clamav, because it is a chroot environment. The net effect is that the location of your Clamd socket is outside of the chroot and thus it is not present.

A possible fix is to enable TCP-based Clamd and set ClamServer, ClamPort, and maybe the ClamStream options.

Best regards,
-Joe

[willyamcts]

Hi @jbenden , very thaks your fastly response

Via FTP it was solved by changing from local socket to stream. I compiled the proFTPD with mod_clamav and the modules: mod_sftp and mod_vroot. Via FTP clamav + vroot works normally, but when using sftp the clamav seems to use the relative path from file to make the transfer via stream. The relative path is: "/ my_file" (I'm using the "DefaultRoot ~" directive) and full path is: "/home/.../my_file".

So the file supposedly copied via stream has a size of 0 (because no copy efftively) and for that reason it returns to the sftp client: "Couldn't close file: Permission denied". Below the output of proFTPD in debug mode:

# ./proftpd -n d10:

2020-09-15` 11:05:10,367 deb1 proftpd[23560] 0.0.0.0 (deb1[10.1.1.10]): mod_clamav/0.14rc2: Clamd return unknown response to PING: 'INSTREAM size limit exceeded. E'
2020-09-15 11:05:10,367 deb1 proftpd[23560] 0.0.0.0 (deb1[10.1.1.10]): mod_clamav/0.14rc2: Clamd did not respond to fgets (2): No such file or directory
2020-09-15 11:05:10,368 deb1 proftpd[23560] 0.0.0.0 (deb1[10.1.1.10]): ROOT PRIVS at mod_clamav.c:372
2020-09-15 11:05:10,368 deb1 proftpd[23560] 0.0.0.0 (deb1[10.1.1.10]): RELINQUISH PRIVS at mod_clamav.c:430
2020-09-15 11:05:10,368 deb1 proftpd[23560] 0.0.0.0 (deb1[10.1.1.10]): RELINQUISH PRIVS: ID switching disabled
2020-09-15 11:05:10,368 deb1 proftpd[23560] 0.0.0.0 (deb1[10.1.1.10]): mod_clamav/0.14rc2: Successfully reconnected to Clamd.
2020-09-15 11:05:10,368 deb1 proftpd[23560] 0.0.0.0 (deb1[10.1.1.10]): mod_clamav/0.14rc2: Cannot open file '/eicar_com.zip' errno=2.
2020-09-15 11:05:10,368 deb1 proftpd[23560] 0.0.0.0 (deb1[10.1.1.10]): mod_clamav/0.14rc2: removing failed upload of filename = '/home/ftp/eicar_com.zip' with relative filename = '/eicar_com.zip'.

I did the test by placing a file in the root of the system with the same name as the file that was being uploaded via sftp and really clamav is considering the relative path of the file to transfer via stream.

[jbenden]

If you increase the debugging, mod_clamav will output a ton of information about how the filename/filepath was translated. This is key to understanding what happened.

Additionally, I would need to build a test case for this problem, so I can then fix it. :)

[willyamcts]

Relative the mod_clamav it is only these. It doesn't even send a file via stream, but a file with size 0 is created in the temporary folder defined in the clamav settings.

Complete debug of the moment of sending the file: *

2020-09-15 15:39:26,824 deb1 proftpd[29039] deb1: scrubbing scoreboard
2020-09-15 15:39:26,825 deb1 proftpd[29039] deb1: ROOT PRIVS at scoreboard.c:1433
2020-09-15 15:39:26,825 deb1 proftpd[29039] deb1: RELINQUISH PRIVS at scoreboard.c:1436
2020-09-15 15:39:26,825 deb1 proftpd[29039] deb1: ROOT PRIVS at scoreboard.c:1477
2020-09-15 15:39:26,825 deb1 proftpd[29039] deb1: RELINQUISH PRIVS at scoreboard.c:1586
2020-09-15 15:39:26,825 deb1 proftpd[29039] deb1: finished scrubbing scoreboard
2020-09-15 15:39:30,723 deb1 proftpd[29136] 0.0.0.0 (deb1[10.1.1.10]): dispatching PRE_CMD command 'STOR /eicar_com.zip' to mod_exec
2020-09-15 15:39:30,723 deb1 proftpd[29136] 0.0.0.0 (deb1[10.1.1.10]): dispatching PRE_CMD command 'STOR /eicar_com.zip' to mod_core
2020-09-15 15:39:30,723 deb1 proftpd[29136] 0.0.0.0 (deb1[10.1.1.10]): dispatching PRE_CMD command 'STOR /eicar_com.zip' to mod_core
2020-09-15 15:39:30,723 deb1 proftpd[29136] 0.0.0.0 (deb1[10.1.1.10]): dispatching PRE_CMD command 'STOR /eicar_com.zip' to mod_xfer
2020-09-15 15:39:30,723 deb1 proftpd[29136] 0.0.0.0 (deb1[10.1.1.10]): in dir_check_full(): path = '/eicar_com.zip', fullpath = '/eicar_com.zip'
2020-09-15 15:39:30,723 deb1 proftpd[29136] 0.0.0.0 (deb1[10.1.1.10]): in dir_check_full(): setting umask to 0022 (was 0022)
2020-09-15 15:39:30,724 deb1 proftpd[29136] 0.0.0.0 (deb1[10.1.1.10]): in dir_check_full(): path = '/eicar_com.zip', fullpath = '/eicar_com.zip'
2020-09-15 15:39:30,724 deb1 proftpd[29136] 0.0.0.0 (deb1[10.1.1.10]): in dir_check_full(): setting umask to 0022 (was 0022)
2020-09-15 15:39:30,724 deb1 proftpd[29136] 0.0.0.0 (deb1[10.1.1.10]): dispatching POST_CMD command 'OPEN /eicar_com.zip' to mod_exec
2020-09-15 15:39:30,724 deb1 proftpd[29136] 0.0.0.0 (deb1[10.1.1.10]): dispatching LOG_CMD command 'OPEN /eicar_com.zip' to mod_log
2020-09-15 15:39:30,725 deb1 proftpd[29136] 0.0.0.0 (deb1[10.1.1.10]): in dir_check_full(): path = '/eicar_com.zip', fullpath = '/eicar_com.zip'
2020-09-15 15:39:30,725 deb1 proftpd[29136] 0.0.0.0 (deb1[10.1.1.10]): in dir_check_full(): setting umask to 0022 (was 0022)
2020-09-15 15:39:30,725 deb1 proftpd[29136] 0.0.0.0 (deb1[10.1.1.10]): dispatching POST_CMD command 'WRITE 8703781900469ba5 0 184' to mod_exec
2020-09-15 15:39:30,725 deb1 proftpd[29136] 0.0.0.0 (deb1[10.1.1.10]): dispatching LOG_CMD command 'WRITE 8703781900469ba5 0 184' to mod_log
2020-09-15 15:39:30,728 deb1 proftpd[29136] 0.0.0.0 (deb1[10.1.1.10]): mod_clamav/0.14rc2: Clamd return unknown response to PING: 'COMMAND READ TIMED OUT
'
2020-09-15 15:39:30,728 deb1 proftpd[29136] 0.0.0.0 (deb1[10.1.1.10]): mod_clamav/0.14rc2: Clamd did not respond to fgets (2): No such file or directory
2020-09-15 15:39:30,728 deb1 proftpd[29136] 0.0.0.0 (deb1[10.1.1.10]): ROOT PRIVS at mod_clamav.c:372
2020-09-15 15:39:30,728 deb1 proftpd[29136] 0.0.0.0 (deb1[10.1.1.10]): RELINQUISH PRIVS at mod_clamav.c:430
2020-09-15 15:39:30,728 deb1 proftpd[29136] 0.0.0.0 (deb1[10.1.1.10]): RELINQUISH PRIVS: ID switching disabled
2020-09-15 15:39:30,729 deb1 proftpd[29136] 0.0.0.0 (deb1[10.1.1.10]): mod_clamav/0.14rc2: Successfully reconnected to Clamd.
2020-09-15 15:39:30,729 deb1 proftpd[29136] 0.0.0.0 (deb1[10.1.1.10]): mod_clamav/0.14rc2: Cannot open file '/eicar_com.zip' errno=2.
2020-09-15 15:39:30,729 deb1 proftpd[29136] 0.0.0.0 (deb1[10.1.1.10]): mod_clamav/0.14rc2: removing failed upload of filename = '/home/ftp/eicar_com.zip' with relative filename = '/eicar_com.zip'.
2020-09-15 15:39:30,729 deb1 proftpd[29136] 0.0.0.0 (deb1[10.1.1.10]): dispatching POST_CMD_ERR command 'STOR /eicar_com.zip' to mod_exec
2020-09-15 15:39:30,729 deb1 proftpd[29136] 0.0.0.0 (deb1[10.1.1.10]): dispatching POST_CMD_ERR command 'STOR /eicar_com.zip' to mod_vroot
2020-09-15 15:39:30,729 deb1 proftpd[29136] 0.0.0.0 (deb1[10.1.1.10]): dispatching LOG_CMD_ERR command 'STOR /eicar_com.zip' to mod_log
2020-09-15 15:39:30,729 deb1 proftpd[29136] 0.0.0.0 (deb1[10.1.1.10]): dispatching LOG_CMD_ERR command 'STOR /eicar_com.zip' to mod_xfer
2020-09-15 15:39:30,729 deb1 proftpd[29136] 0.0.0.0 (deb1[10.1.1.10]): dispatching POST_CMD_ERR command 'CLOSE 8703781900469ba5' to mod_exec
2020-09-15 15:39:30,729 deb1 proftpd[29136] 0.0.0.0 (deb1[10.1.1.10]): dispatching LOG_CMD_ERR command 'CLOSE 8703781900469ba5' to mod_log

If I can help with something else, i available. See you

[willyamcts]

Hi @jbenden

it seems that the problem is with mod_vroot which changes variables when "VRootEngine on". I open issue in mod_vroot. If you want to follow: Castaglia/proftpd-mod_vroot#issue23.

Probably the directive VRootEngine changes variables, that are used by mod_clamav

Regards.

[willyamcts]

Hi @jbenden ,

I inserted some additional logs in the file mod_clamav.c and this is the result of the transfer via FTP and SFTP. I changed the abs_path variable to the global scope to access it from outside the "clamav_fsio_close" function and include it in the log output. Changing abs_path to global, the problem started via FTP and via SFTP everything works fine (more details in the logs below).

Following are the changes made to mod_clamav.c:

diff [email protected] mod_clamav.c 
28a29,31
>  * 
>  * Changed to debug
>  * 
61a65,66
> char *abs_path;
> 
217c222,223
<     pr_log_debug(DEBUG4, MOD_CLAMAV_VERSION ": Successfully reconnected to Clamd.");
---
>     pr_log_debug(DEBUG4, MOD_CLAMAV_VERSION ": Successfully reconnected to Clamd.\n\n vars = \
>     \n\t- pr_fs_getcwd(): %s \n\t- session.chroot_path: %s\n\t- abs_path: %s \n\n", pr_fs_getcwd(), session.chroot_path, abs_path);
441c447,448
<   char *abs_path = NULL, *rel_path = NULL;
---
>   abs_path = NULL;
>   char *rel_path = NULL;
527a535,537
>   pr_log_debug(DEBUG4, MOD_CLAMAV_VERSION ": VIA STREAM: \n\t* abs_path = %s \n\t* rel_path = %s \n\t* fh->fh_path=%s \n\t* buf=%s \n\t* pr_fs_getvwd()=%s\n\n", abs_path, rel_path, fh->fh_path, buf, pr_fs_getvwd());
> 
> 
568c578
<     res = clamavd_scan_stream(clamd_sockd, abs_path, rel_path);
---
>     res = clamavd_scan_stream(clamd_sockd, abs_path, abs_path);
585a596,597
>   pr_log_debug(DEBUG4, MOD_CLAMAV_VERSION ": SEND VIA STREAM: clamavd_scan_stream(%s) - rel_path=%s.", abs_path, rel_path);
> 
587c599
<     pr_log_debug(DEBUG4, MOD_CLAMAV_VERSION ": No virus detected in filename = '%s'.", abs_path);
---
>     pr_log_debug(DEBUG4, MOD_CLAMAV_VERSION ": No virus detected in filename = '%s'.", rel_path);

I don't know if there is a solution because VRoot directly affects the environment variables.

Directories and paths:

• The user's default directory is: /home/ftp/user
• The parent directory of the symbolic link is: /home/public_path
• The symbolic link is: /lodging -> /home/public_path/lodging
• Full path of the symbolic link: /home/public_path/lodging

The use case is

using mod_sftp + mod_vroot (VRootEngine on) + mod_clamav + directive "DefaultRoot ~" the behavior of mod_clamav is as follows:

SFTP upload in home e directories from user::

2020-09-23 05:50:51,454 deb1 proftpd[12076] 0.0.0.0 (10.1.1.50[10.1.1.50]): mod_clamav/0.14rc2: VIA STREAM: 
	* abs_path = /home/ftp/user/ei.txt 
	* rel_path = /ei.txt 
	* fh->fh_path=/ei.txt 
	* buf=/home/ftp/user 


2020-09-23 05:50:51,454 deb1 proftpd[12076] 0.0.0.0 (10.1.1.50[10.1.1.50]): mod_clamav/0.14rc2: SEND VIA STREAM: clamavd_scan_stream(/home/ftp/user/ei.txt) - rel_path=/ei.txt.
2020-09-23 05:50:51,454 deb1 proftpd[12076] 0.0.0.0 (10.1.1.50[10.1.1.50]): ROOT PRIVS at mod_clamav.c:379
2020-09-23 05:50:51,454 deb1 proftpd[12076] 0.0.0.0 (10.1.1.50[10.1.1.50]): ROOT PRIVS: ID switching disabled
2020-09-23 05:50:51,454 deb1 proftpd[12076] 0.0.0.0 (10.1.1.50[10.1.1.50]): RELINQUISH PRIVS at mod_clamav.c:437
2020-09-23 05:50:51,454 deb1 proftpd[12076] 0.0.0.0 (10.1.1.50[10.1.1.50]): RELINQUISH PRIVS: ID switching disabled
2020-09-23 05:50:51,454 deb1 proftpd[12076] 0.0.0.0 (10.1.1.50[10.1.1.50]): mod_clamav/0.14rc2: Successfully reconnected to Clamd.

 vars = 
	- pr_fs_getcwd(): / 
	- session.chroot_path: / 
	- abs_path: /home/ftp/user/ei.txt 


2020-09-23 05:50:51,454 deb1 proftpd[12076] 0.0.0.0 (10.1.1.50[10.1.1.50]): mod_clamav/0.14rc2: Streaming 69 bytes (1157627904, 4) to Clamd.
2020-09-23 05:50:51,456 deb1 proftpd[12076] 0.0.0.0 (10.1.1.50[10.1.1.50]): mod_clamav/0.14rc2: Virus 'Eicar-Signature' found in '/home/ftp/user/ei.txt'
2020-09-23 05:50:51,456 deb1 proftpd[12076] 0.0.0.0 (10.1.1.50[10.1.1.50]): mod_clamav/0.14rc2: No virus detected in filename = '/ei.txt'.

SFTP upload in symbolic link:

2020-09-23 05:50:51,454 deb1 proftpd[12076] 0.0.0.0 (10.1.1.50[10.1.1.50]): mod_clamav/0.14rc2: VIA STREAM: 
	* abs_path = /home/ftp/user/ei.txt 
	* rel_path = /ei.txt 
	* fh->fh_path=/ei.txt 
	* buf=/home/ftp/user 


2020-09-23 05:50:51,454 deb1 proftpd[12076] 0.0.0.0 (10.1.1.50[10.1.1.50]): mod_clamav/0.14rc2: SEND VIA STREAM: clamavd_scan_stream(/home/ftp/user/ei.txt) - rel_path=/ei.txt.
2020-09-23 05:50:51,454 deb1 proftpd[12076] 0.0.0.0 (10.1.1.50[10.1.1.50]): ROOT PRIVS at mod_clamav.c:379
2020-09-23 05:50:51,454 deb1 proftpd[12076] 0.0.0.0 (10.1.1.50[10.1.1.50]): ROOT PRIVS: ID switching disabled
2020-09-23 05:50:51,454 deb1 proftpd[12076] 0.0.0.0 (10.1.1.50[10.1.1.50]): RELINQUISH PRIVS at mod_clamav.c:437
2020-09-23 05:50:51,454 deb1 proftpd[12076] 0.0.0.0 (10.1.1.50[10.1.1.50]): RELINQUISH PRIVS: ID switching disabled
2020-09-23 05:50:51,454 deb1 proftpd[12076] 0.0.0.0 (10.1.1.50[10.1.1.50]): mod_clamav/0.14rc2: Successfully reconnected to Clamd.

 vars = 
	- pr_fs_getcwd(): / 
	- session.chroot_path: / 
	- abs_path: /home/ftp/user/ei.txt 


2020-09-23 05:50:51,454 deb1 proftpd[12076] 0.0.0.0 (10.1.1.50[10.1.1.50]): mod_clamav/0.14rc2: Streaming 69 bytes (1157627904, 4) to Clamd.
2020-09-23 05:50:51,456 deb1 proftpd[12076] 0.0.0.0 (10.1.1.50[10.1.1.50]): mod_clamav/0.14rc2: Virus 'Eicar-Signature' found in '/home/ftp/user/ei.txt'
2020-09-23 05:50:51,456 deb1 proftpd[12076] 0.0.0.0 (10.1.1.50[10.1.1.50]): mod_clamav/0.14rc2: No virus detected in filename = '/ei.txt'.

FTP upload in home e directories from user:

2020-09-23 05:53:07,804 deb1 proftpd[13332] deb1 (10.1.1.50[10.1.1.50]): passive data connection opened - local  : 10.1.1.1:50095
2020-09-23 05:53:07,804 deb1 proftpd[13332] deb1 (10.1.1.50[10.1.1.50]): passive data connection opened - remote : 10.1.1.50:42853
2020-09-23 05:53:07,805 deb1 proftpd[13332] deb1 (10.1.1.50[10.1.1.50]): mod_clamav/0.14rc2: VIA STREAM: 
	* abs_path = /home/ftp/user/home/ftp/user/ei.txt 
	* rel_path = /home/ftp/user/ei.txt 
	* fh->fh_path=/home/ftp/user/ei.txt 
	* buf=/home/ftp/user 


2020-09-23 05:53:07,806 deb1 proftpd[13332] deb1 (10.1.1.50[10.1.1.50]): mod_clamav/0.14rc2: SEND VIA STREAM: clamavd_scan_stream(/home/ftp/user/home/ftp/user/ei.txt) - rel_path=/home/ftp/user/ei.txt.
2020-09-23 05:53:07,806 deb1 proftpd[13332] deb1 (10.1.1.50[10.1.1.50]): ROOT PRIVS at mod_clamav.c:379
2020-09-23 05:53:07,806 deb1 proftpd[13332] deb1 (10.1.1.50[10.1.1.50]): ROOT PRIVS: ID switching disabled
2020-09-23 05:53:07,806 deb1 proftpd[13332] deb1 (10.1.1.50[10.1.1.50]): RELINQUISH PRIVS at mod_clamav.c:437
2020-09-23 05:53:07,806 deb1 proftpd[13332] deb1 (10.1.1.50[10.1.1.50]): RELINQUISH PRIVS: ID switching disabled
2020-09-23 05:53:07,806 deb1 proftpd[13332] deb1 (10.1.1.50[10.1.1.50]): mod_clamav/0.14rc2: Successfully reconnected to Clamd.

 vars = 
	- pr_fs_getcwd(): / 
	- session.chroot_path: / 
	- abs_path: /home/ftp/user/home/ftp/user/ei.txt 


2020-09-23 05:53:07,806 deb1 proftpd[13332] deb1 (10.1.1.50[10.1.1.50]): mod_clamav/0.14rc2: Cannot open file '/home/ftp/user/home/ftp/user/ei.txt' errno=2.
2020-09-23 05:53:07,806 deb1 proftpd[13332] deb1 (10.1.1.50[10.1.1.50]): notice: error closing '(null)': Operation not permitted

FTP upload in symbolic link:

2020-09-23 05:54:08,131 deb1 proftpd[13332] deb1 (10.1.1.50[10.1.1.50]): passive data connection opened - local  : 10.1.1.1:50058
2020-09-23 05:54:08,131 deb1 proftpd[13332] deb1 (10.1.1.50[10.1.1.50]): passive data connection opened - remote : 10.1.1.50:43315
2020-09-23 05:54:08,132 deb1 proftpd[13332] deb1 (10.1.1.50[10.1.1.50]): mod_clamav/0.14rc2: VIA STREAM: 
	* abs_path = /home/public_path/home/ftp/user/lodging/ei.txt 
	* rel_path = /home/ftp/user/lodging/ei.txt 
	* fh->fh_path=/home/ftp/user/lodging/ei.txt 
	* buf=/home/public_path 


2020-09-23 05:54:08,132 deb1 proftpd[13332] deb1 (10.1.1.50[10.1.1.50]): mod_clamav/0.14rc2: SEND VIA STREAM: clamavd_scan_stream(/home/public_path/home/ftp/user/lodging/ei.txt) - rel_path=/home/ftp/user/lodging/ei.txt.
2020-09-23 05:54:08,132 deb1 proftpd[13332] deb1 (10.1.1.50[10.1.1.50]): mod_clamav/0.14rc2: Clamd return unknown response to PING: 'COMMAND READ TIMED OUT
'
2020-09-23 05:54:08,132 deb1 proftpd[13332] deb1 (10.1.1.50[10.1.1.50]): mod_clamav/0.14rc2: Clamd did not respond to fgets (2): No such file or directory
2020-09-23 05:54:08,132 deb1 proftpd[13332] deb1 (10.1.1.50[10.1.1.50]): ROOT PRIVS at mod_clamav.c:379
2020-09-23 05:54:08,133 deb1 proftpd[13332] deb1 (10.1.1.50[10.1.1.50]): RELINQUISH PRIVS at mod_clamav.c:437
2020-09-23 05:54:08,133 deb1 proftpd[13332] deb1 (10.1.1.50[10.1.1.50]): RELINQUISH PRIVS: ID switching disabled
2020-09-23 05:54:08,133 deb1 proftpd[13332] deb1 (10.1.1.50[10.1.1.50]): mod_clamav/0.14rc2: Successfully reconnected to Clamd.

 vars = 
	- pr_fs_getcwd(): /lodging 
	- session.chroot_path: / 
	- abs_path: /home/public_path/home/ftp/user/lodging/ei.txt 


2020-09-23 05:54:08,133 deb1 proftpd[13332] deb1 (10.1.1.50[10.1.1.50]): mod_clamav/0.14rc2: Cannot open file '/home/public_path/home/ftp/user/lodging/ei.txt' errno=2.
2020-09-23 05:54:08,133 deb1 proftpd[13332] deb1 (10.1.1.50[10.1.1.50]): notice: error closing '(null)': Operation not permitted
2020-09-23 05:54:08,133 deb1 proftpd[13332] deb1 (10.1.1.50[10.1.1.50]): Transfer aborted after 69 bytes in 0.00 seconds
2020-09-23 05:54:08,133 deb1 proftpd[13332] deb1 (10.1.1.50[10.1.1.50]): dispatching POST_CMD_ERR command 'STOR ei.txt' to mod_vroot
2020-09-23 05:54:08,133 deb1 proftpd[13332] deb1 (10.1.1.50[10.1.1.50]): dispatching LOG_CMD_ERR command 'STOR ei.txt' to mod_log
2020-09-23 05:54:08,133 deb1 proftpd[13332] deb1 (10.1.1.50[10.1.1.50]): dispatching LOG_CMD_ERR command 'STOR ei.txt' to mod_xfer
2020-09-23 05:54:08,137 deb1 proftpd[13332] deb1 (10.1.1.50[10.1.1.50]): dispatching PRE_CMD command 'TYPE I' to mod_core
2020-09-23 05:54:08,137 deb1 proftpd[13332] deb1 (10.1.1.50[10.1.1.50]): dispatching PRE_CMD command 'TYPE I' to mod_core
2020-09-23 05:54:08,137 deb1 proftpd[13332] deb1 (10.1.1.50[10.1.1.50]): dispatching CMD command 'TYPE I' to mod_xfer
2020-09-23 05:54:08,137 deb1 proftpd[13332] deb1 (10.1.1.50[10.1.1.50]): dispatching LOG_CMD command 'TYPE I' to mod_log
2020-09-23 05:54:08,138 deb1 proftpd[13332] deb1 (10.1.1.50[10.1.1.50]): dispatching PRE_CMD command 'PASV' to mod_core
2020-09-23 05:54:08,138 deb1 proftpd[13332] deb1 (10.1.1.50[10.1.1.50]): dispatching PRE_CMD command 'PASV' to mod_core
2020-09-23 05:54:08,138 deb1 proftpd[13332] deb1 (10.1.1.50[10.1.1.50]): dispatching CMD command 'PASV' to mod_core
2020-09-23 05:54:08,138 deb1 proftpd[13332] deb1 (10.1.1.50[10.1.1.50]): in dir_check_full(): path = '/lodging', fullpath = '/lodging'
2020-09-23 05:54:08,138 deb1 proftpd[13332] deb1 (10.1.1.50[10.1.1.50]): Entering Passive Mode (10,1,1,1,195,135).
2020-09-23 05:54:08,138 deb1 proftpd[13332] deb1 (10.1.1.50[10.1.1.50]): dispatching LOG_CMD command 'PASV' to mod_log
2020-09-23 05:54:08,138 deb1 proftpd[13332] deb1 (10.1.1.50[10.1.1.50]): dispatching PRE_CMD command 'LIST' to mod_core
2020-09-23 05:54:08,138 deb1 proftpd[13332] deb1 (10.1.1.50[10.1.1.50]): dispatching PRE_CMD command 'LIST' to mod_core
2020-09-23 05:54:08,139 deb1 proftpd[13332] deb1 (10.1.1.50[10.1.1.50]): dispatching CMD command 'LIST' to mod_ls
2020-09-23 05:54:08,139 deb1 proftpd[13332] deb1 (10.1.1.50[10.1.1.50]): passive data connection opened - local  : 10.1.1.1:50055
2020-09-23 05:54:08,139 deb1 proftpd[13332] deb1 (10.1.1.50[10.1.1.50]): passive data connection opened - remote : 10.1.1.50:52157
2020-09-23 05:54:08,139 deb1 proftpd[13332] deb1 (10.1.1.50[10.1.1.50]): in dir_check_full(): path = '/lodging', fullpath = '/lodging'
2020-09-23 05:54:08,139 deb1 proftpd[13332] deb1 (10.1.1.50[10.1.1.50]): in dir_check_full(): path = '/lodging/ei.txt', fullpath = '/lodging/ei.txt'
2020-09-23 05:54:08,139 deb1 proftpd[13332] deb1 (10.1.1.50[10.1.1.50]): in dir_check_full(): path = '/lodging/subdir', fullpath = '/lodging/subdir'

I tried to make a work around but the verification in some of the points still fails. We continued talking, the disposition.

---

proftpd.conf:

[...]
<IfModule mod_dso.c>
  LoadModule mod_clamav.c
</IfModule>


<Global>

 ShowSymlinks                    on
 RootLogin                       off

 Umask                           0022 0022
 DefaultRoot ~
 AllowOverwrite                  on
 RequireValidShell               off

[...]

<IfModule mod_clamav.c>
  ClamAV        on
  ClamStream    on
  ClamServer    127.0.0.1
  ClamPort      3310
  ClamFailsafe  false
</IfModule>

<IfModule mod_vroot.c>
  VRootEngine on
  VRootOptions allowSymlinks
</IfModule>


<IfModule mod_sftp.c>
  <VirtualHost 0.0.0.0>
    SFTPEngine         on
    Port               2221
    SFTPCompression    delayed

    [...]

    SFTPOptions  IgnoreSFTPSetPerms IgnoreSCPUploadPerms
    SFTPLog        /var/log/proftpd/sftp.log
  </VirtualHost>
</IfModule mod_sftp.c>

</Global>

proftpd -vv

ProFTPD Version: 1.3.7a (maint)
  Scoreboard Version: 01040003
  Built: Ter Set 22 2020 13:05:09 -03

Loaded modules:
  mod_clamav/0.14rc2
  mod_vroot/0.9.8
  mod_sftp/1.0.1
  mod_auth_pam/1.2
  mod_dso/0.5
  mod_facts/0.6
  mod_delay/0.7
  mod_site.c
  mod_log/1.0
  mod_ls.c
  mod_auth.c
  mod_auth_file/1.0
  mod_auth_unix.c
  mod_rlimit/1.0
  mod_xfer.c
  mod_core.c

[jbenden]

Thank you for all you've looked into!

So, we probably need some sort of answer or advice from @Castaglia on this.

But, would you re-run tests with logging the output of pr_fs_getvwd() during VIA STREAM? In looking at mod_vroot source code, it seems this is now used. If this can give us the information we need, we might be good to go.

Thanks,
-Joe

[willyamcts]

Hi Joe,

Just check only pr_fs_getvwd () of mod_vroot in streaming stream?

[jbenden]

Hello!

I was hoping you could add it to the logging performed in the line pr_log_debug(DEBUG4, MOD_CLAMAV_VERSION ": VIA STREAM:...

Thanks!
-Joe

[willyamcts]

Hi benden,

sorry delay, I remounted the environment.

FTP upload in home e directories from user:

2020-10-15 21:05:50,912 deb1 proftpd[22070] deb1 (10.1.1.50[10.1.1.50]): in dir_check_full(): path = '/ei.txt', fullpath = '/ei.txt'
2020-10-15 21:05:50,912 deb1 proftpd[22070] deb1 (10.1.1.50[10.1.1.50]): in dir_check_full(): setting umask to 0022 (was 0022)
2020-10-15 21:05:50,912 deb1 proftpd[22070] deb1 (10.1.1.50[10.1.1.50]): dispatching CMD command 'STOR ei.txt' to mod_vroot
2020-10-15 21:05:50,912 deb1 proftpd[22070] deb1 (10.1.1.50[10.1.1.50]): dispatching CMD command 'STOR ei.txt' to mod_xfer
2020-10-15 21:05:50,912 deb1 proftpd[22070] deb1 (10.1.1.50[10.1.1.50]): passive data connection opened - local  : 10.1.1.1:50088
2020-10-15 21:05:50,912 deb1 proftpd[22070] deb1 (10.1.1.50[10.1.1.50]): passive data connection opened - remote : 10.1.1.50:55569
2020-10-15 21:05:50,913 deb1 proftpd[22070] deb1 (10.1.1.50[10.1.1.50]): mod_clamav/0.14rc2: VIA STREAM: 
	* abs_path = /home/ftp/user/home/ftp/user/ei.txt 
	* rel_path = /home/ftp/user/ei.txt 
	* fh->fh_path=/home/ftp/user/ei.txt 
	* buf=/home/ftp/user 
	* pr_fs_getvwd()=/


2020-10-15 21:05:50,913 deb1 proftpd[22070] deb1 (10.1.1.50[10.1.1.50]): mod_clamav/0.14rc2: Clamd return unknown response to PING: 'INSTREAM size limit exceeded. E'
2020-10-15 21:05:50,913 deb1 proftpd[22070] deb1 (10.1.1.50[10.1.1.50]): mod_clamav/0.14rc2: Clamd did not respond to fgets (2): No such file or directory
2020-10-15 21:05:50,913 deb1 proftpd[22070] deb1 (10.1.1.50[10.1.1.50]): ROOT PRIVS at mod_clamav.c:378
2020-10-15 21:05:50,914 deb1 proftpd[22070] deb1 (10.1.1.50[10.1.1.50]): RELINQUISH PRIVS at mod_clamav.c:436
2020-10-15 21:05:50,914 deb1 proftpd[22070] deb1 (10.1.1.50[10.1.1.50]): RELINQUISH PRIVS: ID switching disabled
2020-10-15 21:05:50,914 deb1 proftpd[22070] deb1 (10.1.1.50[10.1.1.50]): mod_clamav/0.14rc2: Successfully reconnected to Clamd.

 vars =     
	- pr_fs_getcwd(): / 
	- session.chroot_path: /
	- abs_path: /home/ftp/user/home/ftp/user/ei.txt 


2020-10-15 21:05:50,914 deb1 proftpd[22070] deb1 (10.1.1.50[10.1.1.50]): mod_clamav/0.14rc2: Cannot open file '/home/ftp/user/home/ftp/user/ei.txt' errno=2.
2020-10-15 21:05:50,914 deb1 proftpd[22070] deb1 (10.1.1.50[10.1.1.50]): mod_clamav/0.14rc2: removing failed upload of filename = '/home/ftp/user/home/ftp/user/ei.txt' with relative filename = '/home/ftp/user/ei.txt'.
2020-10-15 21:05:50,915 deb1 proftpd[22070] deb1 (10.1.1.50[10.1.1.50]): notice: error closing '(null)': Operation not permitted
2020-10-15 21:05:50,915 deb1 proftpd[22070] deb1 (10.1.1.50[10.1.1.50]): Transfer aborted after 69 bytes in 0.00 seconds
2020-10-15 21:05:50,915 deb1 proftpd[22070] deb1 (10.1.1.50[10.1.1.50]): dispatching POST_CMD_ERR command 'STOR ei.txt' to mod_exec

FTP upload in symbolic link:

2020-10-15 21:06:22,349 deb1 proftpd[22070] deb1 (10.1.1.50[10.1.1.50]): in dir_check_full(): path = '/lodging/ei.txt', fullpath = '/lodging/ei.txt'
2020-10-15 21:06:22,349 deb1 proftpd[22070] deb1 (10.1.1.50[10.1.1.50]): in dir_check_full(): setting umask to 0022 (was 0022)
2020-10-15 21:06:22,349 deb1 proftpd[22070] deb1 (10.1.1.50[10.1.1.50]): dispatching CMD command 'STOR ei.txt' to mod_vroot
2020-10-15 21:06:22,349 deb1 proftpd[22070] deb1 (10.1.1.50[10.1.1.50]): dispatching CMD command 'STOR ei.txt' to mod_xfer
2020-10-15 21:06:22,350 deb1 proftpd[22070] deb1 (10.1.1.50[10.1.1.50]): passive data connection opened - local  : 10.1.1.1:50027
2020-10-15 21:06:22,350 deb1 proftpd[22070] deb1 (10.1.1.50[10.1.1.50]): passive data connection opened - remote : 10.1.1.50:49477
2020-10-15 21:06:22,350 deb1 proftpd[22070] deb1 (10.1.1.50[10.1.1.50]): mod_clamav/0.14rc2: VIA STREAM: 
	* abs_path = /home/public_path/lodging/home/ftp/user/lodging/ei.txt 
	* rel_path = /home/ftp/user/lodging/ei.txt 
	* fh->fh_path=/home/ftp/user/lodging/ei.txt 
	* buf=/home/public_path/lodging 
	* pr_fs_getvwd()=/lodging


2020-10-15 21:06:22,351 deb1 proftpd[22070] deb1 (10.1.1.50[10.1.1.50]): mod_clamav/0.14rc2: Clamd return unknown response to PING: 'INSTREAM size limit exceeded. E'
2020-10-15 21:06:22,351 deb1 proftpd[22070] deb1 (10.1.1.50[10.1.1.50]): mod_clamav/0.14rc2: Clamd did not respond to fgets (2): No such file or directory
2020-10-15 21:06:22,351 deb1 proftpd[22070] deb1 (10.1.1.50[10.1.1.50]): ROOT PRIVS at mod_clamav.c:378
2020-10-15 21:06:22,351 deb1 proftpd[22070] deb1 (10.1.1.50[10.1.1.50]): RELINQUISH PRIVS at mod_clamav.c:436
2020-10-15 21:06:22,351 deb1 proftpd[22070] deb1 (10.1.1.50[10.1.1.50]): RELINQUISH PRIVS: ID switching disabled
2020-10-15 21:06:22,351 deb1 proftpd[22070] deb1 (10.1.1.50[10.1.1.50]): mod_clamav/0.14rc2: Successfully reconnected to Clamd.

 vars =     
	- pr_fs_getcwd(): /lodging 
	- session.chroot_path: /
	- abs_path: /home/public_path/lodging/home/ftp/user/lodging/ei.txt 


2020-10-15 21:06:22,352 deb1 proftpd[22070] deb1 (10.1.1.50[10.1.1.50]): mod_clamav/0.14rc2: Cannot open file '/home/public_path/lodging/home/ftp/user/lodging/ei.txt' errno=2.
2020-10-15 21:06:22,352 deb1 proftpd[22070] deb1 (10.1.1.50[10.1.1.50]): mod_clamav/0.14rc2: removing failed upload of filename = '/home/public_path/lodging/home/ftp/user/lodging/ei.txt' with relative filename = '/home/ftp/user/lodging/ei.txt'.
2020-10-15 21:06:22,352 deb1 proftpd[22070] deb1 (10.1.1.50[10.1.1.50]): notice: error closing '(null)': Operation not permitted
2020-10-15 21:06:22,352 deb1 proftpd[22070] deb1 (10.1.1.50[10.1.1.50]): Transfer aborted after 69 bytes in 0.00 seconds
2020-10-15 21:06:22,352 deb1 proftpd[22070] deb1 (10.1.1.50[10.1.1.50]): dispatching POST_CMD_ERR command 'STOR ei.txt' to mod_exec

SFTP upload in home e directories from user:

2020-10-15 21:05:02,458 deb1 proftpd[21590] 0.0.0.0 (10.1.1.50[10.1.1.50]): in dir_check_full(): path = '/ei.txt', fullpath = '/ei.txt'
2020-10-15 21:05:02,458 deb1 proftpd[21590] 0.0.0.0 (10.1.1.50[10.1.1.50]): in dir_check_full(): setting umask to 0022 (was 0022)
2020-10-15 21:05:02,458 deb1 proftpd[21590] 0.0.0.0 (10.1.1.50[10.1.1.50]): dispatching POST_CMD command 'WRITE 49b9e676bcbc3619 0 69' to mod_exec
2020-10-15 21:05:02,458 deb1 proftpd[21590] 0.0.0.0 (10.1.1.50[10.1.1.50]): dispatching LOG_CMD command 'WRITE 49b9e676bcbc3619 0 69' to mod_log
2020-10-15 21:05:02,459 deb1 proftpd[21590] 0.0.0.0 (10.1.1.50[10.1.1.50]): mod_clamav/0.14rc2: VIA STREAM: 
	* abs_path = /home/ftp/user/ei.txt 
	* rel_path = /ei.txt 
	* fh->fh_path=/ei.txt 
	* buf=/home/ftp/user 
	* pr_fs_getvwd()=/


2020-10-15 21:05:02,459 deb1 proftpd[21590] 0.0.0.0 (10.1.1.50[10.1.1.50]): ROOT PRIVS at mod_clamav.c:378
2020-10-15 21:05:02,459 deb1 proftpd[21590] 0.0.0.0 (10.1.1.50[10.1.1.50]): ROOT PRIVS: ID switching disabled
2020-10-15 21:05:02,460 deb1 proftpd[21590] 0.0.0.0 (10.1.1.50[10.1.1.50]): RELINQUISH PRIVS at mod_clamav.c:436
2020-10-15 21:05:02,460 deb1 proftpd[21590] 0.0.0.0 (10.1.1.50[10.1.1.50]): RELINQUISH PRIVS: ID switching disabled
2020-10-15 21:05:02,460 deb1 proftpd[21590] 0.0.0.0 (10.1.1.50[10.1.1.50]): mod_clamav/0.14rc2: Successfully reconnected to Clamd.

 vars =     
	- pr_fs_getcwd(): / 
	- session.chroot_path: /
	- abs_path: /home/ftp/user/ei.txt 


2020-10-15 21:05:02,460 deb1 proftpd[21590] 0.0.0.0 (10.1.1.50[10.1.1.50]): mod_clamav/0.14rc2: Streaming 69 bytes (1157627904, 4) to Clamd.
2020-10-15 21:05:02,468 deb1 proftpd[21590] 0.0.0.0 (10.1.1.50[10.1.1.50]): mod_clamav/0.14rc2: Virus 'Eicar-Signature' found in '/home/ftp/user/ei.txt'
2020-10-15 21:05:02,468 deb1 proftpd[21590] 0.0.0.0 (10.1.1.50[10.1.1.50]): mod_clamav/0.14rc2: SEND VIA STREAM: clamavd_scan_stream(/home/ftp/user/ei.txt) - rel_path=/ei.txt.
2020-10-15 21:05:02,468 deb1 proftpd[21590] 0.0.0.0 (10.1.1.50[10.1.1.50]): mod_clamav/0.14rc2: No virus detected in filename = '/ei.txt'.
2020-10-15 21:05:02,468 deb1 proftpd[21590] 0.0.0.0 (10.1.1.50[10.1.1.50]): dispatching POST_CMD command 'STOR /ei.txt' to mod_exec
2020-10-15 21:05:02,474 deb1 proftpd[21966] 0.0.0.0 (10.1.1.50[10.1.1.50]): REVOKE PRIVS at mod_exec.c:489
2020-10-15 21:05:02,474 deb1 proftpd[21966] 0.0.0.0 (10.1.1.50[10.1.1.50]): REVOKE PRIVS: unable to seteuid(): Operation not permitted
2020-10-15 21:05:02,475 deb1 proftpd[21590] 0.0.0.0 (10.1.1.50[10.1.1.50]): dispatching POST_CMD command 'STOR /ei.txt' to mod_xfer

SFTP upload in symbolic link:

2020-10-15 21:03:49,153 deb1 proftpd[21021] 0.0.0.0 (10.1.1.50[10.1.1.50]): in dir_check_full(): path = '/lodging/ei.txt', fullpath = '/lodging/ei.txt'
2020-10-15 21:03:49,153 deb1 proftpd[21021] 0.0.0.0 (10.1.1.50[10.1.1.50]): in dir_check_full(): setting umask to 0022 (was 0022)
2020-10-15 21:03:49,153 deb1 proftpd[21021] 0.0.0.0 (10.1.1.50[10.1.1.50]): dispatching POST_CMD command 'WRITE bf2f73cf2990492b 0 69' to mod_exec
2020-10-15 21:03:49,153 deb1 proftpd[21021] 0.0.0.0 (10.1.1.50[10.1.1.50]): dispatching LOG_CMD command 'WRITE bf2f73cf2990492b 0 69' to mod_log
2020-10-15 21:03:49,154 deb1 proftpd[21021] 0.0.0.0 (10.1.1.50[10.1.1.50]): mod_clamav/0.14rc2: VIA STREAM: 
	* abs_path = /home/ftp/user/lodging/ei.txt 
	* rel_path = /lodging/ei.txt 
	* fh->fh_path=/lodging/ei.txt 
	* buf=/home/ftp/user 
	* pr_fs_getvwd()=/


2020-10-15 21:03:49,155 deb1 proftpd[21021] 0.0.0.0 (10.1.1.50[10.1.1.50]): mod_clamav/0.14rc2: Clamd did not accept PING (32): Broken pipe
2020-10-15 21:03:49,155 deb1 proftpd[21021] 0.0.0.0 (10.1.1.50[10.1.1.50]): ROOT PRIVS at mod_clamav.c:378
2020-10-15 21:03:49,155 deb1 proftpd[21021] 0.0.0.0 (10.1.1.50[10.1.1.50]): RELINQUISH PRIVS at mod_clamav.c:436
2020-10-15 21:03:49,155 deb1 proftpd[21021] 0.0.0.0 (10.1.1.50[10.1.1.50]): RELINQUISH PRIVS: ID switching disabled
2020-10-15 21:03:49,155 deb1 proftpd[21021] 0.0.0.0 (10.1.1.50[10.1.1.50]): mod_clamav/0.14rc2: Successfully reconnected to Clamd.

 vars =     
	- pr_fs_getcwd(): / 
	- session.chroot_path: /
	- abs_path: /home/ftp/user/lodging/ei.txt 


2020-10-15 21:03:49,156 deb1 proftpd[21021] 0.0.0.0 (10.1.1.50[10.1.1.50]): mod_clamav/0.14rc2: Streaming 69 bytes (1157627904, 4) to Clamd.
2020-10-15 21:03:49,158 deb1 proftpd[21021] 0.0.0.0 (10.1.1.50[10.1.1.50]): mod_clamav/0.14rc2: Virus 'Eicar-Signature' found in '/home/ftp/user/lodging/ei.txt'
2020-10-15 21:03:49,159 deb1 proftpd[21021] 0.0.0.0 (10.1.1.50[10.1.1.50]): mod_clamav/0.14rc2: SEND VIA STREAM: clamavd_scan_stream(/home/ftp/user/lodging/ei.txt) - rel_path=/lodging/ei.txt.
2020-10-15 21:03:49,159 deb1 proftpd[21021] 0.0.0.0 (10.1.1.50[10.1.1.50]): mod_clamav/0.14rc2: No virus detected in filename = '/lodging/ei.txt'.
2020-10-15 21:03:49,159 deb1 proftpd[21021] 0.0.0.0 (10.1.1.50[10.1.1.50]): dispatching POST_CMD command 'STOR /lodging/ei.txt' to mod_exec
2020-10-15 21:03:49,159 deb1 proftpd[21055] 0.0.0.0 (10.1.1.50[10.1.1.50]): REVOKE PRIVS at mod_exec.c:489
2020-10-15 21:03:49,160 deb1 proftpd[21055] 0.0.0.0 (10.1.1.50[10.1.1.50]): REVOKE PRIVS: unable to seteuid(): Operation not permitted
2020-10-15 21:03:49,161 deb1 proftpd[21021] 0.0.0.0 (10.1.1.50[10.1.1.50]): dispatching POST_CMD command 'STOR /lodging/ei.txt' to mod_xfer

[jbenden]

Thank you for running the tests, @willyamcts !

Unfortunately, I don't see a solution on my end. To fix this, I'd really need @Castaglia to help and find a workable solution for both his module and any downstream modules.

Thanks,
-Joe

[Castaglia]

What I find most interesting, in the provided logs (thank you!), are the fh->fh_path differences between the FTP and SFTP uploads. Those are used, by mod_clamav, as the rel_path values -- and I assume that the incorrect SFTP rel_path is currently the problem?

[jbenden]

@Castaglia Well, it's been awhile so I'm a bit rusty on the problems... But yes. Your module does not seem to set all the components of the path properly, thus mine is completely unable to reconstruct an absolute path to the file.

[willyamcts]

Hi @jbenden,

Castaglia has recently committed a possible fix for this issue. @Castaglia I will test and see the result.

Anyway I made a change in mod_clamav.c to work around the mentioned problem, but I understand that there may be problems with future updates.

If the Cataglia change doesn't work correctly, I open a pull request with my change for you to evaluate.

[offsides]

I'm playing with mod_clamav with the current versions of ProFTPd and mod_vroot, and I've found the following:

For vrooted DefaultRoot file uploads, the relpath is the correct filesystem path, and the abspath is /abspath - so that the path begins with //... For those files, STREAM scanning works properly, but not SCAN scanning.

Here's a bit from the tracelog:

2023-05-15 13:26:55,377 [331453] <fsio:8>: using clamav close() for path '/data/ftp/jsmsftptest/Makefi
le'
2023-05-15 13:26:55,378 [331453] <fsio:8>: using system fstat() for path '/data/ftp/jsmsftptest/Makefi
le'
2023-05-15 13:26:55,378 [331453] <clamav:8>: fail-safe mode is ON.
2023-05-15 13:26:55,378 [331453] <clamav:8>: vwd=/ fh_path=/data/ftp/jsmsftptest/Makefile chroot=/ cwd
=/ buf=/data/ftp/jsmsftptest
2023-05-15 13:26:55,378 [331453] <clamav:6>: absolute path is '/data/ftp/jsmsftptest/data/ftp/jsmsftpt
est/Makefile' and relative path is '/data/ftp/jsmsftptest/Makefile'.
2023-05-15 13:26:55,378 [331453] <clamav:6>: ClamMinSize=0 ClamMaxSize=25165824 Filesize=10465
2023-05-15 13:26:55,378 [331453] <clamav:1>: Going to virus scan absolute filename of '/data/ftp/jsmsftptest/data/ftp/jsmsftptest/Makefile' and a relative filename of '/data/ftp/jsmsftptest/Makefile'.
2023-05-15 13:26:55,378 [331453] <clamav:6>: clamavd_connect_check (sockd -1)
2023-05-15 13:26:55,378 [331453] <clamav:4>: Connecting to local ClamAV scanner on unix socket '/run/clamd.scan/clamd.sock'.
2023-05-15 13:26:55,378 [331453] <signal:5>: signals blocked
2023-05-15 13:26:55,378 [331453] <signal:5>: signals unblocked
2023-05-15 13:26:55,378 [331453] <signal:5>: signals blocked
2023-05-15 13:26:55,378 [331453] <signal:5>: signals unblocked
2023-05-15 13:26:55,379 [331453] <clamav:1>: clamavd_result (sockd 30, abs_filename '/data/ftp/jsmsftptest/data/ftp/jsmsftptest/Makefile', rel_filename '/data/ftp/jsmsftptest/Makefile')

Looking at those logs and mod_clamav.c line 507-525, fsio has the correct path, and both fh_path (abs_path) and buf (getcwd()) are also correct, but since cwd (pr_fs_getcwd()) is not the same as buf (getcwd()), it prepends buf to abs_path to get what it thinks is the non-chrooted abs_path. But since chroot (session.chroot_path) is '/', there's no need to prepend anything. I don't know mod_vroot at all, but I suspect that there needs to be a check to see if session.chroot_path is '/', and if so don't modify abs_path. Let me know if you think this is the correct solution, and I'll test it on my end as I'd really prefer to use SCAN scanning rather than STREAM for speed purposes.

[offsides]

Addendum: turning vroot engine off results in the following tracelog, and proftpd was unable to connect to the clamd socket (because of the chroot, I'm assuming). So I suspect that a check for session.chroot_path may be the way to go since the pathing here was correct.

2023-05-15 19:07:18,260 [332234] <fsio:8>: using clamav close() for path '/Makefile'
2023-05-15 19:07:18,261 [332234] <fsio:8>: using system fstat() for path '/Makefile'
2023-05-15 19:07:18,261 [332234] <clamav:8>: fail-safe mode is ON.
2023-05-15 19:07:18,261 [332234] <clamav:8>: vwd=/ fh_path=/Makefile chroot=/data/ftp/jsmsftptest cwd=
/ buf=/
2023-05-15 19:07:18,261 [332234] <clamav:6>: absolute path is '/data/ftp/jsmsftptest/Makefile' and rel
ative path is '/Makefile'.
2023-05-15 19:07:18,261 [332234] <clamav:6>: ClamMinSize=0 ClamMaxSize=25165824 Filesize=10465
2023-05-15 19:07:18,261 [332234] <clamav:1>: Going to virus scan absolute filename of '/data/ftp/jsmsf
tptest/Makefile' and a relative filename of '/Makefile'.
2023-05-15 19:07:18,261 [332234] <clamav:6>: clamavd_connect_check (sockd -1)
2023-05-15 19:07:18,261 [332234] <clamav:4>: Connecting to local ClamAV scanner on unix socket '/run/c
lamd.scan/clamd.sock'.
2023-05-15 19:07:18,261 [332234] <signal:5>: signals blocked
2023-05-15 19:07:18,261 [332234] <signal:5>: signals unblocked
2023-05-15 19:07:18,261 [332234] <signal:5>: signals blocked
2023-05-15 19:07:18,261 [332234] <signal:5>: signals unblocked
2023-05-15 19:07:18,261 [332234] <fsio:8>: using system unlink() for path '/Makefile'

[offsides]

I patched mod_clamav so that it checks if session.chroot_path is set and not '/' before doing the the check for buf vs pr_fs_getcwd(), and that now works for doing SCAN rather than STREAM scans even with DefaultRoot set. The patch I used is this:

--- contrib/mod_clamav.c.orig   2023-05-15 15:13:20.932899880 -0400
+++ contrib/mod_clamav.c        2023-05-15 15:16:01.307138149 -0400
@@ -511,11 +511,13 @@
     (void) pr_trace_msg("clamav", 8, "vwd=%s fh_path=%s chroot=%s cwd=%s buf=%s",
                         pr_fs_getvwd(), abs_path, session.chroot_path, pr_fs_getcwd(),
                         buf);
-    if (strcmp(buf, pr_fs_getcwd()) != 0) {
-      if (strcmp(pr_fs_getcwd(), "/") != 0) {
-        char *pos = strstr(buf, pr_fs_getcwd());
-        if (pos) {
-          *pos = 0;
+    if (session.chroot_path && strcmp(session.chroot_path, "/") != 0) {
+      if (strcmp(buf, pr_fs_getcwd()) != 0) {
+        if (strcmp(pr_fs_getcwd(), "/") != 0) {
+          char *pos = strstr(buf, pr_fs_getcwd());
+          if (pos) {
+            *pos = 0;
+          }
         }
       }

[offsides]

The above mentioned patch is now PR #21.