On 11/07/2012 03:53 PM, David Raynor wrote:
> On Wed, Nov 7, 2012 at 3:20 AM, Philipp Schwaha <phil...@schwaha.net> wrote:
>
>> hi everybody!
>>
>> I recently set up a combination of exim and clamav which was working
>> very nicely until clamav seemingly started to choke. Switching
>> debugging on I obtained the following:
>>
>> Wed Nov 7 01:52:06 2012 -> Received POLLIN|POLLHUP on fd 4
>> Wed Nov 7 01:52:06 2012 -> Got new connection, FD 9
>> Wed Nov 7 01:52:06 2012 -> Received POLLIN|POLLHUP on fd 5
>> Wed Nov 7 01:52:06 2012 -> fds_poll_recv: timeout after 5 seconds
>> Wed Nov 7 01:52:06 2012 -> Received POLLIN|POLLHUP on fd 9
>> Wed Nov 7 01:52:06 2012 -> got command SCAN
>> /var/spool/exim/scan/1TVtsE-0006lJ-9m/1TVtsE-0006lJ-9m.eml (63, 5),
>> argument: /var/spool/exim/scan/1TVtsE-0006lJ-9m/1TVtsE-0006lJ-9m.eml
>> Wed Nov 7 01:52:06 2012 -> mode -> MODE_WAITREPLY
>> Wed Nov 7 01:52:06 2012 -> Breaking command loop, mode is no longer
>> MODE_COMMAND
>> Wed Nov 7 01:52:06 2012 -> Consumed entire command
>> Wed Nov 7 01:52:06 2012 -> THRMGR: queue (single) crossed low
>> threshold -> signaling
>> Wed Nov 7 01:52:06 2012 -> THRMGR: queue (bulk) crossed low threshold
>> -> signaling
>> Wed Nov 7 01:52:06 2012 -> Number of file descriptors polled: 1 fds
>> Wed Nov 7 01:52:06 2012 -> fds_poll_recv: timeout after 600 seconds
>> Wed Nov 7 01:52:06 2012 ->
>> /var/spool/exim/scan/1TVtsE-0006lJ-9m/1TVtsE-0006lJ-9m.eml: Can't
>> create temporary directory ERROR
>> Wed Nov 7 01:52:06 2012 -> Finished scanthread
>> Wed Nov 7 01:52:06 2012 -> Scanthread: connection shut down (FD 9)
>> Wed Nov 7 01:52:06 2012 -> THRMGR: queue (single) crossed low
>> threshold -> signaling
>> Wed Nov 7 01:52:06 2012 -> THRMGR: queue (bulk) crossed low threshold
>> -> signaling
>>
>> This seems very odd, since it seems that it wants to create a
>> temporary file which has exactly the same name as the input file and
>> hence little probability of success. Am I interpreting the error
>> message incorrectly?
>> Or is this maybe some other issue?
>>
>> I have now tried with clamav versions 0.97.4, 0.97.5 and 0.97.6. Exim
>> is at version 4.80. Its log file contains the corresponding message:
>>
>> 1TVtsE-0006lJ-9m malware acl condition: clamd: ClamAV returned:
>> /var/spool/exim/scan/1TVtsE-0006lJ-9m/1TVtsE-0006lJ-9m.eml: Can't
>> create temporary directory ERROR
>>
>> Of note is that it happens for all mails, even the most simplistic
>> ones (e.g., generated by swaks), where there is nothing to unpack. The
>> description I found here:
>> http://lurker.clamav.net/message/20120618.182545.25960b6a.en.html lets
>> me think that the error message might not be quite ok?
>>
>> I have also tried with different settings of 'TemporaryDirectory'
>> going through several useful settings such as /tmp or /var/tmp and
>> also obviously broken directories, just in order to see if anything
>> changes. So far I have not had any luck to change clamav's behaviour
>> at all.
>>
>> Do you have any suggestions how to further track down and hopefully
>> fix this issue?
>>
>> cheers
>> Philipp
>>
>>
>> _______________________________________________
>> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
>> http://www.clamav.net/support/ml
>>
>
> This is a result message. It is starting with the file it was asked to scan,
> not the directory it is trying to create. The message it is printing is
> because the scanning result has a value of CL_ETMPDIR somewhere within the
> scanning attempt and that bubbled up to be the final result. One of the
> first things ClamAV does within the mail scanning is create a folder to
> dump attachments to as temporary files for scanning. That is probably where
> it is happening.
>
> But it looks as if you only have debug level logging for the server thread
> and not for the actual scanning thread. The scanning library should be
> printing out a line that will tell you what directory it failed to create.
> Everywhere that the CL_ETMPDIR return code is initially returned, it is
> printing a message (frequently at debug level) to say what directory it
> could not create. In the case of the mail message related failure I am
> guessing above [inside function cli_scanmail()] it will look like this:
> Mail: Can't create temporary directory /dir/name/goes/here
>
> That would tell you what folder it failed to create. So you need to get
> that message printed, which means checking the config. Can you share your
> clamd.conf file?

Thank you very much! Sorry for misunderstanding the error message.
After enabling more output (and browsing through the code a bit) I found the problem and could fix it (a bad set of default acls were set for / which then got propagated to all the temporary files).

thank you very much
Philipp
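
The distinction drawn in David Raynor's reply, as an added example that is not part of the original thread or of ClamAV's code: it separates clamd result lines (which name the scanned file) from library lines of the form quoted in the reply (which name the directory that could not be created). The `triage` function, the sample lists and the directory `/var/tmp/clamav-constructed-example` are constructed for illustration; the other log lines are taken from the thread with their mail wrapping undone.

```python
import re

# clamd result line: "<scanned file>: Can't create temporary directory ERROR".
# The path here is the scan target, not the directory that failed.
RESULT_RE = re.compile(
    r"(?P<target>/\S+): Can't create temporary directory ERROR$")
# Library line in the form quoted in the reply:
# "Mail: Can't create temporary directory <dir>". Paths with spaces not handled.
LIBRARY_RE = re.compile(r"Can't create temporary directory (?P<dir>/\S+)$")

def triage(lines):
    """Split temp-dir failures into scan targets and directories that failed."""
    targets, failed_dirs = [], []
    for line in lines:
        line = line.rstrip()
        m = RESULT_RE.search(line)
        if m:
            targets.append(m.group("target"))
            continue
        m = LIBRARY_RE.search(line)
        if m:
            failed_dirs.append(m.group("dir"))
    return {
        "scan_targets": targets,
        "failed_dirs": failed_dirs,
        # Failures reported, but no library line names the directory:
        # scanning-library debug output is not reaching the log.
        "need_library_debug": bool(targets) and not failed_dirs,
    }

EML = "/var/spool/exim/scan/1TVtsE-0006lJ-9m/1TVtsE-0006lJ-9m.eml"

# Server-thread logging only, as in the original post.
SAMPLE_SERVER_ONLY = [
    f"Wed Nov 7 01:52:06 2012 -> got command SCAN {EML} (63, 5), argument: {EML}",
    f"Wed Nov 7 01:52:06 2012 -> {EML}: Can't create temporary directory ERROR",
    "Wed Nov 7 01:52:06 2012 -> Finished scanthread",
]

# Same log plus a constructed library line naming a constructed directory.
SAMPLE_WITH_LIBRARY = SAMPLE_SERVER_ONLY[:1] + [
    "Mail: Can't create temporary directory /var/tmp/clamav-constructed-example",
] + SAMPLE_SERVER_ONLY[1:]

if __name__ == "__main__":
    for name, sample in (("server only", SAMPLE_SERVER_ONLY),
                         ("with library debug", SAMPLE_WITH_LIBRARY)):
        print(name, triage(sample))
```
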