Debian Bug report logs - #609097
RFP: scannedonly -- scalable samba anti-virus module

Package: wnpp; Maintainer for wnpp is wnpp@debian.org;

Reported by: Falk Hackenberger <debian@spam.huckley.de>

Date: Thu, 6 Jan 2011 09:00:01 UTC

Severity: wishlist



Report forwarded to debian-bugs-dist@lists.debian.org, debian-devel@lists.debian.org, wnpp@debian.org:
Bug#609097; Package wnpp. (Thu, 06 Jan 2011 09:00:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Falk Hackenberger <debian@spam.huckley.de>:
New Bug report received and forwarded. Copy sent to debian-devel@lists.debian.org, wnpp@debian.org. (Thu, 06 Jan 2011 09:00:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Falk Hackenberger <debian@spam.huckley.de>
To: submit@bugs.debian.org
Subject: RFP: scannedonly -- scalable samba anti-virus module
Date: Thu, 06 Jan 2011 09:48:43 +0100
Package: wnpp
Severity: wishlist
X-Debbugs-CC: debian-devel@lists.debian.org

--- Please fill out the fields below. ---

   Package name: scannedonly
        Version: 0.21
Upstream Author: Olivier Sessink [oli4@users.sourceforge.net]
            URL: http://olivier.sessink.nl/scannedonly
        License: GPL version 2
    Description: Scannedonly is a samba VFS module and a scanning daemon
that ensure that only files that have been scanned for viruses are
visible and accessible to the end user.

Scannedonly was developed because of scalability problems with
samba-vscan: high server loads when (the same) files were requested
often, and timeouts when large zip files were requested. Scannedonly
doesn't have these problems, but it does introduce some other issues.
Choose the product that suits you best.

As samba since samba-3.5.0 has always included the VFS module, you need
only the daemon. The default daemon uses clamav.





Message #10 received at 609097@bugs.debian.org (full text, mbox):

From: Bastien ROUCARIES <roucaries.bastien@gmail.com>
To: Falk Hackenberger <debian@spam.huckley.de>, 609097@bugs.debian.org
Subject: Re: Bug#609097: RFP: scannedonly -- scalable samba anti-virus module
Date: Thu, 6 Jan 2011 10:23:27 +0100
On Thu, Jan 6, 2011 at 9:48 AM, Falk Hackenberger
<debian@spam.huckley.de> wrote:
> Package: wnpp
> Severity: wishlist
> X-Debbugs-CC: debian-devel@lists.debian.org
>
> --- Please fill out the fields below. ---
>
>   Package name: scannedonly
>        Version: 0.21
> Upstream Author: Olivier sessink oli4@users.sourceforge.net]
>            URL: http://olivier.sessink.nl/scannedonly
>        License: GPL version 2
>    Description: Scannedonly is a samba VFS module and a scanning daemon
> that ensure that only files that have been scanned for viruses are
> visible and accessible to the end user.
>
> Scannedonly was developed because of scalability problems with
> samba-vscan: high server loads when (the same) files were requested
> often, and timeouts when large zip files were requested. Scannedonly
> doesn't have these problems, but it does introduce some other issues.
> Choose the product that suits you best.
>
> As samba since samba-3.5.0 have always incleded the VFS modul you need
                                                                  ^^ included ?
> only daemon. The default daemon uses clamav.
>
Could you clarify the last sentence? It seems to imply that we do
not need this package.

And redirect to a README.Debian for the issue.

Bastien





Message #15 received at 609097@bugs.debian.org (full text, mbox):

From: Falk Hackenberger <debian@spam.huckley.de>
To: Bastien ROUCARIES <roucaries.bastien@gmail.com>
Cc: 609097@bugs.debian.org
Subject: Re: Bug#609097: RFP: scannedonly -- scalable samba anti-virus module
Date: Thu, 06 Jan 2011 12:25:32 +0100
Hello,

I think the package is useful.

You have to understand how scannedonly works:

Scannedonly comes in two parts: a samba vfs module (included in samba
since samba-3.5.0) and (one or more) daemons. The daemon scans files. If
a certain file is clean, a second file is created with prefix .scanned:.
The samba module simply looks if such a .scanned: file exists, and is
newer than the pertinent file. If this is the case, the file is shown to
the user. If this is not the case, the file is not returned in any
directory listing, and cannot be opened. The samba vfs module will also
tell the daemon to scan this file.

The VFS module we have in the samba package, but it is useless without
the daemon.
So we should package the scannedonly daemon and utils, and all is fine.


Falk





Message #20 received at 609097@bugs.debian.org (full text, mbox):

From: Bastien ROUCARIES <roucaries.bastien@gmail.com>
To: Falk Hackenberger <debian@spam.huckley.de>
Cc: 609097@bugs.debian.org
Subject: Re: Bug#609097: RFP: scannedonly -- scalable samba anti-virus module
Date: Thu, 6 Jan 2011 12:45:47 +0100
On Thu, Jan 6, 2011 at 12:25 PM, Falk Hackenberger
<debian@spam.huckley.de> wrote:
> Hello,
>
> I think the package is useful.
>
> you have to understand How does scannedonly work?
>
> Scannedonly comes in two parts: a samba vfs module (included in samba
> since samba-3.5.0) and (one or more) daemons. The daemon scans files. If
> a certain file is clean, a second file is created with prefix .scanned:.
> The samba module simply looks if such a .scanned: file exists, and is
> newer than the pertinent file. If this is the case, the file is shown to
> the user. If this is not the case, the file is not returned in any
> directory listing, and cannot be opened. The samba vfs module will also
> tell the daemon to scan this file.
>
> the vfs module we have in the samba package, but it is useless without
> the daemon.
> So we should package the scannedonly daemon and utils all is fine.

Ok but it will help the description to add more detail.

BTW, and OT: this behavior is racy; could it be better to add an xattr with
the last scanning time to the file and compare it?

Bastien

>
> Falk
>





Message #25 received at 609097@bugs.debian.org (full text, mbox):

From: Falk Hackenberger <debian@spam.huckley.de>
To: Bastien ROUCARIES <roucaries.bastien@gmail.com>
Cc: 609097@bugs.debian.org
Subject: Re: Bug#609097: RFP: scannedonly -- scalable samba anti-virus module
Date: Thu, 06 Jan 2011 13:11:48 +0100
> BTW and OT this behavior is racy, could be better to add an xattr with
> the last scanning time to the file and compare it ?

http://olivier.sessink.nl/scannedonly/faq.html says:
Extended filesystem attributes could have been an option. They take as
much space as the 0 byte .scanned: files, and a lookup is quick and has
little overhead. However, lots of filesystems do not support extended
attributes, so this would limit the usability of the module.





Message #30 received at 609097@bugs.debian.org (full text, mbox):

From: Bastien ROUCARIES <roucaries.bastien@gmail.com>
To: Falk Hackenberger <debian@spam.huckley.de>
Cc: 609097@bugs.debian.org
Subject: Re: Bug#609097: RFP: scannedonly -- scalable samba anti-virus module
Date: Thu, 6 Jan 2011 13:21:54 +0100
On Thu, Jan 6, 2011 at 1:11 PM, Falk Hackenberger
<debian@spam.huckley.de> wrote:
>> BTW and OT this behavior is racy, could be better to add an xattr with
>> the last scanning time to the file and compare it ?
>
> http://olivier.sessink.nl/scannedonly/faq.html says:
> Extended filesystem attributes could have been an option. They take as
> much space as the 0 byte .scanned: files, and a lookup is quick and has
> little overhead. However, lots of filesystems do not support extended
> attributes, so this would limit the usability of the module.

OK, I understand, but it is insecure; at least create a random secret
extension, and filter this extension. A malicious user could try to
race with the daemon, creating a .scanned file and an infected file.
Sometimes it will succeed and the file will be declared sane whereas it
is not sane.

It is really bad for a security tool to create a false sense of security...

And this behavior could be enforced like this:
fd = open(somefile, ...);
errno = 0;
s = flistxattr(fd, ...);
if (errno == ENOTSUP && notstrictsaned)
   fallbacktosanedfile(fd);

with fallbacktosanedfile(fd) checking the availability of a .sanedXXXXX
file, where XXXXX is a secret on the server.

Bastien

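The marker scheme Falk describes in message #15 and the xattr-with-secret-marker fallback Bastien sketches in the message above, written out as an added example in Python (the real VFS module is C); this is not scannedonly's code nor the daemon's. The "public" scheme follows the thread's description (0-byte ".scanned:NAME", marker not older than the file). The "hardened" scheme follows Bastien's ENOTSUP fallback and goes one step further on its own: the xattr value or marker body carries an HMAC, keyed with a server secret, over inode, size, mtime and scan time, so a user.* attribute or a marker that a local or NFS user can write does not pass without the secret (the caveat Mathieu raises later in the thread). XATTR_NAME, the secret and the file names are assumptions, and the scenario data is constructed. Like the mtime comparison it replaces, the tag does not defend against a user who rewrites a file in place at the same size and resets its mtime with utime(2).

```python
"""Added example, not scannedonly's code: the ".scanned:NAME" check as the
thread describes it, beside a hardened variant built on the xattr-or-secret-
marker fallback proposed in the thread; the keyed tag is this example's own."""
import hashlib
import hmac
import os
import tempfile
import time
from pathlib import Path

XATTR_NAME = "user.scannedonly.example"   # assumed; user.* needs no privilege

# Scheme from the thread: 0-byte ".scanned:NAME"; visible if the marker is not older.
def public_marker(path):
    d, name = os.path.split(path)
    return os.path.join(d, ".scanned:" + name)

def public_mark(path):                    # daemon side, after a clean scan
    open(public_marker(path), "w").close()

def public_visible(path):
    # '>=' not '>': with coarse mtime granularity (raised in the thread) a strict
    # compare would hide a file whose marker landed in the same clock tick.
    try:
        return os.stat(public_marker(path)).st_mtime_ns >= os.stat(path).st_mtime_ns
    except FileNotFoundError:
        return False

# Hardened: value = scan_time|HMAC(secret, inode:size:mtime:scan_time), kept in an
# xattr where supported, else in a marker whose name derives from a server secret.
def _tag(secret, st, scanned_at_ns):
    msg = f"{st.st_ino}:{st.st_size}:{st.st_mtime_ns}:{scanned_at_ns}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest().encode()

def secret_marker(path, secret):
    d, name = os.path.split(path)
    suffix = hashlib.sha256(b"marker-name|" + secret).hexdigest()[:16]
    return os.path.join(d, f".scanned{suffix}:{name}")

def hardened_mark(path, secret):          # daemon side; returns the backend used
    st = os.stat(path)
    now = time.time_ns()
    value = str(now).encode() + b"|" + _tag(secret, st, now)
    try:
        os.setxattr(path, XATTR_NAME, value)   # AttributeError off Linux
        return "xattr"
    except (OSError, AttributeError):          # ENOTSUP is the thread's case
        pass
    Path(secret_marker(path, secret)).write_bytes(value)
    return "marker"

def hardened_visible(path, secret):
    """VFS side: passes only if the secret produced the value for this exact
    inode/size/mtime; a user.* xattr or marker forged without it does not."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    value = None
    try:
        value = os.getxattr(path, XATTR_NAME)
    except (OSError, AttributeError):          # ENOTSUP or ENODATA: try the marker
        pass
    if value is None:
        try:
            value = Path(secret_marker(path, secret)).read_bytes()
        except FileNotFoundError:
            return False
    scanned_at, _, tag = value.partition(b"|")
    return scanned_at.isdigit() and hmac.compare_digest(tag, _tag(secret, st, int(scanned_at)))

def _bump_mtime(path, seconds):           # time passing, or utime(2) by an attacker
    st = os.stat(path)
    os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns + seconds * 10**9))

def run_scenario():
    """Constructed scenario in a temp dir; returns each check's outcome."""
    secret = b"server-side-secret"        # assumed: known only to the server
    out = {}
    with tempfile.TemporaryDirectory() as d:
        clean, evil = os.path.join(d, "report.pdf"), os.path.join(d, "dropper.zip")
        Path(clean).write_bytes(b"clean content")
        public_mark(clean)                # the daemon scans the clean file
        out["backend"] = hardened_mark(clean, secret)
        out["clean_public"] = public_visible(clean)
        out["clean_hardened"] = hardened_visible(clean, secret)
        Path(clean).write_bytes(b"clean content + later edit")   # edited after the scan
        _bump_mtime(clean, 2)
        out["modified_public"] = public_visible(clean)
        out["modified_hardened"] = hardened_visible(clean, secret)
        # Local/NFS attacker plants a file and its own ".scanned:" marker, dated later.
        Path(evil).write_bytes(b"constructed stand-in for an infected file")
        public_mark(evil)
        _bump_mtime(public_marker(evil), 2)
        out["forged_public"] = public_visible(evil)
        out["forged_hardened"] = hardened_visible(evil, secret)
        # Even knowing the hardened marker name, a value made without the secret fails.
        Path(secret_marker(evil, secret)).write_bytes(b"0|" + _tag(b"guessed", os.stat(evil), 0))
        out["forged_value_hardened"] = hardened_visible(evil, secret)
    return out
```

`run_scenario()` reports which backend the filesystem allowed (`"xattr"` on a filesystem with user xattrs, `"marker"` after the ENOTSUP fallback) and shows the public scheme accepting the attacker's marker while the hardened check rejects it on either backend. Through Samba alone the attacker cannot create the `.scanned:` name, as Mathieu's smbclient test below shows; the scenario models the local or NFS access Bastien has in mind.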




Message #35 received at 609097@bugs.debian.org (full text, mbox):

From: Mathieu Parent <math.parent@gmail.com>
To: 609097@bugs.debian.org, Bastien ROUCARIES <roucaries.bastien@gmail.com>
Cc: Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>, Falk Hackenberger <debian@spam.huckley.de>
Subject: About scannedonly packaging
Date: Wed, 20 Mar 2013 17:52:14 +0100
Hi all,

I have setup a basic package for scannedonly, I don't intend to upload
it yet as:
- I have to test it more carefully (basic function works)
- I will only upload it if I use it myself

It's here:
http://anonscm.debian.org/gitweb/?p=pkg-samba/scannedonly.git

Bastien ROUCARIES said:
> Ok I understand but it is insecure at least create a random secret
> extension. And filter this extension. A malicious user could try to
> race with the daemon, creating a .scanned file and an infected file.
> sometime it will succeed and the file will be declared sane whereas it
> is not sane.

I have tested and couldn't do as you said:
- the file is prefixed with ".scanned:", as it contains ":", it can't
be routed thru cifs (I tested with smbclient)
- the ".scanned:FILENAME" file is checked for mtime (mtime should be
later than mtime of FILENAME)

please provide a real exploit.

PS: I'm cc-ing pkg-samba, for info and feedback.

Regards
--
Mathieu Parent




Message #40 received at 609097@bugs.debian.org (full text, mbox):

From: Bastien ROUCARIES <roucaries.bastien@gmail.com>
To: Mathieu Parent <math.parent@gmail.com>
Cc: 609097@bugs.debian.org, Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>, Falk Hackenberger <debian@spam.huckley.de>
Subject: Re: About scannedonly packaging
Date: Wed, 20 Mar 2013 18:51:02 +0100
On Wed, Mar 20, 2013 at 5:52 PM, Mathieu Parent <math.parent@gmail.com> wrote:
> Hi all,
>
> I have setup a basic package for scannedonly, I don't intend to upload
> it yet as:
> - I have to test it more carefully (basic function works)
> - I will only upload it if I use it myself
>
> It's here:
> http://anonscm.debian.org/gitweb/?p=pkg-samba/scannedonly.git
>
> Bastien ROUCARIES said:
>> Ok I understand but it is insecure at least create a random secret
>> extension. And filter this extension. A malicious user could try to
>> race with the daemon, creating a .scanned file and an infected file.
>> sometime it will succeed and the file will be declared sane whereas it
>> is not sane.
>
> I have tested and couldn't do as you said:
> - the file is prefixed with ".scanned:", as it contains ":", it can't
> be routed thru cifs (I tested with smbclient)

.files are hidden, not vetoed. It works if you veto .* files.

> - the".scanned:FILENAME" file is checked for mtime (mtime should be
> later than mtime of FILENAME)

Depending on the mtime granularity of the file system it could be problematic.

> please provide a real exploit.

If you share your directory by both a samba and an nfs server, exploits
are trivial to write. If you only use samba and trust local users it
could be valuable.

I maintain that using xattr is a better route to this kind of scanner.
>
> PS: I'm cc-ing pkg-samba, for info and feedback.
>
> Regards
> --
> Mathieu Parent




Message #45 received at 609097@bugs.debian.org (full text, mbox):

From: Mathieu Parent <math.parent@gmail.com>
To: Bastien ROUCARIES <roucaries.bastien@gmail.com>
Cc: 609097@bugs.debian.org, Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>, Falk Hackenberger <debian@spam.huckley.de>
Subject: Re: About scannedonly packaging
Date: Wed, 20 Mar 2013 19:25:18 +0100
2013/3/20 Bastien ROUCARIES <roucaries.bastien@gmail.com>:
> On Wed, Mar 20, 2013 at 5:52 PM, Mathieu Parent <math.parent@gmail.com> wrote:
>> Hi all,
>>
>> I have setup a basic package for scannedonly, I don't intend to upload
>> it yet as:
>> - I have to test it more carefully (basic function works)
>> - I will only upload it if I use it myself
>>
>> It's here:
>> http://anonscm.debian.org/gitweb/?p=pkg-samba/scannedonly.git
>>
>> Bastien ROUCARIES said:
>>> Ok I understand but it is insecure at least create a random secret
>>> extension. And filter this extension. A malicious user could try to
>>> race with the daemon, creating a .scanned file and an infected file.
>>> sometime it will succeed and the file will be declared sane whereas it
>>> is not sane.
>>
>> I have tested and couldn't do as you said:
>> - the file is prefixed with ".scanned:", as it contains ":", it can't
>> be routed thru cifs (I tested with smbclient)
>
> .file are hidded not vetoed. It work if you vetoed .* file

This is not what I have:

$ touch .scanned:eicar_com.zip
$ smbclient //samba/share -UDOMAIN\\login
Enter DOMAIN\login's password:
Domain=[DOMAIN] OS=[Unix] Server=[Samba 3.6.6]
smb: \> cd Everybody\
smb: \Everybody\> put .scanned:eicar_com.zip
NT_STATUS_OBJECT_NAME_NOT_FOUND opening remote file
\Everybody\.scanned:eicar_com.zip

(and the file is not created remotely)

>> - the".scanned:FILENAME" file is checked for mtime (mtime should be
>> later than mtime of FILENAME)
>
> depending of the mtime granualarity of the file system it could be problematic.

But as former item is not possible...

>> please provide a real exploit.
>
> If you share your directory by both a samba and a nfs server exploit
> are trivial to write. If you only use samba and trust local user it
> could be valuable.

Yes, this should be written in the README. We don't provide local or
NFS access to our Samba servers.

You can't ensure xattr are safe also unless you use trusted or
security namespace. And xattr won't be checked from sftp or NFS
anyway.

> I maintain that using xattr is a better route to this kind of scanner.

This is a better route, but the current route is safe enough (IMO) if
you only access files thru Samba.
If you propose a xattr patch, I will apply it and test (I may also
write it myself).

Regards
--
Mathieu Parent





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 11:20:36 2014; Machine Name: buxtehude.debian.org
