1 /*
2 * Copyright (C) 2013-2022 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
3 * Copyright (C) 2007-2013 Sourcefire, Inc.
4 *
5 * Authors: Tomasz Kojm
6 *
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License version 2 as
9 * published by the Free Software Foundation.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
19 * MA 02110-1301, USA.
20 */
21
22 #if HAVE_CONFIG_H
23 #include "clamav-config.h"
24 #endif
25
26 #include <stdio.h>
27 #include <stdlib.h>
28 #include <string.h>
29 #ifdef HAVE_UNISTD_H
30 #include <unistd.h>
31 #endif
32 #ifndef _WIN32
33 #include <sys/time.h>
34 #include <sys/resource.h>
35 #endif
36 #include <sys/types.h>
37 #include <sys/stat.h>
38 #include <fcntl.h>
39 #include <time.h>
40 #ifdef HAVE_PWD_H
41 #include <pwd.h>
42 #endif
43 #ifdef HAVE_GRP_H
44 #include <grp.h>
45 #endif
46 #include <signal.h>
47 #include <errno.h>
48 #include <locale.h>
49
50 #if defined(USE_SYSLOG) && !defined(C_AIX)
51 #include <syslog.h>
52 #endif
53
54 #ifdef C_LINUX
55 #include <sys/resource.h>
56 #endif
57
58 #include "target.h"
59
60 // libclamav
61 #include "clamav.h"
62 #include "others.h"
63 #include "matcher-ac.h"
64 #include "readdb.h"
65
66 // shared
67 #include "output.h"
68 #include "optparser.h"
69 #include "misc.h"
70
71 #include "server.h"
72 #include "tcpserver.h"
73 #include "localserver.h"
74 #include "clamd_others.h"
75 #include "shared.h"
76 #include "scanner.h"
77
78 #include <sys/types.h>
79 #ifndef WIN32
80 #include <sys/wait.h>
81 #endif
82
83 short debug_mode = 0, logok = 0;
84 short foreground = -1;
85
help(void)86 static void help(void)
87 {
88 printf("\n");
89 printf(" Clam AntiVirus: Daemon %s\n", get_version());
90 printf(" By The ClamAV Team: https://www.clamav.net/about.html#credits\n");
91 printf(" (C) 2022 Cisco Systems, Inc.\n");
92 printf("\n");
93 printf(" clamd [options]\n");
94 printf("\n");
95 printf(" --help -h Show this help\n");
96 printf(" --version -V Show version number\n");
97 printf(" --foreground -F Run in foreground; do not daemonize\n");
98 printf(" --debug Enable debug mode\n");
99 printf(" --config-file=FILE -c FILE Read configuration from FILE\n");
100 printf("\n");
101 printf("Pass in - as the filename for stdin.\n");
102 printf("\n");
103 }
104
105 static struct optstruct *opts;
106
107 /* When running under valgrind and daemonizing, valgrind incorrectly reports
108 * leaks from the engine, because it can't see that all the memory is still
109 * reachable (some pointers are stored mangled in the JIT).
110 * So free the engine on exit from the parent too (during daemonize)
111 */
112 static struct cl_engine *gengine = NULL;
free_engine(void)113 static void free_engine(void)
114 {
115 if (gengine) {
116 cl_engine_free(gengine);
117 gengine = NULL;
118 }
119 }
120
main(int argc,char ** argv)121 int main(int argc, char **argv)
122 {
123 static struct cl_engine *engine = NULL;
124 const struct optstruct *opt;
125 #ifndef _WIN32
126 struct passwd *user = NULL;
127 struct sigaction sa;
128 struct rlimit rlim;
129 int dropPrivRet = 0;
130 #endif
131 time_t currtime;
132 const char *dbdir, *cfgfile;
133 char *pua_cats = NULL, *pt;
134 int ret, tcpsock = 0, localsock = 0, min_port, max_port;
135 unsigned int sigs = 0;
136 int *lsockets = NULL;
137 unsigned int nlsockets = 0;
138 unsigned int dboptions = 0;
139 unsigned int i;
140 int j;
141 int num_fd;
142 pid_t parentPid = getpid();
143 #ifdef C_LINUX
144 STATBUF sb;
145 #endif
146 pid_t mainpid = 0;
147 mode_t old_umask = 0;
148 const char *user_name = NULL;
149
150 if (check_flevel())
151 exit(1);
152
153 #ifndef _WIN32
154 memset(&sa, 0, sizeof(sa));
155 sa.sa_handler = SIG_IGN;
156 sigaction(SIGHUP, &sa, NULL);
157 sigaction(SIGUSR2, &sa, NULL);
158 if (!setlocale(LC_CTYPE, "")) {
159 mprintf("^Failed to set locale\n");
160 }
161 #endif
162
163 if ((opts = optparse(NULL, argc, argv, 1, OPT_CLAMD, 0, NULL)) == NULL) {
164 mprintf("!Can't parse command line options\n");
165 return 1;
166 }
167
168 if (optget(opts, "help")->enabled) {
169 help();
170 optfree(opts);
171 return 0;
172 }
173
174 if (optget(opts, "debug")->enabled) {
175 #if defined(C_LINUX)
176 /* njh@bandsman.co.uk: create a dump if needed */
177 rlim.rlim_cur = rlim.rlim_max = RLIM_INFINITY;
178 if (setrlimit(RLIMIT_CORE, &rlim) < 0)
179 perror("setrlimit");
180 #endif
181 debug_mode = 1;
182 }
183
184 /* check foreground option from command line to override config file */
185 for (j = 0; j < argc; j += 1) {
186 if ((memcmp(argv[j], "--foreground", 12) == 0) || (memcmp(argv[j], "-F", 2) == 0)) {
187 /* found */
188 break;
189 }
190 }
191
192 if (j < argc) {
193 if (optget(opts, "Foreground")->enabled) {
194 foreground = 1;
195 } else {
196 foreground = 0;
197 }
198 }
199
200 num_fd = sd_listen_fds(0);
201
202 /* parse the config file */
203 cfgfile = optget(opts, "config-file")->strarg;
204 pt = strdup(cfgfile);
205 if (pt == NULL) {
206 fprintf(stderr, "ERROR: Unable to allocate memory for config file\n");
207 return 1;
208 }
209 if ((opts = optparse(cfgfile, 0, NULL, 1, OPT_CLAMD, 0, opts)) == NULL) {
210 fprintf(stderr, "ERROR: Can't open/parse the config file %s\n", pt);
211 free(pt);
212 return 1;
213 }
214 free(pt);
215
216 if ((opt = optget(opts, "User"))->enabled) {
217 user_name = opt->strarg;
218 }
219
220 if (optget(opts, "version")->enabled) {
221 print_version(optget(opts, "DatabaseDirectory")->strarg);
222 optfree(opts);
223 return 0;
224 }
225
226 /* initialize logger */
227 logg_lock = !optget(opts, "LogFileUnlock")->enabled;
228 logg_time = optget(opts, "LogTime")->enabled;
229 logok = optget(opts, "LogClean")->enabled;
230 logg_size = optget(opts, "LogFileMaxSize")->numarg;
231 logg_verbose = mprintf_verbose = optget(opts, "LogVerbose")->enabled;
232 if (logg_size)
233 logg_rotate = optget(opts, "LogRotate")->enabled;
234 mprintf_send_timeout = optget(opts, "SendBufTimeout")->numarg;
235
236 if ((opt = optget(opts, "LogFile"))->enabled) {
237 char timestr[32];
238 logg_file = opt->strarg;
239 if (!cli_is_abspath(logg_file)) {
240 fprintf(stderr, "ERROR: LogFile requires full path.\n");
241 ret = 1;
242 return ret;
243 }
244 time(&currtime);
245 if (logg("#+++ Started at %s", cli_ctime(&currtime, timestr, sizeof(timestr)))) {
246 fprintf(stderr, "ERROR: Can't initialize the internal logger\n");
247 ret = 1;
248 return ret;
249 }
250 } else {
251 logg_file = NULL;
252 }
253
254 #ifndef WIN32
255 /* fork into background */
256 if (foreground == -1) {
257 if (optget(opts, "Foreground")->enabled) {
258 foreground = 1;
259 } else {
260 foreground = 0;
261 }
262 }
263 if (foreground == 0) {
264 int daemonizeRet = 0;
265 #ifdef C_BSD
266 /* workaround for OpenBSD bug, see https://wwws.clamav.net/bugzilla/show_bug.cgi?id=885 */
267 for (ret = 0; (unsigned int)ret < nlsockets; ret++) {
268 if (fcntl(lsockets[ret], F_SETFL, fcntl(lsockets[ret], F_GETFL) | O_NONBLOCK) == -1) {
269 logg("!fcntl for lsockets[] failed\n");
270 close(lsockets[ret]);
271 ret = 1;
272 break;
273 }
274 }
275 #endif
276 gengine = engine;
277 atexit(free_engine);
278 daemonizeRet = daemonize_parent_wait(user_name, logg_file);
279 if (daemonizeRet < 0) {
280 logg("!daemonize() failed: %s\n", strerror(errno));
281 return 1;
282 }
283 gengine = NULL;
284 #ifdef C_BSD
285 for (ret = 0; (unsigned int)ret < nlsockets; ret++) {
286 if (fcntl(lsockets[ret], F_SETFL, fcntl(lsockets[ret], F_GETFL) & ~O_NONBLOCK) == -1) {
287 logg("!fcntl for lsockets[] failed\n");
288 close(lsockets[ret]);
289 ret = 1;
290 break;
291 }
292 }
293 #endif
294 }
295
296 #endif
297
298 /* save the PID */
299 mainpid = getpid();
300 if ((opt = optget(opts, "PidFile"))->enabled) {
301 FILE *fd;
302 old_umask = umask(0002);
303 if ((fd = fopen(opt->strarg, "w")) == NULL) {
304 //logg("!Can't save PID in file %s\n", opt->strarg);
305 logg("!Can't save PID to file %s: %s\n", opt->strarg, strerror(errno));
306 exit(2);
307 } else {
308 if (fprintf(fd, "%u\n", (unsigned int)mainpid) < 0) {
309 logg("!Can't save PID to file %s: %s\n", opt->strarg, strerror(errno));
310 //logg("!Can't save PID in file %s\n", opt->strarg);
311 fclose(fd);
312 exit(2);
313 }
314 fclose(fd);
315 }
316 umask(old_umask);
317
318 #ifndef _WIN32
319 /*If the file has already been created by a different user, it will just be
320 * rewritten by us, but not change the ownership, so do that explicitly.
321 */
322 if (0 == geteuid()) {
323 struct passwd *pw = getpwuid(0);
324 int ret = lchown(opt->strarg, pw->pw_uid, pw->pw_gid);
325 if (ret) {
326 logg("!Can't change ownership of PID file %s '%s'\n", opt->strarg, strerror(errno));
327 exit(2);
328 }
329 }
330 #endif /* _WIN32 */
331 }
332
333 /* drop privileges */
334 #ifndef _WIN32
335 dropPrivRet = drop_privileges(user_name, logg_file);
336 if (dropPrivRet) {
337 optfree(opts);
338 return dropPrivRet;
339 }
340 #endif /* _WIN32 */
341
342 do { /* logger initialized */
343
344 if (optget(opts, "DevLiblog")->enabled)
345 cl_set_clcb_msg(msg_callback);
346
347 if ((ret = cl_init(CL_INIT_DEFAULT))) {
348 logg("!Can't initialize libclamav: %s\n", cl_strerror(ret));
349 ret = 1;
350 break;
351 }
352
353 if (optget(opts, "Debug")->enabled) {
354 /* enable debug messages in libclamav */
355 cl_debug();
356 logg_verbose = 2;
357 }
358
359 #if defined(USE_SYSLOG) && !defined(C_AIX)
360 if (optget(opts, "LogSyslog")->enabled) {
361 int fac = LOG_LOCAL6;
362
363 opt = optget(opts, "LogFacility");
364 if ((fac = logg_facility(opt->strarg)) == -1) {
365 logg("!LogFacility: %s: No such facility.\n", opt->strarg);
366 ret = 1;
367 break;
368 }
369
370 openlog("clamd", LOG_PID, fac);
371 logg_syslog = 1;
372 }
373 #endif
374
375 #ifdef C_LINUX
376 procdev = 0;
377 if (CLAMSTAT("/proc", &sb) != -1 && !sb.st_size)
378 procdev = sb.st_dev;
379 #endif
380
381 /* check socket type */
382
383 if (optget(opts, "TCPSocket")->enabled)
384 tcpsock = 1;
385
386 if (optget(opts, "LocalSocket")->enabled)
387 localsock = 1;
388
389 logg("#Received %d file descriptor(s) from systemd.\n", num_fd);
390
391 if (!tcpsock && !localsock && num_fd == 0) {
392 logg("!Please define server type (local and/or TCP).\n");
393 ret = 1;
394 break;
395 }
396
397 logg("#clamd daemon %s (OS: " TARGET_OS_TYPE ", ARCH: " TARGET_ARCH_TYPE ", CPU: " TARGET_CPU_TYPE ")\n", get_version());
398
399 #ifndef _WIN32
400 if (user)
401 logg("#Running as user %s (UID %u, GID %u)\n", user->pw_name, user->pw_uid, user->pw_gid);
402 #endif
403
404 #if defined(RLIMIT_DATA) && defined(C_BSD)
405 if (getrlimit(RLIMIT_DATA, &rlim) == 0) {
406 /* bb #1941.
407 * On 32-bit FreeBSD if you set ulimit -d to >2GB then mmap() will fail
408 * too soon (after ~120 MB).
409 * Set limit lower than 2G if on 32-bit */
410 uint64_t lim = rlim.rlim_cur;
411 if (sizeof(void *) == 4 &&
412 lim > (1ULL << 31)) {
413 rlim.rlim_cur = 1ULL << 31;
414 if (setrlimit(RLIMIT_DATA, &rlim) < 0)
415 logg("!setrlimit(RLIMIT_DATA) failed: %s\n", strerror(errno));
416 else
417 logg("Running on 32-bit system, and RLIMIT_DATA > 2GB, lowering to 2GB!\n");
418 }
419 }
420 #endif
421
422 if (logg_size)
423 logg("#Log file size limited to %lld bytes.\n", (long long int)logg_size);
424 else
425 logg("#Log file size limit disabled.\n");
426
427 min_port = optget(opts, "StreamMinPort")->numarg;
428 max_port = optget(opts, "StreamMaxPort")->numarg;
429 if (min_port < 1024 || min_port > max_port || max_port > 65535) {
430 logg("!Invalid StreamMinPort/StreamMaxPort: %d, %d\n", min_port, max_port);
431 ret = 1;
432 break;
433 }
434
435 if (!(engine = cl_engine_new())) {
436 logg("!Can't initialize antivirus engine\n");
437 ret = 1;
438 break;
439 }
440
441 if (optget(opts, "disable-cache")->enabled)
442 cl_engine_set_num(engine, CL_ENGINE_DISABLE_CACHE, 1);
443
444 /* load the database(s) */
445 dbdir = optget(opts, "DatabaseDirectory")->strarg;
446 logg("#Reading databases from %s\n", dbdir);
447
448 if (optget(opts, "DetectPUA")->enabled) {
449 dboptions |= CL_DB_PUA;
450
451 if ((opt = optget(opts, "ExcludePUA"))->enabled) {
452 dboptions |= CL_DB_PUA_EXCLUDE;
453 i = 0;
454 logg("#Excluded PUA categories:");
455
456 while (opt) {
457 if (!(pua_cats = realloc(pua_cats, i + strlen(opt->strarg) + 3))) {
458 logg("!Can't allocate memory for pua_cats\n");
459 cl_engine_free(engine);
460 ret = 1;
461 break;
462 }
463
464 logg("# %s", opt->strarg);
465
466 sprintf(pua_cats + i, ".%s", opt->strarg);
467 i += strlen(opt->strarg) + 1;
468 pua_cats[i] = 0;
469 opt = opt->nextarg;
470 }
471
472 if (ret)
473 break;
474
475 logg("#\n");
476 pua_cats[i] = '.';
477 pua_cats[i + 1] = 0;
478 }
479
480 if ((opt = optget(opts, "IncludePUA"))->enabled) {
481 if (pua_cats) {
482 logg("!ExcludePUA and IncludePUA cannot be used at the same time\n");
483 free(pua_cats);
484 ret = 1;
485 break;
486 }
487
488 dboptions |= CL_DB_PUA_INCLUDE;
489 i = 0;
490 logg("#Included PUA categories:");
491 while (opt) {
492 if (!(pua_cats = realloc(pua_cats, i + strlen(opt->strarg) + 3))) {
493 logg("!Can't allocate memory for pua_cats\n");
494 ret = 1;
495 break;
496 }
497
498 logg("# %s", opt->strarg);
499
500 sprintf(pua_cats + i, ".%s", opt->strarg);
501 i += strlen(opt->strarg) + 1;
502 pua_cats[i] = 0;
503 opt = opt->nextarg;
504 }
505
506 if (ret)
507 break;
508
509 logg("#\n");
510 pua_cats[i] = '.';
511 pua_cats[i + 1] = 0;
512 }
513
514 if (pua_cats) {
515 if ((ret = cl_engine_set_str(engine, CL_ENGINE_PUA_CATEGORIES, pua_cats))) {
516 logg("!cli_engine_set_str(CL_ENGINE_PUA_CATEGORIES) failed: %s\n", cl_strerror(ret));
517 free(pua_cats);
518 ret = 1;
519 break;
520 }
521 free(pua_cats);
522 }
523 } else {
524 logg("#Not loading PUA signatures.\n");
525 }
526
527 if (optget(opts, "OfficialDatabaseOnly")->enabled) {
528 dboptions |= CL_DB_OFFICIAL_ONLY;
529 logg("#Only loading official signatures.\n");
530 }
531
532 /* set the temporary dir */
533 if ((opt = optget(opts, "TemporaryDirectory"))->enabled) {
534 if ((ret = cl_engine_set_str(engine, CL_ENGINE_TMPDIR, opt->strarg))) {
535 logg("!cli_engine_set_str(CL_ENGINE_TMPDIR) failed: %s\n", cl_strerror(ret));
536 ret = 1;
537 break;
538 }
539 }
540
541 cl_engine_set_clcb_hash(engine, hash_callback);
542
543 cl_engine_set_clcb_virus_found(engine, clamd_virus_found_cb);
544
545 if (optget(opts, "LeaveTemporaryFiles")->enabled)
546 cl_engine_set_num(engine, CL_ENGINE_KEEPTMP, 1);
547
548 if (optget(opts, "ForceToDisk")->enabled)
549 cl_engine_set_num(engine, CL_ENGINE_FORCETODISK, 1);
550
551 if (optget(opts, "PhishingSignatures")->enabled)
552 dboptions |= CL_DB_PHISHING;
553 else
554 logg("#Not loading phishing signatures.\n");
555
556 if (optget(opts, "Bytecode")->enabled) {
557 dboptions |= CL_DB_BYTECODE;
558 if ((opt = optget(opts, "BytecodeSecurity"))->enabled) {
559 enum bytecode_security s;
560
561 if (!strcmp(opt->strarg, "TrustSigned")) {
562 s = CL_BYTECODE_TRUST_SIGNED;
563 logg("#Bytecode: Security mode set to \"TrustSigned\".\n");
564 } else if (!strcmp(opt->strarg, "Paranoid")) {
565 s = CL_BYTECODE_TRUST_NOTHING;
566 logg("#Bytecode: Security mode set to \"Paranoid\".\n");
567 } else {
568 logg("!Unable to parse bytecode security setting:%s\n",
569 opt->strarg);
570 ret = 1;
571 break;
572 }
573
574 if ((ret = cl_engine_set_num(engine, CL_ENGINE_BYTECODE_SECURITY, s))) {
575 logg("^Invalid bytecode security setting %s: %s\n", opt->strarg, cl_strerror(ret));
576 ret = 1;
577 break;
578 }
579 }
580 if ((opt = optget(opts, "BytecodeUnsigned"))->enabled) {
581 dboptions |= CL_DB_BYTECODE_UNSIGNED;
582 logg("#Bytecode: Enabled support for unsigned bytecode.\n");
583 }
584
585 if ((opt = optget(opts, "BytecodeMode"))->enabled) {
586 enum bytecode_mode mode;
587
588 if (!strcmp(opt->strarg, "ForceJIT"))
589 mode = CL_BYTECODE_MODE_JIT;
590 else if (!strcmp(opt->strarg, "ForceInterpreter"))
591 mode = CL_BYTECODE_MODE_INTERPRETER;
592 else if (!strcmp(opt->strarg, "Test"))
593 mode = CL_BYTECODE_MODE_TEST;
594 else
595 mode = CL_BYTECODE_MODE_AUTO;
596 cl_engine_set_num(engine, CL_ENGINE_BYTECODE_MODE, mode);
597 }
598
599 if ((opt = optget(opts, "BytecodeTimeout"))->enabled) {
600 cl_engine_set_num(engine, CL_ENGINE_BYTECODE_TIMEOUT, opt->numarg);
601 }
602 } else {
603 logg("#Bytecode support disabled.\n");
604 }
605
606 if (optget(opts, "PhishingScanURLs")->enabled)
607 dboptions |= CL_DB_PHISHING_URLS;
608 else
609 logg("#Disabling URL based phishing detection.\n");
610
611 if (optget(opts, "DevACOnly")->enabled) {
612 logg("#Only using the A-C matcher.\n");
613 cl_engine_set_num(engine, CL_ENGINE_AC_ONLY, 1);
614 }
615
616 if ((opt = optget(opts, "DevACDepth"))->enabled) {
617 cl_engine_set_num(engine, CL_ENGINE_AC_MAXDEPTH, opt->numarg);
618 logg("#Max A-C depth set to %u\n", (unsigned int)opt->numarg);
619 }
620
621 if ((ret = cl_load(dbdir, engine, &sigs, dboptions))) {
622 logg("!%s\n", cl_strerror(ret));
623 ret = 1;
624 break;
625 }
626
627 if ((ret = statinidir(dbdir))) {
628 logg("!%s\n", cl_strerror(ret));
629 ret = 1;
630 break;
631 }
632
633 if (optget(opts, "DisableCertCheck")->enabled)
634 cl_engine_set_num(engine, CL_ENGINE_DISABLE_PE_CERTS, 1);
635
636 logg("#Loaded %u signatures.\n", sigs);
637
638 /* pcre engine limits - required for cl_engine_compile */
639 if ((opt = optget(opts, "PCREMatchLimit"))->active) {
640 if ((ret = cl_engine_set_num(engine, CL_ENGINE_PCRE_MATCH_LIMIT, opt->numarg))) {
641 logg("!cli_engine_set_num(PCREMatchLimit) failed: %s\n", cl_strerror(ret));
642 cl_engine_free(engine);
643 return 1;
644 }
645 }
646
647 if ((opt = optget(opts, "PCRERecMatchLimit"))->active) {
648 if ((ret = cl_engine_set_num(engine, CL_ENGINE_PCRE_RECMATCH_LIMIT, opt->numarg))) {
649 logg("!cli_engine_set_num(PCRERecMatchLimit) failed: %s\n", cl_strerror(ret));
650 cl_engine_free(engine);
651 return 1;
652 }
653 }
654
655 if ((ret = cl_engine_compile(engine)) != 0) {
656 logg("!Database initialization error: %s\n", cl_strerror(ret));
657 ret = 1;
658 break;
659 }
660
661 if (tcpsock || num_fd > 0) {
662 opt = optget(opts, "TCPAddr");
663 if (opt->enabled) {
664 int breakout = 0;
665
666 while (opt && opt->strarg) {
667 char *ipaddr = (!strcmp(opt->strarg, "all") ? NULL : opt->strarg);
668
669 if (tcpserver(&lsockets, &nlsockets, ipaddr, opts) == -1) {
670 ret = 1;
671 breakout = 1;
672 break;
673 }
674
675 opt = opt->nextarg;
676 }
677
678 if (breakout)
679 break;
680 } else {
681 if (tcpserver(&lsockets, &nlsockets, NULL, opts) == -1) {
682 ret = 1;
683 break;
684 }
685 }
686 }
687 #ifndef _WIN32
688 if (localsock && num_fd == 0) {
689 int *t;
690 mode_t sock_mode, umsk = umask(0777); /* socket is created with 000 to avoid races */
691
692 t = realloc(lsockets, sizeof(int) * (nlsockets + 1));
693 if (!(t)) {
694 ret = 1;
695 break;
696 }
697 lsockets = t;
698
699 if ((lsockets[nlsockets] = localserver(opts)) == -1) {
700 ret = 1;
701 umask(umsk);
702 break;
703 }
704 umask(umsk); /* restore umask */
705
706 if (optget(opts, "LocalSocketGroup")->enabled) {
707 char *gname = optget(opts, "LocalSocketGroup")->strarg, *end;
708 gid_t sock_gid = strtol(gname, &end, 10);
709
710 if (*end) {
711 struct group *pgrp = getgrnam(gname);
712
713 if (!pgrp) {
714 logg("!Unknown group %s\n", gname);
715 ret = 1;
716 break;
717 }
718
719 sock_gid = pgrp->gr_gid;
720 }
721 if (chown(optget(opts, "LocalSocket")->strarg, -1, sock_gid)) {
722 logg("!Failed to change socket ownership to group %s\n", gname);
723 ret = 1;
724 break;
725 }
726 }
727 if (optget(opts, "LocalSocketMode")->enabled) {
728 char *end;
729
730 sock_mode = strtol(optget(opts, "LocalSocketMode")->strarg, &end, 8);
731
732 if (*end) {
733 logg("!Invalid LocalSocketMode %s\n", optget(opts, "LocalSocketMode")->strarg);
734 ret = 1;
735 break;
736 }
737 } else {
738 sock_mode = 0777 /* & ~umsk*/; /* conservative default: umask was 0 in clamd < 0.96 */
739 }
740
741 if (chmod(optget(opts, "LocalSocket")->strarg, sock_mode & 0666)) {
742 logg("!Cannot set socket permission to %s\n", optget(opts, "LocalSocketMode")->strarg);
743 ret = 1;
744 break;
745 }
746
747 nlsockets++;
748 }
749
750 /* check for local sockets passed by systemd */
751 if (num_fd > 0) {
752 int *t;
753 t = realloc(lsockets, sizeof(int) * (nlsockets + 1));
754 if (!(t)) {
755 ret = 1;
756 break;
757 }
758 lsockets = t;
759
760 lsockets[nlsockets] = localserver(opts);
761 if (lsockets[nlsockets] == -1) {
762 ret = 1;
763 break;
764 } else if (lsockets[nlsockets] > 0) {
765 nlsockets++;
766 }
767 }
768
769 if (0 == foreground) {
770 if (!debug_mode) {
771 if (chdir("/") == -1) {
772 logg("^Can't change current working directory to root\n");
773 }
774 }
775
776 #ifndef _WIN32
777
778 /*Since some of the logging is written to stderr, and some of it
779 * is written to a log file, close stdin, stderr, and stdout
780 * now, since everything is initialized.*/
781
782 /*signal the parent process.*/
783 if (parentPid != getpid()) {
784 daemonize_signal_parent(parentPid);
785 }
786 #endif
787 }
788
789 #endif
790
791 if (nlsockets == 0) {
792 logg("!Not listening on any interfaces\n");
793 ret = 1;
794 break;
795 }
796
797 ret = recvloop(lsockets, nlsockets, engine, dboptions, opts);
798
799 } while (0);
800
801 if (num_fd == 0) {
802 logg("*Closing the main socket%s.\n", (nlsockets > 1) ? "s" : "");
803
804 for (i = 0; i < nlsockets; i++) {
805 closesocket(lsockets[i]);
806 }
807 #ifndef _WIN32
808 if (nlsockets && localsock) {
809 opt = optget(opts, "LocalSocket");
810
811 if (unlink(opt->strarg) == -1)
812 logg("!Can't unlink the socket file %s\n", opt->strarg);
813 else
814 logg("Socket file removed.\n");
815 }
816 #endif
817 }
818
819 free(lsockets);
820
821 logg_close();
822 optfree(opts);
823
824 return ret;
825 }
826