FRISK Software International

NAME

f-prot.so - F-Prot Antivirus for Linux, Preloadable Library Call Wrapper


DESCRIPTION

f-prot.so is a shared object file that complements the Daemon Scanner. It wraps certain library calls so that files are scanned before they are opened.


DETAILED DESCRIPTION

This shared object exports symbols for fopen(3), open(2), fopen64(), and open64(). Those symbols are wrappers for the real functions, and they cause file open requests to be scanned using the Daemon Scanner, f-protd(8). Each time a file open is requested, the wrapper opens a socket, connects to the Daemon Scanner, and requests a scan from it. After the scan completes, the wrapper either allows the file to be opened or returns an EACCES (Permission denied) error.

This shared object is intended as a tool for system administrators to force scanning of files accessed by the system. This can be accomplished in two ways: by putting the library's pathname in the LD_PRELOAD environment variable and exporting it to all programs whose file accesses should be scanned, or by putting the library's pathname in the file /etc/ld.so.preload, which forces every process that uses the dynamic loader to load f-prot.so on execution. Be sure to read the WARNINGS section below before using /etc/ld.so.preload.

This shared object is not well suited to hostile environments, for example scanning files created and opened by malicious users who have the privilege of executing commands (such a user can simply unset LD_PRELOAD or run a statically linked program, neither of which the wrapper can prevent). It is intended for system administrators who want to scan files served by user-space daemons, such as smbd(8). To achieve this, the administrator must put the full path of f-prot.so in the LD_PRELOAD environment variable and export it to all child processes before running smbd(8) (see the USAGE EXAMPLES section below).

Please note that this library only works with dynamically linked programs. To find out whether a given program is dynamically linked, use the file(1) program. If a program is statically linked, all library routines it uses are linked into the program's object, so it never uses any unresolved external symbols handled by the dynamic linker. f-prot.so works only if it is loaded, and its symbols mapped, before the dynamic linker loads any other shared objects.
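The following is an added illustration, not F-Prot's own code, of the wrapper technique this section describes: it interposes fopen(3) by defining the symbol itself, reaches libc's fopen through dlsym(RTLD_NEXT), asks for a verdict before calling through, and returns EACCES for an infected file or, when the assumed refuse_on_error flag is set (modelling the FPROT_SO_REFUSEONERROR option discussed under WARNINGS), for a failed scan. The socket round trip to f-protd(8) is replaced by a constructed marker check, and scan_verdict, try_open and the marker string are assumptions of this example.

```c
#define _GNU_SOURCE            /* for RTLD_NEXT */
#include <dlfcn.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#ifndef RTLD_NEXT              /* glibc/musl value, in case headers were read before the define */
#define RTLD_NEXT ((void *) -1L)
#endif
/* Constructed stand-in for f-protd's verdict: a first line containing this marker means "infected" */
#define SCAN_MARKER "CONSTRUCTED-TEST-MARKER"
int refuse_on_error = 0;       /* assumed flag modelling FPROT_SO_REFUSEONERROR */
typedef FILE *(*fopen_fn)(const char *, const char *);
static fopen_fn real_fopen(void)   /* libc's fopen: the next definition after ours in load order */
{
    static fopen_fn fn;
    if (!fn) fn = (fopen_fn) dlsym(RTLD_NEXT, "fopen");
    return fn;
}
/* 1 = infected, 0 = clean, -1 = scan failed (file unreadable, or the daemon unreachable) */
int scan_verdict(const char *path)
{
    char line[256];
    FILE *f = real_fopen()(path, "r");   /* must bypass our own wrapper */
    if (!f) return -1;
    int hit = fgets(line, sizeof line, f) && strstr(line, SCAN_MARKER) != NULL;
    fclose(f);
    return hit;
}
/* Interposed fopen(3): scan first, then call through to libc or fail with EACCES */
FILE *fopen(const char *path, const char *mode)
{
    int v = scan_verdict(path);
    if (v == 1 || (v < 0 && refuse_on_error)) { errno = EACCES; return NULL; }
    return real_fopen()(path, mode);
}
/* Demo helper: put constructed content in a temp file (a missing path if content is NULL) and
   open it through the wrapper; returns 0 on success or the errno the wrapper reported */
int try_open(const char *content, int refuse)
{
    char name[] = "/tmp/fprot-demo-XXXXXX";
    int fd = content ? mkstemp(name) : -1;
    if (fd >= 0 && (write(fd, content, strlen(content)) < 0 || close(fd) < 0)) return -1;
    refuse_on_error = refuse; errno = 0;
    FILE *f = fopen(fd >= 0 ? name : "/nonexistent/constructed/path", "r");
    int rc = f ? 0 : errno;
    if (f) fclose(f);
    if (fd >= 0) unlink(name);
    return rc;
}
```

Compiled with -shared -fPIC (plus -ldl on glibc older than 2.34) the same file becomes a preloadable object that can be tried via LD_PRELOAD exactly as described in USAGE EXAMPLES.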


CONFIGURATION

Configuration is done via F-Prot's global configuration file, /etc/f-prot.conf. Configuration options specific to f-prot.so have names starting with FPROT_SO_, but f-prot.so also reads several other variables from it, such as the log facility and the daemon address. Please read the default config file for an explanation of each option.


USAGE EXAMPLES

For f-prot.so to work, and actually wrap file-access library calls with scan requests to the virus scanning daemon, it needs to be loaded before any other shared libraries are loaded by the dynamic loader, ld.so(8). To accomplish this, users must define and export the LD_PRELOAD environment variable, or the system administrator can put the full pathname of f-prot.so into /etc/ld.so.preload. Be sure to read the WARNINGS section below before using /etc/ld.so.preload.

Methods of handling environment variables differ between shells. For sh(1) or bash(1) the procedure is as follows:

LD_PRELOAD=/usr/local/f-prot/tools/f-prot.so
export LD_PRELOAD
command

The first line defines the LD_PRELOAD environment variable with the value /usr/local/f-prot/tools/f-prot.so. The second line exports that variable to all child processes of the shell.

Another way of doing the same task is:

LD_PRELOAD=/usr/local/f-prot/tools/f-prot.so command

This presets the LD_PRELOAD environment variable to /usr/local/f-prot/tools/f-prot.so for "command" before running it, without actually exporting it to other child processes.

sh(1) and bash(1) also have the declare built-in, which can be used to set attributes on certain environment variables. The -x flag marks a variable for export.

LD_PRELOAD=/usr/local/f-prot/tools/f-prot.so
declare -x LD_PRELOAD
command

The first line defines the LD_PRELOAD environment variable as /usr/local/f-prot/tools/f-prot.so. The second line marks the LD_PRELOAD environment variable for export. The third line runs a command which inherits all the exported environment variables.

Another interesting attribute one can set with the declare built-in is -r or read-only. This attribute defines a variable to be read-only in the current context. Variables can unfortunately not be exported with the read-only attribute set.

For csh(1) and tcsh(1) the procedure is slightly different:

setenv LD_PRELOAD /usr/local/f-prot/tools/f-prot.so
command

The first line defines the LD_PRELOAD environment variable with the value /usr/local/f-prot/tools/f-prot.so and marks it for export. The second line executes a command which inherits the LD_PRELOAD variable.

As stated in the section DETAILED DESCRIPTION above, f-prot.so only works when used with dynamically linked programs. To see whether a file is dynamically or statically linked, use the file(1) program. Example:

$ file /bin/ls
/bin/ls: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), stripped
$

This tells us, among other things, that /bin/ls is dynamically linked.

$ file /usr/local/f-prot/f-prot
/usr/local/f-prot/f-prot: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
$

This tells us, among other things, that /usr/local/f-prot/f-prot is statically linked.


BUGS

* If you're running an SELinux system with an enforcing policy (e.g. Fedora Core 4) you'll get an error message like 'cannot restore segment prot after reloc: Permission denied' when using f-prot.so. To enable f-prot.so in this environment you must put f-prot.so in an appropriate security context. These differ between distros, but in general you should put f-prot.so in the same context as libc.so. For this you use 'chcon -t <context> /path/to/f-prot.so'.

Fedora Core 4 example:

chcon -t lib_t /usr/local/f-prot/tools/f-prot.so

You can also turn SELinux enforcement off by running, as root:

setenforce 0

Note that this switches the whole system to permissive mode until the next reboot (or 'setenforce 1'), so the chcon approach above is the preferred fix.

* There is a bug in the NPTL (Native POSIX Thread Library) support of the glibc-2.3.2-27.9 package that comes with Red Hat Linux 9. It can cause hangs or crashes. To circumvent the problem, define the LD_ASSUME_KERNEL environment variable as 2.4.19. Example:

LD_ASSUME_KERNEL="2.4.19" LD_PRELOAD="/usr/local/f-prot/tools/f-prot.so" smbd -D

This causes the dynamic loader to bypass the NPTL version of glibc.

WARNINGS


/etc/ld.so.preload

Extreme caution should be exercised in the use of /etc/ld.so.preload for system-wide preload of f-prot.so. Making a mistake in its use could result in a disabled system. Using the LD_PRELOAD environment variable instead is strongly recommended. Use of /etc/ld.so.preload in conjunction with f-prot.so should be considered to be for experts only since it is dangerous for the running system, and harder to disable.
o  If /etc/ld.so.preload is used, the path to f-prot.so presented in it must be available at boot time. Otherwise the boot procedure will fail at the next boot.

o  Any line in /etc/ld.so.preload pointing to f-prot.so should be removed before removing or overwriting the f-prot.so binary.

o  The f-prot.so shared object should always be tested using the LD_PRELOAD environment variable first, before adding it to /etc/ld.so.preload.

o  The FPROT_SO_REFUSEONERROR option (see /etc/f-prot.conf) should never be used when loading f-prot.so from /etc/ld.so.preload, since f-protd(8) will not be up and running when many dynamically linked programs on the system are loaded at boot time, and so refusing all requests would render the system unbootable.


FILES


/etc/f-prot.conf

Contains configuration data for f-prot.so and F-Prot Antivirus in general.


PROTECTING YOUR SAMBA SHARES

Exactly how this is done depends on your distribution and how you start the samba server. In general, you will need to edit your samba startup script, usually called /etc/init.d/smb or /etc/init.d/samba and add the string: LD_PRELOAD=/usr/local/f-prot/tools/f-prot.so to the beginning of the line where smbd is started.

RedHat example:

In the file /etc/init.d/smb change the line:

daemon smbd $SMBDOPTIONS

to:

LD_PRELOAD=/usr/local/f-prot/tools/f-prot.so daemon smbd $SMBDOPTIONS

SuSE example (from SuSE 8.2):

In the file /etc/init.d/smb change the line:

startproc -p ${PID_FILE} ${DAEMON_DIR}${BIN_SUFFIX}/${SMBD_BIN} -D -s ${SMB_CONF}

to:

LD_PRELOAD=/usr/local/f-prot/tools/f-prot.so startproc -p ${PID_FILE} ${DAEMON_DIR}${BIN_SUFFIX}/${SMBD_BIN} -D -s ${SMB_CONF}
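Once smbd has been restarted with the edited script, it is worth confirming that f-prot.so is actually mapped into the running daemon: it will not be if smbd is statically linked, or if the variable was dropped somewhere in the startup chain. The check below is an added example, not part of F-Prot; it parses /proc/<pid>/maps, and the maps excerpt it ships with is constructed.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed excerpt in /proc/<pid>/maps format, as an smbd started with the preload might show */
const char *SAMPLE_MAPS =
    "55d0c8a00000-55d0c8a1c000 r--p 00000000 08:01 1048577                    /usr/sbin/smbd\n"
    "7f3e1c200000-7f3e1c203000 r-xp 00000000 08:01 2621441                    /usr/local/f-prot/tools/f-prot.so\n"
    "7f3e1c400000-7f3e1c5a4000 r-xp 00000000 08:01 2359297                    /usr/lib/x86_64-linux-gnu/libc.so.6\n"
    "7ffd9e3c0000-7ffd9e3e1000 rw-p 00000000 00:00 0                          [stack]\n";

/* Returns 1 if any maps line maps a file whose path ends in "/<lib>", else 0. The path is the
   last field of a line; anonymous maps have none and pseudo-paths such as [stack] start with '['.
   A library replaced on disk while loaded shows "... (deleted)" and is deliberately not matched. */
int maps_has_library(const char *maps_text, const char *lib)
{
    size_t liblen = strlen(lib);
    const char *line = maps_text;
    while (*line) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        const char *path = NULL;                 /* text after the last space on the line */
        for (size_t i = 0; i < len; i++)
            if (line[i] == ' ') path = line + i + 1;
        if (path && *path == '/') {
            size_t plen = (size_t)(line + len - path);
            if (plen > liblen && path[plen - liblen - 1] == '/' &&
                memcmp(path + plen - liblen, lib, liblen) == 0)
                return 1;
        }
        if (!end) break;
        line = end + 1;
    }
    return 0;
}

/* Reads /proc/<pid>/maps: 1 = lib mapped, 0 = not mapped, -1 = maps unreadable (bad pid, no permission) */
int pid_has_library(pid_t pid, const char *lib)
{
    char path[64];
    static char buf[1 << 20];                    /* the maps of a large daemon can run to hundreds of KB */
    snprintf(path, sizeof path, "/proc/%ld/maps", (long) pid);
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return maps_has_library(buf, lib);
}
```

Run pid_has_library against the pid from the smbd pid file; a 0 result after a restart means the preload did not take effect and the startup script needs another look.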


LICENSING

For information about Licensing, see the LICENSE file that comes with F-Prot Antivirus.


CONTACT INFORMATION

Please direct any feedback to:

http://www.f-prot.com/support/contact_support.html

Updates will be advertised on: http://www.f-prot.com/


SEE ALSO

f-prot.conf(5)
f-prot(1)
f-protd(8)
environ(5)
ld.so(8)
file(1)
syslogd(8)
