NAME
fp.so - F-PROT Antivirus for Linux, Preloadable Library Call Wrapper
DESCRIPTION
fp.so is a shared object file that complements the Daemon Scanner. It wraps
certain library calls so that files are scanned before they are opened.
DETAILED DESCRIPTION
This shared object exports symbols for fopen(3), open(2), fopen64() and
open64(). Those symbols are wrappers for the real functions which cause file
open requests to be scanned using the daemon scanner, fpscand(8). Each time a
file open is requested, the wrapper opens a socket, connects to fpscand and
requests a scan from it. After the scan completes, the wrapper either allows
the file to be opened or returns an EACCES (Permission denied) error.
This shared object is intended as a tool for system administrators to force
scanning of files accessed by the system. This can be accomplished in two
ways: by putting the library's pathname in the LD_PRELOAD environment variable
and exporting it to all programs whose file accesses should be scanned, or by
putting the library's pathname in the file /etc/ld.so.preload, which forces
every process that uses the dynamic loader to load fp.so on execution. Be sure
to read the WARNINGS section below before using /etc/ld.so.preload.
This shared object is not very suitable for hostile environments, for example
to scan files created and opened by malicious persons who have the privilege
of executing commands, since anyone who controls the environment of the
programs they run, or who can run statically linked programs, is not forced to
load it. It is intended for system administrators who want to be able to scan
files served by user space daemons, such as smbd(8). To cause such behavior,
the administrator must put the full path of fp.so in the LD_PRELOAD
environment variable and export it to all child processes before running
smbd(8) (see the USAGE EXAMPLES section below).
Please note that this library only works with dynamically linked programs. To
find out whether a given program is dynamically linked, use the file(1)
program. If a program is statically linked, all the library routines it uses
are linked into the program's object, so it never uses any unresolved external
symbols handled by the dynamic linker, and there is nothing for fp.so to wrap.
fp.so works only if it is loaded, and its symbols mapped, before the dynamic
linker loads any other shared objects.
CONFIGURATION
Configuration is done via F-PROT's global configuration file,
/etc/f-prot.conf. Configuration options specific to fp.so have names starting
with FP_SO_, but fp.so also reads FPSCAND_LISTEN_ADDRESS to determine how to
connect to fpscand. Please read the default configuration file for an
explanation of each option.
USAGE EXAMPLES
For fp.so to work, and actually wrap file-access library calls with scan
requests to the virus scanning daemon, it needs to be loaded before any other
shared libraries get loaded by the dynamic loader, ld.so(8). To accomplish
this, users must define and export the LD_PRELOAD environment variable, or the
system administrator can put the full pathname of fp.so into
/etc/ld.so.preload. Be sure to read the WARNINGS section below before using
/etc/ld.so.preload.
Methods of handling environment variables differ between shells. For sh(1) or
bash(1) the procedure is as follows:

    LD_PRELOAD=/opt/f-prot/fstools/fp.so
    export LD_PRELOAD
    command

The first line defines the LD_PRELOAD environment variable with the value
/opt/f-prot/fstools/fp.so. The second line exports that variable to all child
processes of the shell.
Another way of doing the same task is:

    LD_PRELOAD=/opt/f-prot/fstools/fp.so command

This presets the LD_PRELOAD environment variable to /opt/f-prot/fstools/fp.so
for "command" only, without exporting it to the shell's other child processes.
sh(1) and bash(1) also have the declare built-in, which can be used to set
attributes on variables; its -x flag marks a variable for export:

    LD_PRELOAD=/opt/f-prot/fstools/fp.so
    declare -x LD_PRELOAD
    command

The first line defines the LD_PRELOAD environment variable as
/opt/f-prot/fstools/fp.so. The second line marks the LD_PRELOAD environment
variable for export. The third line runs a command which inherits all the
exported environment variables.
Another interesting attribute one can set with the declare built-in is -r, or
read-only. This attribute makes a variable read-only in the current context.
Unfortunately, variables cannot be exported with the read-only attribute set.
For csh(1) and tcsh(1) the procedure is slightly different:

    setenv LD_PRELOAD /opt/f-prot/fstools/fp.so
    command

The first line defines the LD_PRELOAD environment variable with the value
/opt/f-prot/fstools/fp.so and marks it for export. The second line executes a
command which inherits the LD_PRELOAD variable.
As stated in the DETAILED DESCRIPTION section above, fp.so only works when
used with dynamically linked programs. To see whether a file is dynamically or
statically linked, use the file(1) program. Example:

    $ file /bin/ls
    /bin/ls: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically
    linked (uses shared libs), stripped
    $

This tells us, among other things, that /bin/ls is dynamically linked.

    $ file /opt/f-prot/fpscan
    /opt/f-prot/fpscan: ELF 32-bit LSB executable, Intel 80386, version 1
    (SYSV), statically linked, stripped
    $

This tells us, among other things, that /opt/f-prot/fpscan is statically
linked.
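A small wrapper script that applies the procedure above: it checks with file(1) that the target is dynamically linked before setting LD_PRELOAD for that one process, and refuses a statically linked binary rather than running it unscanned. This is an added example, not part of the fp.so man page or of F-PROT; the library path is the one given on the page, the function names are assumed.

```shell
#!/bin/sh
# Run a command under fp.so only when the wrapper can actually take effect.
# Added example, not part of the fp.so man page or of F-PROT. The library path
# /opt/f-prot/fstools/fp.so is taken from the page; the function names are assumed.
FP_SO=${FP_SO:-/opt/f-prot/fstools/fp.so}

# is_dynamic_desc DESCRIPTION: classify one line of file(1) output.
# Returns 0 for a dynamically linked executable, 1 for a statically linked one,
# 2 when the description says neither (not an executable, or file(1) missing).
is_dynamic_desc() {
    case $1 in
        *"dynamically linked"*) return 0 ;;
        *"statically linked"*)  return 1 ;;
        *)                      return 2 ;;
    esac
}

# fp_run COMMAND [ARGS...]: resolve COMMAND on PATH, check its linkage with
# file(1), then run it with LD_PRELOAD set for that process only (the
# "LD_PRELOAD=... command" form from USAGE EXAMPLES). A static binary is
# refused instead of silently running unscanned.
fp_run() {
    [ -r "$FP_SO" ] || { echo "fp.so not readable at $FP_SO" >&2; return 3; }
    bin=$(command -v "$1") || { echo "no such command: $1" >&2; return 4; }
    desc=$(file -L "$bin" 2>/dev/null)   # -L follows symlinks such as /bin/sh -> dash
    rc=0
    is_dynamic_desc "$desc" || rc=$?
    case $rc in
        1) echo "$bin is statically linked; fp.so cannot wrap its open(2)/fopen(3) calls" >&2
           return 5 ;;
        2) echo "cannot determine how $bin is linked (is file(1) installed?)" >&2
           return 6 ;;
    esac
    LD_PRELOAD=$FP_SO "$@"
}
```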
BUGS
* If you're running a SELinux system with an enforcing policy (e.g. Fedora
  Core 4) you'll get an error message like:
  'cannot restore segment prot after reloc: Permission denied'
  when using fp.so. To enable fp.so in this environment you must put fp.so
  in an appropriate security context. These differ between distros, but in
  general you should put fp.so in the same context as libc.so. For this use
  'chcon -t <context> /path/to/fp.so'. Fedora Core 4 example:

      chcon -t lib_t /opt/f-prot/fstools/fp.so

  You can also turn SELinux off by running 'setenforce 0' as root.
* There is a bug in the NPTL (Native POSIX Thread Library) support of the
  glibc-2.3.2-27.9 package that comes with Red Hat Linux 9. It can cause
  hangs or crashes. To circumvent the problem, please define the
  LD_ASSUME_KERNEL environment variable to 2.4.19. Example:

      LD_ASSUME_KERNEL="2.4.19" LD_PRELOAD="/opt/f-prot/fstools/fp.so" smbd -D

  This causes the dynamic loader to circumvent the NPTL version of glibc.
WARNINGS
/etc/ld.so.preload
Extreme caution should be exercised in the use of /etc/ld.so.preload for
system-wide preloading of fp.so. A mistake in its use could result in a
disabled system. Using the LD_PRELOAD environment variable instead is strongly
recommended. Use of /etc/ld.so.preload in conjunction with fp.so should be
considered to be for experts only, since it is dangerous for the running
system and harder to disable.
o If /etc/ld.so.preload is used, the path to fp.so given in it must be
  available at boot time. Otherwise the boot procedure will fail at the next
  boot.
o Any line in /etc/ld.so.preload pointing to fp.so should be removed before
  removing or overwriting the fp.so binary.
o The fp.so shared object should always be tested using the LD_PRELOAD
  environment variable first, before adding it to /etc/ld.so.preload.
o The FP_SO_REFUSEONERROR option (see /etc/f-prot.conf) should never be used
  when loading fp.so from /etc/ld.so.preload, since fpscand(8) will not be up
  and running when many dynamically linked programs on the system are loaded
  at boot time, and refusing all requests would then render the system
  unbootable.
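The points in this section can be checked mechanically before anything is written to /etc/ld.so.preload. The following script is an added example, not part of the fp.so man page or of F-PROT; it assumes the f-prot.conf option is spelled "FP_SO_REFUSEONERROR = yes" and that the system has a Linux /proc filesystem.

```shell
#!/bin/sh
# Pre-flight checks before listing a preload library in /etc/ld.so.preload,
# covering the points in the WARNINGS section. Added example, not part of the
# fp.so man page or of F-PROT. Assumes the f-prot.conf option is written as
# "FP_SO_REFUSEONERROR = yes" (an assumption; see the shipped default config).
# Usage: preload_preflight /opt/f-prot/fstools/fp.so [/etc/f-prot.conf]
# Returns 0 when every check passes, otherwise a distinct code per failure.
preload_preflight() {
    lib=$1; conf=${2:-/etc/f-prot.conf}
    # 1. The loader reads ld.so.preload before PATH or any shell exists:
    #    only an absolute path can work.
    case $lib in /*) ;; *) echo "not an absolute path: $lib" >&2; return 1 ;; esac
    # 2. The file must be present and readable; an unreadable entry hits every
    #    dynamically linked program on the system, including those run at boot.
    [ -r "$lib" ] || { echo "not readable: $lib" >&2; return 2; }
    # 3. Refuse anything that is not an ELF object (magic bytes 7f 45 4c 46).
    magic=$(od -An -tx1 -N4 "$lib" | tr -d ' \n')
    [ "$magic" = "7f454c46" ] || { echo "not an ELF object: $lib" >&2; return 3; }
    # 4. FP_SO_REFUSEONERROR must be off: fpscand is not running yet when boot-time
    #    programs load, so fail-closed would refuse every open(2) and block the boot.
    if [ -r "$conf" ] && grep -Eiq \
        '^[[:space:]]*FP_SO_REFUSEONERROR[[:space:]]*=?[[:space:]]*(yes|true|1)' "$conf"; then
        echo "FP_SO_REFUSEONERROR is enabled in $conf" >&2; return 4
    fi
    # 5. Test with LD_PRELOAD first, as the man page advises, and confirm that the
    #    loader really mapped the object into a child process (Linux /proc needed;
    #    a symlinked path will not match the resolved path shown in maps).
    if ! LD_PRELOAD=$lib /bin/sh -c 'grep -qF "$1" /proc/$$/maps' sh "$lib" 2>/dev/null; then
        echo "loader did not map $lib under LD_PRELOAD" >&2; return 5
    fi
    # 6. Do not add the same line twice.
    if [ -r /etc/ld.so.preload ] && grep -qxF "$lib" /etc/ld.so.preload; then
        echo "$lib is already listed in /etc/ld.so.preload" >&2; return 6
    fi
    echo "ok: $lib passed the pre-flight checks for /etc/ld.so.preload"
}
```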
FILES
/etc/f-prot.conf
    Contains configuration data for fp.so and F-PROT Antivirus in general.
PROTECTING YOUR SAMBA SHARES
Exactly how this is done depends on your distribution and how you start the
samba server. In general, you will need to edit your samba startup script,
usually called /etc/init.d/smb or /etc/init.d/samba, and add the string

    LD_PRELOAD=/opt/f-prot/fstools/fp.so

to the beginning of the line where smbd is started.
RedHat example: in the file /etc/init.d/smb change the line

    daemon smbd $SMBDOPTIONS

to:

    LD_PRELOAD=/opt/f-prot/fstools/fp.so daemon smbd $SMBDOPTIONS

SuSE example (from SuSE 8.2): in the file /etc/init.d/smb change the line

    startproc -p ${PID_FILE} ${DAEMON_DIR}${BIN_SUFFIX}/${SMBD_BIN} -D -s ${SMB_CONF}

to:

    LD_PRELOAD=/opt/f-prot/fstools/fp.so startproc -p ${PID_FILE} ${DAEMON_DIR}${BIN_SUFFIX}/${SMBD_BIN} -D -s ${SMB_CONF}
LICENSING
For information about Licensing, see the LICENSE file that comes with F-PROT Antivirus.
CONTACT INFORMATION
Please direct any feedback to:
http://www.f-prot.com/support/contact_support.html
Updates will be advertised on: http://www.f-prot.com/
SEE ALSO
f-prot.conf(5), fpscan(1), fpscand(8), fpmon(8), environ(5), ld.so(8),
file(1), syslogd(8)