CentOS 7 and php_uploadscan.sh

zEitEr (Super Moderator; joined Apr 11, 2005; 15,358 messages; location: www.poralix.com)
Hello,

I noticed on a server with CentOS 7 that all uploads fail with error code 8:

Value: 8; A PHP extension stopped the file upload.

http://php.net/manual/en/features.file-upload.errors.php

Going into details I've found out that /usr/local/php*/bin/php_uploadscan.sh fails to get executed on file upload.

I've added this code to the script:

Code:
echo -n 1 >> /tmp/upload.log

and prepared the log file so it is writable:

Code:
touch /tmp/upload.log
chmod 666 /tmp/upload.log

I've tried several PHP versions and all of them had the same result.

Some debug info:

Code:
[root@server ~]# sudo -u admin stat /usr/local/php56/bin/php_uploadscan.sh
  File: ‘/usr/local/php56/bin/php_uploadscan.sh’
  Size: 115             Blocks: 8          IO Block: 4096   regular file
Device: 902h/2306d      Inode: 266524      Links: 1
Access: (0755/-rwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2014-10-13 21:05:17.930923246 +0200
Modify: 2014-10-23 09:09:16.133090568 +0200
Change: 2014-10-23 09:09:16.133090568 +0200
 Birth: -
[root@server ~]#
[root@server ~]# sudo -u apache stat /usr/local/php56/bin/php_uploadscan.sh
  File: ‘/usr/local/php56/bin/php_uploadscan.sh’
  Size: 115             Blocks: 8          IO Block: 4096   regular file
Device: 902h/2306d      Inode: 266524      Links: 1
Access: (0755/-rwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2014-10-13 21:05:17.930923246 +0200
Modify: 2014-10-23 09:09:16.133090568 +0200
Change: 2014-10-23 09:09:16.133090568 +0200
 Birth: -
[root@server ~]#

Am I the only one to face such an issue, or can you see it on your CentOS 7 servers as well?
 
I noticed the same problem on one of our CentOS 7 servers. But whilst trying to fix the problem I discovered a few things.

At first I also tried to modify the script to see if it got executed. And it did; however, it can't seem to write to /tmp, so that's why it didn't seem to work for you when you tried to write to /tmp/upload.log.
I then turned my attention to clamd, which gets executed in the script. I noticed the following in /var/log/messages:
Code:
clamd: WARNING: lstat() failed on: /tmp/phpNderUk
suhosin[8428]: ALERT - fileupload verification script disallows file - file dropped
So it seems clamd also has problems reading files in /tmp. I then tried to just run 'clamdscan /tmp/someexistingfile', but even that throws the error:
Code:
lstat() failed: No such file or directory. ERROR

So both the script and clamd have trouble with /tmp, but I can't figure out why that is.
 
Thanks, that was indeed the problem. I had to change 'PrivateTmp=True' to False in both php-fpm5x.service and clamd.service. I then had to manually stop and restart the service through systemctl since it didn't seem to take the new settings by doing it through DA.
It now properly scans and blocks harmful files that are uploaded through PHP-FPM :)


I still think it's strange, though: when I ran clamdscan (whilst still using 'PrivateTmp=True') on a non-existing file in /tmp it gave the following error:
Code:
ERROR: Can't access file /tmp/nofile.txt
But when I ran it on an existing file in /tmp it gave this error:
Code:
/tmp/realfile.txt: lstat() failed: No such file or directory. ERROR
You'd think it shouldn't know about this difference since it is supposed to only know about its own isolated /tmp.
 
I too have the same error, even after changing 'PrivateTmp=True'.

did you get any solution for this? If yes, could you please share it?
 
Yes, the solution was as described: setting PrivateTmp to false for both the PHP and clamd services. This can be done by creating the following files (they won't get overwritten when you rebuild PHP or ClamAV):
/etc/systemd/system/clamd.service.d/custom.conf
/etc/systemd/system/php-fpm5x.service.d/custom.conf (replace php-fpm5x with your php version)

Both files should contain the following:
Code:
[Service]
PrivateTmp = false
 
The instructions from my previous post are no longer necessary as this is incorporated in CB2 now. If you rebuild ClamAV and PHP-FPM it will automatically disable PrivateTmp if you have the upload scan option enabled.

@smtalk
There is currently a small bug in CB2 (1516). For ClamAV it uses
Code:
perl -pi -e 's#PrivateTmp\=true#PrivateTmp=false#' ${SYSTEMDDIR}/clamd.service
But it should be changed to the following, since the default service file uses spaces between 'PrivateTmp' and '=':
Code:
perl -pi -e 's#PrivateTmp \= true#PrivateTmp = false#' ${SYSTEMDDIR}/clamd.service
The php-fpmxx.service one is correct since that file has no spaces. I haven't checked the one for httpd.service.
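The two points above (the drop-in files that turn PrivateTmp off for the PHP and clamd units, and the spacing variant that the CustomBuild one-liner missed) can be checked with a small script. The following is an added example and is not code from the thread or from DirectAdmin's CustomBuild; it parses unit files plus their drop-ins the way systemd layers them (last assignment wins) and accepts both `PrivateTmp=true` and `PrivateTmp = true`. The unit paths it uses are constructed in a temporary directory for the demo; on a real CentOS 7 box they would be `/usr/lib/systemd/system/clamd.service` with drop-ins in `/etc/systemd/system/clamd.service.d/`, and likewise for `php-fpmXX.service`.

```shell
#!/bin/sh
# Added example (not from the thread or CustomBuild). Checks whether php-fpm
# and clamd will see the same /tmp and writes the drop-in from the thread.

# Print the effective PrivateTmp= value for a unit: the unit file first, then
# every <dropin_dir>/*.conf in sorted order, last assignment wins (that is how
# systemd layers drop-ins). Tolerates "PrivateTmp = true" as well as
# "PrivateTmp=true". Prints "unset" when no assignment is present.
private_tmp_setting() {
    unit_file=$1
    dropin_dir=$2
    value=unset
    for f in "$unit_file" "$dropin_dir"/*.conf; do
        [ -f "$f" ] || continue
        v=$(sed -n 's/^[[:space:]]*PrivateTmp[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*$/\1/p' "$f" | tail -n 1)
        if [ -n "$v" ]; then
            value=$(printf '%s' "$v" | tr '[:upper:]' '[:lower:]')
        fi
    done
    printf '%s\n' "$value"
}

# The boolean spellings systemd treats as "enabled".
is_on() {
    case $1 in
        1|yes|true|on) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 when neither the uploader (php-fpm) nor the scanner (clamd) has a
# private /tmp, i.e. clamd can lstat() the /tmp/phpXXXXXX file PHP hands it.
# With either one private, the scan fails and the upload is dropped (error 8).
# args: php_unit php_dropin_dir clamd_unit clamd_dropin_dir
shared_tmp_ok() {
    php=$(private_tmp_setting "$1" "$2")
    clam=$(private_tmp_setting "$3" "$4")
    if is_on "$php" || is_on "$clam"; then
        return 1
    fi
    return 0
}

# Write the drop-in from the thread. Editing the vendor unit under
# /usr/lib/systemd/system is lost on a package rebuild; the drop-in survives.
write_private_tmp_dropin() {
    mkdir -p "$1"
    printf '[Service]\nPrivateTmp=false\n' > "$1/custom.conf"
    # On a real system follow with: systemctl daemon-reload; systemctl restart <unit>
}

# Demo on constructed unit files in a scratch directory; nothing real is touched.
demo() {
    d=$(mktemp -d)
    printf '[Service]\nPrivateTmp = true\n' > "$d/clamd.service"     # spaced, like the stock unit
    printf '[Service]\nPrivateTmp=true\n' > "$d/php-fpm56.service"   # unspaced
    if shared_tmp_ok "$d/php-fpm56.service" "$d/php-fpm56.service.d" \
                     "$d/clamd.service" "$d/clamd.service.d"; then
        echo "before: /tmp is shared"
    else
        echo "before: /tmp is NOT shared; PHP-FPM uploads will fail with error 8"
    fi
    write_private_tmp_dropin "$d/clamd.service.d"
    write_private_tmp_dropin "$d/php-fpm56.service.d"
    if shared_tmp_ok "$d/php-fpm56.service" "$d/php-fpm56.service.d" \
                     "$d/clamd.service" "$d/clamd.service.d"; then
        echo "after: /tmp is shared"
    fi
    rm -rf "$d"
}
demo
```

Turning PrivateTmp off removes the per-service /tmp isolation that systemd provides, so both daemons again share a world-writable directory; if that is a concern, systemd's `JoinsNamespaceOf=` directive lets one unit share another unit's private /tmp instead of disabling it for both.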
 
In my case, there was another problem too. I had enabled both the suhosin upload scan and the ClamAV scan. That made a redundancy. So I changed
modsecurity_uploadscan=no
suhosin_php_uploadscan=yes

in options.conf and rebuilt Apache. That solved my problem.
 