-
-
Notifications
You must be signed in to change notification settings - Fork 2
cleanq.8
cleanq - clean up qscanq work directory
cleanq [ -l ] [ -s interval ]
cleanq scans the current working directory, deleting work files no longer in use by qscanq.
cleanq takes only two command-line options:
if invoked with the "-l" option, then cleanq logs a startup message and a record of each of its actions to stdout.
if invoked with the "-s" option, cleanq runs forever doing its activity once every interval seconds.
Users can run cleanq if they want, but it would serve no purpose: cleanq uses no special privileges. It is intended to be run in the scanning directory by supervise, part of the daemontools package.
In the default configuration, cleanq is set to log all actions, and multilog (also part of the daemontools package) is set to ignore startup messages and routine deletions (i.e., removal of non-sticky working directories). These settings can be changed either by editing /service/qscanq/log/run.
qscanq applies the following rules, in order:
Entries named "." or ".." are ignored.
[step]
If cleanq cannot stat the file, then it is ignored and the failure is
logged to stderr.
[step]
If the directory entry is not a subdirectory, cleanq will attempt to
unlink it. If the "-l" option is used, cleanq will also log the filename
to stdout. Failure to unlink the file will be ignored. Note that
non-directories should never be created by qscanq, so presence of this
log entry indicates a potential security breach.
[step]
Any entry not starting with '@' is ignored. If the "-l" option is used,
the filename will be logged to stdout. No such files should ever be
created, so presence of this log entry indicates a potential security
breach.
[step]
If the entry does not have its sticky bit set, then it is removed. This
is the normal operational mode; under normal conditions, this should be
the only action logged by cleanq.
[step]
If the entry does have its sticky bit set, but its ctime is older than
than three times the age specified at compile time in conf-ageout, then
it is removed. By default, this means that entries older than 3 hours
are removed. If the "-l" option is used, and this log entry is found, it
does not indicate a likely security breach, but it does indicate a
possible attack in which some attacker is holding connections to your
mail server.
Removal of an unused working directory--i.e., one whose name begins with "@", and whose sticky bit is unset or whose ctime is greater than three hours--is removed in the following steps:
cleanq changes into the directory, and then changes into its subdirectory named "work".
[step]
cleanq attempts to unlink every directory entry whose name does not
begin with "." in the current working directory.
[step]
cleanq changes directory to ".." and calls rmdir for the "work"
directory.
[step]
cleanq changes directory to ".." again and calls rmdir for the original
directory.
Clearly, an attacker wishing to defeat cleanq and fill up the scanning directory would attempt to violate the rules implied above. Specifically, he would try to create files whose names begin with ".", or to create directories under the "work" subdirectory or elsewhere in the scanning folder.
To accomplish either one, the attacker must subvert either ripmime or the virus scanner. In normal operation, ripmime does not respect filenames provided with MIME attachments, and antivir or clamscan do not leave files or directories behind.
If any of the steps listed under Removal Procedure should fail, the failure is logged to stderr whether or not the "-l" option is used. A sysadmin should quickly detect any breach preventing cleanq from deleting files.