On Access Virus Protection ?

[Juanito]

Yes, by recompiling the kernel - you'd just need to use the existing tinycore .config and change one or more of the acl settings Rich highlighted

[remus]

I do not have

Code: [Select]

/usr/src/linux/.config on my system

Code: [Select]

$ grep _ACL /usr/src/linux/.config
grep: /usr/src/linux/.config: No such file or directory

I've installed linux-headers-3.0.3-tinycore.tcz and the file appeared
running rich's grep command displays same settings.
I'll add the file to .filetools.lst, make changes save, reboot and see what happens.

--> IF <-- messing with ACL permissions gets clamfs working, does that mean its ok to try and release a tc linux extension that makes such a change to other peoples tc linux systems

[curaga]

No, it would be preferable to use a "normal" group scenario for a posted extension.

Grab the kernel config from one of our mirrors:
ftp://ftp.nluug.nl/pub/metalab/distributions/tinycorelinux/4.x/x86/release/src/kernel/

[Juanito]

copy config-3.0.3-tinycore to the unpacked source as .config after "make mrproper"

Don't use linux-headers-3.0.3-tinycore (this is for compiling out of kernel modules), but do use compiletc + perl5 + bash + ncurses-dev

Edited after seeing previous reply

[remus]

No, it would be preferable to use a "normal" group scenario for a posted extension.

It's a bit disappointing that after all this work, the project can't be released to the public...
Ah well, always look for the bright side

If ACL inclussion was only removed because its not used by most people, does that mean its stable and safe ? if so, can its support be included for a future release of tinycore ?

------------------------------------------------------

Juanito
So I'd load (compiletc + perl5 + bash + ncurses-dev) extensions
And following this wiki ? ->http://wiki.tinycorelinux.net/wiki:custom_kernel?s[]=kernel

If I'm not making an extension, I'll have to review your post regarding how to find out where all these source packages got installed, so I can add them to my backup.

[Juanito]

So I'd load (compiletc + perl5 + bash + ncurses-dev) extensions
And following this wiki ? ->http://wiki.tinycorelinux.net/wiki:custom_kernel?s[]=kernel

If I'm not making an extension, I'll have to review your post regarding how to find out where all these source packages got installed, so I can add them to my backup.

The wiki instructions are almost correct - you don't need any patches and it's vmlinuz you need rather than bzImage, but otherwise it looks about right for tc-4.x

You can make your own local extensions rather than making a massive backup

[curaga]

It's a bit disappointing that after all this work, the project can't be released to the public...
Ah well, always look for the bright side

If ACL inclussion was only removed because its not used by most people, does that mean its stable and safe ? if so, can its support be included for a future release of tinycore ?

Your link says both ways should work, ACLs only allow more fine-grained permissions.

I'm afraid even with one user, the ACLs would still be bloat for everyone else and so outside our scope.

[remus]

I've got clamfs to the stage where it allows the eicar test virus file to be copied to the samba file share from windows. But once the file is on the server, clamfs STOPS any other access to the file.
-I can't over write the file.
-I can't open the file.
-I can't copy the file back to windows.
-I can DELETE the file.

This is without messing with ACLs.

I can create an extension out of it as is, and make a link to the tcz file on this forum thread. Giving others who are interested a chance to tinker with it. What do you think curaga ?

[Rich]

Hi remus

Copying the eicar.com test file to a samba share from windows allows the file to be copied
Trying to copy the file again and overwriting the original fails

What happens if you try that same test with a clean file?

[curaga]

Please submit the extension the usual way, binary links aren't allowed.

[Rich]

Hi remus

What happens if you try that same test with a clean file?

Never mind, I found the answer the answer on your post at the Debian User Forums.
It sounds to me like it's working. As I understand it, it does not stop you from writing an infected file
to a directory, rather, it stops you from reading (or executing, which requires reading) the file once
it is there. Prior to saving a file, a test is first done to see if it exists so that you can confirm whether
you wish to overwrite it. If the test is done by attempting to open the file and checking if it exists,
that might trigger clamfs to block the attempt.
Personally, I want to offer you a pat on the back for your perseverance and what you have achieved.
I suggest you package it up into an extension and submit it so that others can do some testing too.
Under  Comments:  in the info file, give a step by step on how to set it up, including an example that
clearly shows which directory is being protected and which is the access point to that directory.
Once again, congratulations on your accomplishment.

[remus]

Thx Rich,

I'll start following the extension creation wiki, and I'll be sure to include details regarding setup.

[remus]

I just got a reply from the clamav mailing list about clamfs letting the eicar test file into a protected mount point, and then stopping read access to the file.
I'm told by a random mailing list user this behavior is by design. And is also how clamav + dazuko works.

[Rich]

Hi remus

about clamfs letting the eicar test file into a protected mount point, and then stopping read access to the file.

Naturally, "Roaches check in, but they don't check out", that way they can't spread.

[remus]

Naturally, "Roaches get in, but they can't get out", that way they can't spread.

Yeah, its better than the samba file server acting as a virus infection source for the windows computers on the network.

I'm about ready to submit my first extension which is one of clamfs deps "RLOG - a C++ logging library" which has no deps of its own. Kind of like a practice run.

find usr -not -type d > rlog.tcz.list

Gave me a handy list of everything that gets installed.
So do I just delete the /tmp/package/usr/local/share/doc/ dir and thats my doc free tcz right ?
And do it in reverse to create the rlog-doc.tcz ?