root/tags/stable/fetch-sanesecurity-sigs

Revision 373, 7.8 KB (checked in by malcolm, 3 years ago)

Tag current version as stable
  • Property svn:executable set to *
  • Property svn:keywords set to Date Revision
Line 
1#!/bin/bash
2#
3# fetch-sanesecurity-sigs
4# by Malcolm Scott, Retrosnub Internet Services
5# <malcolm at retrosnub dot co dot uk>
6#
7# http://www.retrosnub.co.uk/sanesecurity
8# svn://svn.sanesecurity.retrosnub.co.uk/
9#
10# $Revision$
11# $Date$
12#
13# -----------------------------------------------------------------------------
14# Copyright (C) 2009 Malcolm Scott
15#
16# This program is free software; you can redistribute it and/or modify it under
17# the terms of the GNU General Public License version 2 as published by the
18# Free Software Foundation.
19#
20# This program is distributed in the hope that it will be useful, but WITHOUT
21# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
22# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
23#
24# You should have received a copy of the GNU General Public License along with
25# this program; if not, write to the Free Software Foundation, Inc., 59 Temple
26# Place, Suite 330, Boston, MA 02111-1307 USA
27# -----------------------------------------------------------------------------
28#
29# INSTALLATION AND USAGE:
30#
31#  * Ensure that you have wget, gpg and rsync installed (in addition to a
32#    standard set of UNIX tools).
33#  * Configure this script by editing the configuration variables below.
34#  * Set up cron to run this script periodically, at a randomly-selected time
35#    (i.e. not just on the hour unless unavoidable), not more often than once
36#    per hour.  The script should be run either as root or as the user clamd
37#    runs as.  For example, add the following line to /etc/crontab or a file
38#    in /etc/cron.d:
39#         42 * * * *  root  /path/to/fetch-sanesecurity-sigs >/dev/null
40#    (Redirection of the output to /dev/null is recommended when running from
41#    cron as the script is verbose in normal operation.  This will not hide
42#    errors, however.)
43#
44# Note that this script is tailored to the Sanesecurity setup (as of January
45# 2009).  It should replace scripts using the pre-2009 setup (HTTP).  It is
46# not intended to download non-Sanesecurity signatures; use another script
47# for that purpose.
48
49
50### Configuration ###
51
52# ClamAV database location
53clamd_dbdir="/var/lib/clamav"
54
55# ClamAV daemon process ID file
56# (If this is commented out, the daemon will not be reloaded automatically)
57clamd_pidfile="/var/run/clamav/clamd.pid"
58
59# Directory in which this script will keep its persistent data
60data_dir="/var/lib/sanesecurity"
61
62# Directory in which this script will keep its cache
63# (This should not be the same as data_dir.  Any unexpected files in this
64# directory will be deleted!)
65cache_dir="/var/cache/sanesecurity"
66
67# Mirror to use, in a form accepted by rsync
68# (Leave set to the round robin address unless you know what you are doing:
69# forcing the use of one particular mirror will cause excess load for that
70# mirror)
71mirror="rsync://rsync.sanesecurity.net/sanesecurity"
72
73# Extra options for rsync
74# The default, --contimeout=30, makes for faster recovery if a mirror is
75# blocking your connection (e.g. if you connect too frequently).  However
76# this is not available in older versions of rsync so you may need to
77# remove it.
78# Additionally, if you have a slow link you may want to add -z here to
79# enable compression.
80rsync_extra_opts="--contimeout=30"
81
82# Minimum interval between updates, in minutes
83# (Note that the download servers may be configured to drop connections made
84# at too great a rate)
85min_interval="30"
86
87# Randomly sleep before downloading if running noninteractively?
88# (Please leave this enabled, as it reduces peak load on the mirrors)
89random_sleep=1
90
91# URL of the Sanesecurity GnuPG public key
92gpg_key_url="http://www.sanesecurity.net/publickey.gpg"
93
94# Location of GnuPG home directory
95# (If you change this, be sure that you understand the security implications:
96# signatures by *any* key in your public keyring will be accepted)
97gpg_homedir="$data_dir/gnupg"
98
99# Extra options for GnuPG, if required
100gpg_extra_opts=""
101
102# Exclude logical signatures (*.ldb)?
103# These are not supported by versions of ClamAV prior to 0.94.
104# If you use an old version of ClamAV, you should enable this option.
105#exclude_ldb=1
106
107### End of configuration ###
108
109
110umask 0022
111
112# Check the configuration looks sane
113if [ ! -d "$clamd_dbdir" ]
114then
115        echo "clamd_dbdir ($clamd_dbdir) does not exist; aborting" >&2
116        echo "(check your configuration)" >&2
117        exit 1
118fi
119
120mkdir -p "$data_dir" "$cache_dir"
121
122# Set up GnuPG, if necessary
123if [ ! -d "$gpg_homedir" ]
124then
125        echo "GnuPG homedir is nonexistant; initialising" >&2
126        echo "(This should only occur once)" >&2
127        mkdir -p "$gpg_homedir"
128        chmod 0700 "$gpg_homedir"
129        gpg_tmp="$(mktemp -t fetch-sanesecurity-sigs.XXXXXXXXXX)"
130        if ! wget -O "$gpg_tmp" "$gpg_key_url"
131        then
132                echo "ERROR: could not fetch GnuPG public key; aborting" >&2
133                rm -f "$gpg_tmp"
134                exit 4
135        fi
136        if ! gpg --homedir "$gpg_homedir" $gpg_extra_opts --import "$gpg_tmp"
137        then
138                echo "ERROR: could not import GnuPG public key; aborting" >&2
139                rm -f "$gpg_tmp"
140                exit 4
141        fi
142        rm -f "$gpg_tmp"
143fi
144
145# This appears to be the most portable way to find the current timestamp
146# (suggestions on how to avoid calling perl are very welcome)
147time_now="$(perl -le print+time)"
148if [ ! "$time_now" -gt 1 ]
149then
150        echo "Could not find current timestamp -- is perl installed?" >&2
151        exit 5
152fi
153
154# Check that min_interval seconds have elapsed since last run
155if [ -s "$data_dir/update-stamp" ]
156then
157        time_then="$(cat "$data_dir/update-stamp")"
158        minutes_elapsed=$(( (time_now - time_then) / 60 ))
159        if [ "$minutes_elapsed" -lt "$min_interval" ]
160        then
161                echo "Must wait at least $min_interval minutes between updates; aborting" >&2
162                exit 2
163        fi
164fi
165
166# Random sleep (see comment in configuration section)
167if [ "$random_sleep" = "1" ]
168then
169        # Are we running noninteractively, i.e. without a tty on stdin?
170        if ! tty -s
171        then
172                # $RANDOM is between 0 and 32767.
173                # Use this to generate a time between 30 and 32767/200+30 = 193 seconds.
174                sleep_time=$((RANDOM/200+30))
175                echo "Sleeping for $sleep_time seconds."
176                sleep $sleep_time
177        fi
178fi
179
180# Update the cache
181if [ "$exclude_ldb" = "1" ]
182then
183        rsync_extra_opts="$rsync_extra_opts --exclude=*.ldb"
184        rm -f "$cache_dir"/*.ldb
185fi
186if ! rsync --progress --delete -rt $rsync_extra_opts "$mirror/." "$cache_dir/"
187then
188        echo "rsync failed; aborting." >&2
189        exit 3
190fi
191echo "$time_now" > "$data_dir/update-stamp"
192chmod 0644 "$cache_dir"/*
193echo
194
195# Iterate through the databases in the cache
196installed=0
197for db in "$cache_dir"/*.?db "$cache_dir"/*.ftm
198do
199        db_name=$(basename "$db")
200        db_live="$clamd_dbdir/sanesecurity-$db_name"
201
202        # Only pay any attention to this database if it's newer than the installed version
203        if [ -e "$db_live" -a ! "$db" -nt "$db_live" ]
204        then
205                echo "$db_name is already up-to-date; skipping"
206                continue
207        fi
208
209        # Zero-length databases have no value and confuse the test below
210        if [ ! -s "$db" ]
211        then
212                echo "$db_name is zero-length; discarding"
213                continue
214        fi
215
216        # Check that the GnuPG signature is present and correct
217        if ! gpg_out=$(gpg --homedir "$gpg_homedir" $gpg_extra_opts --verify "$db.sig" "$db" 2>&1)
218        then
219                echo "SECURITY ERROR: $db_name has a bad GnuPG signature; discarding:" >&2
220                echo "$gpg_out" >&2
221                continue
222        fi
223
224        # Test the database by asking ClamAV to check something with it
225        if ! clamscan --quiet --tempdir="${TMPDIR:-/tmp}" --database="$db" - < /dev/null
226        then
227                echo "ERROR: $db_name fails a simple test; discarding" >&2
228                continue
229        fi
230
231        # Now we can actually install this database
232        echo "Installing $db_name into $db_live"
233        if rsync -p "$db" "$db_live"
234        then
235                installed=$((installed+1))
236
237                # Clean up stuff left behind by old scripts
238                rm -f "$clamd_dbdir/$db_name"*
239        fi
240done
241
242# Finished; display summary and perhaps reload clamd
243echo
244if [ "$installed" -gt 0 ]
245then
246        if [ "$installed" -eq 1 ]
247        then
248                s=""
249        else
250                s="s"
251        fi
252        echo "Installed $installed database$s"
253
254        # Is clamd running?
255        if [ "$clamd_pidfile" -a -f "$clamd_pidfile" ]
256        then
257                echo "Reloading ClamAV daemon"
258                clamdscan --reload
259        fi
260else
261        echo "No databases installed."
262fi
263
264exit 0
Note: See TracBrowser for help on using the browser.