summaryrefslogtreecommitdiff
path: root/docs-xml/manpages/vfs_scannedonly.8.xml
blob: 7a1c93f27b4137b5dacd53382007ba379fe9ce5f (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
<refentry id="vfs_scannedonly.8">

<refmeta>
	<refentrytitle>vfs_scannedonly</refentrytitle>
	<manvolnum>8</manvolnum>
	<refmiscinfo class="source">Samba</refmiscinfo>
	<refmiscinfo class="manual">System Administration tools</refmiscinfo>
	<refmiscinfo class="version">4.1</refmiscinfo>
</refmeta>


<refnamediv>
	<refname>vfs_scannedonly</refname>
	<refpurpose>Ensures that only files that have been scanned for viruses are
	visible and accessible to the end user.</refpurpose>
</refnamediv>

<refsynopsisdiv>
	<cmdsynopsis>
		<command>vfs objects = scannedonly</command>
	</cmdsynopsis>
</refsynopsisdiv>

<refsect1>
	<title>DESCRIPTION</title>

	<para>This VFS module is part of the
	<citerefentry><refentrytitle>samba</refentrytitle>
	<manvolnum>8</manvolnum></citerefentry> suite.</para>

	<para>The <command>vfs_scannedonly</command> VFS module ensures that
	only files that have been scanned for viruses are visible and accessible
	to the end user. If non-scanned files are found an anti-virus scanning
	daemon is notified. The anti-virus scanning daemon is not part of the
	Samba suite.
	</para>

	<para>Scannedonly comes in two parts: a samba vfs module and (one or
	more) daemons. The daemon scans files. If a certain file is clean,
	a second file is created with prefix <filename>.scanned:</filename>.
	The Samba module simply looks if such a <filename>.scanned:</filename>
	file exists, and is newer than the pertinent file. If this is the case,
	the file is shown to the user. If this is not the case, the file is not
	returned in a directory listing (configurable), and cannot be opened
	(configurable). The Samba vfs module will notify the daemon to scan
	this file.
	</para>

	<para>So what happens for the user in the default configuration. The
	first time a directory is listed, it shows files as 'file is being
	scanned for viruses, but after the first time all files are shown.
	There is a utility scannedonly_prescan that can help you to prescan
	all directories. When new files are written the daemon is notified
	immediately after the file is complete.
	</para>

	<para>If a virus is found by the daemon, a file with a warning message
	is created in the directory of the user, a warning is sent to the logs,
	and the file is renamed to have prefix <filename>.virus:</filename>.
	Files with the <filename>.virus:</filename> prefix are never shown to
	the user and all access is denied.
	</para>

	<para>This module is stackable.</para>

</refsect1>

<refsect1>
	<title>CONFIGURATION</title>

	<para><command>vfs_scannedonly</command> relies on a anti-virus scanning
	daemon that listens on the scannedonly socket (unix domain socket or UDP
	socket).
	</para>
</refsect1>

<refsect1>
        <title>OPTIONS</title>

        <variablelist>
		<varlistentry>
		<term>scannedonly:domain_socket = True </term>
		<listitem>
		<para>Whether to use a unix domain socket or not (false reverts
		to use udp)
		</para>
		</listitem>
	</varlistentry>

	<varlistentry>
		<term>scannedonly:socketname = /var/lib/scannedonly/scan</term>
		<listitem>
		<para>The location of the unix domain socket to connect to</para>
		</listitem>
	</varlistentry>

	<varlistentry>
		<term>scannedonly:portnum = 2020</term>
		<listitem>
		<para>The udp port number to connect to
		</para>
		</listitem>
	</varlistentry>
	<varlistentry><term>scannedonly:scanhost = localhost</term>
		<listitem>
		<para>
		When using UDP the host that runs the scanning daemon (this host
		needs access to the files!)
		</para>
		</listitem>
	</varlistentry>
	<varlistentry><term>scannedonly:show_special_files = True</term>
		<listitem>
		<para>
		Whether sockets, devices and fifo's (all not scanned for
		viruses) should be visible to the user
		</para>
		</listitem>
	</varlistentry>
	<varlistentry><term>scannedonly:rm_hidden_files_on_rmdir = True</term>
		<listitem>
		<para>
		Whether files that are not visible (<filename>.scanned:</filename>
		files, <filename>.failed:</filename> files and <filename>.virus:
		</filename> files) should be deleted if the user tries to remove
		the directory. If false, the user will get the "directory is not
		empty" error.
		</para>
		</listitem>
	</varlistentry>
	<varlistentry><term>scannedonly:hide_nonscanned_files = True</term>
		<listitem>
		<para>
		If false, all non-scanned files are visible in directory listings.
		If such files are found in a directory listing the scanning daemon
		is notified that scanning is required. Access to non-scanned files
		is still denied (see scannedonly:allow_nonscanned_files).
		</para>
		</listitem>
	</varlistentry>
	<varlistentry><term>scannedonly:scanning_message = is being scanned for
	viruses</term>
		<listitem>
		<para>
		If non-scanned files are hidden
		(if scannedonly:hide_nonscanned_files = True), a fake 0 byte file
		is shown. The filename is the original filename with the message
		as suffix.
		</para>
		</listitem>
	</varlistentry>
	<varlistentry><term>scannedonly:recheck_time_open = 50</term>
		<listitem>
		<para>
		If a non-scanned file is opened, the vfs module will wait
		recheck_tries_open times for recheck_time_open milliseconds for
		the scanning daemon to create a <filename>.scanned:</filename>
		file. For small files that are scanned by the daemon within the
		time (tries * time) the behavior will be just like on-access
		scanning.
		</para>
		</listitem>
	</varlistentry>
	<varlistentry><term>scannedonly:recheck_tries_open = 100</term>
		<listitem>
		<para>
		See recheck_time_open.
		</para>
		</listitem>
	</varlistentry>
	<varlistentry><term>scannedonly:recheck_time_readdir = 50</term>
		<listitem>
		<para>
		If a non-scanned file is in a directory listing the vfs module
		notifies the daemon (once for all files that need scanning in
		that directory), and waits recheck_tries_readdir times for
		recheck_time_readdir milliseconds. Only used when
		hide_nonscanned_files is false.
		</para>
		</listitem>
	</varlistentry>
	<varlistentry><term>scannedonly:recheck_tries_readdir = 20</term>
		<listitem>
		<para>
		See recheck_time_readdir.
		</para>
		</listitem>
	</varlistentry>
	<varlistentry><term>scannedonly:allow_nonscanned_files = False</term>
		<listitem>
		<para>
		Allow access to non-scanned files. The daemon is notified,
		however, and special files such as <filename>.scanned:</filename>
		files. <filename>.virus:</filename> files and
		<filename>.failed:</filename> files are not listed.
		</para>
		</listitem>
	</varlistentry>

	</variablelist>
</refsect1>

<refsect1>
	<title>EXAMPLES</title>

	<para>Enable anti-virus scanning:</para>
<programlisting>
        <smbconfsection name="[homes]"/>
	<smbconfoption name="vfs objects">scannedonly</smbconfoption>
	<smbconfoption name="scannedonly:hide_nonscanned_files">False</smbconfoption>
</programlisting>

</refsect1>

<refsect1>
	<title>CAVEATS</title>

	<para>This is not true on-access scanning. However, it is very fast
	for files that have been scanned already.
	</para>
</refsect1>

<refsect1>
	<title>VERSION</title>

	<para>This man page is correct for version 4.0.0 of the Samba suite.
	</para>
</refsect1>

<refsect1>
	<title>AUTHOR</title>

	<para>The original Samba software and related utilities
	were created by Andrew Tridgell. Scannedonly was
	developed for Samba by Olivier Sessink. Samba is now developed
	by the Samba Team as an Open Source project similar
	to the way the Linux kernel is developed.</para>

</refsect1>

</refentry>