1<?xml version="1.0" encoding="iso-8859-1"?> 2<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc"> 3<refentry id="vfs_scannedonly.8"> 4 5<refmeta> 6 <refentrytitle>vfs_scannedonly</refentrytitle> 7 <manvolnum>8</manvolnum> 8 <refmiscinfo class="source">Samba</refmiscinfo> 9 <refmiscinfo class="manual">System Administration tools</refmiscinfo> 10 <refmiscinfo class="version">3.5</refmiscinfo> 11</refmeta> 12 13 14<refnamediv> 15 <refname>vfs_scannedonly</refname> 16 <refpurpose>Ensures that only files that have been scanned for viruses are 17 visible and accessible to the end user.</refpurpose> 18</refnamediv> 19 20<refsynopsisdiv> 21 <cmdsynopsis> 22 <command>vfs objects = scannedonly</command> 23 </cmdsynopsis> 24</refsynopsisdiv> 25 26<refsect1> 27 <title>DESCRIPTION</title> 28 29 <para>This VFS module is part of the 30 <citerefentry><refentrytitle>samba</refentrytitle> 31 <manvolnum>8</manvolnum></citerefentry> suite.</para> 32 33 <para>The <command>vfs_scannedonly</command> VFS module ensures that 34 only files that have been scanned for viruses are visible and accessible 35 to the end user. If non-scanned files are found an anti-virus scanning 36 daemon is notified. The anti-virus scanning daemon is not part of the 37 Samba suite. 38 </para> 39 40 <para>Scannedonly comes in two parts: a samba vfs module and (one or 41 more) daemons. The daemon scans files. If a certain file is clean, 42 a second file is created with prefix <filename>.scanned:</filename>. 43 The Samba module simply looks if such a <filename>.scanned:</filename> 44 file exists, and is newer than the pertinent file. If this is the case, 45 the file is shown to the user. If this is not the case, the file is not 46 returned in a directory listing (configurable), and cannot be opened 47 (configurable). The Samba vfs module will notify the daemon to scan 48 this file. 49 </para> 50 51 <para>So what happens for the user in the default configuration. The 52 first time a directory is listed, it shows files as 'file is being 53 scanned for viruses, but after the first time all files are shown. 54 There is a utility scannedonly_prescan that can help you to prescan 55 all directories. When new files are written the daemon is notified 56 immediately after the file is complete. 57 </para> 58 59 <para>If a virus is found by the daemon, a file with a warning message 60 is created in the directory of the user, a warning is sent to the logs, 61 and the file is renamed to have prefix <filename>.virus:</filename>. 62 Files with the <filename>.virus:</filename> prefix are never shown to 63 the user and all access is denied. 64 </para> 65 66 <para>This module is stackable.</para> 67 68</refsect1> 69 70<refsect1> 71 <title>CONFIGURATION</title> 72 73 <para><command>vfs_scannedonly</command> relies on a anti-virus scanning 74 daemon that listens on the scannedonly socket (unix domain socket or UDP 75 socket). 76 </para> 77</refsect1> 78 79<refsect1> 80 <title>OPTIONS</title> 81 82 <variablelist> 83 <varlistentry> 84 <term>scannedonly:domain_socket = True </term> 85 <listitem> 86 <para>Whether to use a unix domain socket or not (false reverts 87 to use udp) 88 </para> 89 </listitem> 90 </varlistentry> 91 92 <varlistentry> 93 <term>scannedonly:socketname = /var/lib/scannedonly/scan</term> 94 <listitem> 95 <para>The location of the unix domain socket to connect to</para> 96 </listitem> 97 </varlistentry> 98 99 <varlistentry> 100 <term>scannedonly:portnum = 2020</term> 101 <listitem> 102 <para>The udp port number to connect to 103 </para> 104 </listitem> 105 </varlistentry> 106 <varlistentry><term>scannedonly:scanhost = localhost</term> 107 <listitem> 108 <para> 109 When using UDP the host that runs the scanning daemon (this host 110 needs access to the files!) 111 </para> 112 </listitem> 113 </varlistentry> 114 <varlistentry><term>scannedonly:show_special_files = True</term> 115 <listitem> 116 <para> 117 Whether sockets, devices and fifo's (all not scanned for 118 viruses) should be visible to the user 119 </para> 120 </listitem> 121 </varlistentry> 122 <varlistentry><term>scannedonly:rm_hidden_files_on_rmdir = True</term> 123 <listitem> 124 <para> 125 Whether files that are not visible (<filename>.scanned:</filename> 126 files, <filename>.failed:</filename> files and <filename>.virus: 127 </filename> files) should be deleted if the user tries to remove 128 the directory. If false, the user will get the "directory is not 129 empty" error. 130 </para> 131 </listitem> 132 </varlistentry> 133 <varlistentry><term>scannedonly:hide_nonscanned_files = True</term> 134 <listitem> 135 <para> 136 If false, all non-scanned files are visible in directory listings. 137 If such files are found in a directory listing the scanning daemon 138 is notified that scanning is required. Access to non-scanned files 139 is still denied (see scannedonly:allow_nonscanned_files). 140 </para> 141 </listitem> 142 </varlistentry> 143 <varlistentry><term>scannedonly:scanning_message = is being scanned for 144 viruses</term> 145 <listitem> 146 <para> 147 If non-scanned files are hidden 148 (if scannedonly:hide_nonscanned_files = True), a fake 0 byte file 149 is shown. The filename is the original filename with the message 150 as suffix. 151 </para> 152 </listitem> 153 </varlistentry> 154 <varlistentry><term>scannedonly:recheck_time_open = 50</term> 155 <listitem> 156 <para> 157 If a non-scanned file is opened, the vfs module will wait 158 recheck_tries_open times for recheck_time_open milliseconds for 159 the scanning daemon to create a <filename>.scanned:</filename> 160 file. For small files that are scanned by the daemon within the 161 time (tries * time) the behavior will be just like on-access 162 scanning. 163 </para> 164 </listitem> 165 </varlistentry> 166 <varlistentry><term>scannedonly:recheck_tries_open = 100</term> 167 <listitem> 168 <para> 169 See recheck_time_open. 170 </para> 171 </listitem> 172 </varlistentry> 173 <varlistentry><term>scannedonly:recheck_time_readdir = 50</term> 174 <listitem> 175 <para> 176 If a non-scanned file is in a directory listing the vfs module 177 notifies the daemon (once for all files that need scanning in 178 that directory), and waits recheck_tries_readdir times for 179 recheck_time_readdir milliseconds. Only used when 180 hide_nonscanned_files is false. 181 </para> 182 </listitem> 183 </varlistentry> 184 <varlistentry><term>scannedonly:recheck_tries_readdir = 20</term> 185 <listitem> 186 <para> 187 See recheck_time_readdir. 188 </para> 189 </listitem> 190 </varlistentry> 191 <varlistentry><term>scannedonly:allow_nonscanned_files = False</term> 192 <listitem> 193 <para> 194 Allow access to non-scanned files. The daemon is notified, 195 however, and special files such as <filename>.scanned:</filename> 196 files. <filename>.virus:</filename> files and 197 <filename>.failed:</filename> files are not listed. 198 </para> 199 </listitem> 200 </varlistentry> 201 202 </variablelist> 203</refsect1> 204 205<refsect1> 206 <title>EXAMPLES</title> 207 208 <para>Enable anti-virus scanning:</para> 209<programlisting> 210 <smbconfsection name="[homes]"/> 211 <smbconfoption name="vfs objects">scannedonly</smbconfoption> 212 <smbconfoption name="scannedonly:hide_nonscanned_files">False</smbconfoption> 213</programlisting> 214 215</refsect1> 216 217<refsect1> 218 <title>CAVEATS</title> 219 220 <para>This is not true on-access scanning. However, it is very fast 221 for files that have been scanned already. 222 </para> 223</refsect1> 224 225<refsect1> 226 <title>VERSION</title> 227 228 <para>This man page is correct for version 3.5.0 of the Samba suite. 229 </para> 230</refsect1> 231 232<refsect1> 233 <title>AUTHOR</title> 234 235 <para>The original Samba software and related utilities 236 were created by Andrew Tridgell. Scannedonly was 237 developed for Samba by Olivier Sessink. Samba is now developed 238 by the Samba Team as an Open Source project similar 239 to the way the Linux kernel is developed.</para> 240 241</refsect1> 242 243</refentry> 244