cleanq scans the current working directory, deleting work files no longer in use by qscanq.
cleanq takes only one command-line option: if invoked with the "-l" option, then cleanq logs a startup message and a record of each of its actions to stdout.
Users can run cleanq if they want, but it would serve no purpose: cleanq uses no special privileges. It is intended to be run in the scanning directory by supervise, part of the daemontools package.
In the default configuration, cleanq is set to log all actions, and multilog (also part of the daemontools package) is set to ignore startup messages and routine deletions (i.e., removal of non-sticky working directories). These settings can be changed either by editing conf-cqlog at compile time or by editing /service/qscanq/log/run directly.
Rules for Deletion
cleanq applies the following rules to each entry in the scanning directory, in order:
Entries named "." or ".." are ignored.
If cleanq cannot stat the file, then it is ignored and the failure is logged to stderr.
If the directory entry is not a subdirectory, cleanq will attempt to unlink it. If the "-l" option is used, cleanq will also log the filename to stdout. Failure to unlink the file will be ignored. Note that non-directories should never be created by qscanq, so presence of this log entry indicates a potential security breach.
Any remaining entry (by this point necessarily a subdirectory) whose name does not start with '@' is ignored. If the "-l" option is used, the name will be logged to stdout. qscanq never creates such directories, so presence of this log entry indicates a potential security breach.
If the entry does not have its sticky bit set, then it is removed. This is the normal operational mode; under normal conditions, this should be the only action logged by cleanq.
If the entry does have its sticky bit set, but its ctime is older than three times the age specified at compile time in conf-ageout, then it is removed. By default, this means that entries older than 3 hours are removed. If the "-l" option is used and this log entry is found, it does not indicate a likely security breach, but it does indicate a possible attack in which some attacker is holding connections open to your mail server.
Removal Procedure
An unused working directory--i.e., one whose name begins with "@", and whose sticky bit is unset or whose ctime is older than three times conf-ageout (three hours by default)--is removed in the following steps:
Change into the directory, and then change into the subdirectory named "work". If this step fails, cleanq logs an error message and tries to unlink the working directory.
Execute the command in conf-rm. By default, this is "rm -rf".
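The deletion rules and the removal step, written out as an added C example. This is not cleanq's own source (the page does not show it): the names action_t, classify, scan_dir and make_fixture are assumptions, the log wording is invented, conf-ageout is represented by an ageout parameter in seconds, and the external conf-rm command is replaced by an in-process recursive delete (nftw) rather than changing into the "work" subdirectory first. The scanning directory the example builds under /tmp is constructed test data, not real qscanq output.

```c
/* Added example, not cleanq's source. Names (action_t, classify, scan_dir,
 * make_fixture) and log wording are assumed; nftw stands in for conf-rm. */
#define _XOPEN_SOURCE 700
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <ftw.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

typedef enum { ACT_SKIP, ACT_STATFAIL, ACT_UNLINK, ACT_IGNORE,
               ACT_KEEP, ACT_REMOVE, ACT_REMOVE_STALE } action_t;

static int join(char *out, size_t n, const char *dir, const char *name)
{
    return snprintf(out, n, "%s/%s", dir, name) < (int)n;   /* 0 if truncated */
}

/* The rules in the order listed. now and ageout (seconds, standing in for
 * conf-ageout) are parameters so the age-out branch can be tested directly. */
action_t classify(const char *dir, const char *name, time_t now, long ageout)
{
    char path[4096];
    struct stat st;
    if (!strcmp(name, ".") || !strcmp(name, ".."))
        return ACT_SKIP;
    if (!join(path, sizeof path, dir, name) || stat(path, &st) == -1) {
        fprintf(stderr, "cleanq: cannot stat %s: %s\n", name, strerror(errno));
        return ACT_STATFAIL;                 /* logged, then ignored */
    }
    if (!S_ISDIR(st.st_mode))
        return ACT_UNLINK;                   /* qscanq never creates these */
    if (name[0] != '@')
        return ACT_IGNORE;                   /* nor these */
    if (!(st.st_mode & S_ISVTX))
        return ACT_REMOVE;                   /* the routine case */
    if (now - st.st_ctime > 3 * ageout)
        return ACT_REMOVE_STALE;             /* sticky, but held too long */
    return ACT_KEEP;                         /* sticky and still in use */
}

static int rm_cb(const char *p, const struct stat *s, int t, struct FTW *f)
{
    (void)s; (void)t; (void)f;
    return remove(p);
}

/* One pass over dir, logging each action to stdout when verbose (as with -l).
 * Returns the number of entries removed, or -1 if dir cannot be opened. */
int scan_dir(const char *dir, time_t now, long ageout, int verbose)
{
    DIR *d = opendir(dir);
    struct dirent *e;
    char path[4096];
    int removed = 0;
    if (!d) return -1;
    while ((e = readdir(d)) != NULL) {
        action_t a = classify(dir, e->d_name, now, ageout);
        if (!join(path, sizeof path, dir, e->d_name)) continue;
        if (a == ACT_UNLINK) {
            if (verbose) printf("stray file: %s\n", e->d_name);
            if (unlink(path) == 0) removed++;        /* failure is ignored */
        } else if (a == ACT_IGNORE && verbose) {
            printf("non-@ directory: %s\n", e->d_name);
        } else if (a == ACT_REMOVE || a == ACT_REMOVE_STALE) {
            if (verbose) printf("%s: %s\n", a == ACT_REMOVE ? "removing" : "aging out", e->d_name);
            if (nftw(path, rm_cb, 16, FTW_DEPTH | FTW_PHYS) == 0) removed++;
            else fprintf(stderr, "cleanq: cannot remove %s\n", e->d_name);
        }
    }
    closedir(d);
    return removed;
}

/* Constructed scanning directory (test data, not real qscanq output): @fresh
 * (non-sticky, with a nested work/ tree), @busy (sticky), lost (no '@'), and
 * stray (a regular file). Built once under /tmp; later calls return the path. */
const char *make_fixture(void)
{
    static char dir[64] = "";
    static const char *sub[] = { "@fresh", "@fresh/work", "@fresh/work/x", "@busy", "lost" };
    char p[128];
    size_t i;
    if (dir[0]) return dir;
    if (!mkdtemp(strcpy(dir, "/tmp/cleanq-demo.XXXXXX"))) return NULL;
    for (i = 0; i < sizeof sub / sizeof *sub; i++)
        if (!join(p, sizeof p, dir, sub[i]) || mkdir(p, 0700) == -1) return NULL;
    if (!join(p, sizeof p, dir, "@busy") || chmod(p, 0700 | S_ISVTX) == -1) return NULL;
    if (!join(p, sizeof p, dir, "stray") || close(open(p, O_WRONLY | O_CREAT, 0600)) == -1)
        return NULL;
    return dir;
}

int main(void)
{
    if (!make_fixture()) { perror("fixture"); return 1; }
    printf("removed %d entries\n", scan_dir(make_fixture(), time(NULL), 3600, 1));
    return 0;
}
```

Because the clock is a parameter, the age-out branch can be checked by passing a time more than three hours ahead instead of waiting; a second pass over the same directory should remove nothing, since the sticky entry is kept and the non-'@' directory is only logged.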
Earlier versions of qscanq did not execute an external program. Unfortunately, MIME unpacking programs are liable to create subdirectories for unpacked files, which implies the need for recursive deletion. So for the time being, we've resumed using /bin/rm.
Security Considerations
Clearly, an attacker wishing to defeat cleanq and fill up the scanning directory would attempt to violate the rules implied above. Specifically, he would try to create directories whose names do not begin with "@" (names beginning with ".", for example), which cleanq ignores, or to create directories under the "work" subdirectory or elsewhere in the scanning directory.
To accomplish either one, the attacker must subvert either ripmime or the virus scanner. In normal operation, ripmime does not respect filenames provided with MIME attachments, and antivir or clamscan do not leave files or directories behind.
If any of the steps listed under Removal Procedure should fail, the failure is logged to stderr whether or not the "-l" option is used. A sysadmin should quickly detect any breach preventing cleanq from deleting files.
