
I want all new files added to ~/Downloads (and sub-folders) to be scanned with clamscan.

When using Firefox on other OSes/Machines I've noticed that downloaded files sometimes get automatically scanned. While I am specifically running a Debian-based home-roll-ish on this machine, the solution should work for other GNU/Linux distros, in particular the Slackware-based family of distributions where I'd also like to deploy it.

Based on this post "script-to-monitor-folder-for-new-files" I found, which was previously answered here, I have the following, which doesn't seem to work quite right (I ran it and then made a file using Thunar, the Xfce file manager, and no pop-ups showed up):

#!/bin/bash   
PATH_TO_WATCH="$(pwd)"
inotifywait -m /$PATH_TO_WATCH -e create -e moved_to |
    while read path action file; do
       CLAMSCAN_OUTPUT="$(clamscan $file)" 
       DIALOG_TEXT= "The file '$file' appeared in directory '$path' via '$action'. Clamscan was run on $file, generating the following output: $OUTPUT"
       echo $DIALOG_TEXT
       zenity --notification --text=$DIALOG_TEXT
    done

I am using zenity to form the popup message because, from what I can tell, xdialog has been deprecated according to a comment here. For reference, a copy of the inotifywait manpage is here, and this inoticoming manpage may also be helpful (a post concerning inotifywait I found here had linked to it).

  1. How can I fix this so it runs?
  2. Is this safe? Am I making things worse by running 24/7 a system script like this?
  3. Is there any chance that the output will be executed / should I do some form of regex on the $CLAMSCAN_OUTPUT or $DIALOG_TEXT to protect the system from malformed output?
  4. (I realise this is open-ended, so ignore if it bothers you) Is this the "wrong way" / is there a more secure method recommended?

Update

It turns out that zenity was also crashing.

After I tried to terminate it, I actually got the echo output. The error appears to be similar to that described at https://bugzilla.redhat.com/show_bug.cgi?id=740272 and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=716717. It is also reproducible on an official Xubuntu 14.04 LTS new install I have just tested it on. It is unfortunate, since --notification is unobtrusive, while --error requires user interaction.

Based on @Anthon's and @JigglyNaga's suggestions to improve it, the following is the new script:

#!/bin/bash
#~ This script watches recursively for changes in a folder and then scans new files/folders.

#~  which folder to watch, here the current directory is used
PATH_TO_WATCH="$(pwd)"

#~  While notification would be better, not used because of bug similar to "Debian Bug report logs - #716717"
#~  ZENITY_OUTPUT_METHOD="--notification"
ZENITY_OUTPUT_METHOD="--error"

#~  Initial notification stating the script is now active.
#~  --no-markup keeps zenity from interpreting characters such as & in the text.
INIT_OUTPUT="A scanning script is now waiting on '$PATH_TO_WATCH'"
echo "$INIT_OUTPUT"
zenity $ZENITY_OUTPUT_METHOD --no-markup --text="'$INIT_OUTPUT'"

#~ Recursively wait for new files/folders then loop through the list and scan them.
#~ inotifywait prints "<watched dir>/ <EVENTS> <name>"; read -r puts the rest of the
#~ line (including spaces in the name) into $file.
inotifywait -r -m "$PATH_TO_WATCH" -e create -e moved_to |
    while read -r path action file; do
       PRESCAN_OUTPUT="Now scanning '$file' which appeared in directory '$path' via '$action'."
       echo "$PRESCAN_OUTPUT"
       zenity $ZENITY_OUTPUT_METHOD --no-markup --text="'$PRESCAN_OUTPUT'"
       #~   Wait 5 seconds to scan, just in case it is still being created.
       sleep 5s
       #~   Scan the new file/folder by its full path (directory + name, needed with -r)
       #~   and save the output to display
       CLAMSCAN_OUTPUT=$(clamscan "$path$file")
       DIALOG_TEXT="Clamscan was run on $path$file, generating the following output: $CLAMSCAN_OUTPUT"
       #~   Tell user files have been scanned and show results
       echo "$DIALOG_TEXT"
       zenity $ZENITY_OUTPUT_METHOD --no-markup --text="'$DIALOG_TEXT'"
    done

  • As the file creation on downloads is not instantaneous, starting to scan the file on create is too early. I scan my ~/Downloads as well (not with inotify), and wait for a new file to be not changed for 5 seconds (adjustable) before taking action. – Anthon Nov 09 '14 at 07:55
  • You may want to add the --no-markup option to your zenity commands. Otherwise, if the file name contains a &, for example, some strange behavior can result. – John1024 Nov 09 '14 at 20:12
  • @John1024 ok, that's good to know. What type of behavior might it cause? Is this zenity specific or does it have to do with bash scripting in general? – ConfusedStack Nov 09 '14 at 21:20
  • @ConfusedStack With a & in the file name, zenity may ignore your text and produce the message "All updates are complete". This is a zenity-specific problem. --no-markup solves it. – John1024 Nov 09 '14 at 21:37

1 Answer

The line setting DIALOG_TEXT has two problems - a leading space, and the wrong variable name. Change it to

DIALOG_TEXT="The file '$file' appeared in directory '$path' via '$action'. Clamscan was run on $file, generating the following output: $CLAMSCAN_OUTPUT"

To handle filenames with spaces, change the quoting as follows:

CLAMSCAN_OUTPUT=$(clamscan "$file")

When Firefox is downloading, it creates an empty placeholder file, and downloads to $filename.part, then renames when complete. You could filter out files ending .part with --exclude '\.part$', but you'll still get an extra scan of the initial empty file.

– JigglyNaga
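A hardened version of the watcher, added here as an example rather than the asker's or JigglyNaga's code: it reacts to close_write instead of create (so the writer has finished), skips the .part placeholders the answer mentions, passes the full path through a single read -r so spaces survive, and gives zenity --no-markup as John1024 suggests. It assumes inotify-tools, clamscan and zenity are installed; WATCH_DIR, should_scan, scan_file and notify are names chosen for this example.

```shell
#!/bin/sh
# Added example, not the asker's or answerer's script. Scans each download only
# after the writer has closed it (close_write), skips Firefox's *.part placeholders,
# and keeps the full path intact even when it contains spaces.
# Assumes inotify-tools, clamscan and zenity are installed; WATCH_DIR is an assumption.
WATCH_DIR="${WATCH_DIR:-$HOME/Downloads}"

# should_scan EVENTS PATH: exit 0 when PATH deserves a scan, 1 otherwise.
# EVENTS is inotifywait's comma-separated list, e.g. CLOSE_WRITE,CLOSE or MOVED_TO,ISDIR.
should_scan() {
    case "$1" in
        *ISDIR*) return 1 ;;          # a directory itself is not scanned
    esac
    case "$2" in
        *.part) return 1 ;;           # Firefox's in-progress download
    esac
    [ -f "$2" ] || return 1           # already renamed or removed
    return 0
}

# scan_file PATH: run clamscan; exit 0 clean, 1 infected, 2 error (clamscan's own codes).
# Output is captured into a variable and only ever passed on as one argument, never eval'd.
scan_file() {
    SCAN_OUTPUT=$(clamscan --no-summary "$1" 2>&1) && return 0
    return $?
}

# notify TEXT: --no-markup stops zenity from interpreting & < > inside file names.
notify() {
    zenity --error --no-markup --text="$1" 2>/dev/null || printf '%s\n' "$1"
}

# --format '%e %w%f' prints the event list first and the full path last, so a single
# read -r keeps every space in the path (the original "read path action file" split it).
watch_loop() {
    inotifywait -m -r -e close_write -e moved_to --format '%e %w%f' "$WATCH_DIR" |
    while IFS=' ' read -r events path; do
        should_scan "$events" "$path" || continue
        if scan_file "$path"; then
            notify "clamscan: '$path' is clean"
        else
            notify "clamscan flagged '$path': $SCAN_OUTPUT"
        fi
    done
}

if [ "${1:-}" = "--watch" ]; then watch_loop; fi
```

Run it as `sh watch.sh --watch` to start the loop; without the flag the functions are only defined.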