From nobody Sat Aug 27 13:02:04 2022 X-Original-To: freebsd-ports@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4MFH0f00nbz4ZNNd; Sat, 27 Aug 2022 13:02:10 +0000 (UTC) (envelope-from grembo@freebsd.org) Received: from mail.evolve.de (mail.evolve.de [213.239.217.29]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA512 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mail.evolve.de", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4MFH0c5Gwyz3H4M; Sat, 27 Aug 2022 13:02:08 +0000 (UTC) (envelope-from grembo@freebsd.org) Received: by mail.evolve.de (OpenSMTPD) with ESMTP id cfa47121; Sat, 27 Aug 2022 13:02:06 +0000 (UTC) Received: by mail.evolve.de (OpenSMTPD) with ESMTPSA id 92b474c0 (TLSv1.3:AEAD-AES256-GCM-SHA384:256:NO); Sat, 27 Aug 2022 13:02:06 +0000 (UTC) Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable List-Id: Porting software to FreeBSD List-Archive: https://lists.freebsd.org/archives/freebsd-ports List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-ports@freebsd.org X-BeenThere: freebsd-ports@freebsd.org Mime-Version: 1.0 (1.0) Subject: Re: security/clamav: /ar/run on TMPFS renders the port broken by design From: Michael Gmelin In-Reply-To: <20220827125405.10194d30@thor.intern.walstatt.dynvpn.de> Date: Sat, 27 Aug 2022 15:02:04 +0200 Cc: FreeBSD CURRENT , FreeBSD Ports , yasu@freebsd.org Message-Id: References: <20220827125405.10194d30@thor.intern.walstatt.dynvpn.de> To: FreeBSD User X-Mailer: iPhone Mail (19G82) X-Rspamd-Queue-Id: 4MFH0c5Gwyz3H4M X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=softfail (mx1.freebsd.org: 213.239.217.29 is neither permitted nor denied by domain of grembo@freebsd.org) smtp.mailfrom=grembo@freebsd.org X-Spamd-Result: default: False [-2.60 / 15.00]; NEURAL_HAM_LONG(-1.00)[-1.000]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; NEURAL_HAM_SHORT(-1.00)[-0.999]; MV_CASE(0.50)[]; MIME_GOOD(-0.10)[text/plain]; MLMMJ_DEST(0.00)[freebsd-current@freebsd.org,freebsd-ports@freebsd.org]; TO_MATCH_ENVRCPT_SOME(0.00)[]; ARC_NA(0.00)[]; R_DKIM_NA(0.00)[]; FROM_EQ_ENVFROM(0.00)[]; ASN(0.00)[asn:24940, ipnet:213.239.192.0/18, country:DE]; MIME_TRACE(0.00)[0:+]; TO_DN_SOME(0.00)[]; R_SPF_SOFTFAIL(0.00)[~all:c]; RCVD_TLS_LAST(0.00)[]; FREEFALL_USER(0.00)[grembo]; RCVD_VIA_SMTP_AUTH(0.00)[]; RCVD_COUNT_THREE(0.00)[3]; FROM_HAS_DN(0.00)[]; DMARC_NA(0.00)[freebsd.org]; RCPT_COUNT_THREE(0.00)[4]; MID_RHS_MATCH_FROM(0.00)[] X-ThisMailContainsUnwantedMimeParts: N > On 27. Aug 2022, at 12:54, FreeBSD User wrote: >=20 > =EF=BB=BFAm Sat, 27 Aug 2022 11:21:40 +0200 > Michael Gmelin schrieb: >=20 >>>> On 27. Aug 2022, at 08:31, FreeBSD User wrote:= >>>=20 >>> =EF=BB=BFHello, >>>=20 >>> I'm referencing to Bug 259699 [2] and Bug 259585 [1]. >>>=20 >>> Port security/clamav is without doubt for many of FreeBSD users an impor= tant piece of >>> security software so I assume a widespread usage. >>>=20 >>> It is also a not uncommon use case to use NanoBSD or any kind of low-mem= ory-footprint >>> installation schemes in which /var/run - amongst other system folders - a= re created at boot >>> time as TMPFS and highly volatile. >>>=20 >>> In our case, the boxes running a small security appliance based upon Fre= eBSD is rebooted >>> every 24 hours and so /var/run is vanishing. >>>=20 >>> To make the long story short: >>>=20 >>> The solution for this problem would be a check for existence and take ac= tion addendum in >>> precmd() routine of the rc-script as sketched in Bug 259699. >>> The maintainer rejects such a workaround by arguing this would violate P= OLA (see comment 4 >>> in PR 259699 [2]. The maintainer's argument regaring to mtree's files ar= e sound to me. >>>=20 >>> The question is: how can this issue be solved? >>>=20 >>> It is really hard to always chenge our local repository and patch whenev= er clamav has been >>> patched and modified for what reason ever. >>>=20 >>> Tahanks for reading, >>>=20 >>=20 >> Why don=E2=80=99t you simply add an rc script to your appliance that crea= tes the missing >> directory/directories on boot before clamav is started? >>=20 >> Best >> Michael >>=20 >>=20 >>=20 >=20 > Why not fixing this on a more general basis? It=E2=80=98s a reasonable way forward, given the limitations you described (= you=E2=80=99re removing /var/run, which shouldn=E2=80=99t be removed and the= port maintainer not willing to add code to compensate for this). This would= fix it for you for your specific needs in a reliable way, you would never h= ave to patch the port again and also won=E2=80=99t use other people=E2=80=98= s time to find a general solution to your very specific problem. It=E2=80=99= s a sustainable quick fix to your problem at hand. You can always come up wi= th something grand later, but this would actually work right away. Cheers