Date: Sat, 27 Aug 2022 15:38:44 +0200
From: Juraj Lutter <otis@FreeBSD.org>
To: Michael Gmelin <grembo@freebsd.org>
Cc: freebsd@oldach.net, freebsd-current@freebsd.org, freebsd-ports@freebsd.org, yasu@freebsd.org, freebsd@walstatt-de.de
Subject: Re: security/clamav: /ar/run on TMPFS renders the port broken by design
Message-ID: <C908E5B5-3A02-4CB1-9F6F-E58BB2984448@FreeBSD.org>
In-Reply-To: <E3110EFB-EF59-40C3-ACBF-496C7F309B49@freebsd.org>
References: <202208271318.27RDI9Jd044045@nuc.oldach.net> <E3110EFB-EF59-40C3-ACBF-496C7F309B49@freebsd.org>
> On 27 Aug 2022, at 15:27, Michael Gmelin <grembo@freebsd.org> wrote:
>
>> On 27. Aug 2022, at 15:18, freebsd@oldach.net wrote:
>>
>> Michael Gmelin wrote on Sat, 27 Aug 2022 15:02:04 +0200 (CEST):
>>> (you're removing /var/run, which shouldn't be removed
>>
>> Not quite. It's actually not uncommon to boot with an empty /var. Please see /etc/rc.d/var and related.
>
> That's a good point.
>
>> The request that ports/packages should consider this case is not exactly unreasonable IMO.
>>
>
> If I were the maintainer, I would simply add the code to create the directory for robustness' sake (I for one have deleted subdirs in /var/run more than once and would expect a port to fix this on restart, also to make sure correct permissions are applied). But since it doesn't seem like this is going to happen, adding a custom rc file would be a viable short-term workaround for the requester.
>
> I like the idea of having something like tmpfiles.d; it would also help port maintainers (could also be done as a port).
>

As I have stated in one of those PRs: clamd creates files in two locations:

- PidFile
- LocalSocket

Both locations could be checked in clamd.conf by the rc.d script (also freshclam's, eventually), and the respective directories can be created from within start_precmd().

otis

--
Juraj Lutter
otis@FreeBSD.org
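The start_precmd() approach suggested in the message above, as an added example in POSIX sh. This is not the port's rc.d script and not code posted by anyone in the thread. The config path, the clamav user/group, the helper names and the sample clamd.conf it builds are all assumptions; it goes slightly beyond the message by also handling comment lines and double-quoted values in clamd.conf.

```shell
#!/bin/sh
# Added example: a start_precmd() helper for an rc.d script that reads
# PidFile and LocalSocket from clamd.conf and creates their parent
# directories before clamd starts, so an empty /var/run (e.g. /var on
# tmpfs, or a subdir deleted by hand) does not break startup.
# Not the security/clamav port's own rc.d script.

# Assumptions: config path and daemon user/group (override via env).
: "${clamav_conf:=/usr/local/etc/clamav/clamd.conf}"
: "${clamav_user:=clamav}"
: "${clamav_group:=clamav}"

# Print the value of option $1 from config file $2.
# clamd.conf lines are "Option value"; '#' starts a comment; values may
# be double-quoted. Prints nothing if the option is absent.
clamd_conf_get() {
    awk -v opt="$1" '
        /^[[:space:]]*#/ { next }
        $1 == opt { v = $2; gsub(/^"|"$/, "", v); print v; exit }
    ' "$2"
}

# Create the parent directory of path $1 if it is missing. Only a
# missing directory is created; an existing one is left untouched so
# we never re-own or re-mode something this script did not create.
ensure_parent_dir() {
    _path=$1
    [ -n "$_path" ] || return 0
    _dir=$(dirname "$_path")
    [ -d "$_dir" ] && return 0
    if [ "$(id -u)" -eq 0 ] && id "$clamav_user" >/dev/null 2>&1; then
        # The real rc.d case: root creates the directory for the
        # unprivileged daemon user, mode 0755 (not group/world-writable).
        install -d -o "$clamav_user" -g "$clamav_group" -m 0755 "$_dir"
    else
        # Unprivileged fallback so the helper can be exercised in a test.
        mkdir -p "$_dir" && chmod 0755 "$_dir"
    fi
}

# What start_precmd would point at; takes an optional config path.
clamd_precmd() {
    _conf=${1:-$clamav_conf}
    if [ ! -r "$_conf" ]; then
        echo "clamd_precmd: cannot read $_conf" >&2
        return 1
    fi
    ensure_parent_dir "$(clamd_conf_get PidFile "$_conf")"
    ensure_parent_dir "$(clamd_conf_get LocalSocket "$_conf")"
}

# Constructed demo: a throwaway clamd.conf in a temp dir, with a
# commented-out PidFile and a quoted LocalSocket to show both are handled.
demo() {
    _d=$(mktemp -d) || return 1
    cat > "$_d/clamd.conf" <<EOF
LogFile $_d/log/clamd.log
#PidFile /should/not/be/used
PidFile $_d/run/clamav/clamd.pid
LocalSocket "$_d/run/clamav/clamd.sock"
EOF
    clamd_precmd "$_d/clamd.conf"
    ls -ld "$_d/run/clamav"
    rm -rf "$_d"
}

demo
```

In the rc.d script this would be wired up as start_precmd="clamd_precmd", and freshclam's own PidFile could get the same treatment. Two points matter for a daemon that drops privileges: the directory is created with mode 0755 so other local users cannot write into it, and an already existing directory is never chowned, so a stale or foreign /var/run/clamav is not silently handed to the daemon user.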