Date:      Sun, 28 Aug 2022 03:05:01 -0700
From:      Cy Schubert <Cy.Schubert@cschubert.com>
To:        freebsd@oldach.net (Helge Oldach)
Cc:        Cy.Schubert@cschubert.com (Cy Schubert), otis@FreeBSD.org, freebsd@walstatt-de.de, grembo@freebsd.org, freebsd-current@freebsd.org, freebsd-ports@freebsd.org, yasu@freebsd.org
Subject:   Re: security/clamav: /ar/run on TMPFS renders the port broken by  design
Message-ID:  <20220828100501.EBA69307@slippy.cwsent.com>
In-Reply-To: <202208280842.27S8gDXn055868@nuc.oldach.net>
References:  <202208280842.27S8gDXn055868@nuc.oldach.net>

In message <202208280842.27S8gDXn055868@nuc.oldach.net>, Helge Oldach 
writes:
> Cy Schubert wrote on Sat, 27 Aug 2022 17:26:38 +0200 (CEST):
> > As stated before in this thread, replacing /var/run with tmpfs is not a
> > supported configuration.
>
> Not supported? What is the purpose of /etc/rc.d/var then? That creates a
> tmpfs backed /var, populates it through mtree, and makes a proper /var/run
> available.
>
> However it doesn't (yet) create /var/run/clamav of course.
>
> It would be fairly easy to extend /etc/rc.d/var by a logic that walks through
> /usr/local/etc/mtree/* and runs mtree on each of the files found as needed.
> All that the security/clamav port would need to do then is to drop an
> appropriate small mtree file as /usr/local/etc/mtree/clamav. From a port's
> perspective that is the same logic as dropping service scripts as
> /usr/local/etc/rc.d/clamav-*.
>
> Kind regards
> Helge

This is because you don't already have a /var/run/clamav yet. Unfortunately 
this does not retroactively create /var/run/clamav.

My new copy of the script, attached, also does not retroactively create the 
directory. Create the directory by hand. Use your server. Reboot and the 
directories will be recreated.

If converting from UFS or ZFS /var/run, simply add the tmpfs mountpoint 
after adding and enabling the script and reboot. (I prefix all locally 
written scripts with kq-).

Remember, this does not retroactively create /var/run/clamav if it doesn't 
already exist. This only makes mounting tmpfs on /var/run a possible option.



Attachment: kq-var-run

#!/bin/sh

# PROVIDE: kq-var-run
# REQUIRE: zfs tmp
# BEFORE: FILESYSTEMS

# Persist the directory skeleton of a tmpfs-backed /var/run across reboots.
# "save" records the directories under /var/run (directories only; sockets
# and pid files are deliberately left out) in an mtree(8) specification, and
# "start"/"load" replay that specification into the freshly mounted, empty
# tmpfs, recreating the directories with their saved owner, group and mode.

. /etc/rc.subr

name=kq_var_run
rcvar=kq_var_run_enable
extra_commands="load save"
start_cmd="kq_var_run_start"
load_cmd="kq_var_run_load"
save_cmd="kq_var_run_save"
stop_cmd="kq_var_run_stop"

load_rc_config $name

# Set defaults
: ${kq_var_run_enable:="NO"}
: ${kq_var_run_mtree:="/var/db/mtree/BSD.var-run.mtree"}
: ${kq_var_run_autosave:="YES"}

# Recreate any directory missing under /var/run from the saved specification
# and restore its uid/gid/mode (-U); -q keeps mtree quiet about directories
# that already exist.
kq_var_run_load() {
	test -f "${kq_var_run_mtree}" &&
		mtree -U -i -q -f "${kq_var_run_mtree}" -p /var/run > /dev/null
}

# Record the current directory tree under /var/run.  Only the parent
# directory of the specification file is created here; the file itself is
# written by mtree.  -k limits the saved keywords to the ones -U can enforce
# (type, uid, gid, mode), so a later load does not report mismatches on
# keywords such as time, size or nlink that change on every boot.
kq_var_run_save() {
	if [ ! -d "$(dirname "${kq_var_run_mtree}")" ]; then
		mkdir -p "$(dirname "${kq_var_run_mtree}")"
	fi
	mtree -dcbj -k uid,gid,mode -p /var/run > "${kq_var_run_mtree}"
}

# Only act when /var/run really is tmpfs; on UFS or ZFS the directories
# persist on their own.  df(1) exits non-zero when the file system under the
# given path does not match -t, which is what the test relies on.
kq_var_run_start() {
	if df -t tmpfs /var/run > /dev/null 2>&1; then
		kq_var_run_load
	fi
}

kq_var_run_stop() {
	if df -t tmpfs /var/run > /dev/null 2>&1 &&
	    checkyesno kq_var_run_autosave; then
		kq_var_run_save
	fi
}

run_rc_command "$1"

Cheers,
Cy Schubert <Cy.Schubert@cschubert.com>
FreeBSD UNIX:  <cy@FreeBSD.org>   Web:  http://www.FreeBSD.org
NTP:           <cy@nwtime.org>    Web:  https://nwtime.org

			e^(i*pi)+1=0

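The procedure described in the message above (create the missing directory by hand once, save, reboot onto an empty tmpfs, load), replayed against a scratch directory so it can be run unprivileged. This is an added example, not code from the post, from the attached kq-var-run script or from the security/clamav port. The mtree invocations mirror the ones in the attached script, with -k restricting the saved keywords to what -U can enforce; the directory name "clamav" and the mode 0750 are assumptions for illustration (the port sets its own owner and mode). It needs mtree(8) from the FreeBSD base system and does nothing where mtree is not installed.

```shell
#!/bin/sh
# Added example (not from the post or the clamav port): one save/load round
# trip of a tmpfs-style /var/run, performed on a scratch directory.
# Assumptions: a service directory named "clamav" with mode 0750.

# Save step, as in the kq-var-run script: directories only (-d), write a
# specification (-c), no blank lines (-b), indented (-j).  -k keeps just
# type/uid/gid/mode so the spec is stable from boot to boot.
varrun_save() {
	mkdir -p "$(dirname "$2")"
	mtree -dcbj -k uid,gid,mode -p "$1" > "$2"
}

# Load step, as in the kq-var-run script: create what is missing and put
# owner, group and mode back (-U), quietly (-q).  Exits 0 when everything in
# the spec exists or could be corrected.
varrun_load() {
	[ -f "$2" ] || return 1
	mtree -U -i -q -f "$2" -p "$1" > /dev/null
}

# One boot cycle.  $1 plays /var/run, $2 is the spec file.  Returns 0 when
# the service directory came back from the spec with its mode intact.
varrun_cycle() {
	root=$1
	spec=$2

	# The one-time manual step from the post: create the directory by hand
	# before the first save (assumed name and mode).
	mkdir -p "$root/clamav"
	chmod 0750 "$root/clamav"

	# What "service kq-var-run save" (or autosave at shutdown) does.
	varrun_save "$root" "$spec" || return 1

	# A reboot leaves a freshly mounted, empty tmpfs behind.
	rm -rf "$root/clamav"

	# What "service kq-var-run start" does on the next boot.
	varrun_load "$root" "$spec" || return 1

	[ -d "$root/clamav" ] &&
		[ "$(ls -ld "$root/clamav" | cut -c1-10)" = "drwxr-x---" ]
}

# Stand-alone run: show the spec that gets persisted, then report the outcome.
if command -v mtree > /dev/null 2>&1; then
	work=$(mktemp -d)
	if varrun_cycle "$work" "$work.spec/BSD.var-run.mtree"; then
		cat "$work.spec/BSD.var-run.mtree"
		echo "restored $work/clamav from the spec"
	else
		echo "restore failed" >&2
	fi
	rm -rf "$work" "$work.spec"
fi
```

On a real host the same sequence is `mkdir /var/run/clamav` with the port's owner and mode, `service kq-var-run save`, then the reboot; the spec file lands in `/var/db/mtree/BSD.var-run.mtree` (the script's default) and is replayed by the service's start before the daemons that need their `/var/run` subdirectories come up.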
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20220828100501.EBA69307>