From: Cy Schubert <cy.schubert@cschubert.com>
To: freebsd@oldach.net (Helge Oldach)
cc: Cy.Schubert@cschubert.com (Cy Schubert), otis@FreeBSD.org, freebsd@walstatt-de.de, grembo@freebsd.org, freebsd-current@freebsd.org, freebsd-ports@freebsd.org, yasu@freebsd.org
Subject: Re: security/clamav: /ar/run on TMPFS renders the port broken by design
In-reply-to: <202208280842.27S8gDXn055868@nuc.oldach.net>
References: <202208280842.27S8gDXn055868@nuc.oldach.net>
List-Id: Porting software to FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-ports
Date: Sun, 28 Aug 2022 03:05:01 -0700
Message-Id: <20220828100501.EBA69307@slippy.cwsent.com>

In message <202208280842.27S8gDXn055868@nuc.oldach.net>, Helge Oldach writes:
> Cy Schubert wrote on Sat, 27 Aug 2022 17:26:38 +0200 (CEST):
> > As stated before in this thread, replacing /var/run with tmpfs is not a
> > supported configuration.
>
> Not supported? What is the purpose of /etc/rc.d/var then? That creates a
> tmpfs backed /var, populates it through mtree, and makes a proper /var/run
> available.
>
> However it doesn't (yet) create /var/run/clamav of course.
>
> It would be fairly easy to extend /etc/rc.d/var by a logic that walks through
> /usr/local/etc/mtree/* and runs mtree on each of the files found as needed.
> All that the security/clamav port would need to do then is to drop an
> appropriate small mtree file as /usr/local/etc/mtree/clamav. From a port's
> perspective that is the same logic as dropping service scripts as
> /usr/local/etc/rc.d/clamav-*.
>
> Kind regards
> Helge

This is because you don't already have a /var/run/clamav yet. Unfortunately this does not retroactively create /var/run/clamav.

My new copy of the script, attached, also does not retroactively create the directory. Create the directory by hand. Use your server. Reboot and the directories will be recreated.

If converting from UFS or ZFS /var/run, simply add the tmpfs mountpoint after adding and enabling the script and reboot. (I prefix all locally written scripts with kq-).

Remember, this does not retroactively create /var/run/clamav if it doesn't already exist.
This only makes mounting tmpfs on /var/run a possible option.

Content-Description: kq-var-run

#!/bin/sh

# PROVIDE: kq-var-run
# REQUIRE: zfs tmp
# BEFORE: FILESYSTEMS

. /etc/rc.subr

name=kq_var_run
rcvar=kq_var_run_enable

extra_commands="load save"
start_cmd="kq_var_run_start"
load_cmd="kq_var_run_load"
save_cmd="kq_var_run_save"
stop_cmd="kq_var_run_stop"

load_rc_config $name

# Set defaults
: ${kq_var_run_enable:="NO"}
# mtree specification describing the directory tree expected under /var/run
: ${kq_var_run_mtree:="/var/db/mtree/BSD.var-run.mtree"}
# Regenerate the specification from the live /var/run at shutdown
: ${kq_var_run_autosave:="YES"}

# Recreate the directories listed in the specification (-U creates missing
# entries and corrects owner/mode; -q suppresses warnings for ones that exist).
kq_var_run_load()
{
	test -f "${kq_var_run_mtree}" && \
	    mtree -U -i -q -f "${kq_var_run_mtree}" -p /var/run > /dev/null
}

# Capture the current directory layout of /var/run (-d: directories only,
# -c: emit a specification) so it survives the next reboot of a tmpfs /var/run.
kq_var_run_save()
{
	# Create the directory that holds the specification, not the spec path itself
	if [ ! -d "$(dirname "${kq_var_run_mtree}")" ]; then
		mkdir -p "$(dirname "${kq_var_run_mtree}")"
	fi
	mtree -dcbj -p /var/run > "${kq_var_run_mtree}"
}

# Only act when /var/run is actually a tmpfs mount
kq_var_run_start()
{
	df -ttmpfs /var/run > /dev/null 2>&1 && kq_var_run_load
}

kq_var_run_stop()
{
	df -ttmpfs /var/run > /dev/null 2>&1 && \
	    checkyesno kq_var_run_autosave && kq_var_run_save
}

run_rc_command "$1"

Cheers,
Cy Schubert
FreeBSD UNIX:  Web:  http://www.FreeBSD.org
NTP:           Web:  https://nwtime.org

	e^(i*pi)+1=0
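The per-port mtree convention Helge proposes (a spec dropped as /usr/local/etc/mtree/clamav and a loop that applies every such spec after /var is populated), written out as an added example that is not part of this thread, the clamav port, or the kq-var-run script. The clamav:clamav ownership, the 0750 mode, the spec directory path and the MTREE_DRYRUN knob are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the original message or from the clamav port.

# 1. The spec a port would install. Paths are relative to the -p root
#    (/var/run), so "." is /var/run itself and must keep root:wheel 0755;
#    only the leaf gets the daemon's (assumed) owner and restrictive mode.
write_clamav_spec() {
    # $1 = destination spec file, e.g. /usr/local/etc/mtree/clamav
    cat > "$1" <<'EOF'
/set type=dir uname=root gname=wheel mode=0755
.
    clamav uname=clamav gname=clamav mode=0750
    ..
..
EOF
}

# 2. The loop an /etc/rc.d/var extension (or a local rc script) would run
#    once /var/run exists: apply every spec found in the ports spec directory.
#    -U creates missing entries and corrects owner/mode; -q quiets warnings
#    for directories that already exist. MTREE_DRYRUN=yes prints each mtree
#    command instead of running it (constructed knob, used by the test).
apply_mtree_specs() {
    specdir=$1   # e.g. /usr/local/etc/mtree
    target=$2    # e.g. /var/run
    [ -d "$specdir" ] || return 0
    for spec in "$specdir"/*; do
        [ -f "$spec" ] || continue      # glob matched nothing: skip
        if [ "${MTREE_DRYRUN:-no}" = yes ]; then
            echo "mtree -U -q -f $spec -p $target"
        else
            mtree -U -q -f "$spec" -p "$target" > /dev/null
        fi
    done
}
```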