From nobody Mon Aug 29 16:57:29 2022 X-Original-To: freebsd-ports@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4MGc7M1t7Hz4bVTk; Mon, 29 Aug 2022 16:57:35 +0000 (UTC) (envelope-from cy.schubert@cschubert.com) Received: from omta001.cacentral1.a.cloudfilter.net (omta001.cacentral1.a.cloudfilter.net [3.97.99.32]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "Client", Issuer "CA" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4MGc7L17hPz3L87; Mon, 29 Aug 2022 16:57:34 +0000 (UTC) (envelope-from cy.schubert@cschubert.com) Received: from shw-obgw-4001a.ext.cloudfilter.net ([10.228.9.142]) by cmsmtp with ESMTP id ShazoSetvS8WrSi4roT2Pb; Mon, 29 Aug 2022 16:57:33 +0000 Received: from spqr.komquats.com ([70.66.148.124]) by cmsmtp with ESMTPA id Si4ooxPkMuJwwSi4poVvSx; Mon, 29 Aug 2022 16:57:33 +0000 X-Authority-Analysis: v=2.4 cv=F+BEy4tN c=1 sm=1 tr=0 ts=630ceffd a=Cwc3rblV8FOMdVN/wOAqyQ==:117 a=Cwc3rblV8FOMdVN/wOAqyQ==:17 a=kj9zAlcOel0A:10 a=biHskzXt2R4A:10 a=YxBL1-UpAAAA:8 a=6I5d2MoRAAAA:8 a=gRS1eiuiAAAA:8 a=EkcXrb_YAAAA:8 a=LXEpIe3u_CHbWU6wHioA:9 a=iOwzQaJqgoF0qnYM:21 a=CjuIK1q_8ugA:10 a=Ia-lj3WSrqcvXOmTRaiG:22 a=IjZwj45LgO3ly-622nXo:22 a=udpbrAo2yJH2O6eCpvBn:22 a=LK5xJRSDVpKd5WXXoEvA:22 Received: from slippy.cwsent.com (slippy [10.1.1.91]) by spqr.komquats.com (Postfix) with ESMTP id 0206F26E; Mon, 29 Aug 2022 09:57:29 -0700 (PDT) Received: by slippy.cwsent.com (Postfix, from userid 1000) id C15F4121; Mon, 29 Aug 2022 09:57:29 -0700 (PDT) X-Mailer: exmh version 2.9.0 11/07/2018 with nmh-1.7+dev Reply-to: Cy Schubert From: Cy Schubert X-os: FreeBSD X-Sender: cy@cwsent.com X-URL: http://www.cschubert.com/ To: FreeBSD User cc: Cy Schubert , Michael Gmelin , freebsd@oldach.net, otis@freebsd.org, freebsd-current@freebsd.org, freebsd-ports@freebsd.org, yasu@freebsd.org Subject: Re: security/clamav: /var/run on TMPFS renders the port broken by design In-reply-to: <20220829082514.63926a46@thor.intern.walstatt.dynvpn.de> References: <202208280842.27S8gDXn055868@nuc.oldach.net> <163333B4-76A1-4E46-B7C3-60492D379C6E@freebsd.org> <20220828102124.409EC26D@slippy.cwsent.com> <20220828130107.1a76d54a.grembo@freebsd.org> <20220828131120.C3781317@slippy.cwsent.com> <20220829082514.63926a46@thor.intern.walstatt.dynvpn.de> Comments: In-reply-to FreeBSD User message dated "Mon, 29 Aug 2022 08:24:47 +0200." List-Id: Porting software to FreeBSD List-Archive: https://lists.freebsd.org/archives/freebsd-ports List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-ports@freebsd.org X-BeenThere: freebsd-ports@freebsd.org Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Mon, 29 Aug 2022 09:57:29 -0700 Message-Id: <20220829165729.C15F4121@slippy.cwsent.com> X-CMAE-Envelope: MS4xfFUCc9/1umJ6vpMqs2MccId2EURivPbDjOnulmy/JKTN0+VuIwtZOp/EINWwK3dfMCIKp9OXFP1dn1A2kCfBeMZX9QGHYqxbrnu3biIKQTG3lsZF4HAb B/PmTEhuzcTPDPnuekJViT4+bJA2JBhDDs9UwIrLWyOtRmLgOVLv88my2phDtY84wWbIptXDdPOM8MzO9neBN4GJ23Zrjoow9pEhgPFzwNn3WwzwjiMoUy1H ryTfTbbbbqVdGsfe8BjNT+dhKmjl3Bmzg2Yb8QJhbNFm3wMkeTdMekf+/srCF/OXEfAdDLOT1BrppLHzKFxFLK7dDbGNgO2e7DDsDvIOms3q6joJMYpJ6cfD 8lyztpqwPE9qGGY0PbZGywx9Jd/i5UumuOK/y+YvLBQx5HpqtoQ= X-Rspamd-Queue-Id: 4MGc7L17hPz3L87 X-Spamd-Bar: - Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=none (mx1.freebsd.org: domain of cy.schubert@cschubert.com has no SPF policy when checking 3.97.99.32) smtp.mailfrom=cy.schubert@cschubert.com X-Spamd-Result: default: False [-1.80 / 15.00]; AUTH_NA(1.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; NEURAL_HAM_SHORT(-1.00)[-0.998]; MV_CASE(0.50)[]; RCVD_IN_DNSWL_MED(-0.20)[3.97.99.32:from]; MIME_GOOD(-0.10)[text/plain]; R_DKIM_NA(0.00)[]; RCPT_COUNT_SEVEN(0.00)[8]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+]; R_SPF_NA(0.00)[no SPF record]; MLMMJ_DEST(0.00)[freebsd-ports@freebsd.org,freebsd-current@freebsd.org]; HAS_REPLYTO(0.00)[Cy.Schubert@cschubert.com]; ASN(0.00)[asn:16509, ipnet:3.96.0.0/15, country:US]; REPLYTO_EQ_FROM(0.00)[]; RCVD_COUNT_FIVE(0.00)[5]; RCVD_VIA_SMTP_AUTH(0.00)[]; TO_MATCH_ENVRCPT_SOME(0.00)[]; FROM_HAS_DN(0.00)[]; DMARC_NA(0.00)[cschubert.com: no valid DMARC record]; TO_DN_SOME(0.00)[]; ARC_NA(0.00)[]; RCVD_TLS_LAST(0.00)[] X-ThisMailContainsUnwantedMimeParts: N In message <20220829082514.63926a46@thor.intern.walstatt.dynvpn.de>, FreeBSD Us er writes: > Am Sun, 28 Aug 2022 06:11:20 -0700 > Cy Schubert schrieb: > > > In message <20220828130107.1a76d54a.grembo@freebsd.org>, Michael Gmelin > > writes: > > > > > > > > > > > > On Sun, 28 Aug 2022 03:21:24 -0700 > > > Cy Schubert wrote: > > > > > > > In message <163333B4-76A1-4E46-B7C3-60492D379C6E@freebsd.org>, > > > > Michael Gmelin w > > > > rites: > > > > > > > > > > > > > > > > > > > > > On 28. Aug 2022, at 10:42, freebsd@oldach.net wrote: > > > > > >=20 > > > > > > =EF=BB=BFCy Schubert wrote on Sat, 27 Aug 2022 17:26:38 +0200 > > > > > > (CEST): > > > > > >> As stated before in this thread, replacing /var/run with tmpfs > > > > > >> is not a supported configuration. > > > > > >=20 > > > > > > Not supported? What is the purpose of /etc/rc.d/var then? That > > > > > > creates a t= > > > > > mpfs backed /var, populates it through mtree, and makes a proper > > > > > /var/run av= ailable. > > > > > >=20 > > > > > > However it doesn't (yet) create /var/run/clamav of course. > > > > > >=20 > > > > > > It would be fairly easy to extend /etc/rc.d/var by a logic that > > > > > > walks thro= > > > > > ugh /usr/local/etc/mtree/* and runs mtree on each of the files > > > > > found as need= ed. All that the security/clamav port would need to > > > > > do then is to drop an ap= propriate small mtree file as > > > > > /usr/local/etc/mtree/clamav. =46rom a port's p= erspective that is > > > > > the same logic as dropping service scripts as /usr/local/= > > > > > etc/rc.d/clamav-*. > > > > > > > > > > =46rom a user's perspective, it would be preferable to have this > > > > > happen at s= ervice start though, as (unlike in the setup > > > > > described) reboots don't happen= that frequently, but files in > > > > > /var/run might get deleted manually. Maybe so= me rc framework > > > > > based solution would make sense, e.g., a variable `mtree_fil= es`, > > > > > which, if set, is applied in the default start_precmd. Besides > > > > > being mo= re resilient, this would also have the advantage that all > > > > > required file syst= ems should be available at that point and the > > > > > separation between system and p = orts would be more clear. Another > > > > > advantage would be that directories are on= ly created for services > > > > > that are actually enabled/started. > > > > > > > > Unfortunately this requires all ports to include an mtree file. > > > > Relying on port maintainers who are human to ensure that these files > > > > are created and updated when ports are created and maintained will > > > > result in more human error. I've learned over my long career to rely > > > > more on automation than human beings. Automation [should] never fail > > > > and when it does it does temporarily until the bug is found and > > > > fixed. Human beings inconsistently fail. > > > > > > > > If it were an auto-discovery script that created an mtree file as > > > > part of the packaging process, it would be another matter. But this > > > > optional solution path should be discussed on ports@, not here. > > > > > > > > > > > > > > I don't have much skin in the game, but I created a little proof of > > > concept to allow further discussion (which is not ports-specific, as it > > > works for all service scripts): > > > > > > https://reviews.freebsd.org/D36385 > > > > I've been toying with the idea for a few months but was never bothered to > > create a review or even a script for that matter. > > > > > > > > This basically allows both system admins and port maintainers to > > > create mtree files in /usr/local/etc/mtree (or /etc/mtree, as it's > > > always relative to the service script called) which are automatically > > > applied on service start. It's non-intrusive and doesn't require any > > > sweeping changes to existing ports/services. > > > > Understood that this is a manual process. > > > > > > > > In this specific case, the requester could create > > > /usr/local/etc/mtree/clamav-clamd with the required content (or > > > persuade the port maintainer to include that file). > > > > > > You could of course add some construct to the ports framework that > > > picks up certain directories from the package list automatically and > > > places them into an mtree file as part of the build or installation > > > process. But that would be an additional feature on top of this change. > > > > Someone could. Personally, I think that's a lot of work compared to simply > > saving the state of /var/run at shutdown and restoring it at boot. I can't > > speak for the ports management though. > > > > > > > > This is meant to inspire more discussions, I'm not trying to force > > > anything in. ;) > > > > Agreed. > > > > I cobbled something up yesterday that saves the directory tree state of > > /var/run prior to shutdown (or manually) and restores it at boot. > > > > https://reviews.freebsd.org/D36386 > > > > People can try it out if they want. If there's enough interest I'd be > > willing to commit it. > > > > We have a few options on the table and probably more. The ports > > infrastructure option is probably the most work. Adding functionality to > > all the ports that use /var/run is also a lot of work and if relying on > > individual porters, will likely take some time and be varied in > > implementation and robustness. > > > > > > I'd like to add a sidenote here, if one may please. > > Checking today NanoBSD based projects, i.e. XigmaNAS, which also let /var res > ide on a memory > disk and the way NanoBSD handles /var, contradicts some claims that is is 'un > supported' to put > /var on a volatile memory infrastructure. There is no argument that /var/run on tmpfs should not be done. IIRC RHEL puts /tmp and /var/run on tmpfs. And, when I worked with Solaris and Tru64, both put /tmp on tmpfs. > > On the other hand, there are only few ports which create subfolders to, i.e., > /var/run not > congruent what the specific metree sketch implies, the port security/clamav i > s one of those > few. If /var/run is tmpfs when the system is built the script I posted would handle this. However, after the tact, and remove the old /var/run instead of having the tmpfs mounted on top of a fully populated /var/run that should probably be removed. But we can leave that as an exercise for the SA to figure out. > > The question that bothers me most and this is just from the pratical point of > view as stated > initially and from a second view, just out of curiosity: > > what (fatal?) implications does it have to create some folders by port's rc-s > cript in /var/run > or whatever folder is needed to be on a volatile memory device for FreeBSD ba > se system's mtree > infrastructure? You need to ask port maintainers that. But remember, shotgun approaches to problems simply create technical debt that has to be paid with interest. And, it's always the developer who pays. It's better to consider a holistic solution rather than pick away at it. Try my rc script. Simply enable it and change your /var/run to tmpfs. Then reboot. If you want to dispose of any cruft on disk you can reboot into single user and clean it up at a later date. One final word: We should consider /tmp and /var/run as tmpfs as default, just as RHEL, Solaris and back in the day Tru64. (Though I recall DG/UX, HP-UX and NCR AT&T SysVR4 never used tmpfs.) On the flip side, embedded systems with limited RAM may be the exception but that can be mitigated with a size option (not used by Solaris but used by Tru64). Try the script. ;) -- Cheers, Cy Schubert FreeBSD UNIX: Web: http://www.FreeBSD.org NTP: Web: https://nwtime.org e^(i*pi)+1=0