Date: Sat, 27 Aug 2022 15:02:04 +0200 From: Michael Gmelin <grembo@freebsd.org> To: FreeBSD User <freebsd@walstatt-de.de> Cc: FreeBSD CURRENT <freebsd-current@freebsd.org>, FreeBSD Ports <freebsd-ports@freebsd.org>, yasu@freebsd.org Subject: Re: security/clamav: /ar/run on TMPFS renders the port broken by design Message-ID: <DBF99D65-0BAE-485F-90EB-42CC3E080161@freebsd.org> In-Reply-To: <20220827125405.10194d30@thor.intern.walstatt.dynvpn.de>
index | next in thread | previous in thread | raw e-mail
> On 27. Aug 2022, at 12:54, FreeBSD User <freebsd@walstatt-de.de> wrote: > > Am Sat, 27 Aug 2022 11:21:40 +0200 > Michael Gmelin <grembo@freebsd.org> schrieb: > >>>> On 27. Aug 2022, at 08:31, FreeBSD User <freebsd@walstatt-de.de> wrote: >>> >>> Hello, >>> >>> I'm referencing to Bug 259699 [2] and Bug 259585 [1]. >>> >>> Port security/clamav is without doubt for many of FreeBSD users an important piece of >>> security software so I assume a widespread usage. >>> >>> It is also a not uncommon use case to use NanoBSD or any kind of low-memory-footprint >>> installation schemes in which /var/run - amongst other system folders - are created at boot >>> time as TMPFS and highly volatile. >>> >>> In our case, the boxes running a small security appliance based upon FreeBSD is rebooted >>> every 24 hours and so /var/run is vanishing. >>> >>> To make the long story short: >>> >>> The solution for this problem would be a check for existence and take action addendum in >>> precmd() routine of the rc-script as sketched in Bug 259699. >>> The maintainer rejects such a workaround by arguing this would violate POLA (see comment 4 >>> in PR 259699 [2]. The maintainer's argument regaring to mtree's files are sound to me. >>> >>> The question is: how can this issue be solved? >>> >>> It is really hard to always chenge our local repository and patch whenever clamav has been >>> patched and modified for what reason ever. >>> >>> Tahanks for reading, >>> >> >> Why don’t you simply add an rc script to your appliance that creates the missing >> directory/directories on boot before clamav is started? >> >> Best >> Michael >> >> >> > > Why not fixing this on a more general basis? It‘s a reasonable way forward, given the limitations you described (you’re removing /var/run, which shouldn’t be removed and the port maintainer not willing to add code to compensate for this). This would fix it for you for your specific needs in a reliable way, you would never have to patch the port again and also won’t use other people‘s time to find a general solution to your very specific problem. It’s a sustainable quick fix to your problem at hand. You can always come up with something grand later, but this would actually work right away. Cheershome | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?DBF99D65-0BAE-485F-90EB-42CC3E080161>