From: Juraj Lutter
To: Michael Gmelin <grembo@freebsd.org>
Cc: freebsd@oldach.net, freebsd-current@freebsd.org, freebsd-ports@freebsd.org, yasu@freebsd.org, freebsd@walstatt-de.de
Date: Sat, 27 Aug 2022 15:38:44 +0200
Subject: Re: security/clamav: /var/run on TMPFS renders the port broken by design
List-Archive: https://lists.freebsd.org/archives/freebsd-current

> On 27 Aug 2022, at 15:27, Michael Gmelin wrote:
>
>> On 27. Aug 2022, at 15:18, freebsd@oldach.net wrote:
>>
>> Michael Gmelin wrote on Sat, 27 Aug 2022 15:02:04 +0200 (CEST):
>>> (you're removing /var/run, which shouldn't be removed
>>
>> Not quite. It's actually not uncommon to boot with an empty /var. Please see /etc/rc.d/var and related.
>
> That's a good point.
>
>> The request that ports/packages should consider this case is not exactly unreasonable IMO.
>
> If I was the maintainer, I would simply add the code to create the directory for robustness' sake (I for one deleted subdirs in /var/run more than once and would expect a port to fix this on restart, also to make sure correct permissions are applied). But since it doesn't seem like this is going to happen, adding a custom rc file would be a viable short-term workaround for the requester.
>
> I like the idea of having something like tmpfiles.d, it would also help port maintainers (could also be done as a port).

As I have stated in one of those PRs: clamd creates files in two locations:

- PidFile
- LocalSocket

Both locations could be checked by the rc.d script in clamd.conf (also freshclam, eventually) and the respective directories can be created from within start_precmd().

otis

—
Juraj Lutter
otis@FreeBSD.org
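The start_precmd() idea from the message above, worked out as an added example for this page (it is not code from the clamav port, the rc.d framework or anyone in the thread): a helper that reads PidFile and LocalSocket from a clamd.conf and creates their parent directories before clamd starts, so a boot with an empty tmpfs /var/run does not leave the daemon unable to write its pidfile or socket. The owner clamav:clamav, the mode 0755 and the default config path /usr/local/etc/clamav/clamd.conf are assumptions; adjust them to what the port actually installs.

```shell
#!/bin/sh
# Added example, not the clamav port's own rc.d script.
# Recreates the directories clamd writes into (PidFile, LocalSocket)
# when /var/run came up empty, e.g. because it is a tmpfs.

# clamav_conf_value CONF KEY
# Prints the value of KEY from a clamd.conf-style file ("Key value" per
# line, '#' comments skipped); first match wins, empty output if absent.
clamav_conf_value() {
    _file="$1"; _key="$2"
    awk -v key="$_key" '
        /^[[:space:]]*#/ { next }
        $1 == key        { print $2; exit }
    ' "$_file"
}

# clamav_precmd CONF [OWNER]
# For each of PidFile and LocalSocket found in CONF, make sure the parent
# directory exists with the expected mode and owner. Intended to be wired
# in as start_precmd in an rc.d script; returns non-zero on failure so the
# framework refuses to start the daemon instead of letting it fail later.
clamav_precmd() {
    _conf="$1"
    _owner="${2:-clamav:clamav}"   # assumption: the port runs clamd as clamav:clamav
    [ -r "$_conf" ] || { echo "clamav_precmd: cannot read $_conf" >&2; return 1; }
    for _key in PidFile LocalSocket; do
        _path=$(clamav_conf_value "$_conf" "$_key")
        [ -n "$_path" ] || continue      # key not set: clamd uses its built-in default
        _dir=$(dirname "$_path")
        if [ ! -d "$_dir" ]; then
            mkdir -p "$_dir" || return 1
            chmod 0755 "$_dir" || return 1   # assumption: 0755 is what the port expects
        fi
        # Only root can hand the directory to the daemon user; in rc.d context
        # we are root, in a plain shell session the chown is simply skipped.
        if [ "$(id -u)" -eq 0 ]; then
            chown "$_owner" "$_dir" || return 1
        fi
    done
    return 0
}

# Stand-alone use: ./clamav_precmd.sh [clamd.conf] [owner]
if [ "$#" -ge 1 ]; then
    clamav_precmd "$@"
fi
```

In an rc.d script this would be hooked in with `start_precmd=clamav_precmd` (passing the configured conf path), so the check runs every start and also repairs the case Michael describes of a subdirectory under /var/run having been deleted by hand.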