From: Jamie Landeg-Jones
Message-Id: <202208271526.27RFQF3U071257@donotpassgo.dyslexicfish.net>
Date: Sat, 27 Aug 2022 16:26:15 +0100
Organization: Dyslexic Fish
To: grembo@FreeBSD.org, freebsd@oldach.net
Cc: yasu@FreeBSD.org, freebsd@walstatt-de.de, freebsd-ports@FreeBSD.org, freebsd-current@FreeBSD.org
Subject: Re: security/clamav: /ar/run on TMPFS renders the port broken by design
References: <202208271318.27RDI9Jd044045@nuc.oldach.net>
List-Id: Discussions about the use of FreeBSD-current
List-Archive: https://lists.freebsd.org/archives/freebsd-current

Michael Gmelin wrote:

> I like the idea of having something like tmpfiles.d, it would also help port maintainers (could also be done as a port).

I use tmpfs for /var/run and already have such a script for this very reason (although not clamav).

I would have thought each port startup script should ensure its file/directory exists before attempting to launch - having "tmpfiles.d" would still require some changes for the port maintainer to make to their port, but I guess it may help to keep things centralised.

I'm willing to "standardise" my script if it would help, but as it stands, you can see it here: http://freebsd.dyslexicfish.net/src/

15:47 (71) "~/x" jamie@newbie% cat /usr/common/etc/var_run.mtree
# File/Directory    User        Group       Perms
#
distccd.pid         distcc      distcc      640
ntop/               ntop        ntop        750
nsd/                nsd         nsd         750
netdata/            netdata     netdata     750
screens/            root        wheel       1777
sshdbanner/         sshdbanner  sshdbanner  755
spamd/              spamd       spamd       750
symon.pid           _symon      _symon      640
symux.pid           _symon      _symon      640
vnstat/             vnstat      vnstat      750
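
An added example, not the script from the post or anything shipped by FreeBSD: a POSIX sh sketch that validates a manifest in the "name user group perms" layout of the listing above and prints the install(1) commands that would recreate each entry on a freshly mounted tmpfs /var/run. The function names, the validation rules and the sample manifest are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the script from the post. Reads a manifest in the
# "name user group perms" layout on stdin and prints one install(1)
# command per entry; nothing is created until the output has been
# reviewed and piped to sh as root.

# A token is safe if it is one plain word: no '/', no leading '-',
# not '.' or '..', and no shell metacharacters.
safe_token() {
    case $1 in ''|.|..|-*|*[!A-Za-z0-9._-]*) return 1 ;; esac
}

# plan_var_run [BASEDIR] < manifest
# Returns 1 if any line was rejected; rejected lines go to stderr.
plan_var_run() {
    base=${1:-/var/run}
    rc=0
    while read -r name user group mode extra || [ -n "$name" ]; do
        case $name in ''|'#'*) continue ;; esac   # blank line or comment
        entry=${name%/}                           # trailing '/' marks a directory
        if [ -z "$mode" ] || [ -n "$extra" ] ||
           ! safe_token "$entry" || ! safe_token "$user" || ! safe_token "$group"; then
            echo "rejected: $name $user $group $mode $extra" >&2; rc=1; continue
        fi
        case $mode in                             # three or four octal digits only
            [0-7][0-7][0-7]|[0-7][0-7][0-7][0-7]) ;;
            *) echo "rejected mode: $name $mode" >&2; rc=1; continue ;;
        esac
        case $name in
            */) echo "install -d -o $user -g $group -m $mode $base/$entry" ;;
            *)  echo "install -o $user -g $group -m $mode /dev/null $base/$entry" ;;
        esac
    done
    return $rc
}

# Constructed sample: three entries from the listing above plus three bad lines.
sample_manifest() {
    cat <<'EOF'
# File/Directory  User    Group   Perms
distccd.pid       distcc  distcc  640
ntop/             ntop    ntop    750
screens/          root    wheel   1777
../etc/passwd     root    wheel   644
spamd/            spamd   spamd   rwx
nsd/              nsd     nsd
EOF
}

sample_manifest | plan_var_run /var/run || echo "some lines were rejected" >&2
```

Rejecting names that contain '/' or start with '-' keeps a bad manifest line from creating root-owned paths outside the base directory or from being read by install(1) as an option.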