Date:      Sun, 28 Aug 2022 11:37:16 +0200
From:      Michael Gmelin <grembo@freebsd.org>
To:        freebsd@oldach.net
Cc:        Cy.Schubert@cschubert.com, otis@freebsd.org, freebsd@walstatt-de.de, freebsd-current@freebsd.org, freebsd-ports@freebsd.org, yasu@freebsd.org
Subject:   Re: security/clamav: /var/run on TMPFS renders the port broken by design
Message-ID:  <163333B4-76A1-4E46-B7C3-60492D379C6E@freebsd.org>
In-Reply-To: <202208280842.27S8gDXn055868@nuc.oldach.net>
References:  <202208280842.27S8gDXn055868@nuc.oldach.net>



> On 28. Aug 2022, at 10:42, freebsd@oldach.net wrote:
> 
> Cy Schubert wrote on Sat, 27 Aug 2022 17:26:38 +0200 (CEST):
>> As stated before in this thread, replacing /var/run with tmpfs is not a
>> supported configuration.
> 
> Not supported? What is the purpose of /etc/rc.d/var then? That creates a tmpfs backed /var, populates it through mtree, and makes a proper /var/run available.
> 
> However it doesn't (yet) create /var/run/clamav of course.
> 
> It would be fairly easy to extend /etc/rc.d/var by a logic that walks through /usr/local/etc/mtree/* and runs mtree on each of the files found as needed. All that the security/clamav port would need to do then is to drop an appropriate small mtree file as /usr/local/etc/mtree/clamav. From a port's perspective that is the same logic as dropping service scripts as /usr/local/etc/rc.d/clamav-*.

From a user's perspective, it would be preferable to have this happen at service start though, as (unlike in the setup described) reboots don't happen that frequently, but files in /var/run might get deleted manually. Maybe some rc framework based solution would make sense, e.g., a variable `mtree_files`, which, if set, is applied in the default start_precmd. Besides being more resilient, this would also have the advantage that all required file systems should be available at that point and the separation between system and ports would be more clear. Another advantage would be that directories are only created for services that are actually enabled/started.

Cheers
Michael
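Sketch of the two ideas discussed above (an mtree spec dropped by the port, applied from a start_precmd) as added example code, not part of this thread, the clamav port or rc.subr. The user/group `clamav`, mode 0755, the spec path /usr/local/etc/mtree/clamav and the variable name `mtree_prefix` are assumptions; `mtree_files` is the variable proposed in the message.

```sh
#!/bin/sh
# Added example: the spec a port could install as /usr/local/etc/mtree/clamav.
# Only directories are listed; "mtree -d" ignores other entries and "-e"
# keeps it quiet about files it does not know (pid files, sockets).
# Owner/group "clamav" and the mode are assumptions, not the port's values.
clamav_mtree_spec() {
	cat <<'EOF'
/set type=dir uname=root gname=wheel mode=0755
.
    run
        clamav          uname=clamav gname=clamav
        ..
    ..
EOF
}

# Generic precmd: apply every spec in ${mtree_files} below ${mtree_prefix}
# (default /).  -U creates missing directories and fixes owner/mode of
# existing ones, so it works whether /var is tmpfs, /var/run was cleaned by
# hand, or nothing changed.  A missing or failing spec aborts the start.
# In an rc.d script this would be wired up as:
#   mtree_files="/usr/local/etc/mtree/clamav"   (hypothetical variable)
#   start_precmd="apply_mtree_files"
apply_mtree_files() {
	prefix="${mtree_prefix:-/}"
	for spec in ${mtree_files}; do
		[ -r "$spec" ] || { echo "mtree spec $spec missing" >&2; return 1; }
		mtree -deU -f "$spec" -p "$prefix" >/dev/null || return 1
	done
	return 0
}

# List the absolute directories a spec on stdin describes, so a start script
# or a test can check the result without parsing mtree(8) output.  Pure
# shell: indentation encodes depth, ".." pops one level, "/set" is skipped.
spec_dirs() {
	prefix="${1:-/}"
	path=""
	while IFS= read -r line; do
		set -- $line
		case "$1" in
		''|'#'*|'/set'|'.') continue ;;
		'..') path="${path%/*}" ;;
		*) path="$path/$1"; echo "${prefix%/}$path" ;;
		esac
	done
}
```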