Date: Sat, 27 Aug 2022 12:53:38 +0200
From: FreeBSD User
To: Michael Gmelin
Cc: FreeBSD CURRENT, FreeBSD Ports, yasu@freebsd.org
Subject: Re: security/clamav: /ar/run on TMPFS renders the port broken by design
Message-ID: <20220827125405.10194d30@thor.intern.walstatt.dynvpn.de>
References: <20220827083042.73e7f439@thor.intern.walstatt.dynvpn.de>
Organization: walstatt-de.de
List-Id: Discussions about the use of FreeBSD-current
List-Archive: https://lists.freebsd.org/archives/freebsd-current

On Sat, 27 Aug 2022 11:21:40 +0200, Michael Gmelin wrote:

> > On 27. Aug 2022, at 08:31, FreeBSD User wrote:
> >
> > Hello,
> >
> > I'm referring to Bug 259699 [2] and Bug 259585 [1].
> >
> > Port security/clamav is without doubt for many of FreeBSD users an important piece of
> > security software so I assume a widespread usage.
> >
> > It is also a not uncommon use case to use NanoBSD or any kind of low-memory-footprint
> > installation schemes in which /var/run - amongst other system folders - are created at boot
> > time as TMPFS and highly volatile.
> >
> > In our case, the boxes running a small security appliance based upon FreeBSD are rebooted
> > every 24 hours and so /var/run is vanishing.
> >
> > To make the long story short:
> >
> > The solution for this problem would be a check for existence and take action addendum in
> > precmd() routine of the rc-script as sketched in Bug 259699.
> > The maintainer rejects such a workaround by arguing this would violate POLA (see comment 4
> > in PR 259699 [2]). The maintainer's argument regarding mtree's files is sound to me.
> >
> > The question is: how can this issue be solved?
> >
> > It is really hard to always change our local repository and patch whenever clamav has been
> > patched and modified for whatever reason.
> >
> > Thanks for reading,
> >
>
> Why don’t you simply add an rc script to your appliance that creates the missing
> directory/directories on boot before clamav is started?
>
> Best
> Michael
>

Why not fix this on a more general basis?

Best regards,

oh

-- 
O. Hartmann
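
The rc script suggested in the quoted reply could look like the following; this is an added example, not code from the thread, the port or the bug reports. The script name `appliance_rundirs`, the variable `appliance_rundirs_list`, the default `/var/run/clamav` entry with owner `clamav:clamav`, and the `BEFORE: LOGIN` ordering are assumptions to be checked against the installed port.

```shell
#!/bin/sh
#
# PROVIDE: appliance_rundirs
# REQUIRE: FILESYSTEMS
# BEFORE: LOGIN
#
# Added example. Names above are hypothetical; BEFORE: LOGIN assumes the
# ClamAV rc scripts REQUIRE: LOGIN (check the scripts in /usr/local/etc/rc.d).

# ensure_rundir DIR MODE [OWNER:GROUP]
# Create DIR on a freshly mounted tmpfs with explicit mode and owner.
ensure_rundir() {
    _dir=$1 _mode=$2 _owner=${3:-}
    # Refuse to reuse a symlink or a non-directory that is already there,
    # so a planted link cannot redirect the daemon's pid file or socket.
    if [ -L "$_dir" ] || { [ -e "$_dir" ] && [ ! -d "$_dir" ]; }; then
        echo "refusing $_dir: exists and is not a real directory" >&2
        return 1
    fi
    mkdir -p "$_dir" || return 1
    chmod "$_mode" "$_dir" || return 1
    if [ -n "$_owner" ]; then
        chown "$_owner" "$_dir" || return 1
    fi
}

# One "DIR MODE [OWNER:GROUP]" entry per line in appliance_rundirs_list.
appliance_rundirs_start() {
    # Assumed default: the run directory and account used by the port.
    : "${appliance_rundirs_list:=/var/run/clamav 0755 clamav:clamav}"
    echo "$appliance_rundirs_list" | while read -r _d _m _o; do
        [ -n "$_d" ] || continue
        ensure_rundir "$_d" "$_m" "$_o" || exit 1
    done
}

# rc.d wiring; skipped on hosts without rc.subr so the functions can be
# sourced and exercised elsewhere.
if [ -r /etc/rc.subr ]; then
    . /etc/rc.subr
    name="appliance_rundirs"
    rcvar="appliance_rundirs_enable"
    start_cmd="appliance_rundirs_start"
    stop_cmd=":"
    load_rc_config "$name"
    : "${appliance_rundirs_enable:=NO}"
    run_rc_command "$1"
fi
```

Because the directories are created by a separate local script, the port's own rc scripts stay unpatched across updates.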