Re: security/clamav: /ar/run on TMPFS renders the port broken by design

Reply: Cy Schubert : "Re: security/clamav: /ar/run on TMPFS renders the port broken by design"
In reply to: Juraj Lutter : "Re: security/clamav: /ar/run on TMPFS renders the port broken by design"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: Cy Schubert <Cy.Schubert_at_cschubert.com>
Date: Sat, 27 Aug 2022 15:26:38 UTC

On Sat, 27 Aug 2022 15:38:44 +0200
Juraj Lutter <otis@FreeBSD.org> wrote:

> > On 27 Aug 2022, at 15:27, Michael Gmelin <grembo@freebsd.org> wrote:
> > 
> > 
> >   
> >> On 27. Aug 2022, at 15:18, freebsd@oldach.net wrote:
> >> 
> >> Michael Gmelin wrote on Sat, 27 Aug 2022 15:02:04 +0200 (CEST):  
> >>> (you're removing /var/run, which shouldn't be removed  
> >> 
> >> Not quite. It's actually not uncommon to boot with an empty /var. Please see /etc/rc.d/var and related.  
> > 
> > That’s a good point.
> >   
> >> The request that ports/packages should consider this case is not exactly unreasonable IMO.
> >>   
> > 
> > If I was the maintainer, I would simply add the code to create the directory for robustness sake (I for one deleted subdirs in /var/run more than once and would expect a port to fix this on restart, also to make sure correct permissions are applied). But since it doesn’t seem like this is going to happen, adding a custom rc file would be a viable short term workaround for the requester.
> > 
> > I like the idea of having something like tmpfiles.d, it would also help port maintainers (could also be done as a port).
> >   
> 
> As I have stated in one of those PR: clamd creates file in two locations:
> 
> - PidFile
> - LocalSocket
> 
> Both the locations could be checked by rc.d script in clamd.conf (also freshclam eventually) and respective directories can be created from within start_precmd()
> 
> otis
> 
> —
> Juraj Lutter
> otis@FreeBSD.org
> 

As stated before in this thread, replacing /var/run with tmpfs is not a
supported configuration. However if users wish to replace /var/run
with tmpfs they can create an rc script (I put my extra rc scripts in
/etc/local/rc.d) to create the hierarc
If one does this they can either use mtree(1) to create the hierarchy
or simply take a snapshot (find /var/run -type d | cpio -o >
/etc/local/my_var_run.cpio), having their rc script recreate the
hierarchy using cpio -i < /etc/local/my_var_run.cpio). And
be periodically updated the archive as needed, probably through a
shutdown script.

One will notice that /etc/mtree/BSD.var.dist shows us what is created
in /var/run by default during installworld.

The change requested is not specifically for an individual port but
essentially a FreeBSD-wide infrastructure change. I don't think this
is reasonable without a lot of consideration about what will be broken
during the process of changing build and boot processes and the
potential POLA fallout from such a change. A change like this needs to
be architected.

I don't think this is the mailing list to discuss this topic. This
should be discussed on ports@. Not here. Maybe it should be moved there
as this is a ports not a base O/S issue.

-- 
Cheers,
Cy Schubert <Cy.Schubert@cschubert.com>
FreeBSD UNIX:  <cy@FreeBSD.org>   Web:  http://www.FreeBSD.org
NTP:           <cy@nwtime.org>    Web:  https://nwtime.org

			e^(i*pi)+1=0