Date: Sat, 27 Aug 2022 15:21:38 +0200
From: FreeBSD User
To: freebsd-current@freebsd.org
Subject: Re: security/clamav: /ar/run on TMPFS renders the port broken by design
Message-ID: <20220827152205.76d9df57@thor.intern.walstatt.dynvpn.de>
References: <20220827083042.73e7f439@thor.intern.walstatt.dynvpn.de>
Organization: walstatt-de.de
List-Id: Discussions about the use of FreeBSD-current
List-Archive: https://lists.freebsd.org/archives/freebsd-current
On Sat, 27 Aug 2022 13:16:43 +0200, tuexen@freebsd.org wrote:

> > On 27. Aug 2022, at 08:30, FreeBSD User wrote:
> >
> > Hello,
> >
> > I'm referring to Bug 259699 [2] and Bug 259585 [1].
> >
> > Port security/clamav is without doubt, for many FreeBSD users, an important piece of
> > security software, so I assume widespread usage.
> >
> > It is also a not uncommon use case to use NanoBSD or any kind of low-memory-footprint
> > installation scheme in which /var/run, amongst other system folders, is created at boot
> > time as TMPFS and is highly volatile.
> >
> > In our case, the boxes running a small security appliance based upon FreeBSD are rebooted
> > every 24 hours, and so /var/run vanishes.
>
> Why are you rebooting every 24 hours?

The appliance has to be on a non-writable medium and is to be rebooted every 24 hours to
cleanse temporary memory. This is given in the specs and by the department(s) the appliance
is for.

Kind regards

>
> Best regards
> Michael
>
> > To make the long story short:
> >
> > The solution for this problem would be a check for existence and take action addendum in
> > the precmd() routine of the rc-script, as sketched in Bug 259699.
> > The maintainer rejects such a workaround by arguing this would violate POLA (see comment 4
> > in PR 259699 [2]). The maintainer's argument regarding mtree's files is sound to me.
> >
> > The question is: how can this issue be solved?
> >
> > It is really hard to always change our local repository and patch whenever clamav has been
> > patched and modified for whatever reason.
> >
> > Thanks for reading,
> >
> > kind regards
> >
> > O. Hartmann
> >
> > [1] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=259585
> > [2] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=259699
> >
> >
> > --
> > O. Hartmann
> >

--
O. Hartmann
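The "check for existence and take action" precmd() step discussed in the thread, written out as an added example. This is not the clamav port's rc script and not code from either bug report; the helper name ensure_run_dir, its arguments and the demo paths are assumptions made here. In an rc.d script the function would be called from the routine named by start_precmd, with the daemon's run directory, owner and mode taken from the port's defaults. The helper deliberately refuses symlinks, non-directories and relative paths instead of "fixing" them, so a daemon is never started against a run directory that points somewhere unexpected.

```sh
#!/bin/sh
# ensure_run_dir DIR MODE [OWNER[:GROUP]]
#
# Hypothetical helper (not from the clamav port): make sure a daemon's
# runtime directory exists before the daemon starts, so a TMPFS /var/run
# that came back empty after a reboot does not break startup.
# Returns 0 when DIR is a usable directory afterwards, 1 otherwise.
ensure_run_dir() {
    dir=$1
    mode=${2:-0755}
    owner=$3

    # Refuse an empty or relative path: a typo in rc.conf must not create
    # directories relative to whatever the current working directory is.
    case $dir in
        /*) ;;
        *)  echo "ensure_run_dir: refusing non-absolute path '$dir'" >&2
            return 1 ;;
    esac

    # Check -L before -e: -e is false for a dangling symlink, and a symlink
    # in a volatile run directory should be treated as suspicious, not followed.
    if [ -L "$dir" ]; then
        echo "ensure_run_dir: $dir is a symlink, not following it" >&2
        return 1
    fi
    if [ -e "$dir" ] && [ ! -d "$dir" ]; then
        echo "ensure_run_dir: $dir exists but is not a directory" >&2
        return 1
    fi

    # Already there (e.g. persistent /var/run): leave ownership and mode alone,
    # an administrator may have set them on purpose.
    if [ -d "$dir" ]; then
        return 0
    fi

    # Create it fresh and apply the requested mode explicitly instead of
    # trusting the umask the rc framework happens to run with.
    mkdir -p "$dir" || return 1
    chmod "$mode" "$dir" || return 1
    if [ -n "$owner" ]; then
        # Only meaningful when running as root, as rc.d scripts do at boot.
        chown "$owner" "$dir" || return 1
    fi
    return 0
}

# Demo, only when run directly with --demo; uses a temporary tree so it
# never touches the real /var/run. Paths below are constructed for the demo.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    ensure_run_dir "$tmp/var/run/clamav" 0750 && ls -ld "$tmp/var/run/clamav"
    ensure_run_dir "var/run/clamav" 0750 || echo "relative path refused, as intended"
    rm -rf "$tmp"
fi
```

In a real rc.d script the call would sit in the precmd function, for example `ensure_run_dir "${clamav_run_dir}" 0750 "${clamav_user}:${clamav_group}"` using the variables the script already defines, so the behaviour stays under rc.conf control and no paths are hard-coded.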