From: "Armin Kuster" <akuster808@gmail.com>
To: "Böszörményi Zoltán" <zboszor@pr.hu>,
	yocto@lists.yoctoproject.org,
	openembedded-core@lists.openembedded.org,
	"Khem Raj" <raj.khem@gmail.com>
Cc: "Zoltán Böszörményi" <zboszor@gmail.com>
Subject: Re: [OE-core] [meta-security][PATCH] clamav: Set clamav:clamav ownership on /var/lib/clamav in do_install
Date: Sun, 26 Sep 2021 09:01:37 -0700
Message-ID: <13f1e4fa-9507-e0f2-9fd0-ced0489948ce@gmail.com>
In-Reply-To: <65749bc7-3235-9dd5-db51-b54377d88020@pr.hu>



On 9/26/21 8:56 AM, Böszörményi Zoltán wrote:
> On 2021. 09. 26. 17:35, Armin Kuster wrote:
>>
>>
>> On 9/26/21 5:25 AM, Zoltán Böszörményi wrote:
>>> From: Zoltán Böszörményi <zboszor@gmail.com>
>>>
>>> Also, rearrange the runtime-dependencies a little so
>>> clamav-freshclam is installed later than clamav.
>>>
>>> The issue is that clamav-freshclam ships /var/lib/clamav
>>> and the main clamav package uses chown in pkg_postinst to set
>>> the ownership of this directory. But pkg_postinst is not
>>> marked as "ontarget" so this chown only took effect when
>>> upgrading or reinstalling the package.
>>>
>>> So when clamav is part of an OS image out of the box, freshclamd
>>> cannot populate this directory since it's running under the clamav
>>> user.
>>>
>>> Fix this by creating /var/lib/clamav with the proper ownership
>>> in do_install and rearrange runtime-dependencies, so clamav-freshclam
>>> RDEPENDS on clamav and clamav relaxes its runtime-dependency into
>>> RRECOMMENDS so clamav-freshclam is installed later than clamav,
>>> avoiding these warnings:
>>>
>>>    Installing       : clamav-freshclam-...            487/1954
>>> warning: user clamav does not exist - using root
>>> warning: group clamav does not exist - using root
>>>
>>> Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
>> This patch does not apply if I have the previous one applied. I see a
>> dup of the chown changes in the do_install step.
>> Can you clarify?
>
> This patch is an alternative solution.
> You can choose whichever you prefer.
ok. Thanks for the clarification.

-armin
>
> Thanks,
> Zoltán
>
>>
>> -armin
>>> ---
>>>   recipes-scanners/clamav/clamav_0.104.0.bb | 9 +++++----
>>>   1 file changed, 5 insertions(+), 4 deletions(-)
>>>
>>> diff --git a/recipes-scanners/clamav/clamav_0.104.0.bb
>>> b/recipes-scanners/clamav/clamav_0.104.0.bb
>>> index 0d3a678..25123dc 100644
>>> --- a/recipes-scanners/clamav/clamav_0.104.0.bb
>>> +++ b/recipes-scanners/clamav/clamav_0.104.0.bb
>>> @@ -54,7 +54,7 @@ export OECMAKE_C_FLAGS += " -I${STAGING_INCDIR} -L
>>> ${RECIPE_SYSROOT}${nonarch_li
>>>     do_install:append () {
>>>       install -d ${D}/${sysconfdir}
>>> -    install -d ${D}/${localstatedir}/lib/clamav
>>> +    install -d -o ${CLAMAV_UID} -g ${CLAMAV_GID}
>>> ${D}/${localstatedir}/lib/clamav
>>>       install -d ${D}${sysconfdir}/clamav
>>> ${D}${sysconfdir}/default/volatiles
>>>         install -m 644 ${WORKDIR}/clamd.conf
>>> ${D}/${prefix}/${sysconfdir}
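
Review bot: the new `install -d -o ${CLAMAV_UID} -g ${CLAMAV_GID}` line only yields a clamav-owned directory if the clamav user and group resolve both when do_install runs and when the package that ships /var/lib/clamav is unpacked, and nothing in this hunk shows where that is guaranteed. The commit message says clamav-freshclam ships the directory and quotes the "user clamav does not exist - using root" fallback, so the fix rests entirely on the install ordering set up in the last hunk. Please add a comment next to this line stating that dependency, or have the package that ships the directory also be the one that creates the account, so a later change to the runtime dependencies does not silently return the database directory to root ownership.
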
>>> @@ -83,7 +83,6 @@ pkg_postinst:${PN} () {
>>>           elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then
>>>               ${sysconfdir}/init.d/populate-volatile.sh update
>>>           fi
>>> -        chown -R ${CLAMAV_UID}:${CLAMAV_GID}
>>> ${localstatedir}/lib/clamav
>>>       fi
>>>   }
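
Review bot: dropping `chown -R ${CLAMAV_UID}:${CLAMAV_GID} ${localstatedir}/lib/clamav` from pkg_postinst removes the only recursive ownership fix, while the replacement in do_install covers the directory itself and not its contents. The commit message notes that this chown did take effect on upgrade or reinstall, so devices already deployed with root-owned files under /var/lib/clamav would no longer be repaired by a package upgrade and freshclam could still fail to replace those files. Consider keeping the chown for the upgrade path, or state in the commit message why existing contents do not need it.
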
>>>   @@ -149,5 +148,7 @@ SYSTEMD_PACKAGES  = "${PN}-daemon
>>> ${PN}-freshclam"
>>>   SYSTEMD_SERVICE:${PN}-daemon = "clamav-daemon.service"
>>>   SYSTEMD_SERVICE:${PN}-freshclam = "clamav-freshclam.service"
>>>   -RDEPENDS:${PN} = "openssl ncurses-libncurses libxml2 libbz2
>>> ncurses-libtinfo curl libpcre2 clamav-freshclam clamav-libclamav"
>>> -RDEPENDS:${PN}-daemon = "clamav"
>>> +RDEPENDS:${PN} = "openssl ncurses-libncurses libxml2 libbz2
>>> ncurses-libtinfo curl libpcre2 clamav-libclamav"
>>> +RRECOMMENDS:${PN} = "clamav-freshclam"
>>> +RDEPENDS:${PN}-freshclam = "clamav"
>>> +RDEPENDS:${PN}-daemon = "clamav clamav-freshclam"
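
Review bot: moving clamav-freshclam from `RDEPENDS:${PN}` to `RRECOMMENDS:${PN}` means an image built with NO_RECOMMENDATIONS or with the package listed in BAD_RECOMMENDATIONS now gets clamav without the signature updater, which is a behaviour change for a scanner and is not mentioned in the commit message. The new `RDEPENDS:${PN}-daemon = "clamav clamav-freshclam"` keeps the updater for daemon installs only, so a clamav-only image is the case to call out. The added lines also hard-code `clamav` and `clamav-freshclam` where `${PN}` and `${PN}-freshclam` would match the variable names on the left-hand side.
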
>>
>>
>>
>> 
>>
>

