From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: Re: [OE-core] [meta-security][PATCH] clamav: Set clamav:clamav ownership on /var/lib/clamav in do_install
References: <20210926050321.314479-1-zboszor@pr.hu> <20210926122553.387448-1-zboszor@pr.hu> <20210926122553.387448-2-zboszor@pr.hu> <65749bc7-3235-9dd5-db51-b54377d88020@pr.hu>
From: "Armin Kuster"
Message-ID: <13f1e4fa-9507-e0f2-9fd0-ced0489948ce@gmail.com>
Date: Sun, 26 Sep 2021 09:01:37 -0700
In-Reply-To: <65749bc7-3235-9dd5-db51-b54377d88020@pr.hu>
To: Böszörményi Zoltán, yocto@lists.yoctoproject.org, openembedded-core@lists.openembedded.org, Khem Raj
Cc: Zoltán Böszörményi

On 9/26/21 8:56 AM, Böszörményi Zoltán wrote:
> On 2021. 09. 26. 17:35, Armin Kuster wrote:
>>
>>
>> On 9/26/21 5:25 AM, Zoltán Böszörményi wrote:
>>> From: Zoltán Böszörményi >>> >>> Also, rearrange the runtime-dependencies a little so >>> clamav-freshclam is installed later than clamav. >>> >>> The issue is that clamav-freshclam ships /var/lib/clamav >>> and the main clamav package uses chown in pkg_postinst to set >>> the ownership of this directory. But pkg_postinst is not >>> marked as "ontarget" so this chown only took effect when >>> upgrading or reinstalling the package. >>> >>> So when clamav is part of an OS image out of the box, freshclamd >>> cannot populate this directory since it's running under the clamav >>> user. >>> >>> Fix this by creating /var/lib/clamav with the proper ownership >>> in do_install and rearrange runtime-dependencies, so clamav-freshclam >>> RDEPENDS on clamav and clamav relaxes its runtime-dependency into >>> RRECOMMENDS so clamav-freshclam is installed later than clamav, >>> avoiding these warnings: >>> >>>    Installing       : clamav-freshclam-...            487/1954 >>> warning: user clamav does not exist - using root >>> warning: group clamav does not exist - using root >>> >>> Signed-off-by: Zoltán Böszörményi >> This patch does not apply if I have the previous one applied. I see a >> dup of the chown changes in the do_install step. >> Can you clarify? > > This patch is an alternative solution. > You can choose whichever you prefer. ok. Thanks for the clarification. -armin > > Thanks, > Zoltán > >> >> -armin >>> --- >>>   recipes-scanners/clamav/clamav_0.104.0.bb | 9 +++++---- >>>   1 file changed, 5 insertions(+), 4 deletions(-) >>> >>> diff --git a/recipes-scanners/clamav/clamav_0.104.0.bb >>> b/recipes-scanners/clamav/clamav_0.104.0.bb >>> index 0d3a678..25123dc 100644 >>> --- a/recipes-scanners/clamav/clamav_0.104.0.bb >>> +++ b/recipes-scanners/clamav/clamav_0.104.0.bb 
>>> @@ -54,7 +54,7 @@ export OECMAKE_C_FLAGS += " -I${STAGING_INCDIR} -L >>> ${RECIPE_SYSROOT}${nonarch_li >>>     do_install:append () { >>>       install -d ${D}/${sysconfdir} >>> -    install -d ${D}/${localstatedir}/lib/clamav >>> +    install -d -o ${CLAMAV_UID} -g ${CLAMAV_GID} >>> ${D}/${localstatedir}/lib/clamav >>>       install -d ${D}${sysconfdir}/clamav >>> ${D}${sysconfdir}/default/volatiles >>>         install -m 644 ${WORKDIR}/clamd.conf >>> ${D}/${prefix}/${sysconfdir} >>> @@ -83,7 +83,6 @@ pkg_postinst:${PN} () { >>>           elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then >>>               ${sysconfdir}/init.d/populate-volatile.sh update >>>           fi >>> -        chown -R ${CLAMAV_UID}:${CLAMAV_GID} >>> ${localstatedir}/lib/clamav >>>       fi >>>   } >>>   @@ -149,5 +148,7 @@ SYSTEMD_PACKAGES  = "${PN}-daemon >>> ${PN}-freshclam" >>>   SYSTEMD_SERVICE:${PN}-daemon = "clamav-daemon.service" >>>   SYSTEMD_SERVICE:${PN}-freshclam = "clamav-freshclam.service" >>>   -RDEPENDS:${PN} = "openssl ncurses-libncurses libxml2 libbz2 >>> ncurses-libtinfo curl libpcre2 clamav-freshclam clamav-libclamav" >>> -RDEPENDS:${PN}-daemon = "clamav" >>> +RDEPENDS:${PN} = "openssl ncurses-libncurses libxml2 libbz2 >>> ncurses-libtinfo curl libpcre2 clamav-libclamav" >>> +RRECOMMENDS:${PN} = "clamav-freshclam" >>> +RDEPENDS:${PN}-freshclam = "clamav" >>> +RDEPENDS:${PN}-daemon = "clamav clamav-freshclam" >> >> >> >> >> >
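Review bot: In the do_install:append hunk, `install -d -o ${CLAMAV_UID} -g ${CLAMAV_GID}` runs at build time under pseudo, so the ownership only ends up in the package if the clamav user and group already exist in the recipe sysroot when do_install runs (useradd class) or the two variables hold numeric ids; the hunk does not show which, and the commit message should say so, since the "user clamav does not exist - using root" warning it quotes is exactly what happens when the name cannot be resolved. Two smaller points: the new line keeps the `${D}/${localstatedir}` form with a doubled slash while the following `install -d ${D}${sysconfdir}/clamav` does not, so drop the extra `/` for consistency; and because the message states that clamav-freshclam, not ${PN}, ships /var/lib/clamav, confirm that FILES:${PN}-freshclam still picks up the directory so the recorded owner lands in that package's metadata.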
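Review bot: In the pkg_postinst:${PN} hunk, dropping `chown -R ${CLAMAV_UID}:${CLAMAV_GID} ${localstatedir}/lib/clamav` removes the only fallback for images where ${localstatedir}/lib is volatile and the directory is recreated at boot by the `populate-volatile.sh update` call that the hunk leaves in place; in that configuration the ownership set in do_install is not what freshclam sees at runtime. Check that the recipe's volatiles entry for this directory names clamav:clamav as owner, or keep the chown for that case, otherwise the permission problem the commit message describes reappears on tmpfs-backed /var.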
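Review bot: In the RDEPENDS hunk, `RDEPENDS:${PN}-daemon = "clamav clamav-freshclam"` turns freshclam into a hard dependency of the daemon package while ${PN} itself only RRECOMMENDS it; that is a behaviour change beyond the install-ordering fix the message describes (a daemon-only image built with recommendations disabled previously got no freshclam and now must have it), so either state that intent in the commit message or leave the daemon's dependency as `"clamav"`. It would also help to note that it is `RDEPENDS:${PN}-freshclam = "clamav"` that guarantees clamav (and its user) is installed before clamav-freshclam; `RRECOMMENDS:${PN} = "clamav-freshclam"` on its own orders nothing.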