* Cover mail for "clamav: Set clamav:clamav ownership on /var/lib/clamav in do_install"
From: Zoltan Boszormenyi @ 2021-09-26 12:25 UTC
To: yocto, openembedded-core, Armin Kuster, Khem Raj
Cc: Zoltán Böszörményi

Hi,

this is what Khem suggested.
Please review.

Thanks in advance,
Zoltán Böszörményi

* [meta-security][PATCH] clamav: Set clamav:clamav ownership on /var/lib/clamav in do_install
From: Zoltan Boszormenyi @ 2021-09-26 12:25 UTC
To: yocto, openembedded-core, Armin Kuster, Khem Raj
Cc: Zoltán Böszörményi

From: Zoltán Böszörményi <zboszor@gmail.com>

Also, rearrange the runtime-dependencies a little so
clamav-freshclam is installed later than clamav.

The issue is that clamav-freshclam ships /var/lib/clamav
and the main clamav package uses chown in pkg_postinst to set
the ownership of this directory. But pkg_postinst is not
marked as "ontarget" so this chown only took effect when
upgrading or reinstalling the package.

So when clamav is part of an OS image out of the box, freshclamd
cannot populate this directory since it's running under the clamav
user.

Fix this by creating /var/lib/clamav with the proper ownership
in do_install and rearrange runtime-dependencies, so clamav-freshclam
RDEPENDS on clamav and clamav relaxes its runtime-dependency into
RRECOMMENDS so clamav-freshclam is installed later than clamav,
avoiding these warnings:

Installing : clamav-freshclam-... 487/1954
warning: user clamav does not exist - using root
warning: group clamav does not exist - using root

Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
---
 recipes-scanners/clamav/clamav_0.104.0.bb | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/recipes-scanners/clamav/clamav_0.104.0.bb b/recipes-scanners/clamav/clamav_0.104.0.bb
index 0d3a678..25123dc 100644
--- a/recipes-scanners/clamav/clamav_0.104.0.bb
+++ b/recipes-scanners/clamav/clamav_0.104.0.bb
@@ -54,7 +54,7 @@ export OECMAKE_C_FLAGS += " -I${STAGING_INCDIR} -L ${RECIPE_SYSROOT}${nonarch_li do_install:append () { install -d ${D}/${sysconfdir} - install -d ${D}/${localstatedir}/lib/clamav + install -d -o ${CLAMAV_UID} -g ${CLAMAV_GID} ${D}/${localstatedir}/lib/clamav install -d ${D}${sysconfdir}/clamav ${D}${sysconfdir}/default/volatiles install -m 644 ${WORKDIR}/clamd.conf ${D}/${prefix}/${sysconfdir} @@ -83,7 +83,6 @@ pkg_postinst:${PN} () { elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then ${sysconfdir}/init.d/populate-volatile.sh update fi - chown -R ${CLAMAV_UID}:${CLAMAV_GID} ${localstatedir}/lib/clamav fi } @@ -149,5 +148,7 @@ SYSTEMD_PACKAGES = "${PN}-daemon ${PN}-freshclam" SYSTEMD_SERVICE:${PN}-daemon = "clamav-daemon.service" SYSTEMD_SERVICE:${PN}-freshclam = "clamav-freshclam.service" -RDEPENDS:${PN} = "openssl ncurses-libncurses libxml2 libbz2 ncurses-libtinfo curl libpcre2 clamav-freshclam clamav-libclamav" -RDEPENDS:${PN}-daemon = "clamav" +RDEPENDS:${PN} = "openssl ncurses-libncurses libxml2 libbz2 ncurses-libtinfo curl libpcre2 clamav-libclamav" +RRECOMMENDS:${PN} = "clamav-freshclam" +RDEPENDS:${PN}-freshclam = "clamav" +RDEPENDS:${PN}-daemon = "clamav clamav-freshclam" -- 2.31.1 ^ permalink raw reply related [flat|nested] 6+ messages in thread
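Review bot: In the do_install:append hunk, the new `install -d -o ${CLAMAV_UID} -g ${CLAMAV_GID}` line sets no mode, so the permissions of the signature database directory are left to the install default; since this line is now the only place the directory's ownership is defined, give it an explicit `-m` as well. The owner and group also have to resolve when do_install runs at build time, and the visible context does not show the clamav user and group being made available to the package that ships the directory, which the commit message says is clamav-freshclam. Please confirm that, because the warning quoted in the commit message shows that the fallback is root ownership.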
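Review bot: In the pkg_postinst:${PN} hunk, dropping `chown -R ${CLAMAV_UID}:${CLAMAV_GID} ${localstatedir}/lib/clamav` removes the only step that repaired ownership of files already inside the directory. The commit message says this chown did take effect on upgrade or reinstall, and the new `install -o/-g` line in do_install only covers the directory itself, so a device upgraded from an image where contents ended up owned by root keeps those files as they are. Either keep a recursive chown on the on-target path for upgrades or state in the commit message why existing contents cannot be root-owned.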
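Review bot: In the last hunk, moving clamav-freshclam from RDEPENDS:${PN} to RRECOMMENDS:${PN} makes the signature updater optional for the main package, and the commit message only presents this as an install-ordering fix. An image that installs clamav without clamav-daemon and with recommendations disabled (NO_RECOMMENDATIONS or BAD_RECOMMENDATIONS) would now ship the scanner with no freshclam to fetch signatures. Call that out in the commit message, or keep the hard dependency and solve the ordering another way. As a style point, the added values hard-code `clamav` and `clamav-freshclam` while the variable overrides use ${PN}; `RDEPENDS:${PN}-freshclam = "${PN}"` would keep the two in step.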
* Re: [meta-security][PATCH] clamav: Set clamav:clamav ownership on /var/lib/clamav in do_install
From: Armin Kuster @ 2021-09-26 15:35 UTC
To: Zoltán Böszörményi, yocto, openembedded-core, Khem Raj
Cc: Zoltán Böszörményi

On 9/26/21 5:25 AM, Zoltán Böszörményi wrote:
> From: Zoltán Böszörményi <zboszor@gmail.com>
>
> Also, rearrange the runtime-dependencies a little so
> clamav-freshclam is installed later than clamav.
>
> The issue is that clamav-freshclam ships /var/lib/clamav
> and the main clamav package uses chown in pkg_postinst to set
> the ownership of this directory. But pkg_postinst is not
> marked as "ontarget" so this chown only took effect when
> upgrading or reinstalling the package.
>
> So when clamav is part of an OS image out of the box, freshclamd
> cannot populate this directory since it's running under the clamav
> user.
>
> Fix this by creating /var/lib/clamav with the proper ownership
> in do_install and rearrange runtime-dependencies, so clamav-freshclam
> RDEPENDS on clamav and clamav relaxes its runtime-dependency into
> RRECOMMENDS so clamav-freshclam is installed later than clamav,
> avoiding these warnings:
>
> Installing : clamav-freshclam-... 487/1954
> warning: user clamav does not exist - using root
> warning: group clamav does not exist - using root
>
> Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>

This patch does not apply if I have the previous one applied. I see a
dup of the chown changes in the do_install step.
Can you clarify?

-armin

> ---
> recipes-scanners/clamav/clamav_0.104.0.bb | 9 +++++----
> 1 file changed, 5 insertions(+), 4 deletions(-)
> > diff --git a/recipes-scanners/clamav/clamav_0.104.0.bb b/recipes-scanners/clamav/clamav_0.104.0.bb > index 0d3a678..25123dc 100644 > --- a/recipes-scanners/clamav/clamav_0.104.0.bb > +++ b/recipes-scanners/clamav/clamav_0.104.0.bb > @@ -54,7 +54,7 @@ export OECMAKE_C_FLAGS += " -I${STAGING_INCDIR} -L ${RECIPE_SYSROOT}${nonarch_li > > do_install:append () { > install -d ${D}/${sysconfdir} > - install -d ${D}/${localstatedir}/lib/clamav > + install -d -o ${CLAMAV_UID} -g ${CLAMAV_GID} ${D}/${localstatedir}/lib/clamav > install -d ${D}${sysconfdir}/clamav ${D}${sysconfdir}/default/volatiles > > install -m 644 ${WORKDIR}/clamd.conf ${D}/${prefix}/${sysconfdir} > @@ -83,7 +83,6 @@ pkg_postinst:${PN} () { > elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then > ${sysconfdir}/init.d/populate-volatile.sh update > fi > - chown -R ${CLAMAV_UID}:${CLAMAV_GID} ${localstatedir}/lib/clamav > fi > } > > @@ -149,5 +148,7 @@ SYSTEMD_PACKAGES = "${PN}-daemon ${PN}-freshclam" > SYSTEMD_SERVICE:${PN}-daemon = "clamav-daemon.service" > SYSTEMD_SERVICE:${PN}-freshclam = "clamav-freshclam.service" > > -RDEPENDS:${PN} = "openssl ncurses-libncurses libxml2 libbz2 ncurses-libtinfo curl libpcre2 clamav-freshclam clamav-libclamav" > -RDEPENDS:${PN}-daemon = "clamav" > +RDEPENDS:${PN} = "openssl ncurses-libncurses libxml2 libbz2 ncurses-libtinfo curl libpcre2 clamav-libclamav" > +RRECOMMENDS:${PN} = "clamav-freshclam" > +RDEPENDS:${PN}-freshclam = "clamav" > +RDEPENDS:${PN}-daemon = "clamav clamav-freshclam" ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [OE-core] [meta-security][PATCH] clamav: Set clamav:clamav ownership on /var/lib/clamav in do_install
From: Zoltan Boszormenyi @ 2021-09-26 15:56 UTC
To: Armin Kuster, yocto, openembedded-core, Khem Raj
Cc: Zoltán Böszörményi

On 2021. 09. 26. 17:35, Armin Kuster wrote:
>
>
> On 9/26/21 5:25 AM, Zoltán Böszörményi wrote:
>> From: Zoltán Böszörményi <zboszor@gmail.com>
>>
>> Also, rearrange the runtime-dependencies a little so
>> clamav-freshclam is installed later than clamav.
>>
>> The issue is that clamav-freshclam ships /var/lib/clamav
>> and the main clamav package uses chown in pkg_postinst to set
>> the ownership of this directory. But pkg_postinst is not
>> marked as "ontarget" so this chown only took effect when
>> upgrading or reinstalling the package.
>>
>> So when clamav is part of an OS image out of the box, freshclamd
>> cannot populate this directory since it's running under the clamav
>> user.
>>
>> Fix this by creating /var/lib/clamav with the proper ownership
>> in do_install and rearrange runtime-dependencies, so clamav-freshclam
>> RDEPENDS on clamav and clamav relaxes its runtime-dependency into
>> RRECOMMENDS so clamav-freshclam is installed later than clamav,
>> avoiding these warnings:
>>
>> Installing : clamav-freshclam-... 487/1954
>> warning: user clamav does not exist - using root
>> warning: group clamav does not exist - using root
>>
>> Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
> This patch does not apply if I have the previous one applied. I see a
> dup of the chown changes in the do_install step.
> Can you clarify?

This patch is an alternative solution.
You can choose whichever you prefer.

Thanks,
Zoltán

>
> -armin
>> ---
>> recipes-scanners/clamav/clamav_0.104.0.bb | 9 +++++----
>> 1 file changed, 5 insertions(+), 4 deletions(-)
>> >> diff --git a/recipes-scanners/clamav/clamav_0.104.0.bb b/recipes-scanners/clamav/clamav_0.104.0.bb >> index 0d3a678..25123dc 100644 >> --- a/recipes-scanners/clamav/clamav_0.104.0.bb >> +++ b/recipes-scanners/clamav/clamav_0.104.0.bb >> @@ -54,7 +54,7 @@ export OECMAKE_C_FLAGS += " -I${STAGING_INCDIR} -L ${RECIPE_SYSROOT}${nonarch_li >> >> do_install:append () { >> install -d ${D}/${sysconfdir} >> - install -d ${D}/${localstatedir}/lib/clamav >> + install -d -o ${CLAMAV_UID} -g ${CLAMAV_GID} ${D}/${localstatedir}/lib/clamav >> install -d ${D}${sysconfdir}/clamav ${D}${sysconfdir}/default/volatiles >> >> install -m 644 ${WORKDIR}/clamd.conf ${D}/${prefix}/${sysconfdir} >> @@ -83,7 +83,6 @@ pkg_postinst:${PN} () { >> elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then >> ${sysconfdir}/init.d/populate-volatile.sh update >> fi >> - chown -R ${CLAMAV_UID}:${CLAMAV_GID} ${localstatedir}/lib/clamav >> fi >> } >> >> @@ -149,5 +148,7 @@ SYSTEMD_PACKAGES = "${PN}-daemon ${PN}-freshclam" >> SYSTEMD_SERVICE:${PN}-daemon = "clamav-daemon.service" >> SYSTEMD_SERVICE:${PN}-freshclam = "clamav-freshclam.service" >> >> -RDEPENDS:${PN} = "openssl ncurses-libncurses libxml2 libbz2 ncurses-libtinfo curl libpcre2 clamav-freshclam clamav-libclamav" >> -RDEPENDS:${PN}-daemon = "clamav" >> +RDEPENDS:${PN} = "openssl ncurses-libncurses libxml2 libbz2 ncurses-libtinfo curl libpcre2 clamav-libclamav" >> +RRECOMMENDS:${PN} = "clamav-freshclam" >> +RDEPENDS:${PN}-freshclam = "clamav" >> +RDEPENDS:${PN}-daemon = "clamav clamav-freshclam" > > > > > ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [OE-core] [meta-security][PATCH] clamav: Set clamav:clamav ownership on /var/lib/clamav in do_install
From: Armin Kuster @ 2021-09-26 16:01 UTC
To: Böszörményi Zoltán, yocto, openembedded-core, Khem Raj
Cc: Zoltán Böszörményi

On 9/26/21 8:56 AM, Böszörményi Zoltán wrote:
> On 2021. 09. 26. 17:35, Armin Kuster wrote:
>>
>>
>> On 9/26/21 5:25 AM, Zoltán Böszörményi wrote:
>>> From: Zoltán Böszörményi <zboszor@gmail.com>
>>>
>>> Also, rearrange the runtime-dependencies a little so
>>> clamav-freshclam is installed later than clamav.
>>>
>>> The issue is that clamav-freshclam ships /var/lib/clamav
>>> and the main clamav package uses chown in pkg_postinst to set
>>> the ownership of this directory. But pkg_postinst is not
>>> marked as "ontarget" so this chown only took effect when
>>> upgrading or reinstalling the package.
>>>
>>> So when clamav is part of an OS image out of the box, freshclamd
>>> cannot populate this directory since it's running under the clamav
>>> user.
>>>
>>> Fix this by creating /var/lib/clamav with the proper ownership
>>> in do_install and rearrange runtime-dependencies, so clamav-freshclam
>>> RDEPENDS on clamav and clamav relaxes its runtime-dependency into
>>> RRECOMMENDS so clamav-freshclam is installed later than clamav,
>>> avoiding these warnings:
>>>
>>> Installing : clamav-freshclam-... 487/1954
>>> warning: user clamav does not exist - using root
>>> warning: group clamav does not exist - using root
>>> >>> Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com> >> This patch does not apply if I have the previous one applied. I see a >> dup of the chown changes in the do_install step. >> Can you clarify? > > This patch is an alternative solution. > You can choose whichever you prefer. ok. Thanks for the clarification. -armin > > Thanks, > Zoltán > >> >> -armin >>> --- >>> recipes-scanners/clamav/clamav_0.104.0.bb | 9 +++++---- >>> 1 file changed, 5 insertions(+), 4 deletions(-) >>> >>> diff --git a/recipes-scanners/clamav/clamav_0.104.0.bb >>> b/recipes-scanners/clamav/clamav_0.104.0.bb >>> index 0d3a678..25123dc 100644 >>> --- a/recipes-scanners/clamav/clamav_0.104.0.bb >>> +++ b/recipes-scanners/clamav/clamav_0.104.0.bb >>> @@ -54,7 +54,7 @@ export OECMAKE_C_FLAGS += " -I${STAGING_INCDIR} -L >>> ${RECIPE_SYSROOT}${nonarch_li >>> do_install:append () { >>> install -d ${D}/${sysconfdir} >>> - install -d ${D}/${localstatedir}/lib/clamav >>> + install -d -o ${CLAMAV_UID} -g ${CLAMAV_GID} >>> ${D}/${localstatedir}/lib/clamav >>> install -d ${D}${sysconfdir}/clamav >>> ${D}${sysconfdir}/default/volatiles >>> install -m 644 ${WORKDIR}/clamd.conf >>> ${D}/${prefix}/${sysconfdir} >>> @@ -83,7 +83,6 @@ pkg_postinst:${PN} () { >>> elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then >>> ${sysconfdir}/init.d/populate-volatile.sh update >>> fi >>> - chown -R ${CLAMAV_UID}:${CLAMAV_GID} >>> ${localstatedir}/lib/clamav >>> fi >>> } 
>>> @@ -149,5 +148,7 @@ SYSTEMD_PACKAGES = "${PN}-daemon >>> ${PN}-freshclam" >>> SYSTEMD_SERVICE:${PN}-daemon = "clamav-daemon.service" >>> SYSTEMD_SERVICE:${PN}-freshclam = "clamav-freshclam.service" >>> -RDEPENDS:${PN} = "openssl ncurses-libncurses libxml2 libbz2 >>> ncurses-libtinfo curl libpcre2 clamav-freshclam clamav-libclamav" >>> -RDEPENDS:${PN}-daemon = "clamav" >>> +RDEPENDS:${PN} = "openssl ncurses-libncurses libxml2 libbz2 >>> ncurses-libtinfo curl libpcre2 clamav-libclamav" >>> +RRECOMMENDS:${PN} = "clamav-freshclam" >>> +RDEPENDS:${PN}-freshclam = "clamav" >>> +RDEPENDS:${PN}-daemon = "clamav clamav-freshclam" >> >> >> >> >> > ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [meta-security][PATCH] clamav: Set clamav:clamav ownership on /var/lib/clamav in do_install
From: Armin Kuster @ 2021-09-28 23:30 UTC
To: Zoltán Böszörményi, yocto, openembedded-core, Khem Raj
Cc: Zoltán Böszörményi

merged.

On 9/26/21 5:25 AM, Zoltán Böszörményi wrote:
> From: Zoltán Böszörményi <zboszor@gmail.com>
>
> Also, rearrange the runtime-dependencies a little so
> clamav-freshclam is installed later than clamav.
>
> The issue is that clamav-freshclam ships /var/lib/clamav
> and the main clamav package uses chown in pkg_postinst to set
> the ownership of this directory. But pkg_postinst is not
> marked as "ontarget" so this chown only took effect when
> upgrading or reinstalling the package.
>
> So when clamav is part of an OS image out of the box, freshclamd
> cannot populate this directory since it's running under the clamav
> user.
>
> Fix this by creating /var/lib/clamav with the proper ownership
> in do_install and rearrange runtime-dependencies, so clamav-freshclam
> RDEPENDS on clamav and clamav relaxes its runtime-dependency into
> RRECOMMENDS so clamav-freshclam is installed later than clamav,
> avoiding these warnings:
>
> Installing : clamav-freshclam-... 487/1954
> warning: user clamav does not exist - using root
> warning: group clamav does not exist - using root
>
> Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
> ---
> recipes-scanners/clamav/clamav_0.104.0.bb | 9 +++++----
> 1 file changed, 5 insertions(+), 4 deletions(-)
>
> diff --git a/recipes-scanners/clamav/clamav_0.104.0.bb b/recipes-scanners/clamav/clamav_0.104.0.bb
> index 0d3a678..25123dc 100644
> --- a/recipes-scanners/clamav/clamav_0.104.0.bb
> +++ b/recipes-scanners/clamav/clamav_0.104.0.bb
> @@ -54,7 +54,7 @@ export OECMAKE_C_FLAGS += " -I${STAGING_INCDIR} -L ${RECIPE_SYSROOT}${nonarch_li > > do_install:append () { > install -d ${D}/${sysconfdir} > - install -d ${D}/${localstatedir}/lib/clamav > + install -d -o ${CLAMAV_UID} -g ${CLAMAV_GID} ${D}/${localstatedir}/lib/clamav > install -d ${D}${sysconfdir}/clamav ${D}${sysconfdir}/default/volatiles > > install -m 644 ${WORKDIR}/clamd.conf ${D}/${prefix}/${sysconfdir} > @@ -83,7 +83,6 @@ pkg_postinst:${PN} () { > elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then > ${sysconfdir}/init.d/populate-volatile.sh update > fi > - chown -R ${CLAMAV_UID}:${CLAMAV_GID} ${localstatedir}/lib/clamav > fi > } > > @@ -149,5 +148,7 @@ SYSTEMD_PACKAGES = "${PN}-daemon ${PN}-freshclam" > SYSTEMD_SERVICE:${PN}-daemon = "clamav-daemon.service" > SYSTEMD_SERVICE:${PN}-freshclam = "clamav-freshclam.service" > > -RDEPENDS:${PN} = "openssl ncurses-libncurses libxml2 libbz2 ncurses-libtinfo curl libpcre2 clamav-freshclam clamav-libclamav" > -RDEPENDS:${PN}-daemon = "clamav" > +RDEPENDS:${PN} = "openssl ncurses-libncurses libxml2 libbz2 ncurses-libtinfo curl libpcre2 clamav-libclamav" > +RRECOMMENDS:${PN} = "clamav-freshclam" > +RDEPENDS:${PN}-freshclam = "clamav" > +RDEPENDS:${PN}-daemon = "clamav clamav-freshclam" ^ permalink raw reply [flat|nested] 6+ messages in thread