diff mbox series

[meta-security] clamav: Set clamav:clamav ownership on /var/lib/clamav in do_install

Message ID 20210926122553.387448-2-zboszor@pr.hu
State New

Commit Message

Böszörményi Zoltán Sept. 26, 2021, 12:25 p.m. UTC
From: Zoltán Böszörményi <zboszor@gmail.com>

Also, rearrange the runtime-dependencies a little so
clamav-freshclam is installed later than clamav.

The issue is that clamav-freshclam ships /var/lib/clamav
and the main clamav package uses chown in pkg_postinst to set
the ownership of this directory. But pkg_postinst is not
marked as "ontarget" so this chown only took effect when
upgrading or reinstalling the package.

So when clamav is part of an OS image out of the box, freshclamd
cannot populate this directory since it's running under the clamav
user.

Fix this by creating /var/lib/clamav with the proper ownership
in do_install and rearrange runtime-dependencies, so clamav-freshclam
RDEPENDS on clamav and clamav relaxes its runtime-dependency into
RRECOMMENDS so clamav-freshclam is installed later than clamav,
avoiding these warnings:

  Installing       : clamav-freshclam-...            487/1954
warning: user clamav does not exist - using root
warning: group clamav does not exist - using root

Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
---
 recipes-scanners/clamav/clamav_0.104.0.bb | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

Comments

akuster808 Sept. 26, 2021, 3:35 p.m. UTC | #1
On 9/26/21 5:25 AM, Zoltán Böszörményi wrote:
> From: Zoltán Böszörményi <zboszor@gmail.com>
>
> Also, rearrange the runtime-dependencies a little so
> clamav-freshclam is installed later than clamav.
>
> The issue is that clamav-freshclam ships /var/lib/clamav
> and the main clamav package uses chown in pkg_postinst to set
> the ownership of this directory. But pkg_postinst is not
> marked as "ontarget" so this chown only took effect when
> upgrading or reinstalling the package.
>
> So when clamav is part of an OS image out of the box, freshclamd
> cannot populate this directory since it's running under the clamav
> user.
>
> Fix this by creating /var/lib/clamav with the proper ownership
> in do_install and rearrange runtime-dependencies, so clamav-freshclam
> RDEPENDS on clamav and clamav relaxes its runtime-dependency into
> RRECOMMENDS so clamav-freshclam is installed later than clamav,
> avoiding these warnings:
>
>   Installing       : clamav-freshclam-...            487/1954
> warning: user clamav does not exist - using root
> warning: group clamav does not exist - using root
>
> Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
This patch does not apply if I have the previous one applied. I see a
dup of the chown changes in the do_install step.
Can you clarify?

-armin
> ---
>  recipes-scanners/clamav/clamav_0.104.0.bb | 9 +++++----
>  1 file changed, 5 insertions(+), 4 deletions(-)
>
> diff --git a/recipes-scanners/clamav/clamav_0.104.0.bb b/recipes-scanners/clamav/clamav_0.104.0.bb
> index 0d3a678..25123dc 100644
> --- a/recipes-scanners/clamav/clamav_0.104.0.bb
> +++ b/recipes-scanners/clamav/clamav_0.104.0.bb
> @@ -54,7 +54,7 @@ export OECMAKE_C_FLAGS += " -I${STAGING_INCDIR} -L ${RECIPE_SYSROOT}${nonarch_li
>  
>  do_install:append () {
>      install -d ${D}/${sysconfdir}
> -    install -d ${D}/${localstatedir}/lib/clamav
> +    install -d -o ${CLAMAV_UID} -g ${CLAMAV_GID} ${D}/${localstatedir}/lib/clamav
>      install -d ${D}${sysconfdir}/clamav ${D}${sysconfdir}/default/volatiles
>  
>      install -m 644 ${WORKDIR}/clamd.conf ${D}/${prefix}/${sysconfdir}
> @@ -83,7 +83,6 @@ pkg_postinst:${PN} () {
>          elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then
>              ${sysconfdir}/init.d/populate-volatile.sh update
>          fi
> -        chown -R ${CLAMAV_UID}:${CLAMAV_GID} ${localstatedir}/lib/clamav
>      fi
>  }
>  
> @@ -149,5 +148,7 @@ SYSTEMD_PACKAGES  = "${PN}-daemon ${PN}-freshclam"
>  SYSTEMD_SERVICE:${PN}-daemon = "clamav-daemon.service"
>  SYSTEMD_SERVICE:${PN}-freshclam = "clamav-freshclam.service"
>  
> -RDEPENDS:${PN} = "openssl ncurses-libncurses libxml2 libbz2 ncurses-libtinfo curl libpcre2 clamav-freshclam clamav-libclamav"
> -RDEPENDS:${PN}-daemon = "clamav"
> +RDEPENDS:${PN} = "openssl ncurses-libncurses libxml2 libbz2 ncurses-libtinfo curl libpcre2 clamav-libclamav"
> +RRECOMMENDS:${PN} = "clamav-freshclam"
> +RDEPENDS:${PN}-freshclam = "clamav"
> +RDEPENDS:${PN}-daemon = "clamav clamav-freshclam"
Böszörményi Zoltán Sept. 26, 2021, 3:56 p.m. UTC | #2
On 2021. 09. 26. 17:35, Armin Kuster wrote:
> 
> 
> On 9/26/21 5:25 AM, Zoltán Böszörményi wrote:
>> From: Zoltán Böszörményi <zboszor@gmail.com>
>>
>> Also, rearrange the runtime-dependencies a little so
>> clamav-freshclam is installed later than clamav.
>>
>> The issue is that clamav-freshclam ships /var/lib/clamav
>> and the main clamav package uses chown in pkg_postinst to set
>> the ownership of this directory. But pkg_postinst is not
>> marked as "ontarget" so this chown only took effect when
>> upgrading or reinstalling the package.
>>
>> So when clamav is part of an OS image out of the box, freshclamd
>> cannot populate this directory since it's running under the clamav
>> user.
>>
>> Fix this by creating /var/lib/clamav with the proper ownership
>> in do_install and rearrange runtime-dependencies, so clamav-freshclam
>> RDEPENDS on clamav and clamav relaxes its runtime-dependency into
>> RRECOMMENDS so clamav-freshclam is installed later than clamav,
>> avoiding these warnings:
>>
>>    Installing       : clamav-freshclam-...            487/1954
>> warning: user clamav does not exist - using root
>> warning: group clamav does not exist - using root
>>
>> Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
> This patch does not apply if I have the previous one applied. I see a
> dup of the chown changes in the do_install step.
> Can you clarify?

This patch is an alternative solution.
You can choose whichever you prefer.

Thanks,
Zoltán

> 
> -armin
>> ---
>>   recipes-scanners/clamav/clamav_0.104.0.bb | 9 +++++----
>>   1 file changed, 5 insertions(+), 4 deletions(-)
>>
>> diff --git a/recipes-scanners/clamav/clamav_0.104.0.bb b/recipes-scanners/clamav/clamav_0.104.0.bb
>> index 0d3a678..25123dc 100644
>> --- a/recipes-scanners/clamav/clamav_0.104.0.bb
>> +++ b/recipes-scanners/clamav/clamav_0.104.0.bb
>> @@ -54,7 +54,7 @@ export OECMAKE_C_FLAGS += " -I${STAGING_INCDIR} -L ${RECIPE_SYSROOT}${nonarch_li
>>   
>>   do_install:append () {
>>       install -d ${D}/${sysconfdir}
>> -    install -d ${D}/${localstatedir}/lib/clamav
>> +    install -d -o ${CLAMAV_UID} -g ${CLAMAV_GID} ${D}/${localstatedir}/lib/clamav
>>       install -d ${D}${sysconfdir}/clamav ${D}${sysconfdir}/default/volatiles
>>   
>>       install -m 644 ${WORKDIR}/clamd.conf ${D}/${prefix}/${sysconfdir}
>> @@ -83,7 +83,6 @@ pkg_postinst:${PN} () {
>>           elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then
>>               ${sysconfdir}/init.d/populate-volatile.sh update
>>           fi
>> -        chown -R ${CLAMAV_UID}:${CLAMAV_GID} ${localstatedir}/lib/clamav
>>       fi
>>   }
>>   
>> @@ -149,5 +148,7 @@ SYSTEMD_PACKAGES  = "${PN}-daemon ${PN}-freshclam"
>>   SYSTEMD_SERVICE:${PN}-daemon = "clamav-daemon.service"
>>   SYSTEMD_SERVICE:${PN}-freshclam = "clamav-freshclam.service"
>>   
>> -RDEPENDS:${PN} = "openssl ncurses-libncurses libxml2 libbz2 ncurses-libtinfo curl libpcre2 clamav-freshclam clamav-libclamav"
>> -RDEPENDS:${PN}-daemon = "clamav"
>> +RDEPENDS:${PN} = "openssl ncurses-libncurses libxml2 libbz2 ncurses-libtinfo curl libpcre2 clamav-libclamav"
>> +RRECOMMENDS:${PN} = "clamav-freshclam"
>> +RDEPENDS:${PN}-freshclam = "clamav"
>> +RDEPENDS:${PN}-daemon = "clamav clamav-freshclam"
akuster808 Sept. 26, 2021, 4:01 p.m. UTC | #3
On 9/26/21 8:56 AM, Böszörményi Zoltán wrote:
> On 2021. 09. 26. 17:35, Armin Kuster wrote:
>>
>>
>> On 9/26/21 5:25 AM, Zoltán Böszörményi wrote:
>>> From: Zoltán Böszörményi <zboszor@gmail.com>
>>>
>>> Also, rearrange the runtime-dependencies a little so
>>> clamav-freshclam is installed later than clamav.
>>>
>>> The issue is that clamav-freshclam ships /var/lib/clamav
>>> and the main clamav package uses chown in pkg_postinst to set
>>> the ownership of this directory. But pkg_postinst is not
>>> marked as "ontarget" so this chown only took effect when
>>> upgrading or reinstalling the package.
>>>
>>> So when clamav is part of an OS image out of the box, freshclamd
>>> cannot populate this directory since it's running under the clamav
>>> user.
>>>
>>> Fix this by creating /var/lib/clamav with the proper ownership
>>> in do_install and rearrange runtime-dependencies, so clamav-freshclam
>>> RDEPENDS on clamav and clamav relaxes its runtime-dependency into
>>> RRECOMMENDS so clamav-freshclam is installed later than clamav,
>>> avoiding these warnings:
>>>
>>>    Installing       : clamav-freshclam-...            487/1954
>>> warning: user clamav does not exist - using root
>>> warning: group clamav does not exist - using root
>>>
>>> Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
>> This patch does not apply if I have the previous one applied. I see a
>> dup of the chown changes in the do_install step.
>> Can you clarify?
>
> This patch is an alternative solution.
> You can choose whichever you prefer.
ok. Thanks for the clarification.

-armin
>
> Thanks,
> Zoltán
>
>>
>> -armin
>>> ---
>>>   recipes-scanners/clamav/clamav_0.104.0.bb | 9 +++++----
>>>   1 file changed, 5 insertions(+), 4 deletions(-)
>>>
>>> diff --git a/recipes-scanners/clamav/clamav_0.104.0.bb
>>> b/recipes-scanners/clamav/clamav_0.104.0.bb
>>> index 0d3a678..25123dc 100644
>>> --- a/recipes-scanners/clamav/clamav_0.104.0.bb
>>> +++ b/recipes-scanners/clamav/clamav_0.104.0.bb
>>> @@ -54,7 +54,7 @@ export OECMAKE_C_FLAGS += " -I${STAGING_INCDIR} -L
>>> ${RECIPE_SYSROOT}${nonarch_li
>>>     do_install:append () {
>>>       install -d ${D}/${sysconfdir}
>>> -    install -d ${D}/${localstatedir}/lib/clamav
>>> +    install -d -o ${CLAMAV_UID} -g ${CLAMAV_GID}
>>> ${D}/${localstatedir}/lib/clamav
>>>       install -d ${D}${sysconfdir}/clamav
>>> ${D}${sysconfdir}/default/volatiles
>>>         install -m 644 ${WORKDIR}/clamd.conf
>>> ${D}/${prefix}/${sysconfdir}
>>> @@ -83,7 +83,6 @@ pkg_postinst:${PN} () {
>>>           elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then
>>>               ${sysconfdir}/init.d/populate-volatile.sh update
>>>           fi
>>> -        chown -R ${CLAMAV_UID}:${CLAMAV_GID}
>>> ${localstatedir}/lib/clamav
>>>       fi
>>>   }
>>>   @@ -149,5 +148,7 @@ SYSTEMD_PACKAGES  = "${PN}-daemon
>>> ${PN}-freshclam"
>>>   SYSTEMD_SERVICE:${PN}-daemon = "clamav-daemon.service"
>>>   SYSTEMD_SERVICE:${PN}-freshclam = "clamav-freshclam.service"
>>>   -RDEPENDS:${PN} = "openssl ncurses-libncurses libxml2 libbz2
>>> ncurses-libtinfo curl libpcre2 clamav-freshclam clamav-libclamav"
>>> -RDEPENDS:${PN}-daemon = "clamav"
>>> +RDEPENDS:${PN} = "openssl ncurses-libncurses libxml2 libbz2
>>> ncurses-libtinfo curl libpcre2 clamav-libclamav"
>>> +RRECOMMENDS:${PN} = "clamav-freshclam"
>>> +RDEPENDS:${PN}-freshclam = "clamav"
>>> +RDEPENDS:${PN}-daemon = "clamav clamav-freshclam"
akuster808 Sept. 28, 2021, 11:30 p.m. UTC | #4
merged.


On 9/26/21 5:25 AM, Zoltán Böszörményi wrote:
> From: Zoltán Böszörményi <zboszor@gmail.com>
>
> Also, rearrange the runtime-dependencies a little so
> clamav-freshclam is installed later than clamav.
>
> The issue is that clamav-freshclam ships /var/lib/clamav
> and the main clamav package uses chown in pkg_postinst to set
> the ownership of this directory. But pkg_postinst is not
> marked as "ontarget" so this chown only took effect when
> upgrading or reinstalling the package.
>
> So when clamav is part of an OS image out of the box, freshclamd
> cannot populate this directory since it's running under the clamav
> user.
>
> Fix this by creating /var/lib/clamav with the proper ownership
> in do_install and rearrange runtime-dependencies, so clamav-freshclam
> RDEPENDS on clamav and clamav relaxes its runtime-dependency into
> RRECOMMENDS so clamav-freshclam is installed later than clamav,
> avoiding these warnings:
>
>   Installing       : clamav-freshclam-...            487/1954
> warning: user clamav does not exist - using root
> warning: group clamav does not exist - using root
>
> Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
> ---
>  recipes-scanners/clamav/clamav_0.104.0.bb | 9 +++++----
>  1 file changed, 5 insertions(+), 4 deletions(-)
>
> diff --git a/recipes-scanners/clamav/clamav_0.104.0.bb b/recipes-scanners/clamav/clamav_0.104.0.bb
> index 0d3a678..25123dc 100644
> --- a/recipes-scanners/clamav/clamav_0.104.0.bb
> +++ b/recipes-scanners/clamav/clamav_0.104.0.bb
> @@ -54,7 +54,7 @@ export OECMAKE_C_FLAGS += " -I${STAGING_INCDIR} -L ${RECIPE_SYSROOT}${nonarch_li
>  
>  do_install:append () {
>      install -d ${D}/${sysconfdir}
> -    install -d ${D}/${localstatedir}/lib/clamav
> +    install -d -o ${CLAMAV_UID} -g ${CLAMAV_GID} ${D}/${localstatedir}/lib/clamav
>      install -d ${D}${sysconfdir}/clamav ${D}${sysconfdir}/default/volatiles
>  
>      install -m 644 ${WORKDIR}/clamd.conf ${D}/${prefix}/${sysconfdir}
> @@ -83,7 +83,6 @@ pkg_postinst:${PN} () {
>          elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then
>              ${sysconfdir}/init.d/populate-volatile.sh update
>          fi
> -        chown -R ${CLAMAV_UID}:${CLAMAV_GID} ${localstatedir}/lib/clamav
>      fi
>  }
>  
> @@ -149,5 +148,7 @@ SYSTEMD_PACKAGES  = "${PN}-daemon ${PN}-freshclam"
>  SYSTEMD_SERVICE:${PN}-daemon = "clamav-daemon.service"
>  SYSTEMD_SERVICE:${PN}-freshclam = "clamav-freshclam.service"
>  
> -RDEPENDS:${PN} = "openssl ncurses-libncurses libxml2 libbz2 ncurses-libtinfo curl libpcre2 clamav-freshclam clamav-libclamav"
> -RDEPENDS:${PN}-daemon = "clamav"
> +RDEPENDS:${PN} = "openssl ncurses-libncurses libxml2 libbz2 ncurses-libtinfo curl libpcre2 clamav-libclamav"
> +RRECOMMENDS:${PN} = "clamav-freshclam"
> +RDEPENDS:${PN}-freshclam = "clamav"
> +RDEPENDS:${PN}-daemon = "clamav clamav-freshclam"

Patch

diff --git a/recipes-scanners/clamav/clamav_0.104.0.bb b/recipes-scanners/clamav/clamav_0.104.0.bb
index 0d3a678..25123dc 100644
--- a/recipes-scanners/clamav/clamav_0.104.0.bb
+++ b/recipes-scanners/clamav/clamav_0.104.0.bb
@@ -54,7 +54,7 @@  export OECMAKE_C_FLAGS += " -I${STAGING_INCDIR} -L ${RECIPE_SYSROOT}${nonarch_li
 
 do_install:append () {
     install -d ${D}/${sysconfdir}
-    install -d ${D}/${localstatedir}/lib/clamav
+    install -d -o ${CLAMAV_UID} -g ${CLAMAV_GID} ${D}/${localstatedir}/lib/clamav
     install -d ${D}${sysconfdir}/clamav ${D}${sysconfdir}/default/volatiles
 
     install -m 644 ${WORKDIR}/clamd.conf ${D}/${prefix}/${sysconfdir}
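Review bot: the added `install -d -o ${CLAMAV_UID} -g ${CLAMAV_GID}` line in do_install:append resolves the owner and group at build time, but nothing in this hunk shows that the clamav user and group exist in the build environment when do_install runs. Please confirm that in the commit message or with a comment above the line, because a failed lookup here either breaks the build or packages the directory with the wrong owner. The ownership recorded in the package is also only honoured on the target if the clamav account exists before clamav-freshclam is unpacked, which this patch handles only through the dependency change in the last hunk, so a short comment tying the two together would help. An explicit `-m 0755` (or a tighter mode) would also document the intended permissions on the signature database directory instead of relying on the default of install.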
@@ -83,7 +83,6 @@  pkg_postinst:${PN} () {
         elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then
             ${sysconfdir}/init.d/populate-volatile.sh update
         fi
-        chown -R ${CLAMAV_UID}:${CLAMAV_GID} ${localstatedir}/lib/clamav
     fi
 }
 
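Review bot: the removed `chown -R ${CLAMAV_UID}:${CLAMAV_GID} ${localstatedir}/lib/clamav` in pkg_postinst was recursive, while its replacement in do_install only sets ownership on the directory itself. On a system that is upgraded rather than freshly imaged, any files already inside /var/lib/clamav with root ownership will no longer be corrected, and freshclam running as the clamav user may be unable to replace them. Either keep a fix-up for existing contents (the commit message already notes the postinst was not marked "ontarget") or state in the commit message that upgrades from an affected image need a manual chown.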
@@ -149,5 +148,7 @@  SYSTEMD_PACKAGES  = "${PN}-daemon ${PN}-freshclam"
 SYSTEMD_SERVICE:${PN}-daemon = "clamav-daemon.service"
 SYSTEMD_SERVICE:${PN}-freshclam = "clamav-freshclam.service"
 
-RDEPENDS:${PN} = "openssl ncurses-libncurses libxml2 libbz2 ncurses-libtinfo curl libpcre2 clamav-freshclam clamav-libclamav"
-RDEPENDS:${PN}-daemon = "clamav"
+RDEPENDS:${PN} = "openssl ncurses-libncurses libxml2 libbz2 ncurses-libtinfo curl libpcre2 clamav-libclamav"
+RRECOMMENDS:${PN} = "clamav-freshclam"
+RDEPENDS:${PN}-freshclam = "clamav"
+RDEPENDS:${PN}-daemon = "clamav clamav-freshclam"
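Review bot: demoting clamav-freshclam to `RRECOMMENDS:${PN}` means an image built with recommendations disabled (NO_RECOMMENDATIONS or BAD_RECOMMENDATIONS) gets clamav without freshclam, and, since the commit message says clamav-freshclam is the package that ships /var/lib/clamav, without the database directory or signature updates either. Only `${PN}-daemon` still pulls freshclam in as a hard dependency. Please document that behaviour change in the commit message, or consider shipping the directory from a package that is always installed. As a style point, the new values hardcode "clamav" and "clamav-freshclam" where the rest of the recipe uses ${PN}; `RDEPENDS:${PN}-freshclam = "${PN}"` and `RDEPENDS:${PN}-daemon = "${PN} ${PN}-freshclam"` would stay correct if the recipe is renamed or extended.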