Opened 7 years ago

Last modified 6 years ago

#39435 assigned enhancement

clamav

Reported by: mroman@… Owned by: danielluke (Daniel J. Luke)
Priority: Normal Milestone:
Component: ports Version:
Keywords: haspatch Cc: petrrr, cooljeanius (Eric Gallager), jul_bsd@…
Port: clamav

Description

  • clamav fails to build if clamav user doesn't exist
    (not everyone wants to use clamav-server port)
  • create dir with virus database automatically: /share/clamav
  • configure clamav to run out of the box
  • set suid bit of freshclam to work with clamxav

Attachments (1)

Portfile-clamav.diff (2.6 KB) - added by mroman@… 7 years ago.

Change History (11)

Changed 7 years ago by mroman@…

Attachment: Portfile-clamav.diff added

comment:1 Changed 7 years ago by mf2k (Frank Schima)

Cc: geeklair.net:dluke removed
Keywords: haspatch added
Owner: changed from macports-tickets@… to dluke@…

Trac requires valid email addresses.

comment:2 Changed 7 years ago by mf2k (Frank Schima)

Type: changed from defect to enhancement
Version: 2.1.3

comment:3 Changed 7 years ago by danielluke (Daniel J. Luke)

I'll try to take a look at this this weekend (and try to incorporate as much as is reasonable) - a couple of thoughts though.

clamav should build without the clamav user (I haven't tested that specifically in a while, so upstream may have broken it). I'm not sure if the buildbot has a clamav user or not. The existing (lack of) setup was done on purpose, since there are a wide variety of ways one might want to use clamav. I don't think setting the suid bit is something we want to do at all.

comment:4 Changed 7 years ago by danielluke (Daniel J. Luke)

Owner: changed from dluke@… to dluke@…
Status: changed from new to assigned

comment:5 Changed 7 years ago by mroman@…

The freshclam.conf says it runs by default as the clamav user. So I was curious and deleted the clamav user and group using dscl. Rebuilding the port gave me a configure error.
The problem with not having a clamav user is that the end user has to manually edit .conf files and create ${prefix}/share/clamav with appropriate owner/group to enable freshclam to fetch virus definitions. But most users just use default settings. Besides, a separate clamav user account rather doesn't create any security risk.
If you look at clamav-server there is a big list of things for the user to do. Pretty nasty for me.
I am not sure about this suid bit, but I suppose it would not pose any additional security problem: it's just for freshclam and the clamav user doesn't have admin privileges after all.
Thank you for your response. I have just thought to make the configuration of this port a little easier.

comment:6 Changed 7 years ago by mroman@…

The documentation says that the check for the existence of the clamav account may be disabled when installing on an unprivileged user account: http://www.clamav.net/doc/latest/html/node13.html
Right now I don't have access to a Mac to check this.

comment:7 Changed 7 years ago by mroman@…

On second thoughts, probably using suid on freshclam isn't the best solution indeed; however, we could consider setting the owner and group of freshclam to "clamav" in post-destroot.

comment:8 Changed 7 years ago by petrrr

Cc: Peter.Danecek@… added

Cc Me!

comment:9 Changed 6 years ago by cooljeanius (Eric Gallager)

Cc: egall@… added

Cc Me!

comment:10 Changed 6 years ago by jul_bsd@…

Cc: jul_bsd@… added

Cc Me!