This one time, at band camp, Paolo said:
> On Fri, Jan 12, 2007 at 01:01:29AM +0000, Stephen Gran wrote:
> > > start)
> > > + mkdir -p /var/run/clamav
> > > + chmod 0775 /var/run/clamav
> > > + chown root:clamav /var/run/clamav
> > > OPTIND=1
> >
> > I have so far stayed away from this issue, since it is quite possible to
> > have clamd and freshclam run as separate users, but they share both
> > /var/log/clamav and /var/run/clamav. The packaging so far tries very
>
> hm, ok - right now both daemons run as clamav:clamav, so above just works -
> it might be needed to replicate them into freshclam's init script, as either
> may be disabled, so both need to refresh the volatile dir.

And clamav-milter. Does this also need to be done for /var/log/clamav/
and /var/lib/clamav/ ? If not, why not? What benefits are you hoping
for?

> But should they run as different users, there's still no problem with above
> as long as they are in same group.
> Else, either
> 1. both log/clamav and run/clamav are 777

That's clearly unacceptable.

> 2. use separate dirs, log/clamd run/clamd run/freshclam log/freshclam

That is possible, but currently feels like overkill.

> While I can see reasons to use different users, I see no point in *not*
> having both daemon members of group clamav, so above added line would
> still apply.

This should be doable, though. I'm not really all that sure that adding
this feature buys us anything, though - see below for why.

> BTW man clam(d)scan don't stress the point that such util run as user clamav,
> hence won't be able to access file/dirs not a+r/a+rx.

See README.Debian, section CLAMAV-DAEMON, subsection WARNINGS.

> > hard to stay out of the way of local admin changes. Making this change
> > reverses that, and I am not comfortable with it.
> >
> > If you can come up with a good way to reconcile this, I'm happy to merge
>
> same problem with other pkgs - on ML it's said that it's each pkgs' init /
> admin script responsibility to check for and in case make/adjust its own
> admin stuff under /var, as that's undoable elsewhere.
> So afaict other pkgs have been / are going to be adjusted to refresh their
> dir trees under /var on (re)start.

To be pedantically clear, people have discussed this on mailing lists,
but no consensus was formed that this is even the right thing to do,
much less that we should really begin implementing it, as far as I know.
The only reason for doing this is that you have a root disk that has
limited writes, and you want to put /var/run on a tmpfs - all other
situations bring a lot of work for no gain.
clamav is probably not something you want to run on such a resource
limited machine, so I'm not sure I see the gain.

During normal operation, the various clamav processes will write to
/tmp/, /var/run/clamav/, /var/lib/clamav/, and /var/log/clamav/ and
/dev/log. Why are we special casing /var/run/clamav/ ?

> So I see no problem to keep those lines in both init scripts. But likely
> should be moved up, @top of script after *.conf is read, which then should
> keep both uid gid of daemon.

The package already has a common-functions bit for things that all the
init scripts need. It's easy enough to add the right logic there, but I
am not convinced that the current logic is correct, or that this is
something clamav should try to support.

-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        [EMAIL PROTECTED] |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------
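Review bot: The three added lines under start) run unconditionally and hard-code mode 0775 and owner root:clamav, so every start resets whatever ownership or mode a local admin has chosen for /var/run/clamav. Consider acting only when the directory is missing, for example `[ -d /var/run/clamav ] || install -d -m 0775 -o root -g clamav /var/run/clamav`, which also sets mode and owner in one step instead of leaving the directory at the umask default between the mkdir and the chmod/chown. Because mkdir -p succeeds silently on an existing path, the chmod and chown that follow will also be applied through a symlink if one sits at that path, so a check that the path is a real directory belongs here. The group would be better taken from the daemon's configuration than written as a literal, and a short comment stating why the directory is recreated at start would document the intent.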