The current clamav ebuild contains the line

    enewuser clamav -1 -1 /dev/null clamav

to create a clamav user account. This results in cron error messages like the following:

    CROND[8642]: (CRON) ERROR chdir failed (/dev/null): Not a directory

Since the ebuild also uses

    keepdir /var/lib/clamav
    fowners clamav:clamav /var/lib/clamav

I suggest /var/lib/clamav instead of /dev/null as the clamav user's home directory.
What cron job is causing that error?
The command that causes the error is this:

    clamav umask 0027 && /usr/local/sbin/clamav-unofficial-sigs.sh

The script can be found via https://github.com/extremeshok/clamav-unofficial-sigs . It uses 'cd' quite a bit, but even apart from that particular script, does not every cron job which is run as user foo have foo's home directory, as defined in /etc/passwd, as its process working directory?
Dude, emerge clamav-unofficial-sigs =) Does the latest version of the script "cd" to HOME? (It shouldn't, but there are other big problems with the latest version.)
Maybe crond is trying to chdir to home because you run the job as "clamav" directly. Since the clamav user also had no shell, I set mine up with

    su clamav -s /bin/bash -c /usr/sbin/clamav-unofficial-sigs.sh > /dev/null

running hourly as root. That probably starts in / or something like that.
> Dude, emerge clamav-unofficial-sigs =)

I'm not sure the ebuild maintainer is trustworthy. :-D

> Maybe crond is trying to chdir to home because you run
> the job as "clamav" directly.

That's what I thought. For obvious reasons I did not want to run the script as root, and since a crontab allows specifying a user, I did not see a reason for using "su" as a crutch. Not having a shell should not bother cron, as long as the executable/script is called with a fully qualified path. However, not having a home directory seems odd to cronie. Is there a particular security reason why the clamav user should not have a home directory which is equal to the directory its virus signatures are stored in?
(In reply to Ralph Seichter from comment #5)

> Not having a shell should not bother cron, as long as the executable/script
> is called with a fully qualified path. However, not having a home directory
> seems odd to cronie. Is there a particular security reason why the clamav
> user should not have a home directory which equals to the directory its
> virus signatures are stored in?

There are a few good reasons to leave the homedir unset once clamav switches to a GLEP81 user-package. But primarily, since I wrote the guidelines in bug 693964 and have started harassing other people about them, I feel obligated to try to follow them myself.

I agree that using "su" is a bit ugly -- I thought I needed it to override the shell, but I think we're both in luck. Cronie supports setting

    HOME=/var/lib/clamav
    SHELL=/bin/bash

at the top of the cron job. That should let us both run the cron job as "clamav" without su, regardless of what the home directory is.
If we're gonna install a systemd timer (bug 694120), I might as well just provide a working cron job too.
(In reply to Michael Orlitzky from comment #6)

> HOME=/var/lib/clamav

Thanks, I'll try that.
Reassigning to myself; I'll eventually fix this by providing a cron job and systemd timer for clamav-unofficial-sigs.
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2637f7bdf5ca4b984e24294ff39ceedb5cfbea58

    commit 2637f7bdf5ca4b984e24294ff39ceedb5cfbea58
    Author:     Michael Orlitzky <mjo@gentoo.org>
    AuthorDate: 2019-11-06 15:10:57 +0000
    Commit:     Michael Orlitzky <mjo@gentoo.org>
    CommitDate: 2019-11-06 15:56:54 +0000

    app-antivirus/clamav-unofficial-sigs: new revision with a cron job.

    This update script needs to run as a restricted user, with bash as its
    shell, and with a real home directory to prevent cron errors in the
    logs. The best way to do that seems to be to install a custom job into
    /etc/cron.d that sets the HOME and SHELL variables. This new revision
    provides a cron job that works as documentation, and adds a new
    USE=cron flag to install it. The default is NOT to install it because
    /etc/cron.d is not 100% standard, and the update script needs to be
    configured before it will work.

    Closes: https://bugs.gentoo.org/694054
    Package-Manager: Portage-2.3.76, Repoman-2.3.16
    Signed-off-by: Michael Orlitzky <mjo@gentoo.org>

     ....ebuild => clamav-unofficial-sigs-6.0.1-r1.ebuild} | 15 +++++++++++++--
     .../files/clamav-unofficial-sigs.crond                 | 19 +++++++++++++++++++
     app-antivirus/clamav-unofficial-sigs/metadata.xml      |  8 ++++++++
     3 files changed, 40 insertions(+), 2 deletions(-)
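The approach settled on in comment #6 and the commit message above (a cronie job in /etc/cron.d that drops to the clamav user via the user field and sets HOME and SHELL itself, so the account can keep a non-directory home and no login shell), written out as an added example. This is not the clamav-unofficial-sigs.crond file the commit installs, whose contents this bug does not show; the script path and umask come from comments #2 and #4, and the schedule is an assumption.

```crontab
# Added example of a cronie /etc/cron.d job for clamav-unofficial-sigs.
# Not the file from the Gentoo commit; that file's contents are not shown here.
# Environment lines at the top are honoured by cronie for every job below them.
HOME=/var/lib/clamav
SHELL=/bin/bash
PATH=/usr/sbin:/usr/bin:/sbin:/bin

# /etc/cron.d format: minute hour dom month dow USER command.
# The user field drops privileges to the unprivileged clamav account with no su;
# SHELL above overrides the account's /etc/passwd shell, and HOME gives crond a
# real directory to chdir into, which is what the "Not a directory" error was about.
# Hourly at minute 17 is an assumed schedule; umask 0027 is the one from comment #2.
17 * * * *  clamav  umask 0027 && /usr/sbin/clamav-unofficial-sigs.sh
```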