According to default config files, init scripts should contain pidfile=/run/clamav/

Actually:

# grep pidfile= $(qlist clamav | grep init )
/etc/init.d/clamav-milter:pidfile="/run/${RC_SVCNAME}.pid"
/etc/init.d/clamd:pidfile="/run/${RC_SVCNAME}.pid"
/etc/init.d/freshclam:pidfile="/run/${RC_SVCNAME}.pid"
No, it shouldn't. That's a security vulnerability, and one that clamav upstream already spent a lot of time fixing. Here's my reply to the change announcement: https://marc.info/?l=clamav-users&m=169117576515342&w=2
In your opinion it is therefore normal to have a different pidfile in the init script and in the configuration. Ok, that's your view, but many will have problems with it.
Can you give an actual reason you want something different here? It's not about preference. And mjo has already asked upstream to fix the "default config files" you reference.
Ok, there is a real problem here, just not the one in the summary. The 1.2.0 ebuild runs

  sed -e "s/^#\(PidFile .*\)/\1/"

on the config file to uncomment that line. While it used to be OK, now it is not. But the config file should be changed because the upstream commented location is now secure. The init script has it right.
(In reply to Michael Orlitzky from comment #4)
> now secure

now INsecure
# genlop -n clamav | tail -n1
     Fri Oct 27 05:41:19 2023 >>> app-antivirus/clamav-1.2.1

# grep PidFile /etc/clamav/*.sample
clamav-milter.conf.sample:#PidFile /run/clamav/clamav-milter.pid
clamd.conf.sample:#PidFile /run/clamav/clamd.pid
freshclam.conf.sample:#PidFile /run/clamav/freshclam.pid

# grep pidfile= $(qlist clamav | grep init )
/etc/init.d/clamav-milter:pidfile="/run/${RC_SVCNAME}.pid"
/etc/init.d/clamd:pidfile="/run/${RC_SVCNAME}.pid"
/etc/init.d/freshclam:pidfile="/run/${RC_SVCNAME}.pid"
I had forgotten about this and it doesn't look like anyone acted on my mailing list message, so I opened https://github.com/Cisco-Talos/clamav/issues/1076 as a reminder.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7b99345bb35e9a6a208a3aa3cd6660b4d606cdb3

commit 7b99345bb35e9a6a208a3aa3cd6660b4d606cdb3
Author:     Matt Jolly <kangie@gentoo.org>
AuthorDate: 2024-06-24 10:24:55 +0000
Commit:     Matt Jolly <kangie@gentoo.org>
CommitDate: 2024-06-24 11:04:15 +0000

    app-antivirus/clamav: package maintenance

    revbump 1.3.1 with the following fixes:

    - add postinst message for 'clamonacc'
    - fix x32 builds
    - fix PID paths
    - drop py310; add py313

    Bug: https://github.com/Cisco-Talos/clamav/issues/1076
    Bug: https://bugs.gentoo.org/921088
    Bug: https://bugs.gentoo.org/916147
    Bug: https://bugs.gentoo.org/787233
    Closes: https://bugs.gentoo.org/927214
    Signed-off-by: Matt Jolly <kangie@gentoo.org>

 app-antivirus/clamav/clamav-1.3.1-r1.ebuild        | 409 +++++++++++++++++++++
 .../clamav/files/clamav-1.3.1-onenote-rs.patch     |  30 ++
 2 files changed, 439 insertions(+)
Resolved for 1.3.1-r1 by updating the relevant `sed` invocations to set the appropriate location for Gentoo - `${EPREFIX}/run/{clamd,freshclam,clamav-milter}.pid` in the shipped clamav config. I also +1'd the upstream issue a while back but I'll put in a reminder. I'm going to let old versions age out at this point unless someone can convince me that there's a compelling reason to force rebuilds (etc).
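A consistency check for the mismatch this bug is about, as an added example that is not part of the original thread or of the Gentoo ebuild: it compares the active PidFile line of a ClamAV config with the pidfile= line of the matching OpenRC init script. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: check that a ClamAV config and its OpenRC init script
# name the same PID file. Function names are illustrative.

# Print the active (uncommented) PidFile value from a config file, if any.
conf_pidfile() {
    awk '$1 == "PidFile" { print $2; exit }' "$1"
}

# Print the pidfile= value of an init script ($1), with quotes removed and
# ${RC_SVCNAME} expanded to the service name ($2).
init_pidfile() {
    awk -F= -v svc="$2" '$1 == "pidfile" {
        v = $2
        gsub(/"/, "", v)
        gsub(/[$][{]RC_SVCNAME[}]/, svc, v)
        print v
        exit
    }' "$1"
}

# usage: check_pidfile <service> <config> <init-script>
# Returns 0 if both agree, 1 on a mismatch, 2 if the config sets no PidFile.
check_pidfile() {
    want=$(init_pidfile "$3" "$1")
    have=$(conf_pidfile "$2")
    if [ -z "$have" ]; then
        echo "$1: PidFile not set in config (init script expects $want)"
        return 2
    elif [ "$have" != "$want" ]; then
        echo "$1: MISMATCH config=$have init=$want"
        return 1
    fi
    echo "$1: ok ($have)"
}

# Constructed sample input: the upstream sample line once uncommented,
# next to the pidfile= line from the Gentoo init script quoted above.
demo() {
    d=$(mktemp -d) || return 1
    echo 'PidFile /run/clamav/clamd.pid' > "$d/clamd.conf"
    echo 'pidfile="/run/${RC_SVCNAME}.pid"' > "$d/clamd"
    check_pidfile clamd "$d/clamd.conf" "$d/clamd"
    rc=$?
    rm -rf "$d"
    return "$rc"
}

demo || true
```

On an installed system, call check_pidfile once each for clamd, freshclam and clamav-milter with the real config file and the /etc/init.d script; the config file paths are an assumption, since the thread shows only the .sample files.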
*** Bug 929067 has been marked as a duplicate of this bug. ***
Matt, why do you think bug 929067 is a duplicate of this bug? The patch I suggested there DOES indeed change the PID file path, but only to make it identical to what the default config file contained and thus to make things work at all. The intention of 929067 was to drastically speed up the "clamd" start time. And this is still necessary (and working) in version 1.3.1-r2! One can well leave out the PID part (provided the configuration file points to the location used by the init file), so that apart from the explanatory comments only the additional assignment command_background=true and one necessary change in "/etc/clamd.conf" remains.