The original port make use of compat3 wich is broken. The following patch remove the compat3 dependency from port. Since the uvscan work fine with libc.so.6 (instead of libc.so.3) i am using /etc/libmap.conf to runnig uvscan without installing compat3. --- Makefile.orig Mon May 1 12:03:06 2006 +++ Makefile Mon May 1 12:11:23 2006 @@ -17,9 +17,6 @@ COMMENT= Evaluation version of a DOS/Windows/Linux file virus scanner RUN_DEPENDS+= ${LOCALBASE}/sbin/update_dat:${PORTSDIR}/security/uvscan-dat -# misc/compat3x is forbidden, but if it is compiled into the system -# we may still be good to go. -LIB_DEPENDS+= c.3:${PORTSDIR}/misc/compat3x LIB_DEPENDS+= m.2:${PORTSDIR}/misc/compat4x ONLY_FOR_ARCHS= i386 @@ -62,5 +59,9 @@ post-install: ${LN} -sf ${PREFIX}/lib/libbsdfv.so.4 \ ${PREFIX}/lib/libbsdfv.so + @if [ -z "`${GREP} ${PREFIX}/libexec/uvscan/uvscan /etc/libmap.conf`" ]; then \ + echo "[${PREFIX}/libexec/uvscan/uvscan]" >> /etc/libmap.conf ; \ + echo "libc.so.3 libc.so.6" >> /etc/libmap.conf ; \ + fi .include <bsd.port.mk> Fix: # cd /usr/ports/security/vscan # patch < Makefile.patch # make install clean
Responsible Changed From-To: freebsd-ports-bugs->jeh Over to maintainer
I see problems with this patch. First, the 4.x versions don't support libmap, so this will break them. Second, not all version of 5.x have support for libmap. Third, 5.x does not have libc.so.6, only 6.x and 7-CURRENT do. and 7-CURRENT can be expected to use libc.so.7 at some point. So you need to add code that correctly check the OSVERSION to handle all of these cases. I am also asking several people that know more about security and the libraries then I do about this. But I know in the past there has been discussions about doing this and it was stated that this was risky. Jim
State Changed From-To: open->feedback Moved to "feedback" for now
James Housley wrote: > I see problems with this patch. First, the 4.x versions don't support > libmap, so this will break them. Second, not all version of 5.x have > support for libmap. Third, 5.x does not have libc.so.6, only 6.x and > 7-CURRENT do. and 7-CURRENT can be expected to use libc.so.7 at some > point. So you need to add code that correctly check the OSVERSION to > handle all of these cases. > > I am also asking several people that know more about security and the > libraries then I do about this. But I know in the past there has been > discussions about doing this and it was stated that this was risky. > > Jim Please consider this new patch. Now you have to explicit set WITHOUT_COMPAT3=yes and this option only work on systems with libmap.conf(5) support (FreeBSD-5.1 at least - information from libmap.conf(5) man page). The problem with different version of libc.so on different FreeBSD versions (5.X, 6.X and 7.X sometime) is fixed by use of libc.so on mapping instead of version specific libc.so. The port print the necessary lines for libmap.conf, but not touch the file. The user is warned about the security risks of doing this kind of map (i can't tell if the message is really clear about the risks, but is better than none). I think this patch is much more clear now. And finally i have used this map to run uvscan mainly with qmail-scanner about a year now without any problem. This setup has been replicated by a small group of users always with success. Thanks for your time, luiz --- Makefile.orig Sat May 13 17:23:35 2006 +++ Makefile Mon May 15 21:58:41 2006 @@ -16,9 +16,17 @@ MAINTAINER= jeh@FreeBSD.org COMMENT= Evaluation version of a DOS/Windows/Linux file virus scanner -# misc/compat3x is forbidden, but if it is compiled into the system -# we may still be good to go. +# misc/compat3x is forbidden, but with FreeBSD 5.1 or later you can use +# libmap.conf(5) to map against current libc. This may affect the system +# security. Use at your own risk. +.include <bsd.port.pre.mk> +.if defined(WITHOUT_COMPAT3) +.if ${OSVERSION} < 510000 +IGNORE= requires FreeBSD 5.1 or later +.endif +.else LIB_DEPENDS+= c.3:${PORTSDIR}/misc/compat3x +.endif LIB_DEPENDS+= m.2:${PORTSDIR}/misc/compat4x ONLY_FOR_ARCHS= i386 @@ -65,7 +73,16 @@ post-install: ${LN} -sf ${PREFIX}/lib/libbsdfv.so.4 ${PREFIX}/lib/libbsdfv.so - ${ECHO_CMD} "Trying to fetch the current DAT file" +.if defined(WITHOUT_COMPAT3) && ${OSVERSION} >= 510000 + @${ECHO_CMD} "" + @${ECHO_CMD} "This may affect the system security. Use at your own risk." + @${ECHO_CMD} "You need to add the following two lines to your libmap.conf(5):" + @${ECHO_CMD} "" + @${ECHO_CMD} "[/usr/local/libexec/uvscan/uvscan]" + @${ECHO_CMD} "libc.so.3 libc.so" + @${ECHO_CMD} "" +.endif + @${ECHO_CMD} "Trying to fetch the current DAT file" ${SH} ${PREFIX}/sbin/update_dat -.include <bsd.port.mk> +.include <bsd.port.post.mk>
State Changed From-To: feedback->closed Committed, thanks.