Comment 1 Erwin Lansing 2006-05-01 16:51:46 UTC

Responsible Changed
From-To: freebsd-ports-bugs->jeh

Over to maintainer

Comment 2 jeh 2006-05-02 14:36:01 UTC

I see problems with this patch.  First, the 4.x versions don't  
support libmap, so this will break them.  Second, not all version of  
5.x have support for libmap.  Third, 5.x does not have libc.so.6,  
only 6.x and 7-CURRENT do.  and 7-CURRENT can be expected to use  
libc.so.7 at some point.  So you need to add code that correctly  
check the OSVERSION to handle all of these cases.

I am also asking several people that know more about security and the  
libraries then I do about this.  But I know in the past there has  
been discussions about doing this and it was stated that this was risky.

Jim

Comment 3 jeh 2006-05-15 16:16:25 UTC

State Changed
From-To: open->feedback

Moved to "feedback" for now

James Housley wrote:
> I see problems with this patch.  First, the 4.x versions don't support 
> libmap, so this will break them.  Second, not all version of 5.x have 
> support for libmap.  Third, 5.x does not have libc.so.6, only 6.x and 
> 7-CURRENT do.  and 7-CURRENT can be expected to use libc.so.7 at some 
> point.  So you need to add code that correctly check the OSVERSION to 
> handle all of these cases.
> 
> I am also asking several people that know more about security and the 
> libraries then I do about this.  But I know in the past there has been 
> discussions about doing this and it was stated that this was risky.
> 
> Jim


Please consider this new patch.

Now you have to explicit set WITHOUT_COMPAT3=yes and this option only 
work on systems with libmap.conf(5) support (FreeBSD-5.1 at least - 
information from libmap.conf(5) man page).

The problem with different version of libc.so on different FreeBSD 
versions (5.X, 6.X and 7.X sometime) is fixed by use of libc.so on 
mapping instead of version specific libc.so.

The port print the necessary lines for libmap.conf, but not touch the file.

The user is warned about the security risks of doing this kind of map (i 
can't tell if the message is really clear about the risks, but is better 
than none).

I think this patch is much more clear now.

And finally i have used this map to run uvscan mainly with qmail-scanner 
about a year now without any problem. This setup has been replicated by 
a small group of users always with success.

Thanks for your time,
luiz




--- Makefile.orig       Sat May 13 17:23:35 2006
+++ Makefile    Mon May 15 21:58:41 2006
@@ -16,9 +16,17 @@
  MAINTAINER=    jeh@FreeBSD.org
  COMMENT=       Evaluation version of a DOS/Windows/Linux file virus 
scanner

-# misc/compat3x is forbidden, but if it is compiled into the system
-# we may still be good to go.
+# misc/compat3x is forbidden, but with FreeBSD 5.1 or later you can use
+# libmap.conf(5) to map against current libc. This may affect the system
+# security. Use at your own risk.
+.include <bsd.port.pre.mk>
+.if defined(WITHOUT_COMPAT3)
+.if ${OSVERSION} < 510000
+IGNORE=                requires FreeBSD 5.1 or later
+.endif
+.else
  LIB_DEPENDS+=  c.3:${PORTSDIR}/misc/compat3x
+.endif
  LIB_DEPENDS+=  m.2:${PORTSDIR}/misc/compat4x

  ONLY_FOR_ARCHS=                i386
@@ -65,7 +73,16 @@

  post-install:
         ${LN} -sf ${PREFIX}/lib/libbsdfv.so.4 ${PREFIX}/lib/libbsdfv.so
-       ${ECHO_CMD} "Trying to fetch the current DAT file"
+.if defined(WITHOUT_COMPAT3) && ${OSVERSION} >= 510000
+       @${ECHO_CMD} ""
+       @${ECHO_CMD} "This may affect the system security. Use at your 
own risk."
+       @${ECHO_CMD} "You need to add the following two lines to your 
libmap.conf(5):"
+       @${ECHO_CMD} ""
+       @${ECHO_CMD} "[/usr/local/libexec/uvscan/uvscan]"
+       @${ECHO_CMD} "libc.so.3         libc.so"
+       @${ECHO_CMD} ""
+.endif
+       @${ECHO_CMD} "Trying to fetch the current DAT file"
         ${SH} ${PREFIX}/sbin/update_dat

-.include <bsd.port.mk>
+.include <bsd.port.post.mk>

Comment 5 jeh 2006-05-16 16:22:11 UTC

State Changed
From-To: feedback->closed

Committed, thanks.