1. The current build with the '--with-posix-acl' option causes problems on ZFS filesystem (default NFSv4 ACL). Refer to this post: https://forums.freebsd.org/threads/getfacl-invalid-argument.94485/
2. If the '--with-posix-acl' option is the default, can we have a flavor of 'aide-noposixacl', which builds without the option for use with ZFS filesystems?

Created attachment 255670
Add no-acl flavour.

Add a no-acl flavour. Please give this a spin.

(In reply to Cy Schubert from comment #1)

The patch should work. My procedure is:

1. Download the latest ports:
   root@freebsd_test:~ # git clone --depth=1 -b main https://git.freebsd.org/ports.git /usr/ports
2. Save the patch:
   root@freebsd_test:~ # ee /usr/ports/security/aide/files/0001-security-aide-Flavorize-and-add-a-without-ACL-flavor.patch
3. Apply the patch:
   root@freebsd_test:~ # patch < /usr/ports/security/aide/files/0001-security-aide-Flavorize-and-add-a-without-ACL-flavor.patch
4. Use portmaster to install the flavor:
   root@freebsd_test:~ # portmaster security/aide@without_acl
5. Update the config:
   root@freebsd_test:~ # sed -i '' 's/database=/database_in=/g' /usr/local/etc/aide.conf
6. Initialize the AIDE database:
   root@freebsd_test:~ # aide --init
7. Create a file to show the difference:
   root@freebsd_test:~ # touch /usr/local/etc/test
8. Run AIDE:
   root@freebsd_test:~ # aide

The "failed to get ACL" errors are gone.

However, the flavor name looks strange. pkg info shows aidewithout_acl instead of aide-without_acl. Also, users may be confused as the name implies building without ACLs. I suggest updating the description to:

   File and directory integrity checker (without POSIX ACLs)

root@freebsd_test:~ # pkg info aidewithout_acl-0.18.6_1 File and directory integrity checker

(In reply to testcb00 from comment #2)

Don't do this. Here's the way to apply the patch.

There are two ways to patch your ports. If your ports is a git repo, then:

   cd /usr/ports
   git apply the_saved_filename

If your ports are as distributed from install media, not a git repo, then:

   cd /usr/ports
   patch -C -p1 < the_saved_filename && patch -p1 < the_saved_filename

To back out the patch when using git:

   git restore .

To back out the patch when using patch:

   for I in $(find /usr/ports -name \*.orig); do mv $I $(echo $I | sed 's/\.orig$//'); done

The patch works here. What if I commit it and MFH it for you? All you would need to do is wait a week or two until the quarterly builds it, then pkg install aide-without_acl.

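The back-out step for a tree patched with patch(1), written as a reusable function. This is an added example, not part of the original comment or of the ports tree: the name restore_orig and its -n preview flag are hypothetical, and it assumes patch saved each pre-patch file as FILE.orig. It passes paths to the shell as arguments, so names containing spaces are handled.

```shell
#!/bin/sh
# restore_orig [-n] TREE
#   Move every FILE.orig under TREE back over FILE.
#   -n  preview only: print what would be restored, change nothing.
# Hypothetical helper (added example); assumes patch(1) left *.orig backups.
restore_orig() {
    dry_run=0
    if [ "$1" = "-n" ]; then
        dry_run=1
        shift
    fi
    tree=${1:?usage: restore_orig [-n] TREE}

    # find hands the matched paths to the inner shell as positional
    # parameters, so they are never re-split on whitespace.
    find "$tree" -type f -name '*.orig' -exec sh -c '
        dry_run=$1
        shift
        for saved in "$@"; do
            target=${saved%.orig}        # strip the .orig suffix
            if [ "$dry_run" -eq 1 ]; then
                printf "would restore %s\n" "$target"
            else
                mv -f -- "$saved" "$target"
            fi
        done
    ' sh "$dry_run" {} +
}
```

Run it with -n first to review the list, then again without -n to restore the files.
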
(In reply to Cy Schubert from comment #3) Noted. I followed your guide (git) and it also worked, but the flavor name is still aidewithout_acl. Could my old method be causing the problem?
Created attachment 255676
Corrects package name.

Oops. I screwed up. Attached is a new patch.

(In reply to Cy Schubert from comment #5) This works. Now the name is aide-without_acl-0.18.6_1. Thank you.
(In reply to testcb00 from comment #6) Give it a few days. I will commit this patch if I don't hear from you (in this PR) about any issues by Tuesday.

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=7b20f87790b64c5e3c068c4ab055f5f9758db0b7

commit 7b20f87790b64c5e3c068c4ab055f5f9758db0b7
Author:     Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2024-12-05 00:31:21 +0000
Commit:     Cy Schubert <cy@FreeBSD.org>
CommitDate: 2024-12-12 20:39:51 +0000

    security/aide: Flavorize and add a without ACL flavor

    ZFS supports NFSv4 ACLs and UFS can optionally support them. UFS
    doesn't by default support ACLs unless specifically enabled.

    The default remains as before.

    PR: 283166

 security/aide/Makefile | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)