[Avcheck] Porting avcheck to Solaris

[Piotr Klaban]

Hi,

I have tested avcheck 0.3 + AVP on Solaris8,
and now I try to describe what I have done
to port avcheck to the new system.

During the compilation phase of avcheck
---------------------------------------

The following changes need to be introduced:

a) avcheck compile command need to have the following
   libraries linked: -lsocket -lnsl
   in order to access networking code.
   E.g. in the Makefile:

CC = gcc
CFLAGS = -O2 -Wall
# uncomment -lsocket -lnsl libraries for Solaris
LDFLAGS= -lsocket -lnsl
^^^^^^^^^^^^^^^^^^^^^^^

[...]

avcheck: avcheck.c
        $(CC) -o $@ $(CFLAGS) -DVERSION=\"$(VERSION)\" avcheck.c $(LDFLAGS)
                                                                 ^^^^^^^^^^
b) in the substlang.sh script the 'echo -n' command
   is prohibitted for the Solaris' native /bin/sh shell.
   That should be either:
	echo "s|@$1@|\c" >&3
   or
	/usr/ucb/echo -n "s|@$1@|" >&3

   I do not found any reasonable method for implementing it
   in the right way (ie. portable, maybe you would use 
   autoconfigure in the future).

c) in the uchroot.c is the small bug:

--- uchroot.c   Mon Aug 13 16:04:23 2001
+++ uchroot.c.new       Tue Aug 28 17:06:53 2001
@@ -22,7 +22,7 @@
   fprintf(stderr, "%s: ", progname);
   va_start(ap, fmt); vfprintf(stderr, fmt, ap); va_end(ap);
   if (code)
-    fprintf(stderr, ": %m");
+    fprintf(stderr, ": %s", strerror(errno));
   putc('\n', stderr);
   fflush(stderr);
   exit(1);

   Without this change error message is written as:
    uchroot: unable to execute ./kavdaemon: m
   instead of e.g.:
    uchroot: unable to execute ./kavdaemon: Permission denied

d) I was unable to run the given 'infected' program, because of
   for shell loop. I have changed:

  destined to"
  for i ; do echo " $i" ; done

to:

  destined to"
  for i in $@
  do echo " $i" ; done

   Then it works well (after configuration of the e-mails of course).

During the installation/configuration phase:
--------------------------------------------

e) in the README.Postfix file there is a spell mistake.
   Instead of
	localhost:1025 inet - n - - smtpd -o content_filter=
   there should be
	localhost:1025 inet n - n - - smtpd -o content_filter=

f) suggestion:
   There is a spell mistake in README.Postfix:

 avcheck unix - n n - 5 pipe
        user=avc argv=/var/spool/av/avcheck
                                 ^^
   Accoring to the README.AVP avcheck is located in avp not av subdir.
   But it would be good to place avcheck, uchroot and infected
   (infexted in README.AVP) programs in other directory
   than chroot'ed one (/usr/local/sbin or /usr/sbin for example).
   If the chroot'ed directory would be compromised, avcheck
   and uchroot files can be substitued with the wierd ones.

g) special devices can not be copied with cp -a (-a exists
   only for GNU cp) since /dev/* are symbolic links to /devices
   directory; however one can use (on Solaris8 only):

  cd /var/spool/avp/dev
  /usr/sbin/mknod conslog c 21 0
  /usr/sbin/mknod console c 0 0
  /usr/sbin/mknod null c 13 2
  /usr/sbin/mknod syscon c 0 0
  /usr/sbin/mknod sysmsg c 60 0
  chmod 666 null
  chmod 620 conslog console syscon sysmsg
  chgrp avp conslog console syscon sysmsg
  chgrp sys null

  ls -la

crw--w----   1 root     avp       21,   0 Aug 28 15:02 conslog
crw--w----   1 root     avp        0,   0 Aug 28 15:02 console
crw-rw-rw-   1 root     sys       13,   2 Aug 28 15:02 null
crw--w----   1 root     avp        0,   0 Aug 28 15:02 syscon
crw--w----   1 root     avp       60,   0 Aug 28 15:03 sysmsg

  The syscon and sysmsg special devices are used for kavdaemon
  syslog message (one message) that is send even if there
  is 'UseSysLog = No' setting in the defUnix.prf file. 

h) the kavdaemon is not static file, then there should be
   appropriate libraries copied to the /var/spool/avp/usr/lib directory:

  mkdir /var/spool/avp/usr/lib
  cd /usr/lib
  cp ld.so.1 libdl.so.1 libmp.so.2 libsocket.so.1 \
     libc.so.1 libm.so.1 libnsl.so.1 /var/spool/avp/usr/lib/

  (be careful with such a command - do not override your own library files).

During the running phase:
-------------------------

There is problem with uchroot: the /var/spool/avp filesystem MUST NOT
be mounted as nosuid.

I have switched on the report generation in var/log directory
(chown avpd var/log), but it is not necessary for living.

BTW - in the main.cf file one need to add the 127.0.0.0/8
network to the mynetworks variable (if it is not there by default).

During the update phase:
------------------------

Sparc Solaris' version of AVP need to have two additional files
in the bases/ directory - packers.elb and elf.set. That is during
the AvpUpdate phase that two lines should not be deleted -
do it with two additional lines in AvpUpdate:

    285 $OldBase{$AvpKlb.".new"} = 0;
+   286 $OldBase{'packers.elb'} = 0;
+   287 $OldBase{'elf.set'} = 0;
    288 foreach $f ( keys( %OldBase )) {

There should be perhaps also $OldBase{$AvpSet.".unix"} = 0;
since the author advices to use avp.set.unix instead of avp.set
in AVP configuration.

Additionally, if someone is interrested, I have added
'umask 022' to the AvpUpdate program, and run it from the crontab
as the avpu user, that have access to the /var/spool/avp/bases/
directory and files - running ftp update phase as root is not necessary.

-- 
Piotr Klaban