[Avcheck] Porting avcheck to Solaris
Piotr Klaban
makler@man.torun.pl
Wed, 29 Aug 2001 10:15:35 +0200
On Wed, Aug 29, 2001 at 09:34:24AM +0200, Ralf Hildebrandt wrote:
> > Additionally, if someone is interested, I have added
> > 'umask 022' to the AvpUpdate program, and run it from the crontab
> > as the avpu user, that has access to the /var/spool/avp/bases/
> > directory and files - running the ftp update phase as root is not necessary.
>
> That was my thought as well, but what happens if new files are
> introduced? /var/spool/avp/bases/ must be writable for avpu?
Yes, /var/spool/avp/bases/ is writable by avpu.
AvpUpdate creates new files and deletes old, unnecessary files.
In the old program (a homemade one) that I use on another
Linux server, the zip files (not *.avc) are mirrored
and then unpacked into the bases.new directory, which is swapped
with the old bases/ dir. The avpdaemon is restarted.
It is a bit complicated, and also runs as root.
With AvpUpdate everything is done in one directory
(that /var/spool/avp/bases/) owned by avpu
(IMHO, if avp's ftp directory were compromised,
kavdaemon could do something nasty - but what can we do? A chroot'ed
environment with a separate avpp user is all we can do).
Details of my implementation (AvpUpdate changes, crontabs etc.)
----------------------------
AvpUpdate (from AvpUpdate-0.6.7.tgz)
has the following changes incorporated:
--- AvpUpdate Mon Apr 9 08:40:35 2001
+++ /usr/local/sbin/AvpUpdate Tue Aug 28 17:41:19 2001
@@ -16,3 +16,3 @@
# and comment next string:
-$no_read_this = "yes";
+#$no_read_this = "no";
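Review bot: the replacement line leaves a commented-out `$no_read_this = "no";` behind, which reads as if the value itself was changed; since the instruction on the line above is only to comment the assignment out, deleting the line (or keeping `#$no_read_this = "yes";`) says the same thing without suggesting a second meaningful value.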
@@ -20,6 +20,8 @@
+umask 022;
+
$UpdateServer = "ftp.avp.ru"; # Support server
$UpdateDir = "/updates"; # Directory on support server with avp.set & *.avc files
-$UpdateUser = "your_login"; # ftp username, my be "anonimous"
-$UpdatePasswd = "your_password"; # if need logged as "anonimous" use your e-mail
+$UpdateUser = "anonymous"; # ftp username, my be "anonimous"
+$UpdatePasswd = "anonymous\@man.torun.pl"; # if need logged as "anonimous" use your e-mail
# address (type "\@" for "@")
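Review bot: `umask 022;` is correct as written because Perl reads the literal 022 as octal; if the mask is ever moved into a configuration string it must go through oct(), since umask "022" would be taken as decimal 22. While touching the two credential lines, the comment they carry ("my be anonimous") could be fixed to read "may be anonymous", matching the value now assigned.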
@@ -29,5 +31,5 @@
-$avpBaseDir = "/var/lib/avp"; # Antivirual database directory
+$avpBaseDir = "/var/spool/avp/bases"; # Antivirual database directory
-$UpdateExec = "/usr/lib/avp/anounce"; # Exec this program after update database
+$UpdateExec = "/usr/bin/touch $avpBaseDir/needupdate"; # Exec this program after update database
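Review bot: $UpdateExec is now a plain touch that drops the needupdate flag into $avpBaseDir, i.e. into the directory avpu owns, so the root-side job that reacts to the flag acts on a file an unprivileged account created; that job should verify it is a regular file in that directory before acting, and a comment here stating that the flag only triggers a daemon restart (nothing is executed from it) would document the intended trust boundary.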
@@ -35,3 +37,3 @@
-$CaseFileName = upper; # Case of database file names (upper or lower)
+$CaseFileName = "lower"; # Case of database file names (upper or lower)
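Review bot: quoting "lower" also fixes the bareword upper on the original line, which only worked because the script does not run under use strict; this is worth stating in the change description so the quotes are not dropped again when the value is switched back.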
@@ -281,2 +283,3 @@
$OldBase{$AvpSet.".new"} = 0;
+$OldBase{$AvpSet.".unix"} = 0;
$OldBase{$AvpVnd} = 0;
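Review bot: the new $AvpSet.".unix" entry carries no comment on why the .unix variant of the set file has to be listed next to .new; a short note on what produces that file on Solaris would help the next person porting this.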
@@ -285,2 +288,4 @@
$OldBase{$AvpKlb.".new"} = 0;
+$OldBase{'packers.elb'} = 0;
+$OldBase{'elf.set'} = 0;
foreach $f ( keys( %OldBase )) {
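Review bot: packers.elb and elf.set are added as bare strings while the neighbouring entries are built from the $AvpSet/$AvpKlb variables; either name them the same way or add a comment saying what these two files are and why they are exempt from the cleanup loop that follows.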
@@ -288,2 +293,3 @@
unlink $avpBaseDir."/".$f;
+ print "Unlinking $avpBaseDir/$f\n";
}
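Review bot: the added print reports "Unlinking" unconditionally, after the unlink has already run and whether or not it succeeded; check the return value and report failures instead, e.g. `unlink("$avpBaseDir/$f") or warn "unlink $avpBaseDir/$f: $!";`, so a file left behind (typically a permission problem now that avpu owns the directory) shows up in the cron mail.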
That means that after a successful update
the new file /var/spool/avp/needupdate
would be created with the command:
"/usr/bin/touch $avpBaseDir/needupdate"
In the crontab of avpu (crontab -e) there is a line:
55 5 * * * /usr/local/sbin/AvpUpdate
That means that AvpUpdate would be run at 5:55am.
The existence of the $avpBaseDir/needupdate file
is checked in the simple announce script at 6:20pm
(that one must be run as root in order to
be able to restart the avp daemon).
In the crontab of root (crontab -e) there is a line:
20 6 * * * /var/spool/avp/announce
The contents of the announce script:
#!/bin/sh
# Run from root's crontab; restarts avpd only when AvpUpdate (run as avpu)
# has left the needupdate flag behind, then clears the flag.
FLAG=/var/spool/avp/bases/needupdate
if [ ! -f "$FLAG" ]; then
    exit 0
fi
/bin/sh /etc/init.d/avpd stop
sleep 1
/bin/sh /etc/init.d/avpd start
rm -f "$FLAG"
--
Piotr Klaban
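The hand-off described in the mail (AvpUpdate runs as avpu under umask 022 and leaves a flag file; a root cron job restarts the daemon when the flag exists) as an added example, not code from the mail or from AvpUpdate. The base directory is passed in as a parameter instead of being /var/spool/avp/bases, the file name daily.avc and its contents are constructed, and the init script is passed as a parameter (true in the test) so the whole thing runs offline. It goes one step beyond the announce script above: before restarting, the root side refuses a flag that is not a regular file and checks that every base file is readable by others, which is what the umask 022 in the patch is there to guarantee for the daemon's separate user.

```shell
#!/bin/sh
# Added example, not part of the original mail or of AvpUpdate: the avpu -> root
# hand-off through a flag file, with the checks a root-side cron job should make
# before acting on a file that an unprivileged user was able to create.
# Paths are constructed under a directory the caller passes in.

# Unprivileged side (what AvpUpdate does after a successful fetch). The subshell
# keeps umask 022 local, so new base files come out 0644 and the daemon, which
# runs as a different user, can read them.
update_bases() (
    base_dir=$1
    umask 022
    printf 'constructed signature data\n' > "$base_dir/daily.avc"
    : > "$base_dir/needupdate"
)

# Root side: return 0 if a restart is due, non-zero otherwise. The flag must be a
# regular file (a symlink planted there is refused), and every base file must be
# readable by others, or the restarted daemon would load an incomplete set.
check_flag() {
    base_dir=$1
    flag="$base_dir/needupdate"
    [ -e "$flag" ] || return 1
    if [ -L "$flag" ] || [ ! -f "$flag" ]; then
        echo "refusing to act on $flag: not a regular file" >&2
        return 2
    fi
    for f in "$base_dir"/*; do
        [ "$f" = "$flag" ] && continue
        # -perm -004: the others-read bit must be set on every base file
        if [ -z "$(find "$f" -perm -004)" ]; then
            echo "$f is not readable by the daemon user" >&2
            return 3
        fi
    done
    return 0
}

# Root side, the equivalent of the announce script: restart only when
# check_flag agrees, then clear the flag so the next run is a no-op.
# $2 is the init script to call (e.g. /etc/init.d/avpd); "true" in tests.
announce() {
    base_dir=$1
    restart_cmd=$2
    check_flag "$base_dir" || return $?
    "$restart_cmd" stop
    sleep 1
    "$restart_cmd" start
    rm -f "$base_dir/needupdate"
}
```

A cron entry for the root side would call announce with the real base directory and /etc/init.d/avpd; the non-zero return codes from check_flag distinguish "nothing to do" (1) from the two conditions that should be looked at (2 and 3), so they can be mailed or logged separately.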