[Avcheck] Porting avcheck to Solaris

Piotr Klaban makler@man.torun.pl
Wed, 29 Aug 2001 10:15:35 +0200


On Wed, Aug 29, 2001 at 09:34:24AM +0200, Ralf Hildebrandt wrote:
> > Additionally, if someone is interested, I have added
> > 'umask 022' to the AvpUpdate program, and run it from the crontab
> > as the avpu user, which has access to the /var/spool/avp/bases/
> > directory and files - running the ftp update phase as root is not necessary.
> 
> That was my thought as well, but what happens if new files are
> introduced? /var/spool/avp/bases/ must be writable for avpu?

Yes, /var/spool/avp/bases/ is writable by avpu.
AvpUpdate creates new files and deletes old, unnecessary files.

In the old program (a homemade one) that I use on another
Linux server, the zip files (not *.avc) are mirrored
and then unpacked to the bases.new directory, which is swapped
with the old bases/ dir. The avpdaemon is then restarted.
It is a bit complicated, and also runs as root.

With AvpUpdate everything is done in one directory
(that is, /var/spool/avp/bases/) owned by avpu
(IMHO, if avp's ftp directory were compromised,
kavdaemon could do something nasty - but what can we do - a chroot'ed
environment with a separate avpp user is all we can do).

Details of my implementation (AvpUpdate changes, crontabs etc.)
----------------------------

AvpUpdate (from AvpUpdate-0.6.7.tgz)
has the following changes incorporated:

--- AvpUpdate   Mon Apr  9 08:40:35 2001
+++ /usr/local/sbin/AvpUpdate   Tue Aug 28 17:41:19 2001
@@ -16,3 +16,3 @@
 # and comment next string:
-$no_read_this = "yes";
+#$no_read_this = "no";
 
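Review bot: the replacement line `+#$no_read_this = "no";` is commented out, so `$no_read_this` is left unset rather than set to `"no"`, and the `= "no"` part misleads the next reader. Since the preceding context says `# and comment next string:`, commenting the line out is the documented way to acknowledge the notice; consider either deleting the line outright or leaving the original value in the comment (`#$no_read_this = "yes";`) so the diff reads as "acknowledged" instead of as a new setting.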
@@ -20,6 +20,8 @@
 
+umask 022;
+
 $UpdateServer = "ftp.avp.ru";           # Support server
 $UpdateDir    = "/updates";             # Directory on support server with avp.set & *.avc files
-$UpdateUser   = "your_login";           # ftp username, my be "anonimous"
-$UpdatePasswd = "your_password";        # if need logged as "anonimous" use your e-mail
+$UpdateUser   = "anonymous";           # ftp username, my be "anonimous"
+$UpdatePasswd = "anonymous\@man.torun.pl";        # if need logged as "anonimous" use your e-mail
                                         # address (type "\@" for "@")
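Review bot: `$UpdatePasswd = "anonymous\@man.torun.pl";` embeds a personal mailbox in a script that, per the post, lives in /usr/local/sbin and runs from avpu's crontab; anonymous FTP accepts any syntactically valid address, so a role address for the avpu account avoids leaking a personal one to the update server's logs. The added `umask 022;` is the right choice for this layout, since files AvpUpdate writes become readable by the (presumably separate) daemon account while staying writable only by avpu; a one-line comment stating that intent would stop someone "tightening" it to 077 later. The stale `my be "anonimous"` comments on the two lines you changed could be fixed in the same hunk.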
@@ -29,5 +31,5 @@
 
-$avpBaseDir   = "/var/lib/avp";         # Antivirual database directory
+$avpBaseDir   = "/var/spool/avp/bases";         # Antivirual database directory
 
-$UpdateExec   = "/usr/lib/avp/anounce"; # Exec this program after update database
+$UpdateExec   = "/usr/bin/touch $avpBaseDir/needupdate"; # Exec this program after update database
 
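Review bot: `$UpdateExec = "/usr/bin/touch $avpBaseDir/needupdate";` makes a file that the unprivileged avpu account can create the trigger for an action performed by root's cron job. That is acceptable only while the root side merely tests for the marker's existence and restarts the daemon, as the announce script in the post does; it must never read, source or execute anything from $avpBaseDir, and its check should also reject a symlink, because `-f` alone follows links. Note that `$avpBaseDir` is interpolated here, so the line depends on sitting after the `$avpBaseDir` assignment (it does); a comment pinning that ordering would keep a later reshuffle from silently producing `touch /needupdate`.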
@@ -35,3 +37,3 @@
 
-$CaseFileName = upper;                  # Case of database file names (upper or lower)
+$CaseFileName = "lower";                  # Case of database file names (upper or lower)
 
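Review bot: `$CaseFileName = "lower";` also quotes what was a bareword (`upper`), which only worked because Perl treats an unquoted bareword as a string and would not compile under `use strict`; say so in the commit message so the quoting is not reverted as cosmetic when someone switches the value back to upper.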
@@ -281,2 +283,3 @@
 $OldBase{$AvpSet.".new"} = 0;
+$OldBase{$AvpSet.".unix"} = 0;
 $OldBase{$AvpVnd} = 0;
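Review bot: the new `$OldBase{$AvpSet.".unix"} = 0;` entry copies the pattern of the `.new` entry above it, but what the value 0 and membership in %OldBase mean is decided by code outside this hunk. Add a comment stating whether listing a file here marks it for deletion or protects it from the unlink loop below, so the next person adding a suffix does not have to guess.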
@@ -285,2 +288,4 @@
 $OldBase{$AvpKlb.".new"} = 0;
+$OldBase{'packers.elb'} = 0;
+$OldBase{'elf.set'} = 0;
 foreach $f ( keys( %OldBase )) {
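Review bot: `packers.elb` and `elf.set` are added as literal file names, while every other entry is built from a variable such as `$AvpKlb` or `$AvpSet`; if the update set is renamed these two will drift silently. Either define variables for them next to the other base-name variables or add a comment giving the source of the two names and why they are not derived like the rest.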
@@ -288,2 +293,3 @@
                unlink $avpBaseDir."/".$f;
+               print "Unlinking $avpBaseDir/$f\n";
        }
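Review bot: `print "Unlinking $avpBaseDir/$f\n";` reports success regardless of what `unlink` returned, so a permission problem in $avpBaseDir would be logged as a completed deletion. Check the return value instead, e.g. `unlink $avpBaseDir."/".$f or warn "cannot unlink $avpBaseDir/$f: $!\n";`, and print the "Unlinking" line only on success; since this runs from cron, that output is the only trace you will get.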

That means that after a successful update
the new file /var/spool/avp/needupdate
would be created with the command:
"/usr/bin/touch $avpBaseDir/needupdate"

In the crontab -e avpu there is a line:

	55 5 * * * /usr/local/sbin/AvpUpdate

That means that AvpUpdate would be run at 5:55am.
The existence of the $avpBaseDir/needupdate file
is checked in the simple announce script at 6:20pm
(that one must be run as root in order to
be able to restart the avp daemon).

In the crontab -e root there is a line:

	20 6 * * * /var/spool/avp/announce

The contents of the announce script:

#!/bin/sh
# Run from root's crontab: if AvpUpdate (running as avpu) left the marker
# file, restart avpd so it loads the new bases, then clear the marker.

if [ ! -f /var/spool/avp/bases/needupdate ]; then
        exit 0
fi

/bin/sh /etc/init.d/avpd stop
sleep 1
/bin/sh /etc/init.d/avpd start
rm /var/spool/avp/bases/needupdate

-- 
Piotr Klaban
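As an added example (my own code, not the script from the post and not part of AvpUpdate), here is a variant of the announce script above that keeps the same division of labour but treats the marker file as untrusted input from the avpu account: it refuses a symlink, keeps the marker when the restart fails so the next cron run retries, and takes the bases directory and the restart command from environment variables (assumed names BASES_DIR and RESTART_CMD) so the logic can be exercised on a box without avpd installed.

```shell
#!/bin/sh
# Added example, not the original announce script. Same idea as the post:
# AvpUpdate (running as avpu) drops a marker in the bases directory and
# root's cron restarts avpd when the marker is present. Because the marker
# is created by an unprivileged account, root only tests for it and never
# reads or executes anything from that directory.

# BASES_DIR and RESTART_CMD are assumed names, overridable for testing.
BASES_DIR="${BASES_DIR:-/var/spool/avp/bases}"
MARKER="$BASES_DIR/needupdate"
RESTART_CMD="${RESTART_CMD:-/bin/sh /etc/init.d/avpd stop; sleep 1; /bin/sh /etc/init.d/avpd start}"

# True only for a plain regular file. "-f" alone follows symlinks, so a link
# planted in the avpu-writable directory would also pass; "-L" closes that.
marker_present() {
    [ -f "$1" ] && [ ! -L "$1" ]
}

# Restart the daemon if the marker is present, then remove the marker.
# Returns 0 after a restart, 1 when there was nothing to do, and 2 when the
# restart command failed (the marker is kept so the next cron run retries).
restart_if_needed() {
    marker="$1"
    cmd="$2"
    marker_present "$marker" || return 1
    if ! sh -c "$cmd"; then
        echo "restart failed, keeping $marker for the next run" >&2
        return 2
    fi
    rm -f "$marker"
    return 0
}

# Entry point, mirroring the original script: silent exit when no marker.
if restart_if_needed "$MARKER" "$RESTART_CMD"; then
    echo "avpd restarted after database update"
fi
```

The restart command is passed as a string and run through `sh -c` only so the stop/sleep/start sequence from the post fits in one variable; on a real host leave RESTART_CMD at its default and set only BASES_DIR if your layout differs.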