[Avcheck] Readme.avp

Michael Tokarev mjt@tls.msk.ru
Sat, 27 Jul 2002 18:20:32 +0400


Morten Christensen wrote:
> 
> I had a problem when installing avcheck the first time.
> I think a few more lines in the readme.avp-file would
> have spared me and the friendly people on this list some
> time. Here is my proposal. You must look carefully if it
> is the right technical solution:
> 
> --->today start<---
> 
> Some descriptions for those directories inside /var/spool/avp:
> 
>  /var/spool/avp itself: a root for all avp "activity"/files.
>    This directory will be modified only during the installation,
>    kavdaemon and avcheck will not write to it or modify files here.
> 
> ---<today end>---
> 
> --->changed start<---
> 
> Some descriptions for those directories inside /var/spool/avp:
> 
>  /var/spool/avp itself: a root for all avp "activity"/files.
>    This directory will be modified only during the installation,
>    kavdaemon and avcheck will not write to it or modify files here.
>    The user that kavdaemon and avcheck are started as must have
>    execute rights on those files. That can be done with:
>      chown :avgroup /var/spool/avp/*
> 
> ---<changed end>---

I don't think this is a correct way.  Here is a listing of
/var/spool/drweb from my machine:

drwxr-xr-x    6 root     root         1024 Jul 24 14:29 .
drwxr-xr-x    2 root     root         1024 Jul 24 14:26 bases/
-rw-r--r--    1 root     root       570368 Jul 12 04:28 drweb32.dll
-rwxr-xr-x    1 root     root       931192 May 15 03:59 drwebd*
-rw-r--r--    1 root     root          501 Nov 20  2001 drwebd.ini
-r--r--r--    1 root     root         1165 Aug 14  2001 drwebd.key
drwxr-xr-x    2 root     root         1024 Oct  1  2001 etc/
drwxr-x---    2 drwebd   avscan       1024 Jul 24 14:29 run/
drwxr-xr-x    2 drwebc   avscan       1024 Jul 27 17:56 tst/

(this is drweb not avp, and user/group names are somewhat different,
but the same rules apply anyway).  As you see, only 2 directories
are owned by group avgroup (avscan) - the ones that are really
necessary.  I assumed that all the non-private files are accessible
to everyone on a system.  There is a file, drwebd.key (and a similar
file for avp exists too), that may be considered private as well
(so no one will be able to "steal" it from here) - I think it's ok
to chgrp it to avgroup and give away read permissions from others
(so yet another file will be owned by this group) - this way,
avcheck will too be able to access it (other alternative is to
make it owned by a user who runs av daemon and set permissions
to 0400 - but in this case daemon will be able to *modify*, at
least in principle, and this may be not good).

There is no requirement to have other files in this directory (except
for some essential ones) owned by any particular user/group; the only
requirement is that permissions should be sufficient for successful
execution and no party will have more permission than is necessary
(the same applies to permission bits as well as owner/group).

I think it's sufficient to add a similar listing (as above) to some
README files to serve as an example, and this should solve this
issue.  Please correct me if I'm wrong here (until it's too late... ;)

Thanks for the tip.

BTW, `chown :group' should really be `chgrp group' instead.

/mjt
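Added example, not part of this thread and not code from avcheck, kavdaemon or DrWeb: a small Python audit that parses an `ls -lF` listing like the one in the message and reports every entry that breaks the rule stated there (only the entries the scanner really needs are shared with the AV group, nothing is writable by more parties than necessary, and the licence key is not readable by everyone). The group name `avscan`, the shared entries `run` and `tst`, and the `.key` suffix for private files are assumptions taken from the listing above and are all parameters.

```python
"""Least-privilege audit of an AV spool directory from its `ls -lF` listing.

Added example; it is not avcheck's, kavdaemon's or DrWeb's own code.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed input: the /var/spool/drweb listing quoted in the message above.
LISTING = """\
drwxr-xr-x    6 root     root         1024 Jul 24 14:29 .
drwxr-xr-x    2 root     root         1024 Jul 24 14:26 bases/
-rw-r--r--    1 root     root       570368 Jul 12 04:28 drweb32.dll
-rwxr-xr-x    1 root     root       931192 May 15 03:59 drwebd*
-rw-r--r--    1 root     root          501 Nov 20  2001 drwebd.ini
-r--r--r--    1 root     root         1165 Aug 14  2001 drwebd.key
drwxr-xr-x    2 root     root         1024 Oct  1  2001 etc/
drwxr-x---    2 drwebd   avscan       1024 Jul 24 14:29 run/
drwxr-xr-x    2 drwebc   avscan       1024 Jul 27 17:56 tst/
"""

# One `ls -lF` line: type + nine permission chars, link count, owner, group,
# size, three date tokens, then the name (possibly with a -F suffix like / or *).
LINE_RE = re.compile(
    r'^([-dl])([rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\S+\s+\S+\s+(.+)$')


def perms_to_mode(perms: str) -> int:
    """Turn the nine rwx characters into a numeric mode.

    's'/'t' mean the execute bit is set together with a special bit,
    'S'/'T' mean the special bit without execute; special bits are ignored here.
    """
    mode = 0
    for i, ch in enumerate(perms):
        if ch in 'rwxst':
            mode |= 1 << (8 - i)
    return mode


def parse_listing(listing: str) -> List[Dict[str, object]]:
    """Parse the entry lines of an `ls -lF` listing; non-entry lines are skipped."""
    entries = []
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if not m:                       # e.g. a "total N" header line
            continue
        kind, perms, owner, group, name = m.groups()
        name = name.rstrip('/*@=|')     # drop the ls -F classification suffix
        entries.append({'name': name, 'kind': kind, 'mode': perms_to_mode(perms),
                        'owner': owner, 'group': group})
    return entries


def audit(listing: str, av_group: str, shared: Set[str],
          private_suffixes: Tuple[str, ...] = ('.key',)) -> List[str]:
    """Return one finding per violated rule; an empty list means the layout is clean.

    av_group: the group shared between the scanner daemon and avcheck (assumed 'avscan').
    shared:   the only entries that may be group-owned by av_group (assumed run/ and tst/).
    """
    findings = []
    for e in parse_listing(listing):
        name, mode, owner, group = e['name'], e['mode'], e['owner'], e['group']
        if name == '.':
            continue
        if mode & 0o002:
            findings.append(f"{name}: writable by everyone")
        if name.endswith(private_suffixes):
            # The key may be chgrp'ed to the AV group so avcheck can read it,
            # but it must not be readable by others nor writable by anyone.
            if mode & 0o004:
                findings.append(f"{name}: readable by everyone; suggested fix: "
                                f"chgrp {av_group} {name} && chmod 0440 {name}")
            if mode & 0o222:
                findings.append(f"{name}: writable by {owner}; a key should be "
                                f"0440 (or 0400) so the scanner cannot modify it")
            continue
        if group == av_group and name not in shared:
            findings.append(f"{name}: group {av_group} but not one of the "
                            f"shared entries {sorted(shared)}")
        if name in shared and group != av_group:
            findings.append(f"{name}: shared entry but group is {group}, not {av_group}")
        if name not in shared and mode & 0o020:
            findings.append(f"{name}: group-writable although it is not a shared entry")
    return findings


if __name__ == '__main__':
    for finding in audit(LISTING, 'avscan', {'run', 'tst'}):
        print(finding)
```

Run against the listing in the message it reports exactly one item, the one the message itself proposes to change: `drwebd.key` is readable by everyone. Replacing that line with a `root:avscan` entry of mode `0440` gives a clean audit, while making `bases/` group-writable and group-owned by `avscan` produces two findings, since that directory is neither shared nor writable by design.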