summaryrefslogtreecommitdiff
blob: d906ed530acbb0ab762be181a42a7d977419b34d (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
# Copyright 1999-2020 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2

EAPI=7

inherit systemd

DESCRIPTION="Download and install third-party clamav signatures"
HOMEPAGE="https://github.com/extremeshok/clamav-unofficial-sigs"
SRC_URI="https://github.com/extremeshok/clamav-unofficial-sigs/archive/${PV}.tar.gz -> ${P}.tar.gz"

LICENSE="BSD"
SLOT="0"
KEYWORDS="~amd64 ~x86"
IUSE="cron"

# Require acct-{user,group}/clamav at build time so that we can set
# the permissions on /var/lib/${PN} in src_install rather than in
# pkg_postinst; calling "chown" on the live filesystem scares me.
DEPEND="acct-group/clamav
	acct-user/clamav"

# The script relies on either net-misc/socat, or Perl's
# IO::Socket::UNIX. We already depend on Perl, and Gentoo's Perl ships
# with IO::Socket::UNIX, so we can leave out net-misc/socat here.
#
# Recent versions will crash if you don't have "clamscan" available,
# so we are forced to depend on app-antivirus/clamav finally.
RDEPEND="${DEPEND}
	app-antivirus/clamav
	app-crypt/gnupg
	dev-lang/perl
	net-dns/bind-tools
	|| ( net-misc/wget net-misc/curl )"

# This script is cccrrraaaaaaazzzzzzzzyyyyyy. It does a million
# insecure things. Let's not accidentally run it as root.
PATCHES=(
	"${FILESDIR}/${P}-disable-run-as-root.patch"
	"${FILESDIR}/${P}-fix-mbl-database-name.patch"
	"${FILESDIR}/${P}-fix-mbl-url.patch"
)

src_prepare() {
	default

	# https://github.com/extremeshok/clamav-unofficial-sigs/pull/301
	echo 'allow_upgrades="no"' >> config/os/os.gentoo.conf || die
	echo 'allow_update_checks="no"' >> config/os/os.gentoo.conf || die
}

src_install() {
	dobin "${PN}.sh"

	insinto /etc/logrotate.d
	newins "${FILESDIR}/${PN}.logrotate" "${PN}"

	insinto "/etc/${PN}"
	doins config/{master,user}.conf
	newins config/os/os.gentoo.conf os.conf

	# To generate the man page, you have to first install the package,
	# and then issue some ridiculous command like
	#
	# $ sudo su -s /bin/sh \
	#           -c 'man_dir=/tmp clamav-unofficial-sigs.sh --install-man' \
	#           clamav
	#
	# That'll stick it in /tmp, which is unsafe-ish, but the example is
	# easily modified.
	newman "${FILESDIR}/${P}.man.8" "${PN}.8"
	dodoc README.md

	if use cron; then
		# Beware, this directory is not completely standard. However,
		# we need this to run as "clamav" with a non-default shell and
		# home directory (bug 694054), and this seems like the most
		# reliable way to accomplish that.
		insinto "/etc/cron.d"
		newins "${FILESDIR}/${PN}.crond" "${PN}"
	else
		dodoc "${FILESDIR}/${PN}.crond"
	fi

	# Install the systemd service and timer unconditionally, because
	# the timer is disabled by default (and won't annoy people until
	# after they've configured the script).
	systemd_dounit "${FILESDIR}/${PN}".{service,timer}

	# The script's working directory, as set in the configuration
	# file. By default, the script runs as clamav:clamav because
	# it needs write access to the clamav databases.
	diropts -o clamav -g clamav
	keepdir "/var/lib/${PN}"
}

pkg_postinst() {
	elog ''
	elog "You will need to select databases in /etc/${PN}/master.conf."
	elog "For details, please see the ${PN}(8) manual page."
	elog ''
	elog 'An up-to-date description of the available Sanesecurity'
	elog 'databases is available at,'
	elog ''
	elog '  http://sanesecurity.com/usage/signatures/'
	elog ''
}