Bug 963920 - clamav-filesystem has useradd and groupadd issues
Summary: clamav-filesystem has useradd and groupadd issues
Alias: None
Product: Fedora
Classification: Fedora
Component: clamav
Version: 18
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Nick Bebout
QA Contact: Fedora Extras Quality Assurance
: 964328 (view as bug list)
Depends On:
TreeView+ depends on / blocked
Reported: 2013-05-16 18:53 UTC by Chris Schanzle
Modified: 2013-06-21 02:05 UTC (History)
14 users (show)

Fixed In Version: clamav-0.97.8-2.fc17
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2013-06-18 06:24:34 UTC
Type: Bug

Attachments (Terms of Use)

Description Chris Schanzle 2013-05-16 18:53:52 UTC
Description of problem:
clamav-filesystem scripts does not create group and user system accounts properly.

Version-Release number of selected component (if applicable):

How reproducible:
100% if clamupdate group and clamupdate user accounts do not already exist.

Steps to Reproduce:
1. yum remove clamav\*
2. userdel clamupdate
3. groupdel clamupdate
4. yum install clamav clamav-update
Actual results:
Downloading Packages:
(1/5): clamav-0.97.8-1.fc18.x86_64.rpm                     | 922 kB   00:00     
(2/5): clamav-data-empty-0.97.8-1.fc18.noarch.rpm          |  17 kB   00:00     
(3/5): clamav-filesystem-0.97.8-1.fc18.noarch.rpm          |  17 kB   00:00     
(4/5): clamav-lib-0.97.8-1.fc18.x86_64.rpm                 | 3.6 MB   00:00     
(5/5): clamav-update-0.97.8-1.fc18.x86_64.rpm              |  83 kB   00:00     
Total                                            27 MB/s | 4.6 MB     00:00     
Running Transaction Check
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : clamav-data-empty-0.97.8-1.fc18.noarch                       1/5 
  Installing : clamav-lib-0.97.8-1.fc18.x86_64                              2/5 
Usage: groupadd [options] GROUP

  -f, --force                   exit successfully if the group already exists,
                                and cancel -g if the GID is already used
  -g, --gid GID                 use GID for the new group
  -h, --help                    display this help message and exit
  -K, --key KEY=VALUE           override /etc/login.defs defaults
  -o, --non-unique              allow to create groups with duplicate
                                (non-unique) GID
  -p, --password PASSWORD       use this encrypted password for the new group
  -r, --system                  create a system account
  -R, --root CHROOT_DIR         directory to chroot into

useradd: group 'clamupdate' does not exist
  Installing : clamav-filesystem-0.97.8-1.fc18.noarch                       3/5 
warning: user clamupdate does not exist - using root
warning: group clamupdate does not exist - using root
  Installing : clamav-update-0.97.8-1.fc18.x86_64                           4/5 
/usr/bin/chown: invalid group: ‘root:clamupdate’
  Installing : clamav-0.97.8-1.fc18.x86_64                                  5/5 
  Verifying  : clamav-lib-0.97.8-1.fc18.x86_64                              1/5 
  Verifying  : clamav-0.97.8-1.fc18.x86_64                                  2/5 
  Verifying  : clamav-update-0.97.8-1.fc18.x86_64                           3/5 
  Verifying  : clamav-data-empty-0.97.8-1.fc18.noarch                       4/5 
  Verifying  : clamav-filesystem-0.97.8-1.fc18.noarch                       5/5 

  clamav.x86_64 0:0.97.8-1.fc18       clamav-update.x86_64 0:0.97.8-1.fc18      

Dependency Installed:
  clamav-data-empty.noarch 0:0.97.8-1.fc18                                      
  clamav-filesystem.noarch 0:0.97.8-1.fc18                                      
  clamav-lib.x86_64 0:0.97.8-1.fc18                                             


Expected results:
no errors

Additional info:

In the below scripts,
1. ${username} is clearly not expanded properly
2. "-g 4" needs to be removed from the groupadd (username is last argument anyway)
3.  what happens if gruopadd command returns non-zero exit status?  Probably want ||: 
4.  "-u 4" should be removed from useradd

# rpm -q --scripts clamav-filesystem-0.97.8-1.fc18.noarchpreinstall scriptlet (using /bin/sh):
getent group clamupdate >/dev/null || groupadd -r ${username} -g 4
getent passwd clamupdate >/dev/null || \
    useradd -r -g clamupdate -d /var/lib/clamav -s /sbin/nologin -u 4 \
    -c "Clamav database update user" clamupdate
exit 0

Comment 1 Chris Schanzle 2013-05-16 18:56:29 UTC
Workaround: pre-create group and user account, then install or reinstall with yum:

yum remove clamav\*
groupadd -r clamupdate 
useradd -r -g clamupdate -d /var/lib/clamav -s /sbin/nologin -c "Clamav database update user" clamupdate
yum install clamav clamav-update

Comment 2 Chris Schanzle 2013-05-16 19:34:16 UTC
In reviewing the clamav.spec, I also see similar issues with

%pre scanner
getent group %{scanuser} >/dev/null || groupadd -r ${scanuser} -g 49
getent passwd %{scanuser} >/dev/null || \
    useradd -r -g %{scanuser} -d / -s /sbin/nologin -u 49 \
    -c "Clamav scanner user" %{scanuser}
exit 0

I suggest:
1. removing '-g 49'
2. fixing ${scanuser} to %{scanuser}
3. removing '-u 49'

So that it appears as below:

getent group %{scanuser} >/dev/null || groupadd -r %{scanuser}
getent passwd %{scanuser} >/dev/null || \
    useradd -r -g %{scanuser} -d / -s /sbin/nologin \
    -c "Clamav scanner user" %{scanuser}
exit 0

I also see use of ${milteruser} rather than %{milteruser} which is broken.

There is much inconsistent use of braces around macro names (e.g., %{milteruser} vs %milteruser) and some macros never have braces when used (%milterlog), but I do not see where this violates any packaging guidelines.

Comment 3 Michael H. Warfield 2013-05-28 14:01:49 UTC
Seriously broken.  I've been running into this.  Workaround are useless if you are building respins such as the Network Security Toolkit (NST) since they're trying to build run-live file systems that include this package and you have no opportunity to precreate the user and group ids.

Comment 4 Nick Bebout 2013-06-13 20:27:30 UTC
*** Bug 964328 has been marked as a duplicate of this bug. ***

Comment 5 Fedora Update System 2013-06-13 21:32:26 UTC
clamav-0.97.8-2.fc18 has been submitted as an update for Fedora 18.

Comment 6 Fedora Update System 2013-06-13 21:33:01 UTC
clamav-0.97.8-2.fc19 has been submitted as an update for Fedora 19.

Comment 7 Fedora Update System 2013-06-13 21:33:35 UTC
clamav-0.97.8-2.fc17 has been submitted as an update for Fedora 17.

Comment 8 Fedora Update System 2013-06-14 23:12:52 UTC
Package clamav-0.97.8-2.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing clamav-0.97.8-2.fc19'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).

Comment 9 Fedora Update System 2013-06-18 06:24:34 UTC
clamav-0.97.8-2.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Peter Ludikovsky 2013-06-19 13:28:42 UTC
Any chance of getting this fix into the reported release (Fedora 18 Spherical Cow)?

Comment 11 Frank Murphy 2013-06-19 13:44:30 UTC
(In reply to Peter Ludikovsky from comment #10)
> Any chance of getting this fix into the reported release (Fedora 18
> Spherical Cow)?

Read comment #5

Comment 12 Fedora Update System 2013-06-21 02:00:39 UTC
clamav-0.97.8-2.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2013-06-21 02:05:56 UTC
clamav-0.97.8-2.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.