Arch Linux User Repository

In other words, it is not something the Fangfrisch package needs to address. I appreciate that.

Building in a clean chroot is recommended by the DeveloperWiki, amongst other reasons for doing so. It also helps keep the system clean of makedepends and other cruft.

And yes, the build chroot does install clamav (and all other dependencies), but makechrootpkg does not execute the systemd functions that a 'regular' install initializes, so the clamav user is never created in the chroot.

What you can do instead is create your own '/usr/lib/tmpfiles.d/$pkgname.conf' tmpfile and put the access restriction in there.

Clean chroot is supposed to have clamav group. I do not know why it is not there. (I dont use clean chroot)

When clean chroot installs clamav package - it is supposed to run systemd-sysusers which will create clamav user and group before the package fangfrisch built.

The permissions 0750 and ownership root:clamav of fangfrisch-has-news.sh were deliberately chosen. Only clamav should execute the script (but not be able to change it). That's also why it is not placed in /usr/local/bin or similar; the script is not meant for general use.

It all works as designed, with the exception of a "build chroot", which I don't know why somebody would need? If it is in fact needed, it has to be fully populated in terms of ClamAV related user accounts, files and directories.

We can possibly remove -g clamav if @Morbius confirms that normal user wont be able to do anything unexpected / unwanted. That line in PKGBUILD was added recently by @Morbius himself.

Normally scripts / executables are supposed to go in /usr/bin and not /etc.

Also fangfrisch needs clamav because it expects clamdscan file to be there and executes it. And it also needs /var/lib/clamav directory. Hence clamav dependency is correct.

Then

install -Dm0755 -t "${pkgdir}/etc/fangfrisch" "${srcdir}/fangfrisch-has-news.sh"

might be more suitable, because it contains nothing security sensitive. Also imho not necessary to restrict it to root execution only.

If you look in /etc/fangfrisch everything is owned by root there anyway. As it should be. Only /var/lib/clamav should be owned by clamav so non-uid-0 user clamav can modifiy files there as it pleases. For /etc/ I like root:root owner because settings set by human admin cannot be modified from the daemon.

Thinking of requirements: Fangfrisch is designed as a companion application for ClamAV, but does not technically require ClamAV. For example, Fangfrisch can run on a different machine and will not be worse off for it. Fangfrisch certainly does not require ClamAV during the build process. The first reference is made in the form of the "clamav" user/group, at install time. That user account is all that matters, from a technical perspective.

You need package "clamav" in makedepends imho, so the user is around during build time.

@Taijian ClamAV is listed as a requirement of Fangfrisch, so the user "clamav" is expected to exist. Perhaps @amish can comment on this issue?

@Morbius: I do not think that user exists.

extra/clamav does install 'clamav.sysusers' to '/usr/lib/sysusers.d/clamav.conf', but I do not think that that file is being sourced in a build chroot.