1 files changed, 39 insertions, 0 deletions

diff --git a/app-antivirus/clamav-unofficial-sigs/files/clamav-unofficial-sigs-7.0.1-disable-run-as-root.patch b/app-antivirus/clamav-unofficial-sigs/files/clamav-unofficial-sigs-7.0.1-disable-run-as-root.patch
new file mode 100644
index 000000000000..2b40c982309b
--- /dev/null
+++ b/app-antivirus/clamav-unofficial-sigs/files/clamav-unofficial-sigs-7.0.1-disable-run-as-root.patch
@@ -0,0 +1,39 @@
+From 5235a5e518a1b17f50eb0f56c088f3808d939626 Mon Sep 17 00:00:00 2001
+From: Michael Orlitzky <michael@orlitzky.com>
+Date: Tue, 4 Feb 2020 19:34:56 -0500
+Subject: [PATCH 1/1] clamav-unofficial-sigs.sh: disable running as root.
+
+The only way I'm going to let this be installed on my machine is if
+it never runs as root. The shit that it does is insane (a priori)
+and also implemented insecurely. There's no good reason to run the
+script as root on Gentoo anyway. A cron job is provided for you,
+or you can use "su -s /bin/bash -c ... clamav" to run it as the
+clamav user.
+---
+ clamav-unofficial-sigs.sh | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/clamav-unofficial-sigs.sh b/clamav-unofficial-sigs.sh
+index aa70db1..60d305b 100644
+--- a/clamav-unofficial-sigs.sh
++++ b/clamav-unofficial-sigs.sh
+@@ -3,6 +3,16 @@
+ # shellcheck disable=SC2120
+ # shellcheck disable=SC2128
+ # shellcheck disable=SC2154
++
++if [[ ${EUID} -eq 0 ]]; then
++    exec 1>&2
++    echo "This script has been patched by the Gentoo maintainer to disable"
++    echo "running it as root (effective UID 0). When run as root, the script"
++    echo "performs a number of operations insecurely. You should never need"
++    echo "to run this as root on Gentoo in the first place."
++    exit 1;
++fi
++
+ ################################################################################
+ # This is property of eXtremeSHOK.com
+ # You are free to use, modify and distribute, however you may not remove this notice.
+-- 
+2.24.1
+