Bug 1154428

Summary: rkhunter potentially exposes securtiy critical files in insecure tmpdir
Product: [Fedora] Fedora EPEL Reporter: Christoph Anton Mitterer <calestyo>
Component: rkhunterAssignee: Kevin Fenzi <kevin>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: el6CC: kevin, lnie, manuel.wolfshant, nonamedotc
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: All   
Whiteboard:
Fixed In Version: rkhunter-1.4.2-4.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-11-01 16:44:10 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Christoph Anton Mitterer 2014-10-19 16:27:10 UTC
The rkhunter package has the following set:
TMPDIR=/var/lib/rkhunter

which is world-readable:
# ls -al /var/lib/rkhunter/
total 28
drwxr-xr-x  3 root root 4096 Oct 19 03:16 .


It may thus be possible, that any file copied there by rkhunter, may have it's access restrictions prevented, which is also why the rkhunter.conf documentation already says:
# NOTE: Do not use '/tmp' as your temporary directory. Some important files
# will be written to this directory, so be sure that the directory permissions
# are secure.

Cheers,
Chris.

Comment 1 Kevin Fenzi 2014-10-19 16:48:05 UTC
I might be missing something, but I don't see any issue here... 

That dir is world readable, but not writable. Nothing inside it that is sensitive is readable to non priv users. 

rkhunter uses mktemp for temp files, so they should be fine. 

I suppose we could change the dir to 700, but I don't see a urgent reason to.

Comment 2 Christoph Anton Mitterer 2014-10-19 16:58:37 UTC
Read the documentation:

rkhunter may copy temporary files (or parts of) from other system locations there in order to scan/analyze them.

So you could have something like /etc/unaccessible-dir/readable-password-file which is copied there, and then the protection from unaccessible-dir no longer applies.

The proper way is to use the default for TMPDIR, which is /var/lib/rkhunter/tmp and create that dir u=rwx,go=


Cheers,
Chris.

Comment 3 Fedora Update System 2014-10-27 15:57:04 UTC
rkhunter-1.4.2-5.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/rkhunter-1.4.2-5.fc21

Comment 4 Fedora Update System 2014-10-27 15:57:25 UTC
rkhunter-1.4.2-5.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/rkhunter-1.4.2-5.fc20

Comment 5 Fedora Update System 2014-10-27 15:57:45 UTC
rkhunter-1.4.2-5.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/rkhunter-1.4.2-5.fc19

Comment 6 Fedora Update System 2014-10-27 15:58:11 UTC
rkhunter-1.4.2-5.el7 has been submitted as an update for Fedora EPEL 7.
https://admin.fedoraproject.org/updates/rkhunter-1.4.2-5.el7

Comment 7 Fedora Update System 2014-10-27 15:58:42 UTC
rkhunter-1.4.2-4.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/rkhunter-1.4.2-4.el6

Comment 8 Fedora Update System 2014-10-28 06:34:10 UTC
Package rkhunter-1.4.2-5.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing rkhunter-1.4.2-5.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-13683/rkhunter-1.4.2-5.fc20
then log in and leave karma (feedback).

Comment 9 lnie 2014-10-29 03:27:06 UTC
rkhunter-1.4.2-5.fc20 works

Comment 10 Fedora Update System 2014-11-01 16:44:10 UTC
rkhunter-1.4.2-5.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2014-11-07 02:36:14 UTC
rkhunter-1.4.2-5.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2014-11-07 02:39:57 UTC
rkhunter-1.4.2-5.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2014-11-12 23:17:11 UTC
rkhunter-1.4.2-5.el7 has been pushed to the Fedora EPEL 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2014-11-12 23:19:40 UTC
rkhunter-1.4.2-4.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.