Bug 456340

Summary: "no copy of the passwd file exists" after reboot
Product: Fedora
Component: rkhunter
Version: 9
Reporter: Nerijus Baliūnas <nerijus>
Assignee: Kevin Fenzi <kevin>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: devrim, manuel.wolfshant
Status: CLOSED NEXTRELEASE
Severity: low
Priority: low
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-01-24 02:33:59 UTC

Description Nerijus Baliūnas 2008-07-22 23:08:18 UTC
When I reboot PC, the first rkhunter run from cron sends email:

---------------------- Start Rootkit Hunter Scan ----------------------

Warning: Unable to check for passwd file differences: no copy of the passwd file
exists.

Warning: Unable to check for group file differences: no copy of the group file
exists.



One or more warnings have been found while checking the system.

Please check the log file (/var/log/rkhunter/rkhunter.log)



----------------------- End Rootkit Hunter Scan -----------------------

From /var/log/rkhunter/rkhunter.log:
[02:04:15]   Checking for passwd file                        [ Found ]
[02:04:15] Info: Found password file: /etc/passwd
[02:04:15]   Checking for root equivalent (UID 0) accounts   [ None found ]
[02:04:15] Info: Found shadow file: /etc/shadow
[02:04:15]   Checking for passwordless accounts              [ None found ]
[02:04:15] Info: Starting test name 'passwd_changes'
[02:04:15]   Checking for passwd file changes                [ Warning ]
[02:04:15] Warning: Unable to check for passwd file differences: no copy of the
passwd file exists.
[02:04:15] Info: Starting test name 'group_changes'
[02:04:15]   Checking for group file changes                 [ Warning ]
[02:04:16] Warning: Unable to check for group file differences: no copy of the
group file exists.
[02:04:16]   Checking root account shell history files       [ OK ]

Comment 1 Kevin Fenzi 2008-07-23 04:13:32 UTC
Correct. This is expected by upstream...
You must run 'rkhunter --propupd' to create copies of those files for it to
check against.

From the man page: 

       --propupd
              One of the checks rkhunter performs is to compare  various  current
              file  properties  of  various commands, against those it has previ-
              ously stored. This command option causes  rkhunter  to  update  its
              data file of stored values with the current values.

              WARNING: It is the users responsibility to ensure that the files on
              the system are genuine and from a  reliable  source.  rkhunter  can
              only  report  if a file has changed, but not on what has caused the
              change. Hence, if a file has changed,  and  the  --propupd  command
              option is used, then rkhunter will assume that the file is genuine.

I'm not sure there is anything I can do package-wise to get around this,
as it's expected that the end user decides that their install is OK.

Comment 2 Nerijus Baliūnas 2008-07-23 11:16:12 UTC
But I ran rkhunter --propupd, and rkhunter runs without warnings; it only happens
when I reboot. Then the copies of the passwd and group files disappear.

Comment 3 Kevin Fenzi 2008-07-23 19:16:47 UTC
Ah, I see what you are saying...

Yeah, this is partially an upstream issue, and partially my fault.
rkhunter in Fedora uses /var/run/rkhunter as its tmpdir. This unfortunately
gets wiped on every reboot, so that's why you have to re-run it on boot.

Possible solutions would be:

1. Get upstream to not save passwd/shadow info in tmpdir. If those are expected
to be persistent, they shouldn't go to the tmpdir.

2. I could move them to another dir that is persistent.

3. We could just leave it as is. After a reboot you may well want to check why
the reboot happened and that your files are OK, and re-run propupd.

I'm not sure which way to go offhand... will ponder on it.
Any thoughts?

Comment 4 manuel wolfshant 2008-08-31 03:37:57 UTC
I suggest saving them under /var/lib/rkhunter.

Comment 5 Kevin Fenzi 2008-09-08 22:16:09 UTC
Yeah, we could do that, but upstream seems to want people to have to decide after each reboot that their setup is OK and right by running --propupd.
If we store them in a persistent way we are changing the behavior of upstream...

I think this is a discussion that's better had upstream.

Nerijus / Wolfy: Would one of you be willing to take this up on the upstream lists? Or would you like me to?

Comment 6 manuel wolfshant 2008-09-12 10:24:45 UTC
Thing is that a long time ago I packaged rkhunter myself (1.2.9 at the time, upgraded to 1.3.0pre and 1.3.0 next). I have used a similar but different spec and a completely different cron job (very simple; basically it boils down to one line: rkhunter --update && rkhunter XXXX | mail -s "rkhunter job"). And I have never seen the behaviour exhibited by the package from Fedora EPEL.

Comment 7 Kevin Fenzi 2008-12-14 01:09:44 UTC
Sorry for the long delay here. ;(

I can change it to use /usr/lib/rkhunter for its tmpdir, but that's set in the /etc/rkhunter.conf file, so on update people will get a /etc/rkhunter.conf.rpmnew file. ;(

Should we just do that? Or is there any better solution here?

Comment 8 Nerijus Baliūnas 2008-12-15 16:00:39 UTC
No problem, there are times when *.rpmnew files appear. Admins should check them.

Comment 9 Kevin Fenzi 2008-12-15 22:11:05 UTC
True. The other issue here is that with that change rkhunter is going to use /var/lib/rkhunter for all its temp files, which is not very SELinux friendly.
:(

Better would be a patch to make it store passwd/shadow in its normal db dir, and use them from there. I can try and look at a patch to do that, but if one of you wants to do so that would be great.
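
The state-directory problem discussed in comments 3 and 9, as an added example that is not part of this bug report and not rkhunter's own code: a minimal POSIX sh version of the passwd/group "file changes" test, with the stored copy kept in a configurable state directory. The demo keeps two copies, one in a directory that stands in for the volatile /var/run/rkhunter and one standing in for /var/lib/rkhunter, wipes the volatile one to simulate a reboot, and shows which copy still lets the check run. The function names (check_file, propupd, demo), the sample passwd lines and the temporary directories are all constructed for the example.

```shell
#!/bin/sh
# Added example, not rkhunter's own code: a minimal version of the
# passwd/group "file changes" test, showing why the stored copy must
# live in a persistent directory. The second argument of each function
# is a hypothetical stand-in for the directory holding the stored copies
# (/var/run/rkhunter, wiped at boot, versus /var/lib/rkhunter).

# check_file ORIGINAL STATE_DIR
# Compares ORIGINAL against its stored copy in STATE_DIR. Prints an
# rkhunter-style message and returns 0 (unchanged), 1 (changed) or
# 2 (no stored copy: the warning from this bug report).
check_file() {
    orig=$1
    name=$(basename "$orig")
    copy=$2/$name
    if [ ! -f "$copy" ]; then
        echo "Warning: Unable to check for $name file differences: no copy of the $name file exists."
        return 2
    fi
    if cmp -s "$orig" "$copy"; then
        echo "Checking for $name file changes [ OK ]"
        return 0
    fi
    echo "Warning: the $name file has changed since the stored copy was taken:"
    diff "$copy" "$orig" || true   # diff exits 1 when files differ; not an error here
    return 1
}

# propupd ORIGINAL STATE_DIR
# Stores the current file as the trusted baseline, the equivalent of
# 'rkhunter --propupd'. As the man page quoted in comment 1 warns, run it
# only after satisfying yourself that the file is genuine.
propupd() {
    mkdir -p "$2"
    cp "$1" "$2/$(basename "$1")"
}

# demo: constructed sample passwd file under a temporary directory.
# Check messages go to stderr; the three return codes are printed on stdout.
demo() {
    work=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/bash\nnerijus:x:500:500::/home/nerijus:/bin/bash\n' > "$work/passwd"
    volatile=$work/run        # stands in for /var/run/rkhunter
    persistent=$work/lib      # stands in for /var/lib/rkhunter

    propupd "$work/passwd" "$volatile"
    propupd "$work/passwd" "$persistent"

    rm -rf "$volatile"        # "reboot": the tmpfs-style directory is emptied
    r1=0; check_file "$work/passwd" "$volatile" >&2 || r1=$?     # 2: no copy exists
    r2=0; check_file "$work/passwd" "$persistent" >&2 || r2=$?   # 0: copy survived

    # A constructed extra UID 0 entry appended later is exactly the kind of
    # change the persistent copy lets the check report.
    echo 'newroot:x:0:0::/:/bin/sh' >> "$work/passwd"
    r3=0; check_file "$work/passwd" "$persistent" >&2 || r3=$?   # 1: changed

    rm -rf "$work"
    echo "$r1 $r2 $r3"
}

demo
```

Run as a script, it prints the three warnings/OK lines on stderr and "2 0 1" on stdout: the volatile copy produces the same "no copy of the passwd file exists" warning as in the report, the persistent copy passes, and the persistent copy then catches the appended entry. The point for the packaging discussion is that the check is only as useful as the copy it can still find after a reboot, and a copy stored where it survives a reboot is also the one that can flag a change made across that reboot.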

Comment 10 Kevin Fenzi 2009-01-04 22:25:07 UTC
Can you guys try the new package in rawhide?
(I can scratch build it as well if you need me to.)

I think I have propupd persisting through reboots.
If you guys can confirm, I can push this and several other fixes to F9/F10.

Comment 11 manuel wolfshant 2009-01-04 22:51:30 UTC
I'll give it a spin in CentOS 4/5 as soon as I manage to persuade my mock to restart building packages.

Comment 12 manuel wolfshant 2009-01-05 00:26:52 UTC
Just tested, as follows:
- removed /var/lib/rkhunter/{group,passwd}
- updated rkhunter to 1.3.4 (locally built copy based on the src.rpm from koji/rawhide)
- rebooted and received:
---------------------- Start Rootkit Hunter Scan ----------------------
Warning: Unable to check for passwd file differences: no copy of the passwd file exists.
Warning: Unable to check for group file differences: no copy of the group file exists.

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter/rkhunter.log)

----------------------- End Rootkit Hunter Scan -----------------------
- checked /var/lib/rkhunter/ and the two files were there
- rebooted again
- rechecked /var/lib/rkhunter/ and the two files were still there

So I guess it's OK, at least after my very fast test.

Comment 13 Kevin Fenzi 2009-01-05 05:14:25 UTC
OK, great. I will push updates to testing for F10/F9 and we can get some more widespread testing.

Comment 14 Fedora Update System 2009-01-05 05:32:59 UTC
rkhunter-1.3.4-1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/rkhunter-1.3.4-1.fc10

Comment 15 Fedora Update System 2009-01-05 05:41:50 UTC
rkhunter-1.3.4-1.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/rkhunter-1.3.4-1.fc9

Comment 16 Fedora Update System 2009-01-07 09:24:51 UTC
rkhunter-1.3.4-1.fc10 has been pushed to the Fedora 10 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update rkhunter'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2009-0153

Comment 17 Fedora Update System 2009-01-07 09:25:50 UTC
rkhunter-1.3.4-1.fc9 has been pushed to the Fedora 9 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing-newkey update rkhunter'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F9/FEDORA-2009-0163

Comment 18 Fedora Update System 2009-01-24 02:33:51 UTC
rkhunter-1.3.4-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.

Comment 19 Fedora Update System 2009-01-24 02:39:09 UTC
rkhunter-1.3.4-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.