Bug 456340
Summary: | "no copy of the passwd file exists" after reboot | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Nerijus Baliūnas <nerijus> |
Component: | rkhunter | Assignee: | Kevin Fenzi <kevin> |
Status: | CLOSED NEXTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | 9 | CC: | devrim, manuel.wolfshant |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2009-01-24 02:33:59 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Nerijus Baliūnas
2008-07-22 23:08:18 UTC
Correct. This is expected by upstream... You must run 'rkhunter --propupd' to create copies of those files for it to check against. From the man page:

> --propupd
> One of the checks rkhunter performs is to compare various current file properties of various commands, against those it has previously stored. This command option causes rkhunter to update its data file of stored values with the current values.
>
> WARNING: It is the users responsibility to ensure that the files on the system are genuine and from a reliable source. rkhunter can only report if a file has changed, but not on what has caused the change. Hence, if a file has changed, and the --propupd command option is used, then rkhunter will assume that the file is genuine.

I'm not sure there is anything I can do package-wise to get around this, as it's expected that the end user decides that their install is ok.

But I ran rkhunter --propupd, and rkhunter runs w/o warnings; it only happens when I reboot. Then copies of passwd and group files disappear.

Ah, I see what you are saying... Yeah, this is partially an upstream issue, and partially my fault. rkhunter in Fedora uses /var/run/rkhunter as its tmpdir. This unfortunately gets wiped on every reboot, so that's why you have to re-run it on boot. Possible solutions would be:

1. Get upstream to not save passwd/shadow info in tmpdir. If those are expected to be persistent, they shouldn't go to the tmpdir.
2. I could move them to another dir that is persistent.
3. We could just leave it as is. After a reboot you may well want to check why the reboot happened and that your files are ok and re-run propupd.

I'm not sure which way to go off hand... will ponder on it. Any thoughts?

I suggest saving them under /var/lib/rkhunter.

Yeah, we could do that, but upstream seems to want people to have to decide after each reboot that their setup is ok and right by running --propupd. If we store them in a persistent way we are changing the behavior of upstream...

I think this is a discussion that's better made upstream. Nerijus / Wolfy: Would one of you be willing to take this up on the upstream lists? Or would you like me to?

Thing is that a long time ago I packaged rkhunter myself (1.2.9 at the time, upgraded to 1.3.0pre and 1.3.0 next). I have used a similar but different spec and a completely different cronjob (very simple, basically it boils down to one line: rkhunter --update && rkhunter XXXX | mail -s "rkunter job" ). And I have never seen the behaviour exhibited by the package from Fedora EPEL.

Sorry for the long delay here. ;( I can change it to use /usr/lib/rkhunter for its tmpdir, but that's set in the /etc/rkhunter.conf file, so on update people will get a /etc/rkhunter.conf.rpmnew file. ;( Should we just do that? Or is there any better solution here?

No problem, there are times when *.rpmnew files appear. Admins should check them.

True. The other issue here is that with that change rkhunter is going to use /var/lib/rkhunter for all its temp files, which is not very selinux friendly. :( Better would be a patch to make it store passwd/shadow in its normal db dir, and use them from there. I can try and look at a patch to do that, but if one of you wants to do so that would be great.

Can you guys try the new package in rawhide? (I can scratch build it as well if you need me to.) I think I have propupd persisting through reboots. If you guys can confirm I can push this and several other fixes to F9/F10.

I'll give it a spin in CentOS 4/5 as soon as I manage to persuade my mock to restart building packages.

Just tested, as follows:

- removed /var/lib/rkhunter/{group, passwd}
- updated rkhunter to 1.3.4 (local built copy based on the src.rpm from koji/rawhide)
- reboot and received:

```
---------------------- Start Rootkit Hunter Scan ----------------------
Warning: Unable to check for passwd file differences: no copy of the passwd file exists.
Warning: Unable to check for group file differences: no copy of the group file exists.

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter/rkhunter.log)
----------------------- End Rootkit Hunter Scan -----------------------
```

- checked /var/lib/rkhunter/ and the two files were there
- reboot again
- rechecked /var/lib/rkhunter/ and the two files were still there

So I guess it's OK, at least after my very fast test.

OK, great. I will push updates to testing for f10/f9 and we can get some more widespread testing.

rkhunter-1.3.4-1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/rkhunter-1.3.4-1.fc10

rkhunter-1.3.4-1.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/rkhunter-1.3.4-1.fc9

rkhunter-1.3.4-1.fc10 has been pushed to the Fedora 10 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update rkhunter'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2009-0153

rkhunter-1.3.4-1.fc9 has been pushed to the Fedora 9 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing-newkey update rkhunter'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F9/FEDORA-2009-0163

rkhunter-1.3.4-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.

rkhunter-1.3.4-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
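As an added illustration of the mechanism behind this bug (example code, not rkhunter's own and not from the Fedora package): a POSIX shell sketch that stores a baseline copy of a file, as --propupd does for passwd and group, and later compares the live file against it. The demo() function uses constructed sample data and simulates the reboot wipe of /var/run by deleting the "volatile" baseline directory; the function names, directory layout and sample lines are assumptions, only the warning wording mirrors rkhunter's.

```shell
#!/bin/sh
# Added example, not rkhunter's own code: a baseline copy of a file is stored
# (what 'rkhunter --propupd' does for passwd/group) and later compared against.
# Function names, directory layout and sample data below are constructed.

# store_copy FILE DIR: save a baseline copy of FILE into DIR.
store_copy() {
    mkdir -p "$2" && cp -p "$1" "$2/$(basename "$1")"
}

# check_against_copy FILE DIR: compare FILE with its baseline in DIR.
# Returns 0 = unchanged, 1 = changed (changed lines on stderr), 2 = no baseline copy.
check_against_copy() {
    name=$(basename "$1"); stored="$2/$name"
    if [ ! -f "$stored" ]; then
        echo "Warning: Unable to check for $name file differences: no copy of the $name file exists." >&2
        return 2
    fi
    if cmp -s "$stored" "$1"; then
        return 0
    fi
    echo "Warning: the $name file has changed since the last baseline:" >&2
    diff "$stored" "$1" | grep '^[<>]' >&2
    return 1
}

# demo: constructed passwd data; one baseline under a "volatile" dir (stands in for
# /var/run, wiped at reboot) and one under a "persistent" dir (stands in for /var/lib).
# Prints the three return codes; "2 0 1" is the expected result.
demo() {
    work=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/bash\nalice:x:1000:1000::/home/alice:/bin/bash\n' > "$work/passwd"
    volatile="$work/run"; persistent="$work/lib"
    store_copy "$work/passwd" "$volatile"
    store_copy "$work/passwd" "$persistent"
    rm -rf "$volatile"                        # the reboot: tmpdir contents are gone
    rc_volatile=0;   check_against_copy "$work/passwd" "$volatile"   || rc_volatile=$?
    rc_persistent=0; check_against_copy "$work/passwd" "$persistent" || rc_persistent=$?
    echo 'bob:x:1001:1001::/home/bob:/bin/sh' >> "$work/passwd"   # a change after the baseline
    rc_changed=0;    check_against_copy "$work/passwd" "$persistent" || rc_changed=$?
    rm -rf "$work"
    echo "$rc_volatile $rc_persistent $rc_changed"
}
```

The first code reproduces the "no copy of the passwd file exists" warning from this report; the second shows that a baseline kept outside the tmpdir survives, and the third that a real change is still detected against it.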