Bug 719259

Summary: suspicious files in /dev/shm
Product: [Fedora] Fedora
Reporter: Thomas Moschny <thomas.moschny>
Component: rkhunter
Assignee: Kevin Fenzi <kevin>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 19
CC: kevin
Keywords: Reopened
Hardware: Unspecified
OS: Unspecified
Fixed In Version: rkhunter-1.3.8-8.fc15
Doc Type: Bug Fix
Last Closed: 2013-07-22 14:46:24 UTC

Description Thomas Moschny 2011-07-06 09:29:58 UTC
Description of problem:
rkhunter does not like files in /dev/shm 

Version-Release number of selected component (if applicable):
rkhunter-1.3.8-6.fc15.noarch

Additional info:
Could you add these to rkhunter.conf:

# tomboy creates this one
ALLOWDEVFILE="/dev/shm/mono.*"

# created by libv4l
ALLOWDEVFILE="/dev/shm/libv4l-*"

Comment 1 Fedora Update System 2011-07-08 15:49:53 UTC
rkhunter-1.3.8-7.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/rkhunter-1.3.8-7.fc15

Comment 2 Fedora Update System 2011-07-08 17:48:28 UTC
rkhunter-1.3.8-8.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/rkhunter-1.3.8-8.fc15

Comment 3 Fedora Update System 2011-07-08 17:48:42 UTC
rkhunter-1.3.8-8.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/rkhunter-1.3.8-8.fc15

Comment 4 Fedora Update System 2011-07-12 05:26:51 UTC
Package rkhunter-1.3.8-8.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing rkhunter-1.3.8-8.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/rkhunter-1.3.8-8.fc15
then log in and leave karma (feedback).

Comment 5 Fedora Update System 2011-07-22 19:25:37 UTC
rkhunter-1.3.8-8.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Thomas Moschny 2013-07-22 09:52:03 UTC
Unfortunately there is some quoting problem left:

In /etc/rkhunter.conf:

# created by libv4l
ALLOWDEVFILE="/dev/shm/libv4l-*"

Now, the actual "suspicious" file is named

libv4l-moschny:usb-0000:00:1d.7-2.1.4:093a:2600:VGA Single Chip

causing rkhunter to produce these two warnings:

Invalid ALLOWDEVFILE configuration option: Invalid pathname: Single
Invalid ALLOWDEVFILE configuration option: Invalid pathname: Chip

Seems there's a problem with rkhunter expanding the wildcard in case matching files contain a space.
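
The word-splitting failure reported in comment 6, reproduced as an added example that is not part of the original thread and is not rkhunter's code. The function names, the scratch directory standing in for /dev/shm, and the "must be an absolute path" validity rule are assumptions made for the demonstration.

```shell
# Constructed demo: a scratch directory (path assumed free of spaces) stands
# in for /dev/shm. Simplified model of allowlist handling, not rkhunter's code.

# Create the file name reported in comment 6 plus one unrelated file.
make_demo_dir() {
    d=$(mktemp -d) || return 1
    : > "$d/libv4l-moschny:usb-0000:00:1d.7-2.1.4:093a:2600:VGA Single Chip"
    : > "$d/unexpected.bin"
    printf '%s\n' "$d"
}

# Fragile: expand the glob into one space-separated string, then let the
# shell split that string again. Prints one resulting "pathname" per line.
split_entries() {
    expanded=$(echo $1)          # glob expands; matches are joined by spaces
    for entry in $expanded; do   # unquoted: split on whitespace a second time
        printf '%s\n' "$entry"
    done
}

# Entries from split_entries that are not absolute paths (assumed validity rule).
invalid_entries() {
    split_entries "$1" | while IFS= read -r entry; do
        case $entry in
            /*) ;;
            *) printf '%s\n' "$entry" ;;
        esac
    done
}

# Robust: never expand the allowlist. Match each candidate path against the
# pattern with case, which does no word splitting on either side.
is_allowed() {
    case $1 in
        $2) return 0 ;;
    esac
    return 1
}

demo() {
    dir=$(make_demo_dir) || return 1
    invalid_entries "$dir/libv4l-*" | sed 's/^/not a pathname after splitting: /'
    for f in "$dir"/*; do
        if is_allowed "$f" "$dir/libv4l-*"; then echo "allowed: $f"
        else echo "flagged: $f"; fi
    done
    rm -rf "$dir"
}
demo
```

In a case pattern `*` also matches `/`, so this model treats the allowlist entry as a prefix match rather than a single-directory glob.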

Comment 7 Thomas Moschny 2013-07-22 11:17:32 UTC
Even worse, despite the messages being labelled 'warning', rkhunter does not seem to perform any real checks.

Comment 8 Kevin Fenzi 2013-07-22 14:23:14 UTC
Please see: 

https://bugzilla.redhat.com/show_bug.cgi?id=984180#c1

In short, upstream is aware of the issue, but it will require redoing a lot to get everything working as it should be.

Comment 9 Thomas Moschny 2013-07-22 14:46:24 UTC
Ok, I subscribed to the other bug, closing this one.