Bug 719270

Summary: strange warning about replaced /usr/bin/rkhunter
Product: [Fedora] Fedora Reporter: Thomas Moschny <thomas.moschny>
Component: rkhunterAssignee: Kevin Fenzi <kevin>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 15CC: kevin
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: rkhunter-1.3.8-8.fc15 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-07-22 19:25:42 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Thomas Moschny 2011-07-06 09:51:04 UTC 
Description of problem:
The daily runs of rkhunter produce this strange warning:

Warning: The command '/usr/bin/rkhunter' has been replaced and is not a script: /usr/bin/rkhunter: POSIX shell script, ASCII text executable, with very long lines

This looks bogus to me:
- it *is* a script (output contradicts itself)
- afaict it wasn't modified:

# sha1sum /usr/bin/rkhunter
2d8832de4ca600e529ed8cdc3927273bb7ae21c9  /usr/bin/rkhunter

# rpm -V rkhunter
5S.T.....    /var/lib/rkhunter/db/mirrors.dat
5S.T.....    /var/lib/rkhunter/db/programs_bad.dat

# LC_ALL=C rpm -qi rkhunter
Name        : rkhunter
Version     : 1.3.8
Release     : 6.fc15
Architecture: noarch
Install Date: Mon Jul  4 15:56:26 2011
Group       : Applications/System
Size        : 751288
License     : GPLv2+
Signature   : RSA/SHA256, Thu Jun 23 16:31:38 2011, Key ID b4ebf579069c8460
Source RPM  : rkhunter-1.3.8-6.fc15.src.rpm
Build Date  : Tue Jun 21 23:54:28 2011
Build Host  : x86-01.phx2.fedoraproject.org
Relocations : (not relocatable)
Packager    : Fedora Project
Vendor      : Fedora Project
URL         : http://rkhunter.sourceforge.net/
Summary     : A host-based tool to scan for rootkits, backdoors and local exploits
Description :
Rootkit Hunter (RKH) is an easy-to-use tool which checks
computers running UNIX (clones) for the presence of rootkits
and other unwanted tools.
Comment 1 Kevin Fenzi 2011-07-06 14:39:39 UTC 
There was a report of this on an upstream list, but unfortunately without much detail. 

When did you start seeing these messages? 
Can you see any updates around that time (check /var/log/yum.log) that might be related? 
In particular the 'file' command. 

You have run a 'rkhunter --propupd' right?
Comment 2 Thomas Moschny 2011-07-06 15:41:10 UTC 
(In reply to comment #1)
> There was a report of this on an upstream list, but unfortunately without much
> detail. 
> 
> When did you start seeing these messages? 
> Can you see any updates around that time (check /var/log/yum.log) that might be
> related? 
> In particular the 'file' command. 

I think I saw this message from the very beginning (installed rkhunter just a couple of days ago).

> You have run a 'rkhunter --propupd' right?

No, I did not. Running it now seems to suppress that warning.

Imho that doesn't make this ticket useless though. The rkhunter RPM seems to come with wrong information (or wrong implicit assumptions) about the /usr/bin/rkhunter file. While in general it is true that only the admin knows the state of the machine and propupd should not be run automatically, the rkhunter RPM should at least know its own files.

Looking at the code, there seems to be some special case handling for the rkhunter script itself, in /usr/bin/rkhunter:10068, needing to be fixed.
Comment 3 Thomas Moschny 2011-07-06 15:51:41 UTC 
# with file.x86_64 0:5.05-3.fc15:

$ file /usr/bin/rkhunter
/usr/bin/rkhunter: POSIX shell script text executable


# with file.x86_64 0:5.07-4.fc15:

$ file /usr/bin/rkhunter
/usr/bin/rkhunter: POSIX shell script, ASCII text executable, with very long lines
Comment 4 Fedora Update System 2011-07-08 15:49:42 UTC 
rkhunter-1.3.8-7.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/rkhunter-1.3.8-7.fc15
Comment 5 Fedora Update System 2011-07-08 17:48:19 UTC 
rkhunter-1.3.8-8.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/rkhunter-1.3.8-8.fc15
Comment 6 Fedora Update System 2011-07-08 17:48:33 UTC 
rkhunter-1.3.8-8.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/rkhunter-1.3.8-8.fc15
Comment 7 Fedora Update System 2011-07-12 05:26:41 UTC 
Package rkhunter-1.3.8-8.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing rkhunter-1.3.8-8.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/rkhunter-1.3.8-8.fc15
then log in and leave karma (feedback).
Comment 8 Fedora Update System 2011-07-22 19:25:28 UTC 
rkhunter-1.3.8-8.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.