Bug 984180 - ALLOWDEVFILE does not work since years with path containing a space
ALLOWDEVFILE does not work since years with path containing a space
Product: Fedora
Classification: Fedora
Component: rkhunter (Show other bugs)
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Kevin Fenzi
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2013-07-13 05:36 EDT by Harald Reindl
Modified: 2014-04-06 13:55 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2014-04-06 13:55:10 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
don't expand wildcards before calling check_paths (648 bytes, patch)
2013-07-22 10:44 EDT, Thomas Moschny
no flags Details | Diff

  None (edit)
Description Harald Reindl 2013-07-13 05:36:26 EDT
i decided to write a new bugreport because the old one is ignored for years

the file below exists, is created by ZendStudio, can not be changed, period


[root@srv-rhsoft:~]$ rkhunter --check
Invalid ALLOWDEVFILE configuration option: Invalid pathname: Studio
Invalid ALLOWDEVFILE configuration option: Invalid pathname: Studio_Launcher

*whatever* you are doing there, replace the space with %, write the full path and escape the space, using a wildchar, it doe snot work, you get *every day* over years a rkhunter warning - this is ridiculous

[root@srv-rhsoft:~]$ stat /dev/shm/sem.SWT_Window_Zend\ Studio
  Datei: „/dev/shm/sem.SWT_Window_Zend Studio“
  Größe: 32             Blöcke: 8          EA Block: 4096   reguläre Datei
Gerät: fh/15d   Inode: 759736      Verknüpfungen: 1
Zugriff: (0750/-rwxr-x---)  Uid: (  500/   harry)   Gid: (  501/verwaltung)
Zugriff    : 2013-07-12 23:17:57.027048692 +0200
Modifiziert: 2013-07-09 00:03:05.417206114 +0200
Geändert   : 2013-07-09 00:03:05.417206114 +0200
 Geburt    : -
Comment 1 Kevin Fenzi 2013-07-13 14:03:17 EDT
I talked with upstream about this issue a while back and they agreed it should be fixed, but that it was a larger job than just a simple patch. 

To quote: 

"Unfortunately this whole area comes down to handling files with spaces
in their names (and in particular when wildcarding). It is something we
have discussed on the developers list, and there is no easy solution. We
have something in mind, but it will take some time. For that reason, I
am a bit loathe to try and 'fix' things involving spaces at the moment
because it will have to be undone later on."

I can ask again and see what their timeframe is... or if you like you could do so: 
Comment 2 Harald Reindl 2013-07-13 20:06:03 EDT
If i only could chnage the behavior of "Zend Studio" or my bash skills would be better i had solved this at my own long ago since it is very disturbing get every day a rkhunter-alarm because php-development is my daily job and so this file exists always :-(

it's remarkably that after all the many years a simple space in filenames i still that big problem..............
Comment 3 Thomas Moschny 2013-07-22 10:44:27 EDT
Created attachment 776931 [details]
don't expand wildcards before calling check_paths
Comment 4 Thomas Moschny 2013-07-22 10:45:07 EDT
Also found upstream's remarks about how complicated fixing it would be.

The attached patch fixes the issue for me (see also bug 719259), but note that given the size and complexity of rkhunter I also cannot guarantee it doesn't have unwanted side-effects :) But it worked fine in my testing.

As far as I understand, the check_paths() function does wildcard expansion (as well as '%'->' ' replacement, which is rkunter's way of quoting spaces in the non-wildcard case) itself, so it is not necessary (and in fact wrong, as this bug shows) to do that before calling it. With the patch check_paths() is called with the unexpanded, unmodified string coming from the configuration.

Of course one could/should look through the code and see whether the code handling other options could be modified in a similar way.
Comment 5 Kevin Fenzi 2013-07-22 16:11:46 EDT
Would you mind running this by upstream? Or would you mind if I do so?
Comment 6 Thomas Moschny 2013-07-22 16:51:45 EDT
(In reply to Kevin Fenzi from comment #5)
> Would you mind running this by upstream? Or would you mind if I do so?

No, please go ahead. As I said I think the patch is somehow incomplete, but in principle I don't see why it should not work that way.
Comment 7 Harald Reindl 2013-08-03 18:31:08 EDT

seems to do the trick since version 1.4
% replaces the space instead of escaping or wildchars
Comment 8 Kevin Fenzi 2013-08-03 20:53:03 EDT
Yes, that will work if you know the exact filename... if you need a wildcard it won't. 

Upstream has a bunch of changes that should fix things next release, but the next release is a while off right now. 

So, I can try and do a build with this patch to test things out? and if there's no serious regressions, we can use that in the mean time.
Comment 9 Harald Reindl 2013-08-04 04:30:41 EDT
in my case it is a fixed filename, the whitespace was more "if you are too stupid for recognize as space i give you ZendStudio*" 

IMHO it is still poor that you need to know it is a % sign instead a space or witha backslash escaped space - if i write a software and internally something needs to be escaped this way it is my job to read the configuration and make the trannsition transparent while the users job is to tell me the path as it is
Comment 10 Thomas Moschny 2013-08-29 11:35:41 EDT
(In reply to Kevin Fenzi from comment #8)
> So, I can try and do a build with this patch to test things out? and if
> there's no serious regressions, we can use that in the mean time.

So, is this still an option? Or what about upstream's release plans?
Comment 11 Kevin Fenzi 2013-09-01 15:10:22 EDT
I'll push this now into rawhide and f20... I'm waiting to hear back on a few other bugs I'd like to fix before pushing to stable releases. 

Upstream isn't fully sure when the next release will be out.
Comment 12 Fedora End Of Life 2013-12-21 10:35:25 EST
This message is a reminder that Fedora 18 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 18. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '18'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 18's end of life.

Thank you for reporting this issue and we are sorry that we may not be 
able to fix it before Fedora 18 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior to Fedora 18's end of life.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
Comment 13 Kevin Fenzi 2014-03-13 15:53:44 EDT
Can you test this scratch build: 


against this issue to confirm it's fixed?
Comment 14 Harald Reindl 2014-03-13 16:02:36 EDT
can you provide a command to generate such a shm-file?

looks like recent ZendStudio versions no longer creates them
or whatever triggers to do so is unknown to me and hits only

[root@srv-rhsoft:~]$ LANG=C                                                                                                     
[root@srv-rhsoft:~]$ ls -lha -R /dev/shm/                                                                                       
total 0                                                                                                                         
drwxrwxrwt  2 root root   40 2014-03-13 16:03 .
drwxr-xr-x 19 root root 3.9K 2014-03-13 16:11 ..
Comment 15 Kevin Fenzi 2014-03-13 18:42:31 EDT
Ah, perhaps this is no longer needed then. 

You could simulate it by just doing a 'touch "/dev/shm/foo bar"' I guess.
Comment 16 Harald Reindl 2014-03-20 11:16:58 EDT
now confirmed as working 
the last two config lines with the real spaces are now fine

[root@srv-rhsoft:~]$ rkhunter --check
Warning: Suspicious file types found in /dev:
         /dev/shm/sem.SWT_Window_Zend<SP>Studio: data

ALLOWDEVFILE=/dev/shm/sem.SWT_Window_Zend Studio
ALLOWDEVFILE=/dev/shm/sem.SWT_Window_Zend Studio_Launcher
Comment 17 Kevin Fenzi 2014-04-06 13:55:10 EDT
Excellent. Thanks!

Note You need to log in before you can comment on or make changes to this bug.