I decided to write a new bug report because the old one has been ignored for years.

The file below exists, is created by ZendStudio, can not be changed, period.

/etc/rkhunter.conf.local:
ALLOWDEVFILE="/dev/shm/sem.SWT_Window_Zend*"

[root@srv-rhsoft:~]$ rkhunter --check
Invalid ALLOWDEVFILE configuration option: Invalid pathname: Studio
Invalid ALLOWDEVFILE configuration option: Invalid pathname: Studio_Launcher

*whatever* you are doing there, replace the space with %, write the full path and escape the space, using a wildchar, it does not work, you get *every day* over years a rkhunter warning - this is ridiculous
_____________________________

[root@srv-rhsoft:~]$ stat /dev/shm/sem.SWT_Window_Zend\ Studio
  Datei: „/dev/shm/sem.SWT_Window_Zend Studio“
  Größe: 32  Blöcke: 8  EA Block: 4096  reguläre Datei
  Gerät: fh/15d  Inode: 759736  Verknüpfungen: 1
  Zugriff: (0750/-rwxr-x---)  Uid: ( 500/ harry)  Gid: ( 501/verwaltung)
  Zugriff    : 2013-07-12 23:17:57.027048692 +0200
  Modifiziert: 2013-07-09 00:03:05.417206114 +0200
  Geändert   : 2013-07-09 00:03:05.417206114 +0200
  Geburt     : -
I talked with upstream about this issue a while back and they agreed it should be fixed, but that it was a larger job than just a simple patch. To quote: "Unfortunately this whole area comes down to handling files with spaces in their names (and in particular when wildcarding). It is something we have discussed on the developers list, and there is no easy solution. We have something in mind, but it will take some time. For that reason, I am a bit loath to try and 'fix' things involving spaces at the moment because it will have to be undone later on." I can ask again and see what their timeframe is... or if you like you could do so: rkhunter-users.net
If I only could change the behavior of "Zend Studio" or my bash skills were better, I would have solved this on my own long ago, since it is very disturbing to get a rkhunter alarm every day, because php-development is my daily job and so this file always exists :-( it's remarkable that after all the many years a simple space in filenames is still that big a problem..............
Created attachment 776931 [details] don't expand wildcards before calling check_paths
Also found upstream's remarks about how complicated fixing it would be. The attached patch fixes the issue for me (see also bug 719259), but note that given the size and complexity of rkhunter I also cannot guarantee it doesn't have unwanted side-effects :) But it worked fine in my testing. As far as I understand, the check_paths() function does wildcard expansion (as well as '%'->' ' replacement, which is rkhunter's way of quoting spaces in the non-wildcard case) itself, so it is not necessary (and in fact wrong, as this bug shows) to do that before calling it. With the patch check_paths() is called with the unexpanded, unmodified string coming from the configuration. Of course one could/should look through the code and see whether the code handling other options could be modified in a similar way.
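The failure mode described in the comment above, as an added example that is not part of the original thread and is not rkhunter code: expanding a wildcard early and re-splitting the result breaks names with spaces, while expanding once with field splitting disabled does not. The function names and the scratch directory standing in for /dev/shm are assumptions made for the illustration.

```shell
# Added illustration, not rkhunter code; function names are hypothetical.

# Constructed sample: a scratch directory standing in for /dev/shm.
make_sample() {
    dir=$(mktemp -d) || return 1
    : > "$dir/sem.SWT_Window_Zend Studio"
    : > "$dir/sem.SWT_Window_Zend Studio_Launcher"
    printf '%s\n' "$dir"
}

# Broken order: expand the wildcard first, keep the result in one
# space-separated string, then let a later step split it into words.
# Prints the words that later step would see, one per line.
early_expand() {
    expanded=$(echo $1)          # unquoted: glob expands, names joined by ' '
    printf '%s\n' $expanded      # unquoted again: split at every space
}

# Safer order: keep the configured pattern as one string, map '%' to a
# space, then expand it exactly once with field splitting switched off.
# Prints the matched pathnames, one per line.
late_expand() {
    pattern=$(printf '%s' "$1" | tr '%' ' ')
    old_ifs=$IFS
    IFS=                         # empty IFS: no word splitting, globbing still on
    set -- $pattern
    IFS=$old_ifs
    printf '%s\n' "$@"
}

# Words that are not absolute pathnames, i.e. what a path validator rejects.
rejected() {
    while IFS= read -r word; do
        case $word in /*) ;; *) printf '%s\n' "$word" ;; esac
    done
}

demo() {
    d=$(make_sample) || return 1
    echo "early: $(early_expand "$d/sem.SWT_Window_Zend*" | rejected | tr '\n' ' ')"
    echo "late:  $(late_expand "$d/sem.SWT_Window_Zend*" | rejected | tr '\n' ' ')"
    rm -rf "$d"
}
demo
```

The words rejected in the early-expansion case are the same fragments that appear in the "Invalid pathname" messages in the original report.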
Would you mind running this by upstream? Or would you mind if I do so?
(In reply to Kevin Fenzi from comment #5)
> Would you mind running this by upstream? Or would you mind if I do so?

No, please go ahead. As I said I think the patch is somehow incomplete, but in principle I don't see why it should not work that way.
ALLOWDEVFILE=/dev/shm/sem.SWT_Window_Zend%Studio

seems to do the trick since version 1.4
% replaces the space instead of escaping or wildchars
Yes, that will work if you know the exact filename... if you need a wildcard it won't. Upstream has a bunch of changes that should fix things next release, but the next release is a while off right now. So, I can try and do a build with this patch to test things out? and if there's no serious regressions, we can use that in the mean time.
in my case it is a fixed filename, the whitespace was more "if you are too stupid to recognize a space i give you ZendStudio*"

IMHO it is still poor that you need to know it is a % sign instead of a space or a backslash-escaped space - if i write a software and internally something needs to be escaped this way it is my job to read the configuration and make the transition transparent while the user's job is to tell me the path as it is
(In reply to Kevin Fenzi from comment #8)
> So, I can try and do a build with this patch to test things out? and if
> there's no serious regressions, we can use that in the mean time.

So, is this still an option? Or what about upstream's release plans?
I'll push this now into rawhide and f20... I'm waiting to hear back on a few other bugs I'd like to fix before pushing to stable releases. Upstream isn't fully sure when the next release will be out.
This message is a reminder that Fedora 18 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 18. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '18'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 18's end of life.

Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 18 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to Fedora 18's end of life.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Can you test this scratch build: http://koji.fedoraproject.org/koji/taskinfo?taskID=6630812 against this issue to confirm it's fixed?
can you provide a command to generate such a shm-file?
looks like recent ZendStudio versions no longer create them or whatever triggers to do so is unknown to me and hits only unexpected

[root@srv-rhsoft:~]$ LANG=C
[root@srv-rhsoft:~]$ ls -lha -R /dev/shm/
/dev/shm/:
total 0
drwxrwxrwt  2 root root   40 2014-03-13 16:03 .
drwxr-xr-x 19 root root 3.9K 2014-03-13 16:11 ..
Ah, perhaps this is no longer needed then. You could simulate it by just doing a 'touch "/dev/shm/foo bar"' I guess.
now confirmed as working
the last two config lines with the real spaces are now fine

[root@srv-rhsoft:~]$ rkhunter --check
Warning: Suspicious file types found in /dev:
         /dev/shm/sem.SWT_Window_Zend<SP>Studio: data

ALLOWDEVFILE=/dev/shm/sem.SWT_Window_Zend%Studio
ALLOWDEVFILE=/dev/shm/sem.SWT_Window_Zend%Studio_Launcher
ALLOWDEVFILE=/dev/shm/sem.SWT_Window_Zend<SP>Studio
ALLOWDEVFILE=/dev/shm/sem.SWT_Window_Zend<SP>Studio_Launcher
ALLOWDEVFILE=/dev/shm/sem.SWT_Window_Zend Studio
ALLOWDEVFILE=/dev/shm/sem.SWT_Window_Zend Studio_Launcher
Excellent. Thanks!