Your message dated Thu, 24 Nov 2005 15:02:08 -0800
with message-id <[EMAIL PROTECTED]>
and subject line Bug#297680: fixed in chkrootkit 0.46a-1
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
From: Ralf Neubauer <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: chkrootkit: evaluates $HOME, ignores -n (in the same line)
X-Mailer: reportbug 3.8
Date: Wed, 02 Mar 2005 10:22:21 +0100
Package: chkrootkit
Version: 0.44-2
Severity: normal
When chkrootkit is started from anacron directly after booting, I get a
very annoying mail that "find" couldn't open lots of files, which is
correct, because they are on a root_squash nfs mount.
RUN_DAILY_OPTS="-n -q" in chkrootkit.conf does not help (as in #234469,
which this bug possibly relates to).
I put some debugging code at the start of the /usr/sbin/chkrootkit
script:
    set -x
    set
    id
    /usr/bin/pstree -aAlu
which (only in this special invocation by anacron, not when called from
the shell or by the repeated daily invocation (I filed a bug against
anacron for this some minutes ago)) prints:
/etc/cron.daily/chkrootkit:
+ set
AUTOBOOT='YES'
BOOT_IMAGE='linux'
CONSOLE='/dev/console'
HOME='/'
IFS='
'
INIT_VERSION='sysvinit-2.86'
OPTIND='1'
PATH='/sbin:/bin:/usr/sbin:/usr/bin'
PPID='3522'
PREVLEVEL='N'
PS1='# '
PS2='> '
PS4='+ '
PWD='/'
RUNLEVEL='2'
SHELL='/bin/sh'
TERM='linux'
devfs='nomount'
es1371='0x200'
js='auto'
previous='N'
runlevel='2'
+ id
uid=0(root) gid=0(root)
+ /usr/bin/pstree -aAlu
init
  |-S20xprint /etc/rc2.d/S20xprint start
  |   |-S20xprint /etc/rc2.d/S20xprint start
  |   |   `-Xprt -ac -pn -nolisten tcp -audit 4
+-fp/usr/X11R6/lib/X11/fonts/Type1,/usr/lib/X11/fonts/Type1,/var/lib/defoma/x-tt
+cidfont
  |   `-S20xprint /etc/rc2.d/S20xprint start
  |-anacron -s
  |   `-sh -c nice\040run-parts\040--report\040/etc/cron.daily
  |       `-run-parts --report /etc/cron.daily
  |           `-chkrootkit -e /etc/cron.daily/chkrootkit
  |               `-chkrootkit /usr/sbin/chkrootkit -n -q
  |                   `-pstree -aAlu
[--snip--]
and later after many lines of script execution:
+ [ -f /bin/imin -o -f /bin/imout ]
+ [ t != t ]
+ [ t != t ]
+ D=/usr/include
+ [ -f /usr/include/icekey.h -o -f /usr/include/iceconf.h -o -f /usr/include/iceseed.h ]
+ [ t != t ]
+ [ t != t ]
+ files=
+ [ ! -z /bin/rbash -a ! -z / ]
+ /usr/bin/find // -name .*history -size 0
/usr/bin/find: //mnt/media/lost+found: Permission denied
/usr/bin/find: //mnt/media/cds: Permission denied
/usr/bin/find: //mnt/media/grab: Permission denied
[...list of all not world readable files on this NFS mount...]
This output corresponds with the following lines in
/usr/sbin/chkrootkit (note the $HOME = / from before...):
    ###
    ### shell history anomalies
    ###
    if [ "${QUIET}" != "t" ]; then \
       printn "Searching for anomalies in shell history files... "; fi
    files=""
    if [ ! -z "${SHELL}" -a ! -z "${HOME}" ]; then
       files=`${find} ${ROOTDIR}${HOME} -name '.*history' -size 0`
       [ ! -z "${files}" ] && \
         echo "Warning: \`${files}' file size is zero"
       files=`${find} ${ROOTDIR}${HOME} -name '.*history' \( -links 2 -o -type l \)`
       [ ! -z "${files}" ] && \
         echo "Warning: \`${files}' is linked to another file"
    fi
I still couldn't find out why $SHELL changes from /bin/sh to /bin/rbash
during the script (there are no "SHELL=..." assignments in the log;
/bin/sh is symlinked to dash on my machines), but
searching ${ROOTDIR}${HOME} seems wrong here, even if anacron had
assigned the correct $HOME from /etc/passwd; it is the only place in
chkrootkit where this variable is expanded, and it can only be assumed to
be root's home because the UID is checked somewhere else.
Anyway, -n is ignored here as well, as an aftereffect (~root being on /
seems wise).
-- System Information:
Debian Release: 3.1
APT prefers testing
APT policy: (801, 'testing'), (300, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.10-noname.2
Locale: LANG=C, LC_CTYPE=de_DE (charmap=ISO-8859-1)
Versions of packages chkrootkit depends on:
ii binutils 2.15-5 The GNU assembler, linker and bina
ii debconf 1.4.30.12 Debian configuration management sy
ii libc6 2.3.2.ds1-20 GNU C Library: Shared libraries an
ii net-tools 1.60-10 The NET-3 networking toolkit
---------------------------------------
From: lantz moore <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.56 $
Subject: Bug#297680: fixed in chkrootkit 0.46a-1
Date: Thu, 24 Nov 2005 15:02:08 -0800
Source: chkrootkit
Source-Version: 0.46a-1
We believe that the bug you reported is fixed in the latest version of
chkrootkit, which is due to be installed in the Debian FTP archive:
chkrootkit_0.46a-1.diff.gz
to pool/main/c/chkrootkit/chkrootkit_0.46a-1.diff.gz
chkrootkit_0.46a-1.dsc
to pool/main/c/chkrootkit/chkrootkit_0.46a-1.dsc
chkrootkit_0.46a-1_i386.deb
to pool/main/c/chkrootkit/chkrootkit_0.46a-1_i386.deb
chkrootkit_0.46a.orig.tar.gz
to pool/main/c/chkrootkit/chkrootkit_0.46a.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
lantz moore <[EMAIL PROTECTED]> (supplier of updated chkrootkit package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Thu, 24 Nov 2005 13:17:21 -0800
Source: chkrootkit
Binary: chkrootkit
Architecture: source i386
Version: 0.46a-1
Distribution: unstable
Urgency: low
Maintainer: lantz moore <[EMAIL PROTECTED]>
Changed-By: lantz moore <[EMAIL PROTECTED]>
Description:
chkrootkit - Checks for signs of rootkits on the local system
Closes: 297680 306263 306648 306784 307349 309386 309387 309942 310029 311107
313250 316610 318873 323191 326139 331777 333487 333710 334394 337943 337962
Changes:
chkrootkit (0.46a-1) unstable; urgency=low
.
* New upstream release (closes: 337943)
* added findargs to the 'shell history anomalies' test (closes: 297680)
* added quieting capability to chklastlog (closes: 306263)
* the wted test was running even when no wtmp file was found, fixed (see:
306449)
* added note to README.FALSE-POSITIVE
- mindi has hidden files (closes: 306784)
- erlang-base's epmd listens on a bindshell port (closes: 309386)
- perl has .packlist files (closes: 309387)
- realplay has .realplayerrc (closes: 309942)
- smlnj has .{cm,run,heap} files (closes: 323191)
- gnustep-make has .GNUsteprc (closes: 337962)
- pipsecd listens on a scalper port (closes: 307349)
* added optional depends debconf-2.0 (closes: 331777)
* added debconf translations (closes:
310029,326139,306648,311107,313250,333487,318873,334394)
* output suspicious files on separate lines (closes: 316610)
* added dependency on procps (closes: 333710)
Files:
ba67ee18f030545be5893e056395bdc3 605 misc optional chkrootkit_0.46a-1.dsc
1302d9b19f47da62bf45714ab376e2cc 36609 misc optional
chkrootkit_0.46a.orig.tar.gz
cf2db5facf635daca8ec95074d3b73fb 16156 misc optional chkrootkit_0.46a-1.diff.gz
e320dde000aaa8b5181981e67f8cb4b4 251344 misc optional
chkrootkit_0.46a-1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
iD8DBQFDhkJINFhjq9qkdRERAnzIAJ4jjAFY1FTYabRm7N7Y5eoEIs4bNwCggDW+
P2Sw47HdT192UGnErKAXOhY=
=VzBG
-----END PGP SIGNATURE-----
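
Added example, not part of the thread and not chkrootkit's or Debian's code: one way to write the 'shell history anomalies' test from the bug report so that it neither trusts the inherited $HOME nor descends into excluded mount points. The function names (home_of, history_anomalies, make_sample) and the idea of passing mount points as prune directories are assumptions; the changelog only says "added findargs".

```shell
#!/bin/sh
# Added example, not chkrootkit's code. Function names are hypothetical.

# home_of USER [PASSWD_FILE]: home directory recorded for USER, so the check
# does not depend on whatever $HOME the caller (cron, anacron, init) exported.
home_of() {
    awk -F: -v u="$1" '$1 == u { print $6; exit }' "${2:-/etc/passwd}"
}

# history_anomalies ROOTDIR HOMEDIR [PRUNE_DIR...]
# Prints .*history files that are empty, hard-linked or symlinks (the same
# conditions as the quoted test), skipping every PRUNE_DIR subtree.
history_anomalies() {
    rootdir=$1 home=$2
    shift 2
    # An empty or "/" home would turn the check into a whole-filesystem walk.
    case "$home" in '' | /) return 2 ;; esac
    start="${rootdir%/}$home"
    [ -d "$start" ] || return 0
    # Rewrite each PRUNE_DIR in "$@" as: -path DIR -prune -o
    n=$#
    while [ "$n" -gt 0 ]; do
        set -- "$@" -path "$1" -prune -o
        shift
        n=$((n - 1))
    done
    find "$start" "$@" -name '.*history' \
        \( -size 0 -o -links 2 -o -type l \) -print
}

# Constructed sample: a fake root home with an empty history file and a
# subdirectory standing in for an NFS mount point. Prints the tree's path.
make_sample() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/root/nfs"
    : > "$t/root/.bash_history"
    : > "$t/root/nfs/.zsh_history"
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$t/passwd"
    echo "$t"
}

d=$(make_sample)
history_anomalies "$d" "$(home_of root "$d/passwd")" "$d/root/nfs"
rm -rf "$d"
```

With HOME='/' as in the anacron environment shown in the report, history_anomalies returns 2 instead of walking the whole filesystem.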