Package: chkrootkit
Version: 0.44-2
Severity: normal

When chkrootkit is started from anacron directly after booting, I get a
very annoying mail that "find" couldn't open lots of files, which is
correct, because they are on a root_squash nfs mount.
RUN_DAILY_OPTS="-n -q" in chkrootkit.conf does not help (as in #234469,
which this bug possibly relates to).

I put some debugging code at the start of the /usr/sbin/chkrootkit
script:

set -x
set
id
/usr/bin/pstree -aAlu

which (only in this special invocation by anacron, not when called from
the shell or by the repeated daily invocation (I filed a bug against
anacron for this some minutes ago)) prints:

/etc/cron.daily/chkrootkit:
+ set
AUTOBOOT='YES'
BOOT_IMAGE='linux'
CONSOLE='/dev/console'
HOME='/'
IFS='
'
INIT_VERSION='sysvinit-2.86'
OPTIND='1'
PATH='/sbin:/bin:/usr/sbin:/usr/bin'
PPID='3522'
PREVLEVEL='N'
PS1='# '
PS2='> '
PS4='+ '
PWD='/'
RUNLEVEL='2'
SHELL='/bin/sh'
TERM='linux'
devfs='nomount'
es1371='0x200'
js='auto'
previous='N'
runlevel='2'
+ id
uid=0(root) gid=0(root)
+ /usr/bin/pstree -aAlu
init
  |-S20xprint /etc/rc2.d/S20xprint start
  |   |-S20xprint /etc/rc2.d/S20xprint start
  |   |   `-Xprt -ac -pn -nolisten tcp -audit 4
+-fp/usr/X11R6/lib/X11/fonts/Type1,/usr/lib/X11/fonts/Type1,/var/lib/defoma/x-tt
+cidfont
  |   `-S20xprint /etc/rc2.d/S20xprint start
  |-anacron -s
  |   `-sh -c nice\040run-parts\040--report\040/etc/cron.daily
  |       `-run-parts --report /etc/cron.daily
  |           `-chkrootkit -e /etc/cron.daily/chkrootkit
  |               `-chkrootkit /usr/sbin/chkrootkit -n -q
  |                   `-pstree -aAlu
[--snip--]

and later after many lines of script execution:

+ [ -f /bin/imin -o -f /bin/imout ]
+ [ t != t ]
+ [ t != t ]
+ D=/usr/include
+ [ -f /usr/include/icekey.h -o -f /usr/include/iceconf.h -o -f
+/usr/include/iceseed.h ]
+ [ t != t ]
+ [ t != t ]
+ files=
+ [ ! -z /bin/rbash -a ! -z / ]
+ /usr/bin/find // -name .*history -size 0
/usr/bin/find: //mnt/media/lost+found: Permission denied
/usr/bin/find: //mnt/media/cds: Permission denied
/usr/bin/find: //mnt/media/grab: Permission denied
[...list of all not world readable files on this NFS mount...]

This output corresponds with the following lines in
/usr/sbin/chkrootkit (note the $HOME = / from before...):

   ###
   ### shell history anomalies
   ###
   if [ "${QUIET}" != "t" ]; then \
      printn "Searching for anomalies in shell history files... "; fi
   files=""
   if [ ! -z "${SHELL}" -a ! -z "${HOME}" ]; then
      files=`${find} ${ROOTDIR}${HOME} -name '.*history' -size 0`
      [ ! -z "${files}" ] && \
        echo "Warning: \`${files}' file size is zero"
      files=`${find} ${ROOTDIR}${HOME} -name '.*history' \( -links 2 -o -type l \)`
      [ ! -z "${files}" ] && \
        echo "Warning: \`${files}' is linked to another file"
   fi

I still couldn't find out why $SHELL changes from /bin/sh to /bin/rbash
during the script (there are no "SHELL=..."-assignments in the log,
/bin/sh is symlinked to dash on my machines), but
searching ${ROOTDIR}${HOME} seems wrong here, even if anacron had
assigned the correct $HOME from /etc/passwd; it is the only place in
chkrootkit where this variable is expanded, and it can only be assumed to
be root's home, because the UID is checked somewhere else.

Anyway, -n is ignored here as well, as an aftereffect (~root being on /
seems wise).

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (801, 'testing'), (300, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.10-noname.2
Locale: LANG=C, LC_CTYPE=de_DE (charmap=ISO-8859-1)

Versions of packages chkrootkit depends on:
ii  binutils                    2.15-5       The GNU assembler, linker and bina
ii  debconf                     1.4.30.12    Debian configuration management sy
ii  libc6                       2.3.2.ds1-20 GNU C Library: Shared libraries an
ii  net-tools                   1.60-10      The NET-3 networking toolkit

