On Tue, 04 Nov 2008 22:28:09 +0000, John Horne wrote about Re: [Rkhunter-users] False warning about /usr/sbin/vipw:
>On Tue, 2008-11-04 at 22:03 +0000, Dick Gevers wrote:
>> On Tue, 04 Nov 2008 12:33:05 +0000, John Horne wrote about Re:
>> [Rkhunter-users] False warning about /usr/sbin/vipw:
>>
>> >On Fri, 2008-10-31 at 18:14 +0000, Dick Gevers wrote:
>> >> Using rkhunter 1.3.3 cvs of 6th October 2008 I have to report that
>> >> once only I get a warning for this file in today's 16.50 h cronjob.
>> >> Not before and not after:
>> >>
>> >> [16:52:35] //usr/sbin/vipw                                [ Warning ]
>> >> [16:52:35] Warning: The file properties have changed:
>> >> [16:52:35]          File: //usr/sbin/vipw
>> >> [16:52:35]          Current hash: 37f1adce84d73bb92921c3bbdc074e919ce01d3d
>> >> [16:52:35]          Stored hash : 575d90229ec34de850e99c08c6eb4bec
>> >>
>> >Looks like the hash function has changed - possibly from MD5 to SHA1.
>>
>> I don't think so:
>>
>> # sha1sum /usr/sbin/vipw
>> 37f1adce84d73bb92921c3bbdc074e919ce01d3d  /usr/sbin/vipw
>>
>Yes, so what does 'md5sum /usr/sbin/vipw' show?

# md5sum /usr/sbin/vipw
575d90229ec34de850e99c08c6eb4bec  /usr/sbin/vipw

>Can you also run:
>
>   rpm -qf '[%{FILEINODES}:%{FILEMODES:octal}:%{FILEUSERNAME}:%{FILEGROUPNAME}:%{FILESIZES}:%{FILEMTIMES}:%{FILEMD5S}:%{FILENAMES}\n]' /usr/sbin/vipw
>
>and let me know what it shows (the above command should all be on one
>line).

It returns 'No such file or directory'.
# rpm -qfvvvv /usr/sbin/vipw
D: opening db environment /var/lib/rpm/Packages create:cdb:mpool:joinenv
D: acquire_extra_lock: locked 3
D: opening db index       /var/lib/rpm/Packages rdonly mode=0x0
D: locked   db index       /var/lib/rpm/Packages
D: opening db index       /var/lib/rpm/Basenames rdonly mode=0x0
D: read h#   60305 Header SHA1 digest: OK (15dd24eaac876336b7f56b978fbb1f946bf7a0a8)
shadow-utils-4.0.12-17mdv2009.0
D: closed   db index       /var/lib/rpm/Basenames
D: closed   db index       /var/lib/rpm/Packages
D: release_extra_lock_may_clean(/var/lib/rpm, 3)
D: cleaning db regions (ie db__* files) in /var/lib/rpm
D: closed   db environment /var/lib/rpm/Packages
D: May free Score board((nil))

>I'm tending to think that it was some interaction between the file
>concerned and your package manager. If the check with the package
>manager fails (albeit it depends where it fails), then RKH assumes the
>file is not part of a package and so treats it like an ordinary file. In
>that respect the hash check would fail, the inode would also fail if
>prelinking is used.

As far as I know Mdv does not have any prelinking (I know Fedora does; I
don't think we do).

>However, I would also then perhaps have expected
>things like the DTM to have failed too.
>
>Obviously, next time around if the package manager command works, then
>RKH sees no error.
>
>Part of the problem is that we deliberately do not record package
>manager failures for the simple reason that they are not failures for
>non-packaged files. I'll have a think about this, and perhaps see if we
>can see if a bit more info can be stored/logged if a package manager
>command fails.

Well, vipw is a packaged file, not created by any rpm package script.

Okay. I suspect it is totally unreproducible, but didn't want to keep it
from you guys.

Thanks for all.
Ciao,
=Dick Gevers=

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
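Added example, not rkhunter's code and not posted by anyone in the thread: a minimal file-properties check in the spirit of the test that fired above. The point it illustrates is the one John raises: a stored MD5 digest (32 hex characters) compared byte-for-byte against a freshly computed SHA-1 digest (40 hex characters) always looks like a changed file, even when the file is untouched. The check below infers the algorithm from the length of the stored digest and recomputes with that same algorithm, so an old MD5 baseline is compared on equal terms, while a genuine modification is still reported together with the other properties (inode, mode, size) that changed. The digest-length table, the function names and the sample "vipw" file written into a temporary directory are all constructed for this example; the rpm cross-check (`rpm -q --queryformat ...`) is deliberately left out so the block runs offline.

```python
"""Algorithm-aware file-properties check (illustrative, not rkhunter's code).

A baseline maps a path to {hash, inode, mode, size}.  On re-check the digest
is recomputed with whichever algorithm produced the *stored* digest, inferred
from its hex length, so a database written with MD5 is not reported as
"changed" merely because the current run defaults to SHA-1.
"""
import hashlib
import os
import tempfile

# Hex-digest length -> hashlib algorithm name.  Assumption for this example;
# rkhunter takes its hash function from configuration, not from digest length.
_ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def file_digest(path, algo):
    """Hex digest of a file, streamed in 64 KiB chunks."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def algo_for(digest):
    """Guess the algorithm a stored hex digest was produced with."""
    try:
        return _ALGO_BY_LEN[len(digest)]
    except KeyError:
        raise ValueError("unrecognised digest length %d" % len(digest))


def snapshot(path, algo="sha1"):
    """Record the properties a file-properties test compares."""
    st = os.stat(path)
    return {
        "hash": file_digest(path, algo),
        "inode": st.st_ino,
        "mode": oct(st.st_mode & 0o7777),
        "size": st.st_size,
    }


def check(path, stored):
    """Return [(property, stored_value, current_value)] for every mismatch.

    The digest is recomputed with the algorithm of the stored digest, so a
    baseline taken with MD5 is never compared against a SHA-1 value.
    """
    cur = snapshot(path, algo_for(stored["hash"]))
    return [(k, stored[k], cur[k]) for k in stored if stored[k] != cur[k]]


def demo():
    """Reproduce the false alarm and show the algorithm-aware comparison.

    Returns (naive_mismatch, aware_mismatches, props_changed_after_edit).
    """
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "vipw")
        with open(p, "wb") as f:                      # constructed sample file
            f.write(b"#!/bin/sh\nexec /usr/bin/vi /etc/passwd\n")
        os.chmod(p, 0o755)

        baseline_md5 = snapshot(p, "md5")            # old database: MD5
        # Naive string comparison against a SHA-1 rescan: always "changed".
        naive = snapshot(p, "sha1")["hash"] != baseline_md5["hash"]
        # Algorithm-aware comparison of the same untouched file: no findings.
        aware = check(p, baseline_md5)

        # A real modification is still caught, with the properties that moved.
        with open(p, "ab") as f:
            f.write(b"# appended by demo\n")
        changed = [name for name, _, _ in check(p, baseline_md5)]
        return naive, aware, changed


if __name__ == "__main__":
    naive, aware, changed = demo()
    print("naive MD5-vs-SHA1 comparison flags change:", naive)
    print("algorithm-aware comparison findings:", aware)
    print("properties changed after edit:", changed)
```

Inferring the algorithm from digest length is a stopgap for reading an old baseline; a database written today should store the algorithm name alongside the digest so the comparison never has to guess, and a file that the package manager does claim should be compared against the package's recorded digest rather than against a locally stored one.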