On Tue, 2008-11-04 at 22:42 +0000, Dick Gevers wrote:
> On Tue, 04 Nov 2008 22:28:09 +0000, John Horne wrote about Re:
> [Rkhunter-users] False warning about /usr/sbin/vipw:
> 
> >On Tue, 2008-11-04 at 22:03 +0000, Dick Gevers wrote:
> >> On Tue, 04 Nov 2008 12:33:05 +0000, John Horne wrote about Re:
> >> [Rkhunter-users] False warning about /usr/sbin/vipw:
> >> 
> >> >On Fri, 2008-10-31 at 18:14 +0000, Dick Gevers wrote:
> >> >> Using rkhunter 1.3.3 CVS of 6th October 2008 I have to report that
> >> >> once only I get a warning for this file in today's 16.50 h cronjob.
> >> >> Not before and not after:
> >> >> 
> >> >> 
> >> >> [16:52:35] //usr/sbin/vipw                                 [ Warning ]
> >> >> [16:52:35] Warning: The file properties have changed:
> >> >> [16:52:35]          File: //usr/sbin/vipw
> >> >> [16:52:35]          Current hash: 37f1adce84d73bb92921c3bbdc074e919ce01d3d
> >> >> [16:52:35]          Stored hash : 575d90229ec34de850e99c08c6eb4bec
> >> >>
> >> >Looks like the hash function has changed - possibly from MD5 to SHA1.
> >> 
> >> I don't think so:
> >> 
> >> # sha1sum /usr/sbin/vipw 
> >> 37f1adce84d73bb92921c3bbdc074e919ce01d3d  /usr/sbin/vipw
> >> 
> >Yes, so what does 'md5sum /usr/sbin/vipw' show?
> 
> # md5sum /usr/sbin/vipw
> 575d90229ec34de850e99c08c6eb4bec  /usr/sbin/vipw
> 
Okay, so the stored hash was the MD5 one, and the 'current' one (when
RKH ran) was the SHA1 hash. The package manager will use MD5, but RKH
defaults to using SHA1 for non-packaged files. So I would still go for
some 'glitch' in the package manager.

> 
> >Can you also run:
> >
> >     rpm -qf '[%{FILEINODES}:%{FILEMODES:octal}:%{FILEUSERNAME}:
> >%{FILEGROUPNAME}:%{FILESIZES}:%{FILEMTIMES}:%{FILEMD5S}:
> >%{FILENAMES}\n]' /usr/sbin/vipw
> >and let me know what it shows (the above command should all be on one
> >line).
> 
> 
> It returns 'No such file or directory'.
> 
Doh! That should have been:

     rpm -qf --queryformat '[%{FILEINODES}:%{FILEMODES:octal}:
%{FILEUSERNAME}:%{FILEGROUPNAME}:%{FILESIZES}:%{FILEMTIMES}:%{FILEMD5S}:
%{FILENAMES}\n]' /usr/sbin/vipw | grep ':/usr/sbin/vipw$'

> 
> As far as I know Mdv does not have any prelinking (I know Fedora does; I
> don't think we do).
> 
The log file will say if prelinking is being used. I doubt you are using
it since prelinking affects the hash values (you can't run md5sum on a
prelinked file and get the 'correct' hash value).

> 
> Okay. I suspect it is totally unreproducible, but didn't want to keep it
> from you guys.
> 
I agree it is probably not reproducible. However, it is something to
bear in mind that RKH may run and give warnings which then don't appear
because the package manager (and/or prelinking) sorts itself out. As
said, I'll see if we can get RKH to be a bit more helpful in saying what
is going on.

Thanks for reporting it.



John.

-- 
---------------------------------------------------------------
John Horne, University of Plymouth, UK  Tel: +44 (0)1752 587287
E-mail: [EMAIL PROTECTED]       Fax: +44 (0)1752 587001
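The mismatch discussed above (a 32-hex-digit MD5 stored, a 40-hex-digit SHA1 current) can be told apart from a genuine file change by looking at the digest length before comparing values. The following is an added example, not rkhunter's own code and not anything posted in the thread; it uses the two digests quoted above as constructed input, and the function and variable names are its own.

```shell
#!/bin/sh
# Added example (not rkhunter code): distinguish a hash-algorithm mismatch
# from a real change to the file. A digest's length implies the algorithm:
# 32 hex digits = MD5, 40 = SHA1, 64 = SHA256.

# hash_algo DIGEST : print the algorithm implied by the digest length.
hash_algo() {
    case ${#1} in
        32) echo md5 ;;
        40) echo sha1 ;;
        64) echo sha256 ;;
        *)  echo unknown ;;
    esac
}

# classify_hashes STORED CURRENT
# Prints: unchanged, changed, or algorithm-mismatch.
# Two digests of different lengths cannot have come from the same
# algorithm, so a "changed" verdict there says nothing about the file.
classify_hashes() {
    stored=$1; current=$2
    if [ "$stored" = "$current" ]; then
        echo unchanged
    elif [ "$(hash_algo "$stored")" != "$(hash_algo "$current")" ]; then
        echo algorithm-mismatch
    else
        echo changed
    fi
}

# file_digest ALGO FILE : digest of FILE using the coreutils tool for ALGO.
file_digest() {
    case "$1" in
        md5)    md5sum "$2"    | cut -d' ' -f1 ;;
        sha1)   sha1sum "$2"   | cut -d' ' -f1 ;;
        sha256) sha256sum "$2" | cut -d' ' -f1 ;;
    esac
}

# check_file STORED FILE : recompute FILE's digest with the algorithm the
# stored value implies, so the comparison is always like-for-like, and
# report whether the file itself changed.
check_file() {
    stored=$1; file=$2
    algo=$(hash_algo "$stored")
    if [ "$algo" = unknown ]; then
        echo unknown
        return 1
    fi
    classify_hashes "$stored" "$(file_digest "$algo" "$file")"
}

# The two digests from the warning above (constructed input for the demo).
STORED_FROM_LOG=575d90229ec34de850e99c08c6eb4bec
CURRENT_FROM_LOG=37f1adce84d73bb92921c3bbdc074e919ce01d3d

# Top-level demo: prints "algorithm-mismatch" for the thread's two values.
classify_hashes "$STORED_FROM_LOG" "$CURRENT_FROM_LOG"
```

Run `check_file STORED_DIGEST /usr/sbin/vipw` with a digest taken from `rpm -q --queryformat` output to verify the on-disk file against the package database in the same algorithm the package manager used; only a "changed" verdict there indicates the file content differs from what was installed.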

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users