Bug#1025257: chkrootkit: Add possibility to skip large directory scans in find

2022-12-08 Thread Richard Lewis
control: tags -1 - patch
thanks

On Thu, 1 Dec 2022, 15:06 Peter Gervai wrote:

Hi -

> Would be nice to skip extremely large directories which the admin chooses
> to skip in the scan.
> Typical examples are /var/lib/backuppc or similar backup dirs, or various
> large mounts.

Not sure I would use this feature myself, but it doesn't seem unreasonable.
Are there other use cases than large files?

(I think most people use chkrootkit via the daily cron job - how does this
interact with that?)


Does the patch apply against the version of chkrootkit with the - many tens
of - existing Debian patches?

Also, can you add autopkgtests for the new feature and add the option to the
man page too (I didn't find what was written in the patch to the 'help'
output very clear; if you could find a clearer explanation of what this is
for, that would help too). If you do all that, I'll take a closer look.



> The following patch contains only a few changes in the find calls where it
> uses a complete root dir scan.
> I hope I was successful doing it POSIX-safe, but please check.
>

I haven't looked in detail, but I think there are some issues that need
fixing:
`...` should be replaced by $(...),
and variables look like they need quoting.
You can use shellcheck to spot some of these issues.

...chkrootkit is itself full of issues like this, but we should be making
it better with every patch.


> (Sidenote: I see you commented out '-o' at the end of the $findargs, is it
> correct this way?)
>

I don't know, but you should provide a recommendation as part of the patch.
I wouldn't be surprised if it was an error - it wouldn't be the first bit of
dubious code spotted in chkrootkit. But equally, why would it end in -o?


Bug#1025257: chkrootkit: Add possibility to skip large directory scans in find

2022-12-01 Thread Peter Gervai
Package: chkrootkit
Version: 0.55-4+b2
Severity: wishlist
Tags: patch upstream

Would be nice to skip extremely large directories which the admin chooses to
skip in the scan.
Typical examples are /var/lib/backuppc or similar backup dirs, or various large
mounts.
The following patch contains only a few changes in the find calls where it uses
a complete root dir scan.
I hope I was successful doing it POSIX-safe, but please check.

(Sidenote: I see you commented out '-o' at the end of the $findargs, is it 
correct this way?)


--- chkrootkit.orig 2022-08-17 15:47:55.0 +0200
+++ chkrootkit  2022-12-01 15:38:30.214332133 +0100
@@ -417,7 +417,7 @@
 [ -d ${ROOTDIR}/usr/lib/lib.so1.so ] && expertmode_output ${find} 
${ROOTDIR}/usr/lib/lib.so1.so
 ### sniffer's logs
 expertmode_output "${find} ${ROOTDIR}dev ${ROOTDIR}usr ${ROOTDIR}tmp \
-   ${ROOTDIR}lib ${ROOTDIR}etc ${ROOTDIR}var ${findargs} -name tcp.log -o 
-name \
+   ${ROOTDIR}lib ${ROOTDIR}etc ${ROOTDIR}var ${findargs} 
${FIND_EXCLUDE_ARGS} -name tcp.log -o -name \
 .linux-sniff -o -name sniff-l0g -o -name core_ -o -wholename 
${ROOTDIR}usr/lib/in.httpd -o \
 -wholename ${ROOTDIR}usr/lib/in.pop3d"
 
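Review bot: the inserted ${FIND_EXCLUDE_ARGS} (one `-path P -prune -o` per pattern) sits directly in front of the `-name tcp.log -o -name ...` alternatives with no grouping and no explicit -print, so find wraps the whole expression in an implicit -print and a pruned directory, for which -prune evaluates true, is itself printed as a hit. Group the match list and give it its own -print, e.g. `${findargs} ${FIND_EXCLUDE_ARGS} \( -name tcp.log -o -name .linux-sniff ... \) -print`, so the excluded directory never appears in the expert-mode output.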
@@ -707,7 +707,7 @@
if [ "${QUIET}" != "t" ]; then \
   printn "Searching for sniffer's logs, it may take a while... "; fi
files=`${find} ${ROOTDIR}dev ${ROOTDIR}tmp ${ROOTDIR}lib ${ROOTDIR}etc 
${ROOTDIR}var \
-   ${findargs} \( -name "tcp.log" -o -name ".linux-sniff" -o -name "sniff-l0g" 
-o -name "core_" \) \
+   ${findargs} ${FIND_EXCLUDE_ARGS} \( -name "tcp.log" -o -name ".linux-sniff" 
-o -name "sniff-l0g" -o -name "core_" \) \
2>/dev/null`
if [ "${files}" = "" ]
then
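Review bot: the same implicit-print problem as in the expert-mode call: the -name alternatives are already wrapped in `\( ... \)`, but nothing follows the group, so the pruned directory is printed, `files` becomes non-empty, and the `if [ "${files}" = "" ]` test that follows turns the very directory the admin excluded into a "possible sniffer log" report. Add `-print` after the closing `\)`; since this line is being edited anyway, the backtick substitution around the find could become `$(...)` as the review asks.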
@@ -2943,6 +2943,9 @@
 
 -e) shift
 EXCLUDES="$1 $EXCLUDES";;
+
+-E) shift
+EXCLUDE_DIRS="$1 $EXCLUDE_DIRS";;
 
 -s) shift
 EXCLUDES_SNIF="$1";;
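Review bot: `-E` collects its argument into a single space-separated string, so a directory whose name contains whitespace cannot be excluded and `-E` given as the last argument silently consumes nothing; this mirrors the existing `-e` handling, but because the option is described as taking find path patterns the space-separated form should be stated explicitly in the help text and man page.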
@@ -2969,6 +2972,7 @@
 -xexpert mode
 -e 'FILE1 FILE2'  exclude files/dirs from results. Must be followed by 
a space-separated list of files/dirs.
   Read 
/usr/share/doc/chkrootkit/README.FALSE-POSITIVES first.
+-E 'DIR1 DIR2'exclude dirs (actually 'find' path patterns) from 
scanning.
 -s REGEXP filter results of sniffer test through 'grep -Ev 
REGEXP' to exclude expected
   PACKET_SNIFFERs. Read 
/usr/share/doc/chkrootkit/README.FALSE-POSITIVES first.
 -r DIRuse DIR as the root directory
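Review bot: the help line does not say what the pattern is compared against. find's -path matches the whole path as find sees it from the given start directory, so with `-r DIR` the pattern must carry the root prefix (the backuppc example becomes `DIR/var/lib/backuppc`), and a trailing slash never matches. Spell that out here and in the man page, and say that the list is space-separated like `-e`; this is the clarity point raised in the review.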
@@ -3002,6 +3006,14 @@
 pth=`echo $PATH | sed -e "s/:/ /g"`
 pth="$pth /sbin /usr/sbin /lib /usr/lib /usr/libexec ."
 
+### Excluded paths from find (split the string, POSIX style)
+set -f
+FIND_EXCLUDE_ARGS=""
+for p in $EXCLUDE_DIRS; do
+   FIND_EXCLUDE_ARGS="${FIND_EXCLUDE_ARGS} -path ${p} -prune -o "
+done
+set +f
+
 ### external command's PATH
 if [ "${CHKRKPATH}" = "" ]; then
   chkrkpth=${pth}
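Review bot: `set -f` only protects the word-splitting loop; `${FIND_EXCLUDE_ARGS}` is later expanded unquoted in the two find calls after globbing has been re-enabled by `set +f`, so a pattern containing `*` or `?` is expanded by the shell against the current directory before find sees it and may vanish or turn into several arguments. Either keep `set -f` in effect around the find invocations as well, or build the argument list with `set --` and pass it as "$@" instead of a flat string. Also worth a comment that the string deliberately ends in a dangling `-o` and is empty when EXCLUDE_DIRS is unset, leaving the existing expression unchanged.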



-- System Information:
Debian Release: bookworm/sid
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'unstable'), (500, 
'oldstable'), (1, 'experimental')
merged-usr: no
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.0.0-4-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_FIRMWARE_WORKAROUND, 
TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF8, LC_CTYPE=en_US.UTF8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled

Versions of packages chkrootkit depends on:
ii  libc6  2.36-4

Versions of packages chkrootkit recommends:
ii  binutils   2.39-8
ii  iproute2   6.0.0-1+b1
ii  net-tools  1.60+git20181103.0eebece-1
ii  procps 2:3.3.17-7+b1

chkrootkit suggests no packages.

-- Configuration Files:
/etc/cron.daily/chkrootkit changed [not included]
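As an added example, not code from the bug thread or from chkrootkit, the following POSIX sh script shows the exclude handling the patch aims for written the way the review asks ($(...) rather than backticks, quoted expansions, and the prune expression grouped with an explicit -print), next to the patch's own shape for comparison. The function names, the argument convention and the sample tree under mktemp are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the bug thread or from chkrootkit: a hardened
# form of the patch's exclude handling for the sniffer-log find ($(...) instead
# of backticks, quoted expansions, prune grouped with an explicit -print).
# Assumes only POSIX sh and find; the sample tree is constructed under mktemp.
# find_sniffer_logs "PATTERN PATTERN..." STARTDIR...
# Patterns are find -path patterns matched against the full path find sees
# (so they must carry the root prefix). The match list is grouped and has its
# own -print, so a pruned directory is never itself reported.
find_sniffer_logs() {
    excludes=$1; shift
    set -f                              # keep '*' in patterns from the shell
    for p in $excludes; do
        set -- "$@" -path "$p" -prune -o    # append to the argument list
    done
    set +f
    set -- "$@" \( -name tcp.log -o -name .linux-sniff \
                   -o -name sniff-l0g -o -name core_ \) -print
    find "$@" 2>/dev/null
}

# The patch's shape for comparison: prune args in front of the -name list,
# no grouping, no explicit -print. find then wraps the whole expression in an
# implicit -print, so the pruned directory (where -prune is true) is printed.
patch_style_find() {
    excludes=$1; shift
    set -f
    for p in $excludes; do set -- "$@" -path "$p" -prune -o; done
    set +f
    find "$@" -name tcp.log -o -name .linux-sniff -o -name sniff-l0g \
              -o -name core_ 2>/dev/null
}

# Constructed sample tree: one hit outside the excluded backup dir, one inside.
setup_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/var/lib/backuppc/pc1" "$root/tmp"
    : > "$root/tmp/tcp.log"                   # must be reported
    : > "$root/var/lib/backuppc/pc1/tcp.log"  # inside excluded dir: skipped
    printf '%s\n' "$root"
}

demo() {
    root=$(setup_tree)
    echo hardened:;    find_sniffer_logs "$root/var/lib/backuppc" "$root/tmp" "$root/var"
    echo patch-style:; patch_style_find  "$root/var/lib/backuppc" "$root/tmp" "$root/var"
    rm -rf "$root"
}
demo
```

Running it prints only the real hit under the hardened form, while the patch-style expression additionally lists the excluded directory itself.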