Bug#542139: rkhunter: Spurious warnings when access to /proc/kallsyms is disabled for security reasons

2009-08-18 Thread Julien Valroff
On Tuesday 18 August 2009 at 14:56 +1200, Francois Marier wrote:
 Package: rkhunter
 Version: 1.3.4-6
 Severity: normal
 Tags: patch
 
 Certain security frameworks (e.g. grsecurity) prevent programs from reading
 /proc/kallsyms.
 
 The file exists but it returns an error when you try to read from it. I end up
 receiving these emails every day:
[...]
 
 I have attached a patch which disables this check (as if /proc/kallsyms was
 missing) if the file is not readable.

What about simply changing the test call as follows:

-elif [ -f ${RKHROOTDIR}/proc/kallsyms ]; then
+elif [ -r ${RKHROOTDIR}/proc/kallsyms ]; then
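Review bot: `-r` on the `+elif` line only asks whether the permission bits allow reading, not whether a read actually succeeds, so it cannot detect a /proc/kallsyms that opens normally and then returns an error on read; for a process running as root the test is true for any existing file. Probe with a real read instead, for example `head -n 1 "${RKHROOTDIR}/proc/kallsyms" >/dev/null 2>&1`, and quote the `${RKHROOTDIR}` expansion inside the test brackets.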

Given your explanations, I would say it should work, would you please
test?

Cheers,
Julien





2009-08-18 Thread Francois Marier
On 2009-08-18 at 08:25:23, Julien Valroff wrote:
 What about simply changing the test call as follows:
 
 -elif [ -f ${RKHROOTDIR}/proc/kallsyms ]; then
 +elif [ -r ${RKHROOTDIR}/proc/kallsyms ]; then
 
 Given your explanations, I would say it should work, would you please
 test?

I just tried it and it didn't work. It still prints out these error
messages.

Permission-wise, it looks like the file is readable, but when you start
reading it, you get only errors out of it.

Cheers,
Francois
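
The difference reported above between a file that passes the permission test and one that can actually be read, as an added example that is not part of the thread or of rkhunter. The function names are hypothetical, the sample symbol line is constructed, and a directory stands in for the hardened /proc/kallsyms because it also passes `-r` while every read fails.

```shell
#!/bin/sh
# Added illustration: names below are hypothetical, not rkhunter's.

# classify_ksyms FILE -> prints one of:
#   missing     FILE does not exist
#   noperm      permission bits deny reading ([ -r ] fails)
#   unreadable  [ -r ] passes but the read itself errors out
#   empty       read works but returns no data
#   ok          first line was read successfully
classify_ksyms() {
    f=$1
    [ -e "$f" ] || { echo missing; return 0; }
    [ -r "$f" ] || { echo noperm; return 0; }
    # Only an actual read reveals errors such as EIO.
    if ! line=$(head -n 1 "$f" 2>/dev/null); then
        echo unreadable
        return 0
    fi
    [ -n "$line" ] || { echo empty; return 0; }
    echo ok
}

# select_ksyms_file CANDIDATE...: print the first candidate that can
# really be read; return 1 (check should be skipped) if none can.
select_ksyms_file() {
    for cand in "$@"; do
        if [ "$(classify_ksyms "$cand")" = ok ]; then
            printf '%s\n' "$cand"
            return 0
        fi
    done
    return 1
}

# Demo on constructed inputs (no real /proc access needed).
demo_dir=$(mktemp -d)
printf 'ffffffff81000000 T _text\n' > "$demo_dir/kallsyms"  # constructed
mkdir "$demo_dir/blocked"   # stand-in: passes -r, every read fails
for f in "$demo_dir/kallsyms" "$demo_dir/blocked" "$demo_dir/absent"; do
    printf '%-10s %s\n' "${f##*/}" "$(classify_ksyms "$f")"
done
rm -rf "$demo_dir"
```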




2009-08-18 Thread Julien Valroff
On Tuesday 18 August 2009 at 18:56 +1200, Francois Marier wrote:
 On 2009-08-18 at 08:25:23, Julien Valroff wrote:
  What about simply changing the test call as follows:
  
  -elif [ -f ${RKHROOTDIR}/proc/kallsyms ]; then
  +elif [ -r ${RKHROOTDIR}/proc/kallsyms ]; then
  
  Given your explanations, I would say it should work, would you please
  test?
 
 I just tried it and it didn't work. It still prints out these error
 messages.
 
 Permission-wise, it looks like the file is readable, but when you start
 reading it, you get only errors out of it.

OK, I will add your patch to the next Debian upload, and will report
this upstream so that this can be fixed for the next release.

Thanks for your work.

Cheers,
Julien





2009-08-17 Thread Francois Marier
Package: rkhunter
Version: 1.3.4-6
Severity: normal
Tags: patch

Certain security frameworks (e.g. grsecurity) prevent programs from reading 
/proc/kallsyms.

The file exists but it returns an error when you try to read from it. I end up
receiving these emails every day:

  From: Anacron r...@localhost
  To: r...@localhost
  Subject: Anacron job 'cron.daily' on localhost
  
  /etc/cron.daily/rkhunter:
  grep: /proc/kallsyms: Input/output error
  grep: /proc/kallsyms: Input/output error
  grep: /proc/kallsyms: Input/output error
  grep: /proc/kallsyms: Input/output error
  grep: /proc/kallsyms: Input/output error
  grep: /proc/kallsyms: Input/output error
  grep: /proc/kallsyms: Input/output error
  grep: /proc/kallsyms: Input/output error
  grep: /proc/kallsyms: Input/output error
  grep: /proc/kallsyms: Input/output error
  grep: /proc/kallsyms: Input/output error
  grep: /proc/kallsyms: Input/output error

I have attached a patch which disables this check (as if /proc/kallsyms was
missing) if the file is not readable.

Cheers,
Francois

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.30.5-grsec (SMP w/2 CPU cores; PREEMPT)
Shell: /bin/sh linked to /bin/dash

Versions of packages rkhunter depends on:
ii  binutils               2.19.51.20090805-1  The GNU assembler, linker and bina
ii  debconf [debconf-2.0]  1.5.27              Debian configuration management sy
ii  exim4                  4.69-11             metapackage to ease Exim MTA (v4)
ii  exim4-daemon-light [m  4.69-11             lightweight Exim MTA (v4) daemon
ii  file                   5.03-1              Determines file type using magic
ii  net-tools              1.60-23             The NET-3 networking toolkit
ii  perl                   5.10.0-24           Larry Wall's Practical Extraction

Versions of packages rkhunter recommends:
ii  curl                   7.19.5-1            Get a file from an HTTP, HTTPS or
ii  iproute                20090324-1          networking and traffic control too
ii  lsof                   4.81.dfsg.1-1       List open files
pn  unhide                 none                (no description available)
ii  wget                   1.11.4-4            retrieves files from the web

Versions of packages rkhunter suggests:
pn  bsd-mailx              none                (no description available)
pn  tripwire               none                (no description available)

-- debconf information:
* rkhunter/apt_autogen: true
* rkhunter/cron_daily_run: true
* rkhunter/cron_db_update: true
--- /usr/bin/rkhunter   2009-07-29 05:01:56.0 +1200
+++ rkhunter2009-08-18 14:31:47.0 +1200
@@ -12316,6 +12316,15 @@
elif [ -f ${RKHROOTDIR}/proc/kallsyms ]; then
KSYMS_FILE=${RKHROOTDIR}/proc/kallsyms
fi
+
+   #
+   # Check to make sure that the symbols are readable
+   # as certain security frameworks hide this.
+   #
+
+   if ! head -1 /proc/kallsyms  /dev/null 21 ; then
+   KSYMS_FILE=
+   fi
 fi
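
Review bot: The added `head -1` probe reads the literal `/proc/kallsyms`, while the branch just above assigns `${RKHROOTDIR}/proc/kallsyms` to KSYMS_FILE, so with a non-empty RKHROOTDIR the file being probed and the file later used can differ. Probe `"$KSYMS_FILE"` instead, and only when it is non-empty, so the check covers whichever symbol file was selected. The redirections on that line appear to have lost their operators in this copy; the probe needs `>/dev/null 2>&1` to discard both the output and the error message, and `head -n 1` is the portable spelling of `head -1`.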