From nobody Thu Jul 8 12:16:44 2021 X-Original-To: freebsd-ports@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 24F53122774C; Thu, 8 Jul 2021 12:16:48 +0000 (UTC) (envelope-from trashcan@ellael.org) Received: from mx2.enfer-du-nord.net (mx2.enfer-du-nord.net [IPv6:2001:41d0:701:1000::1685]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4GLFdq6yv5z4pxq; Thu, 8 Jul 2021 12:16:47 +0000 (UTC) (envelope-from trashcan@ellael.org) Received: from smtpclient.apple (p200300FB4F03f5013d64EC276C99a51F.dip0.t-ipconnect.de [IPv6:2003:fb:4f03:f501:3d64:ec27:6c99:a51f]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx2.enfer-du-nord.net (Postfix) with ESMTPSA id 4GLFdm5t1Yz6jd; Thu, 8 Jul 2021 14:16:44 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ellael.org; s=dkim; t=1625746604; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=wqzz6QbVDXeMjJ3ZuLP69RKqgsI5cOcEOzjr1QgyLbs=; b=bgdVigHaUv6KY8OOvRAPIKtRXyawJaRcLWcpIviBENWgjjlhBOH48gBSvwspCBbkVQHgmt 1IHR7VCRRf0d5C+Q8pDI4YZhaNyXbP08FqXGzb8jYCisd6wOytrVJLpqROh6+J42AfyArc zbvCWEjbGKzg1NQzmGGEeCXENec/FptS6fr1fxaT6FTIkmsJwTN9qdSa/4Bm7BttTkJD+k 4fUdO1w57QcNJpMjS53hA2e/p+IdlTlcGbjetWpbBLvFltmxb29h+PL42rfUH8JlEFIyJM 8TSie4uRkbDh8bvw2aMYqGRi5b+A2OODlmv80Y0CBB9j5sHfx7y0UTxNP1nIJg== Content-Type: text/plain; charset=utf-8 List-Id: Porting software to FreeBSD List-Archive: https://lists.freebsd.org/archives/freebsd-ports List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-ports@freebsd.org X-BeenThere: freebsd-ports@freebsd.org Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.100.0.2.22\)) Subject: Re: security/rkhunter without hashes after recent STABLE-13 update In-Reply-To: <4355013a-0be1-829f-2fe5-86eeb4ba80f7@freebsd.org> Date: Thu, 8 Jul 2021 14:16:44 +0200 Cc: Warner Losh , FreeBSD-STABLE Mailing List , FreeBSD ports , lukasz@wasikowski.net Content-Transfer-Encoding: quoted-printable Message-Id: References: <416D3033-138D-4BBB-84FA-FAEA2944C837@ellael.org> <08637D0D-9D65-4F53-9A64-F4742BA8E415@ellael.org> <0B2C7AEA-27C6-4259-9DCF-D20C19737A50@ellael.org> <4355013a-0be1-829f-2fe5-86eeb4ba80f7@freebsd.org> To: Stefan Esser X-Mailer: Apple Mail (2.3654.100.0.2.22) X-Rspamd-Queue-Id: 4GLFdq6yv5z4pxq X-Spamd-Bar: ---- Authentication-Results: mx1.freebsd.org; none X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[] Reply-To: trashcan@ellael.org From: Michael Grimm via freebsd-stable X-Original-From: Michael Grimm X-ThisMailContainsUnwantedMimeParts: N Hi Stefan, Stefan Esser wrote > Am 07.07.21 um 22:24 schrieb Michael Grimm: >> Warner Losh wrote: >>> On Wed, Jul 7, 2021 at 12:47 PM Michael Grimm = wrote: >>>> Warner Losh wrote: >>>>> Sorry for any hassle this work is causing. >>>>=20 >>>> No big deal for rkhunter, a workaround exists ;-) >>>=20 >>> I think the reason is that it automatically switched to using = sha256sum >>> because it was present, but it didn't automatically change = #HASH_FLD_IDX=3D4 >>> to be 1. The shell script is tricky enough that I've not looked = through it >>> all. I'd argue this is a bug in the get_sha_hash_function which = doesn't >>> adjust the HASH_FLD_IDX based on which version it finds. Instead, it = sets >>> it unconditionally to 4 on *BSD or DragonFly. > [...] >>=20 >> But anyway, you nailed it! That fixes rkhunter. It will now produce = hashes for both /sbin/sha256 and /sbin/sha256sum. >>=20 >> The attached patch (diff to new rkhunter script with both succeeding = hunks) will work for the rkhunter-1.4.6 script. >=20 > Hi Warner and Michael, >=20 > the reason I added full support for the -c option was that a port = build failed > since it assumed that if the name of the hash program ended in "sum" = it was > fully compatible with the Coreutils program of that name and that is = supported > the "-c digestfile" option. >=20 > This is a general problem when we gain compatibility with some other = OS (TM): > Ports often assume that availability of a program (MACRO, include = file, ...) > means it is the real thing, and not only attempt of an emulation of = the most > important feature (i.e. only considering a very specific use case). >=20 > An alternative (and my preferred fix) would be to not search for the = *sum > functions on FreeBSD, and thus not having to adjust the HASH_FLD_IDX = variable: >=20 > -- files/rkhunter.orig 2018-02-24 23:08:27 UTC > +++ files/rkhunter > @@ -4750,7 +4750,12 @@ get_sha_hash_function() { > return > fi >=20 > - HFUNC=3D`find_cmd sha${SHA_SIZE}sum` > + case ${OPERATING_SYSTEM} in > + FreeBSD) > + HFUNC=3D`find_cmd sha${SHA_SIZE}` ;; > + *) > + HFUNC=3D`find_cmd sha${SHA_SIZE}sum` ;; > + esac >=20 > if [ -z "${HFUNC}" ]; then > HFUNC=3D`find_cmd sha${SHA_SIZE}` >=20 > The suggested patch is attached. I did not want to change more lines = than > required, and other BSDs could easily added to the special case, = should > they be affected, too. >=20 > And I'd assume that this patch could be accepted by the upstream ... >=20 > Michael, could you please test this patch? I can confirm that your patch works perfectly well.=20 No more workaround needed, now rkhunter calculates sha256 hashes as = usual. Thanks for that.=20 Now, =C5=81ukasz need's to confirm that rkhunter at 12.2-RELEASE will = calculate those hashes as well. Regards, Michael=