Date:      Thu, 8 Jul 2021 14:16:44 +0200
From:      Michael Grimm via freebsd-stable <freebsd-stable@freebsd.org>
To:        Stefan Esser <se@freebsd.org>
Cc:        Warner Losh <imp@bsdimp.com>, FreeBSD-STABLE Mailing List <freebsd-stable@freebsd.org>, FreeBSD ports <freebsd-ports@freebsd.org>, lukasz@wasikowski.net
Subject:   Re: security/rkhunter without hashes after recent STABLE-13 update
Message-ID:  <C9EA0672-82A3-4A84-87AC-E5AAAB5B14CA@ellael.org>
In-Reply-To: <4355013a-0be1-829f-2fe5-86eeb4ba80f7@freebsd.org>
References:  <416D3033-138D-4BBB-84FA-FAEA2944C837@ellael.org> <CANCZdfr3Ye2hbZJtvBmYqKMF9S_KbGHCzsoRWbMjCxwPEOJSkQ@mail.gmail.com> <B829235A-3C8F-46F4-8D25-00A6125CE264@ellael.org> <CANCZdfojJ%2BiG9dcZ=nPZ65qsON6v2rnG6PLQwQFMJ0N-U8bohQ@mail.gmail.com> <08637D0D-9D65-4F53-9A64-F4742BA8E415@ellael.org> <CANCZdfpQCVm%2BaEbimzrkX%2BXkfXcbx2tJPgPXriqzMCYjZJ8kKg@mail.gmail.com> <0B2C7AEA-27C6-4259-9DCF-D20C19737A50@ellael.org> <4355013a-0be1-829f-2fe5-86eeb4ba80f7@freebsd.org>

Hi Stefan,

Stefan Esser <se@freebsd.org> wrote
> On 07.07.21 at 22:24, Michael Grimm wrote:
>> Warner Losh <imp@bsdimp.com> wrote:
>>> On Wed, Jul 7, 2021 at 12:47 PM Michael Grimm <trashcan@ellael.org> wrote:
>>>> Warner Losh <imp@bsdimp.com> wrote:

>>>>> Sorry for any hassle this work is causing.
>>>>
>>>> No big deal for rkhunter, a workaround exists ;-)
>>>
>>> I think the reason is that it automatically switched to using sha256sum
>>> because it was present, but it didn't automatically change #HASH_FLD_IDX=4
>>> to be 1. The shell script is tricky enough that I've not looked through it
>>> all. I'd argue this is a bug in the get_sha_hash_function which doesn't
>>> adjust the HASH_FLD_IDX based on which version it finds. Instead, it sets
>>> it unconditionally to 4 on *BSD or DragonFly.
> [...]
>>
>> But anyway, you nailed it! That fixes rkhunter. It will now produce hashes for both /sbin/sha256 and /sbin/sha256sum.
>>
>> The attached patch (diff to new rkhunter script with both succeeding hunks) will work for the rkhunter-1.4.6 script.
>
> Hi Warner and Michael,
>
> the reason I added full support for the -c option was that a port build failed
> since it assumed that if the name of the hash program ended in "sum" it was
> fully compatible with the Coreutils program of that name and that it supported
> the "-c digestfile" option.
>
> This is a general problem when we gain compatibility with some other OS (TM):
> Ports often assume that availability of a program (MACRO, include file, ...)
> means it is the real thing, and not only an attempt at an emulation of the most
> important feature (i.e. only considering a very specific use case).
>
> An alternative (and my preferred fix) would be to not search for the *sum
> functions on FreeBSD, and thus not having to adjust the HASH_FLD_IDX variable:
>
> -- files/rkhunter.orig 2018-02-24 23:08:27 UTC
> +++ files/rkhunter
> @@ -4750,7 +4750,12 @@ get_sha_hash_function() {
>                return
>        fi
>=20
> -       HFUNC=3D`find_cmd sha${SHA_SIZE}sum`
> +       case ${OPERATING_SYSTEM} in
> +       FreeBSD)
> +               HFUNC=3D`find_cmd sha${SHA_SIZE}` ;;
> +       *)
> +               HFUNC=3D`find_cmd sha${SHA_SIZE}sum` ;;
> +       esac
>=20
>        if [ -z "${HFUNC}" ]; then
>                HFUNC=3D`find_cmd sha${SHA_SIZE}`
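
Review bot: In the new "FreeBSD)" arm, HFUNC is set with "find_cmd sha${SHA_SIZE}", which is the same lookup the unchanged "if [ -z "${HFUNC}" ]" fallback performs right below, so on FreeBSD that fallback can no longer find anything new; a short comment above the "case" saying that the *sum tools are skipped there because their output does not match the HASH_FLD_IDX in use would keep a later cleanup from folding the two lookups back together. The analysis quoted earlier in this mail says HASH_FLD_IDX is set to 4 on *BSD or DragonFly, while the pattern matches only "FreeBSD"; any of those systems that ships a sha${SHA_SIZE}sum still takes the "*)" arm, so consider listing them in the same pattern.
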
>
> The suggested patch is attached. I did not want to change more lines than
> required, and other BSDs could easily be added to the special case, should
> they be affected, too.
>
> And I'd assume that this patch could be accepted by the upstream ...
>
> Michael, could you please test this patch?

I can confirm that your patch works perfectly well.
No more workaround needed, now rkhunter calculates sha256 hashes as usual.

Thanks for that.

Now, Łukasz needs to confirm that rkhunter at 12.2-RELEASE will calculate those hashes as well.

Regards,
Michael
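
Added example, not part of the original message and not rkhunter code: the mismatch discussed in this thread comes from BSD sha256 printing the digest as the fourth whitespace-separated field while coreutils-style sha256sum prints it first. The sketch below selects the digest by recognising the line layout instead of the OS name; the function name hash_from_line and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Hypothetical helper (added example, not taken from rkhunter).
# Print the digest from one line of hash-tool output, whichever layout it has:
#   BSD layout:        SHA256 (path) = <hex>   -> digest is the last field
#   coreutils layout:  <hex>  path             -> digest is the first field
# Returns non-zero and prints nothing if the line carries no digest
# (for example an error message from the tool).
hash_from_line() {
    printf '%s\n' "$1" | awk '
        # BSD layout. Using $NF instead of a fixed field 4 keeps this
        # correct when the path itself contains spaces.
        /^[A-Za-z0-9-]+ \(.*\) = [0-9a-fA-F]+$/ { print $NF; found = 1; exit }
        {
            # coreutils puts a "\" in front of the digest when it had to
            # escape characters in the file name.
            sub(/^\\/, "", $1)
            if ($1 ~ /^[0-9a-fA-F]+$/ && length($1) >= 32) {
                print $1
                found = 1
            }
            exit
        }
        END { exit !found }'
}

# Constructed sample lines: SHA-256 of an empty file in both layouts.
EMPTY=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
hash_from_line "SHA256 (/tmp/empty file) = $EMPTY"   # BSD sha256 layout
hash_from_line "$EMPTY  /tmp/empty file"             # coreutils sha256sum layout
```

A file-integrity check that gets an empty digest back should treat it as a failure rather than store it, since an empty baseline silently disables the comparison.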


