Date: Thu, 8 Jul 2021 14:16:44 +0200 From: Michael Grimm via freebsd-stable <freebsd-stable@freebsd.org> To: Stefan Esser <se@freebsd.org> Cc: Warner Losh <imp@bsdimp.com>, FreeBSD-STABLE Mailing List <freebsd-stable@freebsd.org>, FreeBSD ports <freebsd-ports@freebsd.org>, lukasz@wasikowski.net Subject: Re: security/rkhunter without hashes after recent STABLE-13 update Message-ID: <C9EA0672-82A3-4A84-87AC-E5AAAB5B14CA@ellael.org> In-Reply-To: <4355013a-0be1-829f-2fe5-86eeb4ba80f7@freebsd.org> References: <416D3033-138D-4BBB-84FA-FAEA2944C837@ellael.org> <CANCZdfr3Ye2hbZJtvBmYqKMF9S_KbGHCzsoRWbMjCxwPEOJSkQ@mail.gmail.com> <B829235A-3C8F-46F4-8D25-00A6125CE264@ellael.org> <CANCZdfojJ%2BiG9dcZ=nPZ65qsON6v2rnG6PLQwQFMJ0N-U8bohQ@mail.gmail.com> <08637D0D-9D65-4F53-9A64-F4742BA8E415@ellael.org> <CANCZdfpQCVm%2BaEbimzrkX%2BXkfXcbx2tJPgPXriqzMCYjZJ8kKg@mail.gmail.com> <0B2C7AEA-27C6-4259-9DCF-D20C19737A50@ellael.org> <4355013a-0be1-829f-2fe5-86eeb4ba80f7@freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Hi Stefan, Stefan Esser <se@freebsd.org> wrote > Am 07.07.21 um 22:24 schrieb Michael Grimm: >> Warner Losh <imp@bsdimp.com> wrote: >>> On Wed, Jul 7, 2021 at 12:47 PM Michael Grimm <trashcan@ellael.org> = wrote: >>>> Warner Losh <imp@bsdimp.com> wrote: >>>>> Sorry for any hassle this work is causing. >>>>=20 >>>> No big deal for rkhunter, a workaround exists ;-) >>>=20 >>> I think the reason is that it automatically switched to using = sha256sum >>> because it was present, but it didn't automatically change = #HASH_FLD_IDX=3D4 >>> to be 1. The shell script is tricky enough that I've not looked = through it >>> all. I'd argue this is a bug in the get_sha_hash_function which = doesn't >>> adjust the HASH_FLD_IDX based on which version it finds. Instead, it = sets >>> it unconditionally to 4 on *BSD or DragonFly. > [...] >>=20 >> But anyway, you nailed it! That fixes rkhunter. It will now produce = hashes for both /sbin/sha256 and /sbin/sha256sum. >>=20 >> The attached patch (diff to new rkhunter script with both succeeding = hunks) will work for the rkhunter-1.4.6 script. >=20 > Hi Warner and Michael, >=20 > the reason I added full support for the -c option was that a port = build failed > since it assumed that if the name of the hash program ended in "sum" = it was > fully compatible with the Coreutils program of that name and that is = supported > the "-c digestfile" option. >=20 > This is a general problem when we gain compatibility with some other = OS (TM): > Ports often assume that availability of a program (MACRO, include = file, ...) > means it is the real thing, and not only attempt of an emulation of = the most > important feature (i.e. only considering a very specific use case). >=20 > An alternative (and my preferred fix) would be to not search for the = *sum > functions on FreeBSD, and thus not having to adjust the HASH_FLD_IDX = variable: >=20 > -- files/rkhunter.orig 2018-02-24 23:08:27 UTC > +++ files/rkhunter > @@ -4750,7 +4750,12 @@ get_sha_hash_function() { > return > fi >=20 > - HFUNC=3D`find_cmd sha${SHA_SIZE}sum` > + case ${OPERATING_SYSTEM} in > + FreeBSD) > + HFUNC=3D`find_cmd sha${SHA_SIZE}` ;; > + *) > + HFUNC=3D`find_cmd sha${SHA_SIZE}sum` ;; > + esac >=20 > if [ -z "${HFUNC}" ]; then > HFUNC=3D`find_cmd sha${SHA_SIZE}` >=20 > The suggested patch is attached. I did not want to change more lines = than > required, and other BSDs could easily added to the special case, = should > they be affected, too. >=20 > And I'd assume that this patch could be accepted by the upstream ... >=20 > Michael, could you please test this patch? I can confirm that your patch works perfectly well.=20 No more workaround needed, now rkhunter calculates sha256 hashes as = usual. Thanks for that.=20 Now, =C5=81ukasz need's to confirm that rkhunter at 12.2-RELEASE will = calculate those hashes as well. Regards, Michael=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?C9EA0672-82A3-4A84-87AC-E5AAAB5B14CA>