Bug 456340 - "no copy of the passwd file exists" after reboot
Summary: "no copy of the passwd file exists" after reboot
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: rkhunter
Version: 9
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Kevin Fenzi
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2008-07-22 23:08 UTC by Nerijus Baliūnas
Modified: 2009-01-24 02:39 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-01-24 02:33:59 UTC


Description Nerijus Baliūnas 2008-07-22 23:08:18 UTC
When I reboot PC, the first rkhunter run from cron sends email:

---------------------- Start Rootkit Hunter Scan ----------------------

Warning: Unable to check for passwd file differences: no copy of the passwd file
exists.

Warning: Unable to check for group file differences: no copy of the group file
exists.



One or more warnings have been found while checking the system.

Please check the log file (/var/log/rkhunter/rkhunter.log)



----------------------- End Rootkit Hunter Scan -----------------------

From /var/log/rkhunter/rkhunter.log:
[02:04:15]   Checking for passwd file                        [ Found ]
[02:04:15] Info: Found password file: /etc/passwd
[02:04:15]   Checking for root equivalent (UID 0) accounts   [ None found ]
[02:04:15] Info: Found shadow file: /etc/shadow
[02:04:15]   Checking for passwordless accounts              [ None found ]
[02:04:15] Info: Starting test name 'passwd_changes'
[02:04:15]   Checking for passwd file changes                [ Warning ]
[02:04:15] Warning: Unable to check for passwd file differences: no copy of the
passwd file exists.
[02:04:15] Info: Starting test name 'group_changes'
[02:04:15]   Checking for group file changes                 [ Warning ]
[02:04:16] Warning: Unable to check for group file differences: no copy of the
group file exists.
[02:04:16]   Checking root account shell history files       [ OK ]

Comment 1 Kevin Fenzi 2008-07-23 04:13:32 UTC
Correct. This is expected by upstream... 
You must run 'rkhunter --propupd' to create copies of those files for it to
check against. 

From the man page: 

       --propupd
              One of the checks rkhunter performs is to compare various current
              file properties of various commands, against those it has previously
              stored. This command option causes rkhunter to update its data file
              of stored values with the current values.

              WARNING: It is the user's responsibility to ensure that the files on
              the system are genuine and from a reliable source. rkhunter can only
              report if a file has changed, but not on what has caused the change.
              Hence, if a file has changed, and the --propupd command option is
              used, then rkhunter will assume that the file is genuine.

I'm not sure there is anything I can do package wise to get around this, 
as it's expected that the end user decides that their install is ok. 

Comment 2 Nerijus Baliūnas 2008-07-23 11:16:12 UTC
But I ran rkhunter --propupd, and rkhunter runs w/o warnings; it only happens
when I reboot. Then the copies of the passwd and group files disappear.

Comment 3 Kevin Fenzi 2008-07-23 19:16:47 UTC
Ah, I see what you are saying... 

Yeah, this is partially an upstream issue, and partially my fault.
rkhunter in Fedora uses /var/run/rkhunter as its tmpdir. This unfortunately
gets wiped on every reboot, so that's why you have to re-run it on boot.

Possible solutions would be: 

1. Get upstream to not save passwd/shadow info in tmpdir. If those are expected
to be persistent, they shouldn't go to the tmpdir.

2. I could move them to another dir that is persistent. 

3. We could just leave it as is. After a reboot you may well want to check why
the reboot happened and that your files are ok and re-run propupd. 

I'm not sure which way to go off hand... will ponder on it. 
Any thoughts?
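A shell walk-through of the mechanism described in Comment 3, added here as an illustration and not rkhunter's own code: the passwd_changes test only has something to compare against if the copy written by --propupd survives in its store directory, so a store under a directory that is wiped on boot produces exactly the "no copy of the passwd file exists" warning. The function names, the scratch directories standing in for /var/run/rkhunter and /var/lib/rkhunter, and the sample passwd lines are all constructed.

```shell
# Emulates the rkhunter passwd_changes / group_changes test: compare the live
# file with the copy saved by --propupd.  Exit status: 0 = unchanged,
# 1 = changed, 2 = no stored copy (the warning quoted in this bug).
check_file_changes() {
    live=$1
    store_dir=$2
    name=$(basename "$live")
    stored="$store_dir/$name"
    if [ ! -f "$stored" ]; then
        echo "Warning: Unable to check for $name file differences: no copy of the $name file exists." >&2
        return 2
    fi
    if cmp -s "$stored" "$live"; then
        return 0
    fi
    echo "Warning: $name file has changed since the last --propupd:" >&2
    diff "$stored" "$live" >&2
    return 1
}

# Stand-in for --propupd: snapshot the live file into the store directory.
propupd() {
    mkdir -p "$2" && cp "$1" "$2/$(basename "$1")"
}

# Walk through the scenario with a constructed passwd file in a scratch
# directory.  Prints three status codes: after the volatile store (the
# /var/run/rkhunter case) is wiped by a simulated reboot, after propupd into
# a persistent store (the /var/lib/rkhunter case), and after a line is
# appended to the live file while the persistent copy is in place.
demo() {
    work=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$work/passwd"
    volatile="$work/run"
    persistent="$work/lib"
    propupd "$work/passwd" "$volatile"
    rm -rf "$volatile"                       # simulated reboot wipes tmpdir
    r1=0; check_file_changes "$work/passwd" "$volatile" 2>/dev/null || r1=$?
    propupd "$work/passwd" "$persistent"
    r2=0; check_file_changes "$work/passwd" "$persistent" 2>/dev/null || r2=$?
    printf 'added:x:1001:1001::/home/added:/bin/sh\n' >> "$work/passwd"
    r3=0; check_file_changes "$work/passwd" "$persistent" 2>/dev/null || r3=$?
    rm -rf "$work"
    echo "$r1 $r2 $r3"
}

demo
```

The three codes show the same comparison succeeding or failing purely on whether the stored copy outlived the "reboot", which is the whole difference between the two directories debated in this bug.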

Comment 4 manuel wolfshant 2008-08-31 03:37:57 UTC
I suggest saving them under /var/lib/rkhunter.

Comment 5 Kevin Fenzi 2008-09-08 22:16:09 UTC
Yeah, we could do that, but upstream seems to want people to have to decide after each reboot that their setup is ok and right by running --propupd. 
If we store them in a persistent way we are changing the behavior of upstream... 

I think this is a discussion that's better made upstream.

Nerijus / Wolfy: Would one of you be willing to take this up on the upstream lists? Or would you like me to?

Comment 6 manuel wolfshant 2008-09-12 10:24:45 UTC
Thing is that a long time ago I packaged rkhunter myself (1.2.9 at the time, upgraded to 1.3.0pre and 1.3.0 next). I have used a similar but different spec and a completely different cronjob (very simple, basically it boils down to one line: rkhunter --update && rkhunter XXXX | mail -s "rkunter job" ). And I have never seen the behaviour exhibited by the package from Fedora EPEL.

Comment 7 Kevin Fenzi 2008-12-14 01:09:44 UTC
Sorry for the long delay here. ;(

I can change it to use /usr/lib/rkhunter for its tmpdir, but that's set in the /etc/rkhunter.conf file, so on update people will get a /etc/rkhunter.conf.rpmnew file. ;(

Should we just do that? or is there any better solution here?

Comment 8 Nerijus Baliūnas 2008-12-15 16:00:39 UTC
No problem, there are times when *.rpmnew files appear. Admins should check them.

Comment 9 Kevin Fenzi 2008-12-15 22:11:05 UTC
True. The other issue here is that with that change rkhunter is going to use /var/lib/rkhunter for all its temp files, which is not very selinux friendly. :(

Better would be a patch to make it store passwd/shadow in its normal db dir, and use them from there. I can try and look at a patch to do that, but if one of you wants to do so that would be great.

Comment 10 Kevin Fenzi 2009-01-04 22:25:07 UTC
Can you guys try the new package in rawhide?
(I can scratch build it as well if you need me to). 

I think I have propupd persisting through reboots.
If you guys can confirm I can push this and several other fixes to F9/F10.

Comment 11 manuel wolfshant 2009-01-04 22:51:30 UTC
I'll give it a spin in Centos 4/5 as soon as I manage to persuade my mock to restart building packages.

Comment 12 manuel wolfshant 2009-01-05 00:26:52 UTC
Just tested, as follows:
- removed /var/lib/rkhunter/{group, passwd}
- updated rkhunter to 1.3.4 (local built copy based on the src.rpm from koji/rawhide)
- reboot and received :
---------------------- Start Rootkit Hunter Scan ----------------------
Warning: Unable to check for passwd file differences: no copy of the passwd file exists.
Warning: Unable to check for group file differences: no copy of the group file exists.

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter/rkhunter.log)

----------------------- End Rootkit Hunter Scan -----------------------
- checked /var/lib/rkhunter/ and the two files were there
- reboot again
- rechecked /var/lib/rkhunter/ and the two files were still there

So I guess it's OK, at least after my very fast test.

Comment 13 Kevin Fenzi 2009-01-05 05:14:25 UTC
OK, great. I will push updates to testing for F10/F9 and we can get some more widespread testing.

Comment 14 Fedora Update System 2009-01-05 05:32:59 UTC
rkhunter-1.3.4-1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/rkhunter-1.3.4-1.fc10

Comment 15 Fedora Update System 2009-01-05 05:41:50 UTC
rkhunter-1.3.4-1.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/rkhunter-1.3.4-1.fc9

Comment 16 Fedora Update System 2009-01-07 09:24:51 UTC
rkhunter-1.3.4-1.fc10 has been pushed to the Fedora 10 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update rkhunter'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2009-0153

Comment 17 Fedora Update System 2009-01-07 09:25:50 UTC
rkhunter-1.3.4-1.fc9 has been pushed to the Fedora 9 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing-newkey update rkhunter'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F9/FEDORA-2009-0163

Comment 18 Fedora Update System 2009-01-24 02:33:51 UTC
rkhunter-1.3.4-1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 19 Fedora Update System 2009-01-24 02:39:09 UTC
rkhunter-1.3.4-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
