security/rkhunter without hashes after recent STABLE-13 update

From: Stefan Esser <se_at_freebsd.org>
Date: Thu, 8 Jul 2021 11:17:07 +0200
On 07.07.21 at 22:24, Michael Grimm wrote:
> Warner Losh <imp_at_bsdimp.com> wrote:
>>
>> On Wed, Jul 7, 2021 at 12:47 PM Michael Grimm <trashcan_at_ellael.org> wrote:
>>> Warner Losh <imp_at_bsdimp.com> wrote:
> 
>>>> Sorry for any hassle this work is causing.
>>>
>>> No big deal for rkhunter, a workaround exists ;-)
>>
>> I think the reason is that it automatically switched to using sha256sum
>> because it was present, but it didn't automatically change #HASH_FLD_IDX=4
>> to be 1. The shell script is tricky enough that I've not looked through it
>> all. I'd argue this is a bug in the get_sha_hash_function which doesn't
>> adjust the HASH_FLD_IDX based on which version it finds. Instead, it sets
>> it unconditionally to 4 on *BSD or DragonFly.
[...]
> 
> But anyway, you nailed it! That fixes rkhunter. It will now produce hashes for both /sbin/sha256 and /sbin/sha256sum.
> 
> The attached patch (diff to new rkhunter script with both succeeding hunks) will work for the rkhunter-1.4.6 script.
> 
> Thanks and with kind regards,
> Michael

Hi Warner and Michael,

the reason I added full support for the -c option was that a port build failed
since it assumed that if the name of the hash program ended in "sum" it was
fully compatible with the Coreutils program of that name and that it supported
the "-c digestfile" option.

This is a general problem when we gain compatibility with some other OS (TM):
Ports often assume that availability of a program (MACRO, include file, ...)
means it is the real thing, and not only an attempt at an emulation of the most
important feature (i.e. only considering a very specific use case).

An alternative (and my preferred fix) would be to not search for the *sum
functions on FreeBSD, and thus not having to adjust the HASH_FLD_IDX variable:

-- files/rkhunter.orig 2018-02-24 23:08:27 UTC
+++ files/rkhunter
_at__at_ -4750,7 +4750,12 _at__at_ get_sha_hash_function() {
                return
        fi

-       HFUNC=`find_cmd sha${SHA_SIZE}sum`
+       case ${OPERATING_SYSTEM} in
+       FreeBSD)
+               HFUNC=`find_cmd sha${SHA_SIZE}` ;;
+       *)
+               HFUNC=`find_cmd sha${SHA_SIZE}sum` ;;
+       esac

        if [ -z "${HFUNC}" ]; then
                HFUNC=`find_cmd sha${SHA_SIZE}`
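
Review bot: the new `case ${OPERATING_SYSTEM}` matches only `FreeBSD)`, but the analysis quoted earlier in this message says HASH_FLD_IDX is set to 4 on *BSD or DragonFly, so any of those systems that ships a `sha${SHA_SIZE}sum` would still pick it up through the `*)` branch and read the wrong field. Consider keying the choice on the same condition that sets HASH_FLD_IDX, and add a comment above the `case` saying why the `*sum` lookup is skipped. On the FreeBSD branch the existing `if [ -z "${HFUNC}" ]` fallback now repeats the identical `find_cmd sha${SHA_SIZE}` lookup; that is harmless, but the comment should mention it.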

The suggested patch is attached. I did not want to change more lines than
required, and other BSDs could easily be added to the special case, should
they be affected, too.

And I'd assume that this patch could be accepted by the upstream ...

Michael, could you please test this patch?

(I do not have rkhunter installed on my system ...)

Regards, STefan

Received on Thu Jul 08 2021 - 09:17:07 UTC
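
The field-index mismatch discussed in this thread (digest in field 4 of `sha256` output, field 1 of `sha256sum` output) can also be avoided by locating the digest in the tool's actual output rather than by OS name. The following is an added example, not part of the message or of rkhunter; `hash_field_index` and `extract_hash` are hypothetical helper names and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: find the digest column from the output itself.
# hash_field_index / extract_hash are hypothetical, not rkhunter functions.

# Print the 1-based whitespace-separated field that holds a hex digest of
# the expected length (default 64 = SHA-256). Returns non-zero if no field
# qualifies, e.g. when the tool printed an error instead of a digest.
hash_field_index() {
    line=$1
    hexlen=${2:-64}
    printf '%s\n' "$line" | awk -v n="$hexlen" '
        {
            for (i = 1; i <= NF; i++)
                if (length($i) == n && $i ~ /^[0-9A-Fa-f]+$/) {
                    print i; found = 1; exit
                }
        }
        END { if (!found) exit 1 }'
}

# Print only the digest from one line of hash-tool output.
extract_hash() {
    line=$1
    idx=$(hash_field_index "$line" "${2:-64}") || return 1
    printf '%s\n' "$line" | awk -v i="$idx" '{ print $i }'
}

# Constructed sample lines (digest is SHA-256 of empty input).
DIGEST=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
BSD_LINE="SHA256 (/etc/hosts) = $DIGEST"      # BSD sha256 layout
SUM_LINE="$DIGEST  /etc/hosts"                # sha256sum layout
SPACE_LINE="SHA256 (/tmp/my file) = $DIGEST"  # path with a space shifts fields

for l in "$BSD_LINE" "$SUM_LINE" "$SPACE_LINE"; do
    printf 'field %s: %s\n' "$(hash_field_index "$l")" "$l"
done
```

The third sample shows a case a fixed index cannot handle: a path containing a space moves the digest to field 5 in the BSD layout.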
