Re: security/rkhunter without hashes after recent STABLE-13 update

From: Michael Grimm via freebsd-stable <freebsd-stable_at_freebsd.org>
Date: Thu, 8 Jul 2021 14:16:44 +0200
Hi Stefan,

Stefan Esser <se_at_freebsd.org> wrote
> Am 07.07.21 um 22:24 schrieb Michael Grimm:
>> Warner Losh <imp_at_bsdimp.com> wrote:
>>> On Wed, Jul 7, 2021 at 12:47 PM Michael Grimm <trashcan_at_ellael.org> wrote:
>>>> Warner Losh <imp_at_bsdimp.com> wrote:

>>>>> Sorry for any hassle this work is causing.
>>>> 
>>>> No big deal for rkhunter, a workaround exists ;-)
>>> 
>>> I think the reason is that it automatically switched to using sha256sum
>>> because it was present, but it didn't automatically change #HASH_FLD_IDX=4
>>> to be 1. The shell script is tricky enough that I've not looked through it
>>> all. I'd argue this is a bug in the get_sha_hash_function which doesn't
>>> adjust the HASH_FLD_IDX based on which version it finds. Instead, it sets
>>> it unconditionally to 4 on *BSD or DragonFly.
> [...]
>> 
>> But anyway, you nailed it! That fixes rkhunter. It will now produce hashes for both /sbin/sha256 and /sbin/sha256sum.
>> 
>> The attached patch (diff to new rkhunter script with both succeeding hunks) will work for the rkhunter-1.4.6 script.
> 
> Hi Warner and Michael,
> 
> the reason I added full support for the -c option was that a port build failed
> since it assumed that if the name of the hash program ended in "sum" it was
> fully compatible with the Coreutils program of that name and that is supported
> the "-c digestfile" option.
> 
> This is a general problem when we gain compatibility with some other OS (TM):
> Ports often assume that availability of a program (MACRO, include file, ...)
> means it is the real thing, and not only attempt of an emulation of the most
> important feature (i.e. only considering a very specific use case).
> 
> An alternative (and my preferred fix) would be to not search for the *sum
> functions on FreeBSD, and thus not having to adjust the HASH_FLD_IDX variable:
> 
> -- files/rkhunter.orig 2018-02-24 23:08:27 UTC
> +++ files/rkhunter
> _at__at_ -4750,7 +4750,12 _at__at_ get_sha_hash_function() {
>                return
>        fi
> 
> -       HFUNC=`find_cmd sha${SHA_SIZE}sum`
> +       case ${OPERATING_SYSTEM} in
> +       FreeBSD)
> +               HFUNC=`find_cmd sha${SHA_SIZE}` ;;
> +       *)
> +               HFUNC=`find_cmd sha${SHA_SIZE}sum` ;;
> +       esac
> 
>        if [ -z "${HFUNC}" ]; then
>                HFUNC=`find_cmd sha${SHA_SIZE}`
> 
> The suggested patch is attached. I did not want to change more lines than
> required, and other BSDs could easily added to the special case, should
> they be affected, too.
> 
> And I'd assume that this patch could be accepted by the upstream ...
> 
> Michael, could you please test this patch?

I can confirm that your patch works perfectly well. 
No more workaround needed, now rkhunter calculates sha256 hashes as usual.

Thanks for that. 

Now, Ɓukasz need's to confirm that rkhunter at 12.2-RELEASE will calculate those hashes as well.

Regards,
Michael
Received on Thu Jul 08 2021 - 12:16:44 UTC

Original text of this message