reopen 593120 retitle 593120 security of files copied by rkhunter forwarded 593120 https://sourceforge.net/p/rkhunter/bugs/121/ tags 593120 + security severity 593120 important stop
Hi Julien, et al. Now that the new upstream version got into Debian I've stumbled again over this issue. I think you haven't answered my last mail back then and I oversaw it when this bug got closed and archived. As you can see I've forwarded both problems now upstream, but if they shouldn't react I still think we should. As I state in the upstream bug: 1) We cannot assume how the root group is used, and whether it is secure or not, to copy files which should be perhaps only in root-user readable directories to one that is also group-readable. In some cases even the filename itself could be security sensitive. 2) Not copying with -a (i.e. forgetting ACLs, XATTRs and SELinux context) may be security critical as well. Even XATTRs may be used by people to e.g. store integrity information in their file, or to mark files which e.g. should be handled more restrictively by programs. 3) Even more actually: The copying of files a long is in principle already a problem, since they may e.g. be copied from encrypted disks to unencrypted disks,... thereby being recoverable via digital forensics. For that reason, I think, a files should only be copied to a tmpfs which is mounted by rkhunter upon /var/lib/rkhunter/tmp/ (I'll add that to the upstream bug in a minute). Since both are IMHO quite clear security problems (even though perhaps not the most pressing ones,... well at least I have no direct exploit), I mark this as severity=important as well. Cheers, Chris.
smime.p7s
Description: S/MIME cryptographic signature
