Hi Francois,
Le dimanche 23 mars 2008 à 21:08 +1300, Francois Marier a écrit :
> Package: rkhunter
> Version: 1.3.2-1
> Severity: normal
>
> While replying to the upstream author regarding bug #472114, I
> realized something.
>
> Consider this scenario:
>
> 1- I install rkhunter and build the first properties db
> 2- A hacker comes in and installed a hostile /bin/ls
> 3- I install a new package which does NOT overwrite /bin/ls
> and the apt-get post-invoke script gets run.
> 4- The nightly rkhunter script runs and doesn't report any problems?
>
> The problem I see is that the update run in step 3 would picks up the
> new /bin/ls and
> assume that it was installed by apt-get.
>
> This would catch this problem:
>
> - Run a quick check with rkhunter in the pre-invoke to make sure
> that all of the hashes are still good.
>
> But an attacker could still install his trojaned /bin/ls between the
> pre-invoke and the post-invoke. So we could also:
>
> - After running apt-get, run the quick check again to see if any of
> the files have changed and display the ones that have before asking
> the user whether or not the properties should be updated in the
> rkhunter DB.
>
> Do I make sense or am I misunderstanding what happens when we run
> --propupd?
You are 100% right about this potential risk which is directly linked to
using the apt_autogen debconf entry.
I would think that on a highly protected machine, it is better to
process as follows:
1/ disable apt_autogen
2/ Run a full check before updating/installing packages
3/ Upgrade the existing packages or install a new package
4/ Run again a full check
5/ Run --propupd if the previous test is ok
I am not too keen on running these both checks automatically in
{pre,post}-invoke as this would sensibly increase the time taken by each
upgrade or install.
What do you think about adding a note about this risk in README.Debian
(or even in the debconf template)?
Cheers,
Julien
