On Tue, 04 Nov 2008 23:10:25 +0000, John Horne wrote about Re:
[Rkhunter-users] False warning about /usr/sbin/vipw:

>That should have been:
>
>     rpm -qf --queryformat '[%{FILEINODES}:%{FILEMODES:octal}:%{FILEUSERNAME}:%{FILEGROUPNAME}:%{FILESIZES}:%{FILEMTIMES}:%{FILEMD5S}:%{FILENAMES}\n]' /usr/sbin/vipw | grep ':/usr/sbin/vipw$'

# rpm -qf --queryformat '[%{FILEINODES}:%{FILEMODES:octal}:%{FILEUSERNAME}:%{FILEGROUPNAME}:%{FILESIZES}:%{FILEMTIMES}:%{FILEMD5S}:%{FILENAMES}\n]' /usr/sbin/vipw | grep ':/usr/sbin/vipw$'
14172689:100755:root:root:47676:1219861835:575d90229ec34de850e99c08c6eb4bec:/usr/sbin/vipw

As against:
grep vipw /var/lib/rkhunter/db/rk*
/var/lib/rkhunter/db/rkhunter.dat:File:/usr/sbin/vipw:575d90229ec34de850e99c08c6eb4bec:14172689:0755:0:0:47676:1219861835:shadow-utils:
/var/lib/rkhunter/db/rkhunter.dat.old:File:/usr/sbin/vipw:575d90229ec34de850e99c08c6eb4bec:14172689:0755:0:0:47676:1219861835:shadow-utils:

>The log file will say if prelinking is being used. I doubt you are using
>it since prelinking affects the hash values (you can't run md5sum on
>a prelinked file and get the 'correct' hash value).

Aye:
grep prelin /var/log/*
/var/log/rkhunter.log:[16:50:04] Info: System is not using prelinking

>I agree it is probably not reproducible. However, it is something to
>bear in mind that RKH may run and give warnings which then don't appear
>because the package manager (and/or prelinking) sorts itself out.

If you feel that maybe rpm (my version is from rpm-4.4.2.3-22mnb2.i586.rpm)
is not stable, shouldn't we take this upstream with rpm?

>As
>said, I'll see if we can get RKH to be a bit more helpful in saying what
>is going on.

Much obliged!

Ciao,
=Dick Gevers=
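
The comparison done by eye in this message, as an added example (not part of the original post and not rkhunter's own code): it parses the rpm query line and the rkhunter.dat record, normalises the mode (100755 vs 0755) and owner (root vs 0) representations, and names any field that differs. The rkhunter.dat field order is inferred from the grep output quoted here, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not rkhunter code. The rkhunter.dat field order is inferred
# from the grep output in this message; function names are hypothetical.

# Values copied from the two outputs quoted above.
RPM_LINE='14172689:100755:root:root:47676:1219861835:575d90229ec34de850e99c08c6eb4bec:/usr/sbin/vipw'
RKH_LINE='File:/usr/sbin/vipw:575d90229ec34de850e99c08c6eb4bec:14172689:0755:0:0:47676:1219861835:shadow-utils:'

# Permission bits only, zero-padded: rpm's 100755 and rkhunter's 0755 -> 0755.
perm_bits() { printf '%04o' $(( 0$1 & 07777 )); }

# Owner/group name -> numeric id; numeric input passes through unchanged.
to_uid() { case $1 in *[!0-9]*) id -u "$1" 2>/dev/null ;; *) echo "$1" ;; esac; }
to_gid() {
    case $1 in
        *[!0-9]*) awk -F: -v g="$1" '$1 == g { print $3; exit }' /etc/group ;;
        *) echo "$1" ;;
    esac
}

# Print the names of fields that differ between an rpm query line ($1) and an
# rkhunter.dat "File:" line ($2). Exit 0: all match, 1: mismatch, 2: bad input.
# Runs in a subshell so the parsed variables do not leak. Paths containing
# ':' are not handled.
compare_rpm_rkh() (
    IFS=: read -r inode mode user group size mtime md5 path <<EOF
$1
EOF
    IFS=: read -r tag rpath rmd5 rinode rmode ruid rgid rsize rmtime rest <<EOF
$2
EOF
    [ "$tag" = File ] || { echo 'not a File record'; exit 2; }
    diff=''
    [ "$path" = "$rpath" ] || diff="$diff path"
    [ "$md5" = "$rmd5" ] || diff="$diff md5"
    [ "$inode" = "$rinode" ] || diff="$diff inode"
    [ "$(perm_bits "$mode")" = "$(perm_bits "$rmode")" ] || diff="$diff mode"
    [ "$(to_uid "$user")" = "$ruid" ] || diff="$diff uid"
    [ "$(to_gid "$group")" = "$rgid" ] || diff="$diff gid"
    [ "$size" = "$rsize" ] || diff="$diff size"
    [ "$mtime" = "$rmtime" ] || diff="$diff mtime"
    [ -z "$diff" ] && exit 0
    echo "${diff# }"
    exit 1
)

if compare_rpm_rkh "$RPM_LINE" "$RKH_LINE"; then echo 'rpm and rkhunter.dat agree'; fi
```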
