Bug#593120: security of files copied by rkhunter

Christoph Anton Mitterer calestyo at scientia.net
Sat Oct 18 21:13:26 UTC 2014

reopen 593120
retitle 593120 security of files copied by rkhunter
forwarded 593120 https://sourceforge.net/p/rkhunter/bugs/121/
tags 593120 + security
severity 593120 important

Hi Julien, et al.

Now that the new upstream version got into Debian I've stumbled again
over this issue.
I think you haven't answered my last mail back then and I oversaw it
when this bug got closed and archived.

As you can see I've forwarded both problems now upstream, but if they
shouldn't react I still think we should.

As I state in the upstream bug:

1) We cannot assume how the root group is used, and whether it is secure
or not, to copy files which should be perhaps only in root-user readable
directories to one that is also group-readable.

In some cases even the filename itself could be security sensitive.

2) Not copying with -a (i.e. forgetting ACLs, XATTRs and SELinux
context) may be security critical as well.
Even XATTRs may be used by people to e.g. store integrity information in
their file, or to mark files which e.g. should be handled more
restrictively by programs.

3) Even more actually:
The copying of files a long is in principle already a problem, since
they may e.g. be copied from encrypted disks to unencrypted disks,...
thereby being recoverable via digital forensics.
For that reason, I think, a files should only be copied to a tmpfs which
is mounted by rkhunter upon /var/lib/rkhunter/tmp/
(I'll add that to the upstream bug in a minute).

Since both are IMHO quite clear security problems (even though perhaps
not the most pressing ones,... well at least I have no direct exploit),
I mark this as severity=important as well.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5313 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/forensics-devel/attachments/20141018/c7804c2b/attachment-0001.bin>

More information about the forensics-devel mailing list