Bug#890635: chkrootkit: Errors when trying to exclude known false positives

Maxim Biro nurupocontributions at gmail.com
Sat Feb 17 01:35:37 UTC 2018


Package: chkrootkit
Version: 0.50-4+b2
Severity: important

Dear Maintainer,

I have installed both fail2ban and chkrootkit on Debian Stretch. It is not the
system I'm writing this report from. When running chkrootkit, it complains
about hidden files from fail2ban:

===
$ sudo chkrootkit -q

/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/file/.htpasswd /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/file/.htaccess /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/authz_owner/.htpasswd /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/authz_owner/.htaccess /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_anon/.htpasswd /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_anon/.htaccess /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest/.htpasswd /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest/.htaccess /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_time/.htpasswd /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_time/.htaccess /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_wrongrelm/.htpasswd /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_wrongrelm/.htaccess /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/noentry/.htaccess
===

When attempting to tell chkrootkit to exclude those files, chkrootkit errors
with a weird error:

===
$ sudo chkrootkit -q -e '/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/file/.htpasswd /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/file/.htaccess /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/authz_owner/.htpasswd /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/authz_owner/.htaccess /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_anon/.htpasswd /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_anon/.htaccess /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest/.htpasswd /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest/.htaccess /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_time/.htpasswd /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_time/.htaccess /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_wrongrelm/.htpasswd /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_wrongrelm/.htaccess /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/noentry/.htaccess'

 The tty of the following user process(es) were not found
 in /var/run/utmp !
! RUID          PID TTY    CMD
! grelm/.htpasswd       0 l2ban/tests/files/config/apache-augrelm/.htpasswd /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_wrongrelm/.htaccess /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/noentry/.htaccess
! wd              0 iles/config/apache-auth/digest_wrowd /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_wrongrelm/.htaccess /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/noentry/.htaccess
===

Just to assure you, those files do in fact exist and there doesn't seem to be
any typo or special character in there, as ls finds those files just fine:

===
$ ls -lbh /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/file/.htpasswd /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/file/.htaccess /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/authz_owner/.htpasswd /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/authz_owner/.htaccess /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_anon/.htpasswd /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_anon/.htaccess /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest/.htpasswd /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest/.htaccess /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_time/.htpasswd /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_time/.htaccess /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_wrongrelm/.htpasswd /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_wrongrelm/.htaccess /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/noentry/.htaccess
-rw-r--r-- 1 root root 136 Dec  9  2016 /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/authz_owner/.htaccess
-rw-r--r-- 1 root root  47 Dec  9  2016 /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/authz_owner/.htpasswd
-rw-r--r-- 1 root root 129 Dec  9  2016 /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/file/.htaccess
-rw-r--r-- 1 root root  47 Dec  9  2016 /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/file/.htpasswd
-rw-r--r-- 1 root root 231 Dec  9  2016 /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_anon/.htaccess
-rw-r--r-- 1 root root 117 Dec  9  2016 /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_anon/.htpasswd
-rw-r--r-- 1 root root 159 Dec  9  2016 /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest/.htaccess
-rw-r--r-- 1 root root  62 Dec  9  2016 /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest/.htpasswd
-rw-r--r-- 1 root root 195 Dec  9  2016 /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_time/.htaccess
-rw-r--r-- 1 root root  62 Dec  9  2016 /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_time/.htpasswd
-rw-r--r-- 1 root root 179 Dec  9  2016 /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_wrongrelm/.htaccess
-rw-r--r-- 1 root root  62 Dec  9  2016 /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_wrongrelm/.htpasswd
-rw-r--r-- 1 root root  14 Dec  9  2016 /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/noentry/.htaccess
===

The issue seems to be that chkrootkit doesn't parse its arguments correctly or
it has a limit on how long the -e argument can be. In fact, if you remove
several file paths from either the beginning or the end of the -e argument,
chkrootkit works as intended and lists just the removed file paths as false
positives. Ideally users should be able to specify any number of file paths to
be excluded.



-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages chkrootkit depends on:
ii  binutils               2.30-4
ii  debconf [debconf-2.0]  1.5.65
ii  libc6                  2.26-6
ii  net-tools              1.60+git20161116.90da8a0-1
ii  openssh-client         1:7.6p1-4
ii  procps                 2:3.3.12-4

chkrootkit recommends no packages.

chkrootkit suggests no packages.
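The report above excludes hidden files by path alone. Before a chkrootkit hit is silenced with -e, a defender wants to know that the file really is one a package shipped and that it has not been altered since install, because an attacker can hide a modified .htaccess behind the very same path. The following script is an added example, not code from the bug report or from chkrootkit or fail2ban. It assumes the Debian layout in which /var/lib/dpkg/info/<package>.md5sums lists "<md5hex>  <path relative to />" for every file a package ships, and that chkrootkit -q prints its hidden-file hits space-separated on one line as in the report; the fixture tree, the md5sums file and the sample output it builds in build_demo() are constructed for the example, and the function names are the example's own.

```python
"""Triage chkrootkit 'hidden file' hits against dpkg's md5sums records.

Added example, not part of the bug report or of chkrootkit. Assumes the
Debian /var/lib/dpkg/info/<pkg>.md5sums layout ('<md5hex>  <relative path>'
per line) and a one-line, space-separated chkrootkit -q hit list.
"""
from __future__ import annotations

import hashlib
import shlex
import tempfile
from pathlib import Path

# Directory prefix of the paths in the report; reused for the constructed fixture.
FAIL2BAN_TESTS = "/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth"


def parse_chkrootkit_hits(output: str) -> list[str]:
    """Split the space-separated absolute paths chkrootkit -q prints."""
    return [tok for tok in output.split() if tok.startswith("/")]


def load_md5sums(info_dir: Path) -> dict[str, tuple[str, str]]:
    """Index every <pkg>.md5sums in info_dir as absolute path -> (package, md5)."""
    index: dict[str, tuple[str, str]] = {}
    for md5file in sorted(info_dir.glob("*.md5sums")):
        package = md5file.name[: -len(".md5sums")]
        for line in md5file.read_text(encoding="utf-8").splitlines():
            parts = line.split(None, 1)
            if len(parts) != 2:
                continue  # blank or malformed line
            digest, relpath = parts
            index["/" + relpath.strip()] = (package, digest.lower())
    return index


def md5_of(path: Path) -> str:
    """Hex MD5 of a file, read in chunks; MD5 because that is what dpkg records."""
    h = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(hits: list[str], index: dict[str, tuple[str, str]],
           root: Path = Path("/")) -> dict[str, str]:
    """Classify each hit: packaged-ok, packaged-modified, unpackaged or missing.

    root lets the same check run against a chroot, a mounted image or a test tree.
    """
    verdicts: dict[str, str] = {}
    for hit in hits:
        on_disk = root / hit.lstrip("/")
        if not on_disk.is_file():
            verdicts[hit] = "missing"
            continue
        record = index.get(hit)
        if record is None:
            verdicts[hit] = "unpackaged"          # no package claims this file
        elif md5_of(on_disk) == record[1]:
            verdicts[hit] = "packaged-ok"         # shipped and unchanged
        else:
            verdicts[hit] = "packaged-modified"   # shipped, but content differs
    return verdicts


def exclude_argument(verdicts: dict[str, str]) -> str:
    """One shell-quoted value for chkrootkit -e, built only from verified hits."""
    ok = [p for p, v in sorted(verdicts.items()) if v == "packaged-ok"]
    return shlex.quote(" ".join(ok))


def build_demo(root: Path) -> tuple[str, Path]:
    """Constructed fixture: a fake fail2ban install plus its dpkg md5sums file."""
    good = root / FAIL2BAN_TESTS.lstrip("/") / "basic/file/.htpasswd"
    tampered = root / FAIL2BAN_TESTS.lstrip("/") / "basic/file/.htaccess"
    stray = root / "tmp/.hidden"
    for f, body in ((good, b"user:$apr1$example\n"),
                    (tampered, b"AuthType Basic\n# edited after install\n"),
                    (stray, b"not from any package\n")):
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_bytes(body)
    info_dir = root / "var/lib/dpkg/info"
    info_dir.mkdir(parents=True, exist_ok=True)
    # The real digest for .htpasswd, a stale one for .htaccess (simulated edit).
    rel = FAIL2BAN_TESTS.lstrip("/")
    (info_dir / "fail2ban.md5sums").write_text(
        f"{md5_of(good)}  {rel}/basic/file/.htpasswd\n"
        f"{'0' * 32}  {rel}/basic/file/.htaccess\n", encoding="utf-8")
    # Constructed chkrootkit -q output: three existing hits and one absent path.
    sample = (f"{FAIL2BAN_TESTS}/basic/file/.htpasswd {FAIL2BAN_TESTS}/basic/file/.htaccess "
              f"/tmp/.hidden {FAIL2BAN_TESTS}/noentry/.htaccess")
    return sample, info_dir


def run_demo() -> dict[str, object]:
    """Run the triage on the constructed tree; returns the verdicts and the -e value."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        sample, info_dir = build_demo(root)
        verdicts = triage(parse_chkrootkit_hits(sample), load_md5sums(info_dir), root)
        return {"verdicts": verdicts, "exclude": exclude_argument(verdicts)}


if __name__ == "__main__":
    result = run_demo()
    for path, verdict in result["verdicts"].items():
        print(f"{verdict:18} {path}")
    print("chkrootkit -q -e", result["exclude"])
```

On the reporter's system, `triage(parse_chkrootkit_hits(output), load_md5sums(Path("/var/lib/dpkg/info")))` would be run on the real hit list, and only the "packaged-ok" paths belong in -e; a "packaged-modified" or "unpackaged" verdict is exactly the case a rootkit check exists to surface. Two caveats: the md5sums files live on the same disk a rootkit could edit, so for incident work the reference digests should come from the .deb on a trusted mirror rather than from the host; and, as the report shows, a long -e value can itself trip chkrootkit, so the generated argument should be checked for that before being scripted into a cron job.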



More information about the Pkg-security-team mailing list