Package: rkhunter
Version: 1.3.2-1
Severity: normal

While replying to the upstream author regarding bug #472114, I realized something.

Consider this scenario:

1- I install rkhunter and build the first properties db.
2- A hacker comes in and installs a hostile /bin/ls.
3- I install a new package which does NOT overwrite /bin/ls, and the apt-get post-invoke script gets run.
4- The nightly rkhunter script runs and doesn't report any problems?

The problem I see is that the update run in step 3 would pick up the new /bin/ls and assume that it was installed by apt-get.

This would catch this problem:

- Run a quick check with rkhunter in the pre-invoke to make sure that all of the hashes are still good.

But an attacker could still install his trojaned /bin/ls between the pre-invoke and the post-invoke. So we could also:

- After running apt-get, run the quick check again to see if any of the files have changed and display the ones that have before asking the user whether or not the properties should be updated in the rkhunter DB.

Do I make sense or am I misunderstanding what happens when we run --propupd?

Francois

-- debconf information:
* rkhunter/apt_autogen: true
* rkhunter/cron_daily_run: true
* rkhunter/cron_db_update: true
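The pre-invoke / post-invoke comparison the report proposes, as an added illustration that is not part of the bug report or of rkhunter itself: hash a fixed list of paths before the apt run, hash them again afterwards, and list every path that changed in between so the decision to refresh the properties database can be made on that list instead of blindly. The function names (snapshot_hashes, changed_files, review_before_propupd, demo) and the throwaway files the demo creates are this example's own; the real hooks would hash the paths rkhunter tracks and the pre-invoke snapshot would be kept somewhere the apt run cannot touch.

```shell
#!/bin/sh
# Added example, not rkhunter code. Compares two sha256 snapshots of a path
# list to find files that changed between apt's pre-invoke and post-invoke.
set -u

# snapshot_hashes LISTFILE OUTFILE
# Hash every path named in LISTFILE (one per line) into OUTFILE as
# "hash  path" lines; paths that do not exist are recorded as MISSING.
snapshot_hashes() {
    listfile=$1; outfile=$2
    : > "$outfile"
    while IFS= read -r path; do
        if [ -f "$path" ]; then
            sha256sum "$path" >> "$outfile"
        else
            printf 'MISSING  %s\n' "$path" >> "$outfile"
        fi
    done < "$listfile"
}

# changed_files BASELINE CURRENT
# Print each path whose snapshot line differs (modified, added or removed).
changed_files() {
    diff "$1" "$2" | sed -n 's/^[<>] [^ ]*  //p' | sort -u
}

# review_before_propupd BASELINE CURRENT
# Show what changed during the apt run; return 1 so the caller does not run
# --propupd unattended when anything other than the package's own files moved.
review_before_propupd() {
    changed=$(changed_files "$1" "$2")
    if [ -n "$changed" ]; then
        printf 'Files changed between pre-invoke and post-invoke:\n%s\n' "$changed"
        return 1
    fi
    return 0
}

# demo TAMPER
# Build a throwaway baseline over two constructed files, optionally replace
# one of them between the two snapshots (TAMPER=yes), and print the paths the
# post-invoke check reports, relative to the temporary directory.
demo() {
    tamper=$1
    work=$(mktemp -d)
    mkdir -p "$work/bin"
    printf 'ls-original\n'  > "$work/bin/ls"     # constructed sample file
    printf 'cat-original\n' > "$work/bin/cat"    # constructed sample file
    printf '%s\n' "$work/bin/ls" "$work/bin/cat" > "$work/list"

    snapshot_hashes "$work/list" "$work/pre"      # what the pre-invoke hook would store
    if [ "$tamper" = yes ]; then
        printf 'ls-trojaned\n' > "$work/bin/ls"   # change made while apt was running
    fi
    snapshot_hashes "$work/list" "$work/post"     # what the post-invoke hook sees

    changed=$(changed_files "$work/pre" "$work/post" | sed "s|^$work||")
    rm -rf "$work"
    printf '%s\n' "$changed"
}

# Stand-alone run: show the tampered case.
demo yes
```

With TAMPER=yes the demo prints /bin/ls and nothing else; with TAMPER=no it prints nothing, which is the case where refreshing the properties database after the apt run is safe. A real hook would feed the output of changed_files into a prompt, and only after the user accepts it run --propupd.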