This question concerns a general update of Arch Linux on 11 Sept 2022 and its effect on rkhunter. The computer is a stand-alone, domestic work-station (64-bit Intel chipset).

With the update of Arch, the contents of the script /usr/bin/egrep was changed. Now each attempt to run egrep yields a message to the effect that "egrep" is obsolescent and should be replaced by "grep -E". No problem with that, since executable scripts with root permissions can be vulnerable to attack. The fewer the better.

However, when rkhunter --propupd is run, the message is displayed well over 100 times, I suspect once for each executable file tested in /usr/bin. The rkhunter version is 1.4.4, installed from the Arch repo using pacman.

We have attempted to update the rkhunter shell script, changing each occurrence of "egrep" by hand to "grep -E"; in addition "egrep" was removed from the lists ABSOLUTELY_REQUIRED_CMDS and REQCMDS. But this makes no difference at all. I still get 100-plus messages when rkhunter --update is run.

Thus the question: What have I missed or done wrong?

Thanks in advance for any assistance.

Dynosaw
Last edited by dynosaw (2022-09-23 09:03:33)
I just installed rkhunter for the fun of it and tested it.
After replacing all "egrep" with "grep -E" and removing egrep from said arrays, I do not get the warning any longer.
$ sudo sha256sum /usr/bin/rkhunter
db8b661f4778b9ccb3e740c6b4d97b0f2ba8e20a3b4deb32479ed060fd925a36 /usr/bin/rkhunter
As you've said that you've changed each occurrence "by hand", I would assume that you missed some.
I used vim and ":%s/egrep/grep -E/g".
https://srv.richard-neumann.de/rkhunter.txt
Last edited by schard (2022-09-13 10:28:26)
This issue has already been reported. You can follow the instructions in https://sourceforge.net/p/rkhunter/bugs/176/
1. Thanks Use**ame for the reference to sourceforge, which I have read. This reference concerns rkhunter 1.4.6; presently I have version 1.4.4, and I can't find the code that is reported as the villain of the piece. (see later)

2. Thanks Schard for your reaction. When I edited "by hand" I specifically avoided automatic search-and-replace methods. I confined the automation to "search only", then I could first inspect the code I was changing (and which I didn't always understand). Yet another (case-sensitive) search with nano has shown four occurrences of the string "egrep" remaining; three on lines commented out with a hash (#) and one as "gegrep" in a list intended for SUN-OS (which I don't have).

Interesting that your mods worked straight out of the box. This confirms the presence of "memory" in the system which remembers the result of previous runs of rkhunter. (sourceforge posting)

Which raises one new question. In the initial post I said that I installed rkhunter (v. 1.4.4) from the Arch repo. When I checked the Arch repo a few days ago I found that the current version of rkhunter being offered was 1.4.6. Yet when I updated my Arch installation two days ago, using pacman -Syu, pacman seems to have skipped over rkhunter and left the version 1.4.4 in place. I have no explanation for this.

Dynosaw
If upstream is going to tag a new release with the fix, probably no need but if not, recommend you open a ticket against our packaging referencing the issue and the upstream fix.
To wq:
Thanks for your advice. I'll wait a few weeks to give people
time to react. They may already have full agendas.
Meanwhile I'll leave the thread open for now.
Dynosaw
A LITANY OF CONFUSION (Sorry it's a bit long.)

After further investigation, some additional facts emerged.

1. There were two versions of rkhunter simultaneously available on my PC:
/usr/local/bin/rkhunter (version 1.4.4)
/usr/bin (version 1.4.6)

2. The PATH environment variable gave preference to /usr/local/bin and this determined the version that was run from the command line. It also explains why the more recent version 1.4.6 was ignored. How the sneak version 1.4.4 of rkhunter came to be in /usr/local/bin is not at all clear to me. Arch was installed in January of this year into a brand new PC [purchased without an operating system installed]. Nor was it detected by rkhunter.

3. Unaware of the sneak executable file in /usr/local/bin, I had modified the file in /usr/bin (v. 1.4.6), changing egrep to grep -E. Unfortunately the latter file never ran and that created the false illusion of an error.

4. What remains unexplained is the unexpected reaction of grep -E to certain regular expressions, which now produces output like:
"grep: warning: stray \ before +"; and
"grep: warning: stray \ before !".
Independent tests using "grep -E" to parse a test file reproduced similar results.

5. The behaviour of pacman seems to be correct, which is very reassuring.

The strange behaviour of grep -E is off-topic and this posting can be closed out.

My thanks to all who responded to this posting.
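The root cause above was a second rkhunter copy in /usr/local/bin shadowing the packaged one in /usr/bin, and rkhunter itself did not flag it. The following POSIX shell function is an added example (not code from this thread or from the rkhunter project): it walks a PATH-style list in lookup order, prints the digest and location of every executable with the given name, and returns the number of copies found, so a status of 2 or more means something earlier on PATH is shadowing the package manager's file.

```shell
#!/bin/sh
# Added example, not code from the thread. Report every executable named $1
# reachable through the ':'-separated directory list $2 (defaults to $PATH),
# in lookup order. The first line printed is what the shell actually runs;
# any further line is a shadowed copy (here: /usr/local/bin/rkhunter hiding
# /usr/bin/rkhunter). The exit status is the number of copies found.
find_shadowed() {
    name=$1
    dirs=${2:-$PATH}
    found=0
    old_ifs=$IFS
    IFS=:
    set -- $dirs              # split the PATH string on ':'
    IFS=$old_ifs
    for dir in "$@"; do
        [ -n "$dir" ] || dir=. # an empty PATH element means the current directory
        f=$dir/$name
        if [ -f "$f" ] && [ -x "$f" ]; then
            found=$((found + 1))
            printf '%s %s\n' "$(sha256sum "$f" | cut -d' ' -f1)" "$f"
        fi
    done
    return "$found"
}

# Assumed usage: `sh this_script.sh --check` reports shadowing of rkhunter.
# Each printed path can then be checked against the package database
# (on Arch, `pacman -Qo <path>`): a copy no package owns is the one to inspect.
if [ "${1:-}" = "--check" ]; then
    n=0
    find_shadowed rkhunter || n=$?
    [ "$n" -ge 2 ] && echo "warning: $n copies of rkhunter on PATH" >&2
fi
```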
Please use [SOLVED] instead of CLOSED as that might denote a thread lock by a mod which hasn't happened.
PS: You don't need to actively line break your posts to a certain format, the viewer's browser can do that, it reads a bit weird to have all of your text limited to a small space artificially.