[Integrit-users] trailing slash (was Re: none)

[Ed L C. <ec...@te...>]

(Cc'ed to the integrit-users mailing list.  For info, see:
  http://sourceforge.net/mail/?group_id=3D15369)

Ra=81=FAl N=81=FA=81=F1ez de Arenas Coronado <der...@ja...> writes:

>     Hello Ed :))
>=20
>     First of all: thanks for integrit. It's a very good job :)

Thanks!  I like it too.

>     I don't use it for security reasons, since I don't have sensitive
> information and nobody's gonna tamper my home PC anyway ;)). I use it
> because I had a not very reliable hard disk and I wanted to check if
> all my binary data remained incorrupted. Now I have a new disk, but
> I'm used to integrit and now, after a fsck, I perfectly know if any
> file has been broken by the power failure and the like. Simply
> fantastic :))

I've heard about several interesting ways people have been using
integrit.  One sysadmin liked using it to find out the users and
developers were doing on a box he inherited.

>     But let's go to the matter: I think that I've discovered a bug in
> integrit. Being sincere, I haven't had enough time to take a look at
> the sources, and so I don't know if it's a known bug. Well, the think
> is that I get a segfault when running integrit, and I've isolated the
> problem: the proc filesystem.

You can't run integrit on the /proc filesystem because it's really not
a filesystem but an interface to the kernel.  Mucking with that
interface as root results in behavior that varies from platform to
platform.

>     I have a rule in the config file saying "!/proc/", *with* the
> trailing slash, and it seems that this way /proc is recursed :?? When
> I remove that slash then integrit runs ok.

That's because integrit is simple: there is no directory named
"/proc/".  Your rule won't apply to "/proc" (which does exist) but
rather to "/proc/" (which probably doesn't).

For 2.03.01, I added a note to the documentation that makes this
explicit, but I think I'm going to add this to the FAQ and the
web page.=20=20

>     Even if the problem is that slash, meaning that the subdirs at
> /proc/ get checked, or if the user wants /proc checked, or if the
> user by mistake forgets to include the rule excluding /proc of the
> running, the program shouldn't crash with a segfault, don't you think
> so?=20

Not in principle.  Like I said above, mucking with the kernel is not
something integrit is designed to do, so if you run integrit on /proc
the results are "undefined".

However, a bugfix in 2.03 might coincidentally fix the crashing.  If
the crashes occur because of failed reads after successful opens, then
the bugfix will eliminate those crashes.  So reports Robert Weber.

...
>     I think that the segfault is due to the use of 'mmap()', and if
> so the only way of getting rid of it is to disable 'mmap()' at
> compile time. If this is the case, please excuse me for this bug
> report: obviously integrit cannot fix anything.

I suspect the segfault isn't an mmap thing.

>     Well, thanks a lot for such a good program, and if you need more
> information for investigating the bug please don't doubt contacting
> me. And excuse my poor english: I come from Spain.

Your message was very readable.  Thank you for the feedback.

--=20
--Ed Cashin                   PGP public key:
  ec...@te...       http://www.terry.uga.edu/~ecashin/pgp/