Re: [Linux-ima-user] Interpreter instead of script in IMA

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

On Wed, 2012-04-25 at 12:05 +0200, Andrew Lunn wrote:
> Hi Folks
> 
> I've found something which does not make much sense to me. 
> 
> Linux kernel 3.3.0
> 
> In /sys/kernel/security/ima/ascii_runtime_measurements i have lots of
> entries, nearly all as expected. However, i also have:
> 
> 10 c6e74a02c40124914c1dc367f7b140b1ccadb017 ima c8df4bc0118711ae391df58e9a4381a0f64a458d /etc/init.d/rcS
> 10 29de86918f2697f1c8b83a5cde7105f415835a7b ima 968c2722e58d7851e8cd1d346131aebc36ef8774 /etc/init.d/rcS
> 
> and
> 
> 10 6df04e744253accd8243b5efa7eb1c7cadc8a038 ima 35dcb0f1d0d47395bc9c76c7922f7e7b25dbb4da /sbin/dhclient-script
> 10 e0eb67d8d2ca1e7ef7e86e47330863cb41336123 ima 5515a54302e5eecc6338ef7ff1300d2e94d204c3 /sbin/dhclient-script
> 
> The first of each pair is O.K:
> 
> sha1sum /etc/init.d/rcS /sbin/dhclient-script 
> c8df4bc0118711ae391df58e9a4381a0f64a458d  /etc/init.d/rcS
> 35dcb0f1d0d47395bc9c76c7922f7e7b25dbb4da  /sbin/dhclient-script
> 
> But the second entry for each pair causes lots of confusion. However,
> what i found is:
> 
> 968c2722e58d7851e8cd1d346131aebc36ef8774  /bin/dash
> 5515a54302e5eecc6338ef7ff1300d2e94d204c3  /bin/bash
> 
> So the second entry for each is the interpreter of the script, not the
> script itself as suggested by the filename hint.
> 
> Is this expected behavior?
> 
> Thanks
> 	Andrew

It's definitely not the 'expected behavior', nor did it behave this way
originally.  I'm looking into it.

thanks,

Mimi