
#148 "Found preloaded shared library" test not understanding comments

main
closed-fixed
None
5
2016-11-15
2016-04-02
No

A Debian user reported the following on the Debian tracker (http://bugs.debian.org/816089):

"A commented out entry in /etc/ld.so.preload is interpreted as a filename in rkhunter:

pi> cat /etc/ld.so.preload
#/usr/lib/arm-linux-gnueabihf/libcofi_rpi.so

This alerts:
Warning: Found preloaded shared library: #/usr/lib/arm-linux-gnueabihf/libcofi_rpi.so

If I add this commented out entry to SHARED_LIB_WHITELIST to try to
fool rkhunter, naturally it doesn't like that this doesn't look like
an absolute filename:

SHARED_LIB_WHITELIST="/usr/lib/arm-linux-gnueabihf/libcofi_rpi.so #/usr/lib/arm-linux-gnueabihf/libcofi_rpi.so"

Invalid SHARED_LIB_WHITELIST configuration option: Relative pathname: #/usr/lib/arm-linux-gnueabihf/libcofi_rpi.so

It'd be better if rkhunter understood the comment meant the library
wasn't loaded and hence could not possibly be a threat that had to be
tested."
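The behaviour the report asks for, as an added shell example (not rkhunter's own code and not the fix John Horne committed): read the preload file by the dynamic loader's own rules, where entries are separated by whitespace or colons and `#` starts a comment that runs to the end of the line, then report only active entries missing from a whitelist. The function names and the `libexample_*` paths are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample paths are hypothetical.

# Print the active entries of a preload file, one per line.
# Comments ('#' to end of line) are dropped before splitting, so a
# commented-out library is never reported as preloaded.
preload_entries() {
    [ -r "$1" ] || return 0
    sed -e 's/#.*$//' "$1" | tr ': \t' '\n\n\n' | sed -e '/^$/d'
}

# Print active entries that are not in the whitelist.
# $1: preload file, $2: space-separated list of absolute paths.
unlisted_preloads() {
    preload_entries "$1" | while IFS= read -r lib; do
        case " $2 " in
            *" $lib "*) ;;                      # whitelisted, stay quiet
            *) printf '%s\n' "$lib" ;;          # active and not whitelisted
        esac
    done
}

# Write a constructed sample file: the commented-out line from the
# report plus made-up active entries, a trailing comment and a colon list.
make_sample() {
    cat > "$1" <<'EOF'
#/usr/lib/arm-linux-gnueabihf/libcofi_rpi.so
/usr/lib/libexample_a.so  # trailing comment
/usr/lib/libexample_b.so:/usr/lib/libexample_c.so
EOF
}

# Demo: only libexample_b.so and libexample_c.so are reported.
tmp=$(mktemp)
make_sample "$tmp"
unlisted_preloads "$tmp" "/usr/lib/libexample_a.so" |
    sed -e 's/^/Warning: Found preloaded shared library: /'
rm -f "$tmp"
```

Because comments are stripped before the whitelist comparison, no `#`-prefixed string ever needs to appear in `SHARED_LIB_WHITELIST`.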

Discussion

  • John Horne

    John Horne - 2016-04-03

    You are correct. This is a bug. I have now fixed this in the CVS version of rkhunter.

     
  • unSpawn

    unSpawn - 2016-11-15
    • status: open --> closed-fixed
    • assigned_to: John Horne
     
  • unSpawn

    unSpawn - 2016-11-15

    Closed as fixed by John.

     
