There are two reasons why chkrootkit is descending into NFS directories
despite the -n option:
---
First, when run by cron, $HOME == '/'. So, in the aliens function,
the find commands that use $HOME go through the whole disk, which is
already going to be relatively slow.
expertmode_output "${find} ${ROOTDIR}${HOME} ${findargs} -name .*history -size 0"
But these commands don't really care about recursion in fact. So I'd
suggest rewriting them as:
expertmode_output "${find} ${ROOTDIR}${HOME} -maxdepth 1 -name .*history -size 0"
Unless -maxdepth 1 is not portable enough? The tnfs() function seems to
think it isn't.
Furthermore this check is pretty useless if HOME does not point to
root's HOME directory. So I'd suggest something like this:
if [ \( -z "${HOME}" -o "${HOME}" = "/" \) -a `id -u` = "0" -a -d "/root" ]; then
    HOME="/root"
fi
---
Second, '! -fstype nfs' will not stop find from recursing through the
NFS directories. All it does is stop further rules from matching files
on NFS filesystems. What was meant is probably the following:
findargs=" -fstype nfs -prune -o "
This means that if the file or directory is on NFS then we go no
further. Otherwise we apply the rules following the '-o'.
All in all this gives the attached patch.
--
Francois Gouget <[EMAIL PROTECTED]> http://fgouget.free.fr/
The last time religion ruled, it was called the dark ages.
--- chkrootkit.orig 2006-06-21 18:05:06.000000000 +0200
+++ chkrootkit 2006-06-21 18:55:21.000000000 +0200
@@ -334,6 +334,9 @@
}
aliens () {
+ if [ \( -z "${HOME}" -o "${HOME}" = "/" \) -a `id -u` = "0" -a -d "/root"
]; then
+ HOME="/root"
+ fi
if [ "${EXPERT}" = "t" ]; then
### suspicious files
FILES="usr/bin/sourcemask usr/bin/ras2xm usr/sbin/in.telnet \
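Review bot: the `id -u` command substitution in the new HOME fallback is unquoted, so if `id -u` fails or prints nothing the test collapses to `-a = "0"` and `[` reports a syntax error instead of skipping the fallback; write `"\`id -u\`" = "0"`. A short comment above the `if` saying why HOME is rewritten (cron runs chkrootkit with HOME=/) would also save the next reader a trip to the list archive.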
@@ -551,9 +554,9 @@
### shell history file check
if [ ! -z "${SHELL}" -a ! -z "${HOME}" ]; then
- expertmode_output "${find} ${ROOTDIR}${HOME} ${findargs} -name .*history
\
+ expertmode_output "${find} ${ROOTDIR}${HOME} -maxdepth 1 -name .*history
\
-size 0"
- expertmode_output "${find} ${ROOTDIR}${HOME} ${findargs} -name .*history
\
+ expertmode_output "${find} ${ROOTDIR}${HOME} -maxdepth 1 -name .*history
\
\( -links 2 -o -type l \)"
fi
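Review bot: `-maxdepth 1` is hard-coded into both expertmode_output lines even though the script already probes `find /etc -maxdepth 0` before setting findargs (the hunk at 1166); on a find without -maxdepth these two commands will now fail outright rather than degrade to the old recursive scan. Set a variable next to findargs (for example `maxdepth1=" -maxdepth 1 "` when that probe succeeds, empty otherwise) and use `${maxdepth1}` here.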
@@ -1078,10 +1081,10 @@
printn "Searching for anomalies in shell history files... "; fi
files=""
if [ ! -z "${SHELL}" -a ! -z "${HOME}" ]; then
- files=`${find} ${ROOTDIR}${HOME} ${findargs} -name '.*history' -size 0`
+ files=`${find} ${ROOTDIR}${HOME} -maxdepth 1 -name '.*history' -size 0`
[ ! -z "${files}" ] && \
echo "Warning: \`${files}' file size is zero"
- files=`${find} ${ROOTDIR}${HOME} ${findargs} -name '.*history' \( -links
2 -o -type l \)`
+ files=`${find} ${ROOTDIR}${HOME} -maxdepth 1 -name '.*history' \( -links
2 -o -type l \)`
[ ! -z "${files}" ] && \
echo "Warning: \`${files}' is linked to another file"
fi
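Review bot: this block is guarded by `! -z "${HOME}"`, so with HOME unset it is skipped entirely rather than falling back to /root; the HOME fallback added in the aliens() hunk only helps here if this code runs after it, which the hunk context does not show. Hoisting the fallback to the script's setup, next to where findargs is computed, would make the history check at 1081 benefit from it unconditionally.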
@@ -1163,10 +1166,10 @@
findargs=""
if find /etc -maxdepth 0 >/dev/null 2>&1; then
find /etc ! -fstype nfs -maxdepth 0 >/dev/null 2>&1 && \
- findargs="! -fstype nfs "
+ findargs=" -fstype nfs -prune -o "
elif find /etc -prune > /dev/null 2>&1; then
find /etc ! -fstype nfs -prune > /dev/null 2>&1 && \
- findargs="! -fstype nfs "
+ findargs=" -fstype nfs -prune -o "
fi
}
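Review bot: with `findargs=" -fstype nfs -prune -o "` every remaining caller of ${findargs} that relies on find's implicit -print will now also list each NFS mount point, because -prune evaluates to true and the implicit -print applies to the whole expression `-fstype nfs -prune -o <tests>`. Those callers need an explicit `-print` after their own tests (e.g. `${find} ${ROOTDIR} ${findargs} -name foo -print`) so that only the right-hand branch prints. The two probe lines also still test `! -fstype nfs` while the emitted argument is `-fstype nfs -prune`; probing the exact expression that is emitted would be clearer.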
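The difference between `! -fstype nfs` and `-fstype nfs -prune -o` described above, as an added example that is not part of chkrootkit or the posted patch. No NFS mount can be created inside an example, so a directory named `nfs` stands in for an NFS mount point and `-name nfs` plays the role of `-fstype nfs`; the tree it searches is constructed by `make_tree`. It also shows why a prune expression needs an explicit `-print`, and what `-maxdepth 1` does to the same search.

```shell
#!/bin/sh
# Added example (not chkrootkit's code). A directory called "nfs" simulates an
# NFS mount point, and "-name nfs" stands in for "-fstype nfs".
set -e

# Build a constructed HOME-like tree: an empty .bash_history at the top level
# and an empty .sh_history below the simulated NFS mount. Prints the root.
make_tree() {
    d=$(mktemp -d)
    : > "$d/.bash_history"              # size 0, directly in "HOME"
    mkdir -p "$d/nfs/home/user"
    : > "$d/nfs/home/user/.sh_history"  # size 0, under the simulated NFS mount
    echo "$d"
}

# Original form: "! -name nfs" (think "! -fstype nfs") only filters matches;
# find still descends into nfs/ and reports the history file below it.
count_negated() {
    find "$1" ! -name nfs -name '.*history' -size 0 | wc -l | tr -d ' '
}

# Patched form with an explicit -print on the right-hand branch: the mount
# point is pruned, so nothing under it is visited or printed.
count_pruned() {
    find "$1" -name nfs -prune -o -name '.*history' -size 0 -print \
        | wc -l | tr -d ' '
}

# Same prune expression but relying on find's implicit -print: -prune is true,
# so the mount point itself is printed alongside the real match.
count_pruned_implicit_print() {
    find "$1" -name nfs -prune -o -name '.*history' -size 0 | wc -l | tr -d ' '
}

# -maxdepth 1 (GNU/BSD extension, not POSIX) never descends at all, which is
# all the history-file check needs.
count_maxdepth() {
    find "$1" -maxdepth 1 -name '.*history' -size 0 | wc -l | tr -d ' '
}

# Stand-alone run: prints one count per variant, then cleans up.
if [ "${1:-}" = "demo" ]; then
    root=$(make_tree)
    echo "negated:         $(count_negated "$root")"
    echo "pruned+print:    $(count_pruned "$root")"
    echo "pruned implicit: $(count_pruned_implicit_print "$root")"
    echo "maxdepth 1:      $(count_maxdepth "$root")"
    rm -rf "$root"
fi
```

Run it as `sh example.sh demo`: the negated form finds both history files (it walked into the simulated mount), the pruned form with `-print` finds only the top-level one, the pruned form without `-print` finds two again because the `nfs` directory itself is printed, and `-maxdepth 1` finds only the top-level file.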