[Aide] AIDE equals matching broken after 0.10

Robert Griffin rmg at ua.edu
Thu Dec 20 14:09:52 EET 2007 

Thank you!

I spotted that when I started using AIDE:

https://mailman.cs.tut.fi/pipermail/aide/2007-May/000818.html

But nobody ever replied to my question about which was the correct
behavior. I've since had to advise others not to use regexp special
characters in equals lines:

https://mailman.cs.tut.fi/pipermail/aide/2007-October/000864.html

So yes, I'd like to see the bug reported and fixed (though I have
yet to review your patch carefully).

	--Robby

On Dec 19, 2007, at 19:54, Brian De Wolf wrote:

> Greetings,
>
> We were recently upgrading packages and we moved from 0.10 to  
> 0.13.1 of AIDE. Unfortunately, our matching stopped working  
> correctly after this upgrade.  The equals matches would not match,  
> leaving us with directories and files that reported changes that we  
> were not concerned about.
>
> I have tracked this issue down to a patch that was applied for a  
> bug that didn't fix the issue it encountered correctly.  This was  
> between CVS revisions 1.6 and 1.7.  The bug that is related is at  
> http://sourceforge.net/tracker/index.php? 
> func=detail&aid=984424&group_id=86976&atid=581581 also known as bug  
> 984424.
>
> Now, the original issue certainly is an actual bug.  During the  
> check_node_for_match recursion, the equals list was checked for  
> every parent node, rather than being checked only on the first  
> node.  However, Zhi Wen Wong's fix did not remove these checks.   
> Instead, when one was matched as a regex, he made it also do a  
> string comparison of the file and the regex, without the '^'.  Of  
> course, as is in all of the examples, equal matches are recommended  
> to have '$' at the end.  Since it seemed like a good idea we did  
> this for all of our equal matches and, as you can guess, all of our  
> equal matches failed to match after we upgraded.
>
> Basically, instead of removing the erroneous checks, he converted  
> equal checks into string comparisons which causes all equal checks  
> in parent nodes to fail. (it is impossible for a match in /var to  
> pass a string comparison with a file in /var/log/, since if it  
> would match a string comparison it should have been in the /var/ 
> log/ node.)
>
> I have written a patch that removes the string comparison code (so  
> equal matches can be regexes like they're supposed to be) and fixes  
> the check_node_for_match functionality to match that of the pseudo- 
> code listed in the 0.13 manual.  This allows equal matches to work  
> correctly.  I have attached this patch.
>
> Should I also make a bug in the sourceforge tracker?
>
> Thanks!
> Brian De Wolf
> --- src/gen_list.c.orig	2007-12-19 15:37:13.000000000 -0800
> +++ src/gen_list.c	2007-12-19 16:19:43.000000000 -0800
> @@ -732,33 +732,6 @@
>    return retval;
>  }
>
> -//this is used to check if $text if equal to a node in $rxrlist
> -//should be used to check equ_rx_lst only
> -int check_list_for_equal(list* rxrlist,char* text,DB_ATTR_TYPE* attr)
> -{
> -  list* r=NULL;
> -  int retval=1;
> -  char *temp;
> -
> -  for(r=rxrlist;r;r=r->next){
> -    temp=((rx_rule*)r->data)->rx;
> -
> -    //FIXME, if rx not begin with ^, may need to do something else
> -    if(temp[0]=='^') //^ is for reg exp, we can ignore this character
> -      temp++;
> -
> -    //we don't need to worry about buff-overflow, so strcmp is safe
> -    if((retval=strcmp(temp, text))==0){
> -      *attr=((rx_rule*)r->data)->attr;
> -      error(231,"\"%s\" matches string from line #%ld: %s\n",text, 
> ((rx_rule*)r->data)->conf_lineno,((rx_rule*)r->data)->rx);
> -      break;
> -    } else {
> -      error(231,"\"%s\" doesn't match string from line #%ld: %s 
> \n",text,((rx_rule*)r->data)->conf_lineno,((rx_rule*)r->data)->rx);
> -    }
> -  }
> -  return retval;
> -}
> -
>  /*
>   * Function check_node_for_match()
>   * calls itself recursively to go to the top and then back down.
> @@ -783,35 +756,24 @@
>      return retval;
>    }
>
> -  /* We need this to check whether this was the first one *
> -   * to be called and not a recursive call */
> -  if(!((retval&16)==16)){
> -    retval|=16;
> +  /* if this call is not recursive we check the equals list and we  
> set top *
> +   * and retval so we know following calls are recursive */
> +  if(!(retval&16)){
>      top=1;
> -  } else {
> -    top=0;
> -  }
> -
> -  /* if no deeper match found */
> -  if(!((retval&8)==8)&&!((retval&4)==4)){
> +    retval|=16;
> +
>      if(!check_list_for_match(node->equ_rx_lst,text,attr)){
> -      /*
> -	Zhi Wen Wong added this line to fix bug that equ not work for
> -	compare
> -	if we do "=/bin", we should only check /bin
> -	so, /bin/bash or /bin/something should return 0 as neg
> -      */
> -      if(!check_list_for_equal(node->equ_rx_lst,text,attr))
> -	retval|=(2|4);
> -    };
> -  };
> +      retval|=2|4;
> +    }
> +  }
>    /* We'll use retval to pass information on whether to recurse
>     * the dir or not */
>
>
> -  if(!((retval&8)==8)&&!((retval&4)==4)){
> +  /* If 4 and 8 are not set, we will check for matches */
> +  if(!(retval&(4|8))){
>      if(!check_list_for_match(node->sel_rx_lst,text,attr))
> -      retval|=(1|8);
> +      retval|=1|8;
>    }
>
>    /* Now let's check the ancestors */
> _______________________________________________
> Aide mailing list
> Aide at cs.tut.fi
> https://mailman.cs.tut.fi/mailman/listinfo/aide

More information about the Aide mailing list