https://github.com/osquery/osquery logo
Join Slack
Powered by
Oops. 5.10 broke `magic`: ```pemberton:updates sep...
# core
s
Oops. 5.10 broke `magic`:
Copy code
pemberton:updates seph$ ./osqueryd/5.9.1/osqueryd -S 'SELECT * FROM magic WHERE path="/bin/ls"'
+---------+-----------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------+---------------------------+--------------------+
| path    | magic_db_files                                      | data                                                                                                                            | mime_type                 | mime_encoding      |
+---------+-----------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------+---------------------------+--------------------+
| /bin/ls | /usr/share/file/magic.mgc:/usr/share/misc/magic.mgc | Mach-O universal binary with 2 architectures: [x86_64:Mach-O 64-bit executable x86_64] [arm64e:Mach-O 64-bit executable arm64e] | application/x-mach-binary | (null)(null)binary |
+---------+-----------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------+---------------------------+--------------------+

pemberton:updates seph$ ./osqueryd/5.10.2/osqueryd -S 'SELECT * FROM magic WHERE path="/bin/ls"'
/usr/share/file/magic.mgc, 1: Warning: offset `?' invalid
Version=' invalidagic.mgc, 2: Warning: offset `
/usr/share/file/magic.mgc, 3: Warning: offset `' invalid
/usr/share/file/magic.mgc, 6: Warning: offset `Firmware v' invalid
/usr/share/file/magic.mgc, 12: Warning: offset `' invalid
Corel Corporation' invalid 13: Warning: offset `
I’m inclined to blame the libmagic upgrade in https://github.com/osquery/osquery/pull/8142
s
Not really, the magic table is sort of broken since a while
the problem is that the magic file we have to use is not from the system, because its format is connected to the libmagic version
The magic table has to be changed to enable a custom path for magic files, and then we have to ship the magic file that comes with the library
There should be an issue open already
(oh you've found it)
s
Yeah,. that issue made it pretty clear that the underlying cause is that our statically linked libmagic diverges from the OS distributed database.
I wonder what the right answer is. The only other table that requires something outside the bare osquery binary is augeas. So it feels a little weird to suddenly require a separate DB.
I wonder if we want to prepend an osquery path to the stock path. Then either you get the osquery one, or you get the system one, if it works
Yuck.
This file 🙄 It has entries to identify what area your Quake 1 save file is from.
👌 1
s
Ah yeah, it's a collection of everything and more haha
I forgot that the table already accepts 
magic_db_files
as a constraint, and then joins the system available files. I think we should just change the system available ones with the ones we ship
Putting them under our 
share
folder, like with augeas
The alternative is less battery included (if we fear that people will question that dependency); we can still ship the file but to work the table then needs that constraint to pass the files (or a flag that points to a folder). Meaning there's no default file being used. That is obviously a breaking change.
s
I think we should follow the pattern from augeas. And also move conversation to GitHub 🙂
5 Views
Open in Slack
PreviousNext
Powered by