False positive when process started by running a symlink to the binary
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| unhide.rb | Fix Released | Undecided | Johan Walles | |
| unhide.rb (Debian) | New | Undecided | Unassigned | |
Bug Description
Check PID 3379: I think this is related to the process having been launched from a symlink.
The PID 4606 problem looks to be a race condition with the pre-forked children and I'll try to characterize it later.
Thanks!
--lbruno
10:21:54 root@lithium:~> ls -l "/usr/sbin/apache2"
lrwxrwxrwx 1 root root 30 Dec 30 2010 /usr/sbin/apache2 -> ../lib/
10:33:35 root@lithium:~> unhide.rb
Scanning for hidden processes...
Suspicious PID 3379:
Seen by ps ("/usr/
Seen by /proc tasks ("/usr/
Not seen by getsid()
Not seen by getpgid()
Not seen by getpriority()
Not seen by sched_getparam()
Not seen by sched_getaffinity()
Not seen by sched_getschedu
Not seen by sched_rr_
Suspicious PID 4606:
Not seen by ps
Seen by /proc ("/usr/
Seen by getsid()
Seen by getpgid()
Seen by getpriority()
Seen by sched_getparam()
Seen by sched_getaffinity()
Seen by sched_getschedu
Seen by sched_rr_
10:34:42 root@lithium:~>
Hi!
Both of these issues are because unhide.rb is racing with process shutdown (3379) and startup (4606). Symlinks have nothing to do with this.
I just committed a fix for this: http://bazaar.launchpad.net/~walles/unhide.rb/trunk/revision/13
The fix is to check suspicious processes again. If they don't trigger any warning the second time around they aren't listed.
Also, I fixed a discrepancy between the docs and the actual behavior. All warnings are now printed on stderr.
Regards //Johan
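The following is an added example illustrating the re-check approach Johan describes; it is not unhide.rb's own code. It is written in Ruby because unhide.rb is, and it keeps the same idea: ask several independent kernel views whether a PID exists (here /proc and a few syscalls, a subset of the rows in the output above, with names chosen to match that output), flag PIDs on which the views disagree, and then probe the flagged PIDs a second time so that processes caught in the middle of startup or shutdown drop out. The probe set, the pause length and the PID-space cap are assumptions made for the example; the scan itself only makes sense on Linux, like unhide.rb.

```ruby
# Cross-check a PID's visibility through independent kernel views, then probe
# anything inconsistent a second time so that processes merely starting up or
# exiting are not reported. Added example in the spirit of unhide.rb, not the
# project's own code.

# True if the kernel acknowledges the PID through the given syscall.
# ESRCH means "no such process"; EPERM means it exists but is off limits to us.
def syscall_sees?(pid)
  yield pid
  true
rescue Errno::ESRCH
  false
rescue Errno::EPERM
  true
end

# Each probe answers "is this PID visible through you?". Names mirror the rows
# unhide.rb prints; this is a subset of its checks (assumption for the example).
PROBES = {
  "/proc"         => ->(pid) { File.directory?("/proc/#{pid}") },
  "getsid()"      => ->(pid) { syscall_sees?(pid) { |p| Process.getsid(p) } },
  "getpgid()"     => ->(pid) { syscall_sees?(pid) { |p| Process.getpgid(p) } },
  "getpriority()" => ->(pid) { syscall_sees?(pid) { |p| Process.getpriority(Process::PRIO_PROCESS, p) } },
}.freeze

# Ask every probe about one PID: { "/proc" => false, "getsid()" => true, ... }
def probe(pid, probes = PROBES)
  probes.transform_values { |p| p.call(pid) }
end

# A PID is suspicious only when the views disagree: "nobody sees it" is an
# unused PID and "everybody sees it" is an ordinary process.
def suspicious?(results)
  results.values.uniq.size > 1
end

# Single pass: every PID on which the probes disagree.
def scan(pids, probes = PROBES)
  pids.select { |pid| suspicious?(probe(pid, probes)) }
end

# The fix from the bug: PIDs flagged on the first pass are probed again after a
# short pause. A process that was only starting or exiting is consistent by
# then and is dropped; only PIDs that still disagree are reported.
def scan_with_recheck(pids, probes = PROBES, pause: 0.5)
  first = scan(pids, probes)
  sleep pause unless first.empty?
  first.select { |pid| suspicious?(probe(pid, probes)) }
end

# Render one finding in the same shape as unhide.rb's output.
def report(pid, probes = PROBES)
  lines = ["Suspicious PID #{pid}:"]
  probe(pid, probes).each do |name, seen|
    lines << (seen ? "  Seen by #{name}" : "  Not seen by #{name}")
  end
  lines.join("\n")
end

if __FILE__ == $PROGRAM_NAME
  # Walk the PID space instead of trusting /proc's directory listing, since a
  # hidden process is exactly one that /proc may not list. Capped at 32768 PIDs
  # here purely to keep the example quick (an arbitrary cap).
  pid_max_file = "/proc/sys/kernel/pid_max"
  pid_max = File.exist?(pid_max_file) ? File.read(pid_max_file).to_i : 32_768
  candidates = (1..[pid_max, 32_768].min).to_a
  puts "Scanning for hidden processes..."
  hits = scan_with_recheck(candidates)
  hits.each { |pid| $stderr.puts report(pid) }   # warnings go to stderr, as in the fix
  puts "No inconsistencies found" if hits.empty?
end
```

Because the probes are passed in as a hash of lambdas, the same code can be exercised against simulated views: a probe that answers "seen" once and "not seen" afterwards reproduces the PID 3379 shutdown race, and the second pass in `scan_with_recheck` removes it while a PID that stays inconsistent is still reported.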