False positive when process started by running a symlink to the binary
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| unhide.rb |
Fix Released
|
Undecided
|
Johan Walles | ||
| unhide.rb (Debian) |
New
|
Undecided
|
Unassigned | ||
Bug Description
Check PID 3379: I think this is related to the process having been launched froma symlink.
The PID 4606 problem looks to be a race condition with the pre-forked children and I'll try to characterize it later.
Thanks!
--lbruno
10:21:54 root@lithium:~> ls -l "/usr/sbin/apache2"
lrwxrwxrwx 1 root root 30 Dec 30 2010 /usr/sbin/apache2 -> ../lib/
10:33:35 root@lithium:~> unhide.rb
Scanning for hidden processes...
Suspicious PID 3379:
Seen by ps ("/usr/
Seen by /proc tasks ("/usr/
Not seen by getsid()
Not seen by getpgid()
Not seen by getpriority()
Not seen by sched_getparam()
Not seen by sched_getaffinity()
Not seen by sched_getschedu
Not seen by sched_rr_
Suspicious PID 4606:
Not seen by ps
Seen by /proc ("/usr/
Seen by getsid()
Seen by getpgid()
Seen by getpriority()
Seen by sched_getparam()
Seen by sched_getaffinity()
Seen by sched_getschedu
Seen by sched_rr_
10:34:42 root@lithium:~>
| Johan Walles (walles) wrote | #1 |
| Changed in unhide.rb: | |
| status: | New → Fix Released |
| tags: | removed: symlink |
| Changed in unhide.rb: | |
| assignee: | nobody → Johan Walles (walles) |
| Luis Bruno (d-it) wrote | #2 |
Hi!
Both of these issues are because unhide.rb is racing with process shutdown (3379) and startup (4606). Symlinks have nothing to do with this.
I just committed a fix for this:
http://
The fix is to check suspicious processes again. If they don't trigger any warning the second time around they aren't listed.
Also, I fixed a discrepancy between the docs and the actual behavior. All warnings are now printed on stderr.
Regards //Johan