On Fri, 17 Aug 2012 16:44:32 CEST, NoOp wrote:
> ...
> And from Fedora 17 (rpm)
> LO3.6:
> $ lsof -U | grep soffice
> soffice.b 30094 gg 6u unix 0xf4440b40 0t0 116738 socket
> soffice.b 30094 gg 10u unix 0xf4441d40 0t0 116742
> /tmp/OSL_PIPE_1000_SingleOfficeIPC_5d6a40e77981cf59bf3a90df38dfa5f7
> soffice.b 30094 gg 27u unix 0xf44406c0 0t0 116776 socket
> soffice.b 30094 gg 28u unix 0xf4441680 0t0 116778 socket
> soffice.b 30094 gg 33u unix 0xdb205680 0t0 116782 socket
>
> $ rkhunter --version
> Rootkit Hunter 1.4.0
>
> No warnings regarding anything 'soffice' in the rkhunter logs.
Thanks for your input. Can you confirm that this command doesn't
produce any result related to LibreOffice:
rkhunter --enable packet_cap_apps --report-warnings-only
After investigating a bit more, and running rkhunter in debug mode,
here is what I found:
rkhunter searches for the inodes listed in /proc/net/packet and then searches
for these inodes in the output of lsof (to get the command which created the
process). But this second search is a simple grep, and can match
something other than a PID.
In my case, I get:
$ cat /proc/net/packet
sk RefCnt Type Proto Iface R Rmem User Inode
ffff8100bdbe0c00 3 3 0003 2 1 0 0 8374
This is probably dhclient, but I need to confirm it.
$ lsof -lMnPw -d 1-20 | egrep 8374
# this is the command used by rkhunter
soffice.b 15012 1058 15r REG 8,2 8374 1954680
/opt/libreoffice3.6/program/resource/ofaen-US.res
Here, the inode found in /proc/net/packet matches the size
of ofaen-US.res, not its inode!
The relevant part of the debug logs produced by rkhunter is:
[snip]
+ INODE_LIST=
++ egrep -v '^sk|888e' /proc/net/packet
++ awk '{ print $9 }'
+ for INODE in '`egrep -v '\''^sk|888e'\'' /proc/net/packet | awk '\''{ print
$9 }'\''`'
+ INODE_LIST='|8374'
++ echo '|8374'
++ sed -e 's/^|//'
+ INODE_LIST=8374
[snip]
+ for PID in '`${LSOF_CMD} -lMnPw -d 1-20 | egrep "[ ](${INODE_LIST})[
]" | awk '\''{ print $2 }'\''`'
+ NAME=
+ '[' -h /proc/15012/exe -a 1 -eq 1 ']'
++ /usr/bin/readlink -f /proc/15012/exe
++ cut '-d ' -f1
+ NAME=/opt/libreoffice3.6/program/soffice.bin
+ test -z /opt/libreoffice3.6/program/soffice.bin
+ AMATCH=1
+ for RKHTMPVAR in '${ALLOWPROCLISTENERS}'
+ '[' /opt/libreoffice3.6/program/soffice.bin = /sbin/dhclient ']'
+ for RKHTMPVAR in '${ALLOWPROCLISTENERS}'
+ '[' /opt/libreoffice3.6/program/soffice.bin = /usr/bin/dhcpcd ']'
+ for RKHTMPVAR in '${ALLOWPROCLISTENERS}'
+ '[' /opt/libreoffice3.6/program/soffice.bin = /usr/sbin/dhcpd ']'
+ '[' 1 -eq 0 ']'
+ FOUND=1
+ BLACKPROC='
/opt/libreoffice3.6/program/soffice.bin 15012'
[snip]
I'll contact the authors of rkhunter to get confirmation, and
hopefully correction, of this problem.
Thanks again for helping to clarify the situation,
--
Philippe Naudin
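The mismatch described in the mail above, as an added example that is not part of the original message or of rkhunter's own code. It reproduces the loose grep (any whitespace-delimited token equal to the inode, anywhere on the lsof line) against a constructed lsof line modelled on the one in the mail, where 8374 is the file size of ofaen-US.res, and contrasts it with an exact match on the "socket:[INODE]" targets of /proc/<pid>/fd symlinks, which is the alternative proposed here, not rkhunter's method. The /proc tree, the /proc/net/packet contents and the PID 1324 holding the packet socket are constructed sample data; that the socket belongs to dhclient is an assumption carried over from the mail.

```shell
#!/bin/sh
# Added example, not rkhunter's code. Two ways of mapping a packet-socket
# inode from /proc/net/packet to a process: the loose grep over lsof output
# (which can match the SIZE/OFF column), and an exact match on the
# "socket:[INODE]" targets of /proc/<pid>/fd symlinks.

# Constructed lsof -lMnPw -d 1-20 line, modelled on the one in the mail:
# COMMAND PID UID FD TYPE DEVICE SIZE/OFF NODE NAME. 8374 is the file size.
LSOF_SAMPLE='soffice.b 15012 1058 15r REG 8,2 8374 1954680 /opt/libreoffice3.6/program/resource/ofaen-US.res'

# Inodes of packet sockets, from a file in /proc/net/packet format.
# Column 4 is Proto; 888e (EAPOL) is skipped, as rkhunter does, but with an
# exact column test instead of a substring match on the whole line.
packet_inodes() {   # $1 = path to the file (normally /proc/net/packet)
    awk 'NR > 1 && $4 != "888e" { print $9 }' "$1"
}

# The rkhunter-style search: any whitespace-delimited token equal to the
# inode, anywhere on the line. Prints PIDs (column 2) of matching lines.
loose_match() {   # $1 = inode
    printf '%s\n' "$LSOF_SAMPLE" | grep -E "[ ]($1)[ ]" | awk '{ print $2 }'
}

# Exact resolution: a socket fd links to the literal "socket:[INODE]", so
# only a real holder of that socket can match. The proc root is a parameter
# so the function can be exercised against a constructed tree.
pids_for_socket_inode() {   # $1 = inode, $2 = proc root (default /proc)
    inode=$1; root=${2:-/proc}
    for fd in "$root"/[0-9]*/fd/*; do
        [ -L "$fd" ] || continue
        target=$(readlink "$fd" 2>/dev/null) || continue
        if [ "$target" = "socket:[$inode]" ]; then
            pid=${fd#"$root"/}
            printf '%s\n' "${pid%%/*}"
        fi
    done | sort -u
}

# Constructed stand-in for /proc: PID 15012 has the .res file open on fd 15
# (its size happens to be 8374) and an assumed PID 1324 holds socket 8374.
# Also writes a /proc/net/packet lookalike with one EAPOL socket to skip.
# Prints the directory it created.
make_fake_proc() {
    d=$(mktemp -d)
    mkdir -p "$d/15012/fd" "$d/1324/fd"
    ln -s /opt/libreoffice3.6/program/resource/ofaen-US.res "$d/15012/fd/15"
    ln -s 'socket:[8374]' "$d/1324/fd/5"
    printf 'sk RefCnt Type Proto Iface R Rmem User Inode\n' > "$d/packet"
    printf 'ffff8100bdbe0c00 3 3 0003 2 1 0 0 8374\n' >> "$d/packet"
    printf 'ffff8100bdbe0d00 2 3 888e 2 1 0 0 9999\n' >> "$d/packet"
    printf '%s\n' "$d"
}

demo() {
    d=$(make_fake_proc)
    for ino in $(packet_inodes "$d/packet"); do
        echo "inode $ino: loose grep over lsof blames PID $(loose_match "$ino")"
        echo "inode $ino: /proc/*/fd links point at PID $(pids_for_socket_inode "$ino" "$d")"
    done
    rm -rf "$d"
}

demo
```

Against the real system, call pids_for_socket_inode with the inode from /proc/net/packet and no second argument; reading another user's /proc/<pid>/fd requires root, which a rootkit scan already has.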
--
For unsubscribe instructions e-mail to: [email protected]
Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.libreoffice.org/global/users/
All messages sent to this list will be publicly archived and cannot be deleted