On Fri 17 Aug 2012 16:44:32 CEST, NoOp wrote:
...
And from Fedora 17 (rpm)
LO3.6:
$ lsof -U | grep soffice
soffice.b 30094   gg    6u  unix 0xf4440b40      0t0 116738 socket
soffice.b 30094   gg   10u  unix 0xf4441d40      0t0 116742
/tmp/OSL_PIPE_1000_SingleOfficeIPC_5d6a40e77981cf59bf3a90df38dfa5f7
soffice.b 30094   gg   27u  unix 0xf44406c0      0t0 116776 socket
soffice.b 30094   gg   28u  unix 0xf4441680      0t0 116778 socket
soffice.b 30094   gg   33u  unix 0xdb205680      0t0 116782 socket

$ rkhunter --version
Rootkit Hunter 1.4.0

No warnings regarding anything 'soffice' in the rkhunter logs.

Thanks for your input. Can you confirm that this command doesn't
produce any result related to LibreOffice:
rkhunter --enable packet_cap_apps --report-warnings-only

After investigating a bit more, and running rkhunter in debug mode,
here is what I found:
rkhunter searches for the inodes listed in /proc/net/packet and then searches
for these inodes in the output of lsof (to get the command which created the
process). But this second search is a simple grep, and can match
something other than a PID.

In my case, I get:
$ cat /proc/net/packet
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
ffff8100bdbe0c00 3      3    0003   2     1 0      0      8374

This is probably dhclient, but I need to confirm it.

$ lsof -lMnPw -d 1-20 | egrep 8374
 # this is the command used by rkhunter
soffice.b 15012  1058   15r   REG   8,2  8374 1954680 
/opt/libreoffice3.6/program/resource/ofaen-US.res

Here, the inode found in /proc/net/packet matches the size
of ofaen-US.res, not its inode!

The relevant part of the debug logs produced by rkhunter is:
[snip]
+ INODE_LIST=
++ egrep -v '^sk|888e' /proc/net/packet
++ awk '{ print $9 }'
+ for INODE in '`egrep -v '\''^sk|888e'\'' /proc/net/packet | awk '\''{ print $9 }'\''`'
+ INODE_LIST='|8374'
++ echo '|8374'
++ sed -e 's/^|//'
+ INODE_LIST=8374
[snip]
+ for PID in '`${LSOF_CMD} -lMnPw -d 1-20 | egrep "[    ](${INODE_LIST})[       ]" | awk '\''{ 
print $2 }'\''`'
+ NAME=
+ '[' -h /proc/15012/exe -a 1 -eq 1 ']'
++ /usr/bin/readlink -f /proc/15012/exe
++ cut '-d ' -f1
+ NAME=/opt/libreoffice3.6/program/soffice.bin
+ test -z /opt/libreoffice3.6/program/soffice.bin
+ AMATCH=1
+ for RKHTMPVAR in '${ALLOWPROCLISTENERS}'
+ '[' /opt/libreoffice3.6/program/soffice.bin = /sbin/dhclient ']'
+ for RKHTMPVAR in '${ALLOWPROCLISTENERS}'
+ '[' /opt/libreoffice3.6/program/soffice.bin = /usr/bin/dhcpcd ']'
+ for RKHTMPVAR in '${ALLOWPROCLISTENERS}'
+ '[' /opt/libreoffice3.6/program/soffice.bin = /usr/sbin/dhcpd ']'
+ '[' 1 -eq 0 ']'
+ FOUND=1
+ BLACKPROC='
/opt/libreoffice3.6/program/soffice.bin 15012'
[snip]

I'll contact the authors of rkhunter to get confirmation, and 
hopefully correction, of this problem.

Thanks again for helping to clarify the situation,

-- 
Philippe Naudin
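Added example (not rkhunter code and not part of the thread) reproducing the false positive described above and showing a column-restricted match that avoids it. It assumes the lsof column layout seen in the quoted lines (COMMAND PID UID FD TYPE DEVICE SIZE/OFF NODE NAME) and uses a constructed lsof sample; the dhclient line in it is made up.

```shell
#!/bin/sh
# Constructed lsof -lMnPw -d 1-20 output (not captured from a real host).
# Line 1 is the false positive from the post: its SIZE/OFF column is 8374.
# Line 2 is a made-up true positive whose NODE (inode) column is 8374.
# Line 3 is an unrelated socket of the same process.
LSOF_SAMPLE='soffice.b 15012 1058 15r REG 8,2 8374 1954680 /opt/libreoffice3.6/program/resource/ofaen-US.res
dhclient 2345 0 5u unix 0xdeadbeef 0t0 8374 socket
soffice.b 15012 1058 6u unix 0xf4440b40 0t0 116738 socket'

# The rkhunter 1.4.0 approach seen in the debug trace: a whole-line
# egrep "[ <tab>](INODE_LIST)[ <tab>]" matches ANY whitespace-delimited field
# equal to an inode number, so the SIZE/OFF column of a regular file
# triggers as well. $1 is an alternation list such as "8374|116738".
naive_pids() {
    printf '%s\n' "$LSOF_SAMPLE" \
        | grep -E "[[:space:]](${1})[[:space:]]" \
        | awk '{ print $2 }' | sort -u | xargs
}

# Column-restricted check: compare only the NODE field ($8) with the
# inode list, so sizes, devices and PIDs can never match by accident.
node_pids() {
    printf '%s\n' "$LSOF_SAMPLE" \
        | awk -v list="$1" '
            BEGIN { n = split(list, want, "|"); for (i = 1; i <= n; i++) seen[want[i]] = 1 }
            ($8 in seen) { print $2 }' \
        | sort -u | xargs
}

echo "naive match for 8374: $(naive_pids 8374)"   # 15012 2345 (soffice.bin is spurious)
echo "NODE  match for 8374: $(node_pids 8374)"    # 2345
```

Note that an inode number is only unique within one filesystem or socket family, so even the column-restricted check should be confirmed against the FD/TYPE columns before a process is reported.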
