On Fri 17 Aug 2012 16:44:32 CEST, NoOp wrote:
...
And from Fedora 17 (rpm)
LO3.6:
$ lsof -U | grep soffice
soffice.b 30094 gg 6u unix 0xf4440b40 0t0 116738 socket
soffice.b 30094 gg 10u unix 0xf4441d40 0t0 116742
/tmp/OSL_PIPE_1000_SingleOfficeIPC_5d6a40e77981cf59bf3a90df38dfa5f7
soffice.b 30094 gg 27u unix 0xf44406c0 0t0 116776 socket
soffice.b 30094 gg 28u unix 0xf4441680 0t0 116778 socket
soffice.b 30094 gg 33u unix 0xdb205680 0t0 116782 socket
$ rkhunter --version
Rootkit Hunter 1.4.0
No warnings regarding anything 'soffice' in the rkhunter logs.
Thanks for your input. Can you confirm that this command doesn't
produce any result related to LibreOffice:
rkhunter --enable packet_cap_apps --report-warnings-only
After investigating a bit more, and running rkhunter in debug mode,
here is what I found:
rkhunter searches for the inodes listed in /proc/net/packet and then searches
for these inodes in the output of lsof (to get the command which created the
process). But this second search is a simple grep, and can match
something other than a PID.
In my case, I get:
$ cat /proc/net/packet
sk RefCnt Type Proto Iface R Rmem User Inode
ffff8100bdbe0c00 3 3 0003 2 1 0 0 8374
This is probably dhclient, but I need to confirm it.
$ lsof -lMnPw -d 1-20 | egrep 8374
# this is the command used by rkhunter
soffice.b 15012 1058 15r REG 8,2 8374 1954680
/opt/libreoffice3.6/program/resource/ofaen-US.res
Here, the inode found in /proc/net/packet matches the size
of ofaen-US.res, not its inode!
The relevant part of the debug logs produced by rkhunter is:
[snip]
+ INODE_LIST=
++ egrep -v '^sk|888e' /proc/net/packet
++ awk '{ print $9 }'
+ for INODE in '`egrep -v '\''^sk|888e'\'' /proc/net/packet | awk '\''{ print $9 }'\''`'
+ INODE_LIST='|8374'
++ echo '|8374'
++ sed -e 's/^|//'
+ INODE_LIST=8374
[snip]
+ for PID in '`${LSOF_CMD} -lMnPw -d 1-20 | egrep "[ ](${INODE_LIST})[ ]" | awk '\''{
print $2 }'\''`'
+ NAME=
+ '[' -h /proc/15012/exe -a 1 -eq 1 ']'
++ /usr/bin/readlink -f /proc/15012/exe
++ cut '-d ' -f1
+ NAME=/opt/libreoffice3.6/program/soffice.bin
+ test -z /opt/libreoffice3.6/program/soffice.bin
+ AMATCH=1
+ for RKHTMPVAR in '${ALLOWPROCLISTENERS}'
+ '[' /opt/libreoffice3.6/program/soffice.bin = /sbin/dhclient ']'
+ for RKHTMPVAR in '${ALLOWPROCLISTENERS}'
+ '[' /opt/libreoffice3.6/program/soffice.bin = /usr/bin/dhcpcd ']'
+ for RKHTMPVAR in '${ALLOWPROCLISTENERS}'
+ '[' /opt/libreoffice3.6/program/soffice.bin = /usr/sbin/dhcpd ']'
+ '[' 1 -eq 0 ']'
+ FOUND=1
+ BLACKPROC='
/opt/libreoffice3.6/program/soffice.bin 15012'
[snip]
I'll contact the authors of rkhunter to get confirmation, and
hopefully correction, of this problem.
Thanks again for helping to clarify the situation,
--
Philippe Naudin
--
For unsubscribe instructions e-mail to: users+help@global.libreoffice.org
Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.libreoffice.org/global/users/
All messages sent to this list will be publicly archived and cannot be deleted
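The false positive described in the message above, reproduced and then avoided, as an added example (this is not rkhunter's or LibreOffice's code). The first function replays rkhunter 1.4.0's logic from the debug log: extract column 9 of /proc/net/packet (skipping proto 888e) and egrep "[ ](inode)[ ]" over whole lsof lines, so a file whose SIZE/OFF column happens to equal the socket inode is blamed. The fix resolves the inode through the /proc/<pid>/fd/* symlinks instead, which point at the literal string socket:[INODE] and involve no column guessing. The /proc/net/packet snapshot, the lsof line and the fake /proc tree (built in a temporary directory, with the dhclient PID 1022 and its fd number chosen arbitrarily) are constructed, modelled on the values quoted in the message; the allow-list is the one visible in the debug log.

```python
"""Field-aware replacement for rkhunter's packet_cap_apps inode lookup.

Added example, not rkhunter's code.  Sample data is constructed from the
values quoted in the mailing-list message; the /proc tree is a fake one
built under a temporary directory so the script runs offline as non-root.
"""
import os
import re
import tempfile

# ALLOWPROCLISTENERS as seen in the rkhunter debug log.
ALLOWED_LISTENERS = {"/sbin/dhclient", "/usr/bin/dhcpcd", "/usr/sbin/dhcpd"}

# Constructed /proc/net/packet snapshot: header plus one packet socket.
PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff8100bdbe0c00 3      3    0003   2     1 0      0      8374
"""

# Constructed `lsof -lMnPw -d 1-20` output.  SIZE/OFF is 8374 (the same
# number as the packet socket's inode); NODE is 1954680.
LSOF_OUTPUT = """\
COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF    NODE NAME
soffice.b 15012 1058  15r    REG    8,2     8374 1954680 /opt/libreoffice3.6/program/resource/ofaen-US.res
"""


def packet_socket_inodes(proc_net_packet):
    """Inode column of /proc/net/packet, skipping the header and, as
    rkhunter does, sockets bound to EAPOL (proto 888e)."""
    inodes = set()
    for line in proc_net_packet.splitlines():
        fields = line.split()
        if not fields or fields[0] == "sk" or fields[3] == "888e":
            continue
        inodes.add(fields[8])  # 9th column is the socket inode
    return inodes


def rkhunter_style_pids(lsof_output, inodes):
    """rkhunter 1.4.0 logic: egrep "[ ](inode|...)[ ]" over whole lsof lines,
    then take column 2 as the PID.  Any column equal to an inode number
    matches, not just NODE, which is the bug."""
    pattern = re.compile(r"[ ](%s)[ ]" % "|".join(map(re.escape, inodes)))
    return {ln.split()[1] for ln in lsof_output.splitlines() if pattern.search(ln)}


def socket_owners(inodes, proc_root="/proc"):
    """Map each packet-socket inode to (pid, exe) by reading /proc/<pid>/fd/*
    symlinks, which point at 'socket:[INODE]' for sockets."""
    owners = {}
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:  # process exited, or not ours and not root
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m and m.group(1) in inodes:
                try:
                    exe = os.readlink(os.path.join(proc_root, pid, "exe"))
                except OSError:
                    exe = ""
                owners[m.group(1)] = (pid, exe)
    return owners


def unexpected_listeners(owners, allowed=ALLOWED_LISTENERS):
    """Packet-socket holders not on the allow-list: what should be warned about."""
    return [(pid, exe) for pid, exe in owners.values() if exe not in allowed]


def build_fake_proc(root):
    """Constructed /proc tree: soffice.bin holds the .res file as fd 15,
    dhclient (PID 1022, assumed) holds the packet socket 8374 as fd 5."""
    procs = {
        "15012": ("/opt/libreoffice3.6/program/soffice.bin",
                  {"15": "/opt/libreoffice3.6/program/resource/ofaen-US.res"}),
        "1022": ("/sbin/dhclient", {"5": "socket:[8374]"}),
    }
    for pid, (exe, fds) in procs.items():
        os.makedirs(os.path.join(root, pid, "fd"))
        os.symlink(exe, os.path.join(root, pid, "exe"))  # dangling links are fine
        for fd, target in fds.items():
            os.symlink(target, os.path.join(root, pid, "fd", fd))
    return root


def demo():
    """Run both lookups on the constructed data; returns the four results."""
    inodes = packet_socket_inodes(PROC_NET_PACKET)
    buggy = rkhunter_style_pids(LSOF_OUTPUT, inodes)
    with tempfile.TemporaryDirectory() as tmp:
        owners = socket_owners(inodes, build_fake_proc(tmp))
        flagged = unexpected_listeners(owners)
    return inodes, buggy, owners, flagged


if __name__ == "__main__":
    inodes, buggy, owners, flagged = demo()
    print("packet socket inodes:", sorted(inodes))
    print("rkhunter-style grep blames PIDs:", sorted(buggy))  # soffice.bin's PID
    print("actual socket owners:", owners)
    print("unexpected listeners:", flagged)
```

On a live system, call socket_owners(packet_socket_inodes(open("/proc/net/packet").read())) as root: reading other users' /proc/<pid>/fd and /proc/<pid>/exe needs the same privilege lsof needs, and unreadable entries are skipped rather than mis-attributed.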