Debian Bug report logs - #222179
/etc/init.d/nis creates hidden processes?


Package: chkrootkit; Maintainer for chkrootkit is Giuseppe Iuculano <iuculano@debian.org>; Source for chkrootkit is src:chkrootkit.

Reported by: Shaul Karl <shaulk@actcom.net.il>

Date: Wed, 26 Nov 2003 00:03:06 UTC

Severity: important

Tags: patch

Merged with 230907, 246667, 260905

Found in versions 0.43-1, 0.43

Done: lmoore <lmoore@tump.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Miquel van Smoorenburg <miquels@cistron.nl>:
Bug#222179; Package nis. Full text and rfc822 format available.

Acknowledgement sent to Shaul Karl <shaulk@actcom.net.il>:
New Bug report received and forwarded. Copy sent to Miquel van Smoorenburg <miquels@cistron.nl>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Shaul Karl <shaulk@actcom.net.il>
To: submit@bugs.debian.org
Subject: /etc/init.d/nis creates hidden processes?
Date: Wed, 26 Nov 2003 02:00:56 +0200

Package: nis
Version: 3.9-6.3
Severity: normal

  The following script was obtained by booting into single user mode,
doing cd /tmp and running the init scripts in the order that a normal
boot would run them. The whole thing was done because chkrootkit
reports that there are 2 hidden processes.


Script started on Wed Nov 26 01:24:25 2003
/tmp# /etc/init.d/sysklogd start
Starting system log daemon: syslogd.
/tmp# /etc/init.d/klogd start
Starting kernel log daemon: klogd.
/tmp# /etc/init.d/ppp start
/tmp# /usr/lib/chkrootkit/chkproc -v
/tmp# /etc/init.d/nis start
Setting NIS domainname to: my.nis.domain
Starting NIS services: ypbind 
/tmp# /usr/lib/chkrootkit/chkproc -v
PID   293: not in readdir output
PID   293: not in ps output
PID   294: not in readdir output
PID   294: not in ps output
You have     2 process hidden for readdir command
You have     2 process hidden for ps command
/tmp# 
exit

Script done on Wed Nov 26 01:27:17 2003

-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux calanit 2.6.0-test9.custom486.4 #1 Fri Nov 21 09:04:51 IST 2003 i486
Locale: LANG=C, LC_CTYPE=C

Versions of packages nis depends on:
ii  debconf                     1.3.20       Debian configuration management sy
ii  libc6                       2.3.2.ds1-10 GNU C Library: Shared libraries an
ii  libgdbm3                    1.8.3-2      GNU dbm database routines (runtime
ii  make                        3.80-4       The GNU version of the "make" util
ii  netbase                     4.14         Basic TCP/IP networking system
ii  portmap                     5-2.1        The RPC portmapper

-- debconf information:
  nis/not-yet-configured: 
* nis/domain: my.nis.domain
-- 
"If you have an apple and I have  an apple and we  exchange apples then
you and I will still each have  one apple. But  if you have an idea and I
have an idea and we exchange these ideas, then each of us will have two
ideas." -- George Bernard Shaw     (sent by  shaulk @ actcom . net . il)



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#222179; Package nis. Full text and rfc822 format available.

Acknowledgement sent to Miquel van Smoorenburg <miquels@cistron.nl>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #10 received at 222179@bugs.debian.org (full text, mbox):

From: Miquel van Smoorenburg <miquels@cistron.nl>
To: Shaul Karl <shaulk@actcom.net.il>
Cc: 222179@bugs.debian.org, control@bugs.debian.org
Subject: Re: Bug#222179: /etc/init.d/nis creates hidden processes?
Date: Wed, 26 Nov 2003 02:18:40 +0100

reassign 222179 chkrootkit
severity 222179 important
thanks

On Wed, 26 Nov 2003 01:00:56, Shaul Karl wrote:
> Package: nis
> Version: 3.9-6.3
> Severity: normal
> 
>   The following script was obtained by booting into single user mode,
> doing cd /tmp and running the init scripts in the order that a normal
> boot would run them. The whole thing was done because chkrootkit
> reports that there are 2 hidden processes.

That's a bug in chkrootkit. With the latest glibc and 2.6 kernel, the
threading model has changed. Threads no longer show up as individual
processes. Chkrootkit should be updated to work with the latest glibc
and 2.6 kernel (i.e. it should check /proc/<pid>/task too)

I'm reassigning this bug to chkrootkit. It's probably the same as
bug #217278, but triggered by a user-level threaded program.


> Script started on Wed Nov 26 01:24:25 2003
> /tmp# /etc/init.d/sysklogd start
> Starting system log daemon: syslogd.
> /tmp# /etc/init.d/klogd start
> Starting kernel log daemon: klogd.
> /tmp# /etc/init.d/ppp start
> /tmp# /usr/lib/chkrootkit/chkproc -v
> /tmp# /etc/init.d/nis start
> Setting NIS domainname to: my.nis.domain
> Starting NIS services: ypbind 
> /tmp# /usr/lib/chkrootkit/chkproc -v
> PID   293: not in readdir output
> PID   293: not in ps output
> PID   294: not in readdir output
> PID   294: not in ps output
> You have     2 process hidden for readdir command
> You have     2 process hidden for ps command
> /tmp# 
> exit
> 
> Script done on Wed Nov 26 01:27:17 2003
> 
> -- System Information:
> Debian Release: testing/unstable
> Architecture: i386
> Kernel: Linux calanit 2.6.0-test9.custom486.4 #1 Fri Nov 21 09:04:51 IST 2003 i486
> Locale: LANG=C, LC_CTYPE=C
> 
> Versions of packages nis depends on:
> ii  debconf                     1.3.20       Debian configuration management sy
> ii  libc6                       2.3.2.ds1-10 GNU C Library: Shared libraries an
> ii  libgdbm3                    1.8.3-2      GNU dbm database routines (runtime
> ii  make                        3.80-4       The GNU version of the "make" util
> ii  netbase                     4.14         Basic TCP/IP networking system
> ii  portmap                     5-2.1        The RPC portmapper
> 
> -- debconf information:
>   nis/not-yet-configured: 
> * nis/domain: my.nis.domain
> -- 
> "If you have an apple and I have  an apple and we  exchange apples then
> you and I will still each have  one apple. But  if you have an idea and I
> have an idea and we exchange these ideas, then each of us will have two
> ideas." -- George Bernard Shaw     (sent by  shaulk @ actcom . net . il)
> 
> 
> 



Bug reassigned from package `nis' to `chkrootkit'. Request was from Miquel van Smoorenburg <miquels@cistron.nl> to control@bugs.debian.org. Full text and rfc822 format available.

Severity set to `important'. Request was from Miquel van Smoorenburg <miquels@cistron.nl> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#222179; Package chkrootkit. Full text and rfc822 format available.

Acknowledgement sent to lantz moore <lmoore@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #19 received at 222179@bugs.debian.org (full text, mbox):

From: lantz moore <lmoore@debian.org>
To: shaulk@actcom.net.il
Cc: 222179@bugs.debian.org
Subject: Re: chkrootkit vs nis
Date: Fri, 05 Dec 2003 14:56:36 -0800

lmoore@debian.org writes:

> i need some more info.  what kernel version are you running?
>
> could you reproduce the problem and send me the output of the following
> command:
>
> egrep '^(Name|Tgid|Pid)' /proc/${pids}/status
>
> where ${pids} is replaced with the pids that chkproc is complaining about?

an ls -latr of those /proc/${pids} dirs would also be helpful.

thanks again.

-l



Information forwarded to debian-bugs-dist@lists.debian.org, lantz moore <lmoore@debian.org>:
Bug#222179; Package chkrootkit. Full text and rfc822 format available.

Acknowledgement sent to lmoore@debian.org:
Extra info received and forwarded to list. Copy sent to lantz moore <lmoore@debian.org>. Full text and rfc822 format available.

Message #24 received at 222179@bugs.debian.org (full text, mbox):

From: lmoore@debian.org
To: shaulk@actcom.net.il
Cc: 222179@bugs.debian.org
Subject: chkrootkit vs nis
Date: Fri, 05 Dec 2003 14:49:46 -0800

i need some more info.  what kernel version are you running?

could you reproduce the problem and send me the output of the following
command:

egrep '^(Name|Tgid|Pid)' /proc/${pids}/status

where ${pids} is replaced with the pids that chkproc is complaining about?

hopefully, this will help me figure out what is going wrong.

i tried installing nis and couldn't reproduce the problem (kernel 2.4.22).

thanks.

-l



Information forwarded to debian-bugs-dist@lists.debian.org, lantz moore <lmoore@debian.org>:
Bug#222179; Package chkrootkit. Full text and rfc822 format available.

Acknowledgement sent to Shaul Karl <shaulk@actcom.net.il>:
Extra info received and forwarded to list. Copy sent to lantz moore <lmoore@debian.org>. Full text and rfc822 format available.

Message #29 received at 222179@bugs.debian.org (full text, mbox):

From: Shaul Karl <shaulk@actcom.net.il>
To: 222179@bugs.debian.org
Subject: Re: chkrootkit vs nis
Date: Sat, 6 Dec 2003 02:34:18 +0200

On Fri, Dec 05, 2003 at 02:56:36PM -0800, lantz moore wrote:
> lmoore@debian.org writes:
> 
> > i need some more info.  what kernel version are you running?
> >
> > could you reproduce the problem and send me the output of the following
> > command:
> >
> > egrep '^(Name|Tgid|Pid)' /proc/${pids}/status
> >
> > where ${pids} is replaced with the pids that chkproc is complaining about?
> 
> an ls -latr of those /proc/${pids} dirs would also be helpful.
> 


  It is 2.6.0-test9. /proc doesn't have those pids. It looks like the 
nis maintainer correctly identifies them as tasks:

$ /usr/lib/chkrootkit/chkproc -v
PID   291: not in readdir output
PID   291: not in ps output
PID   292: not in readdir output
PID   292: not in ps output
You have     2 process hidden for readdir command
You have     2 process hidden for ps command
$ ls /proc/29[12]
ls: /proc/29[12]: No such file or directory
$ ls /proc/290/task/
290  291  292

-- 
"If you have an apple and I have  an apple and we  exchange apples then
you and I will still each have  one apple. But  if you have an idea and I
have an idea and we exchange these ideas, then each of us will have two
ideas." -- George Bernard Shaw     (sent by  shaulk @ actcom . net . il)
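
The check suggested earlier in the thread (look under /proc/<pid>/task) and the listing in the message above can be combined into a small triage helper for `chkproc -v` output. This is an added example, not part of the bug log or of chkrootkit; the function names, the fixture tree and the ID 777 are constructed for illustration.

```shell
#!/bin/sh
# classify_pid PROC_ROOT ID -> "process", "thread-of <tgid>" or "unaccounted"
classify_pid() {
    root=$1; id=$2
    # Top-level numeric entries: what a readdir() of /proc lists.
    for d in "$root"/[0-9]*; do
        if [ "${d##*/}" = "$id" ]; then echo process; return 0; fi
    done
    # Thread IDs sit under the thread-group leader's task directory.
    for t in "$root"/[0-9]*/task/"$id"; do
        [ -d "$t" ] || continue
        tgid=${t%/task/*}
        echo "thread-of ${tgid##*/}"; return 0
    done
    echo unaccounted; return 1
}

# triage_chkproc PROC_ROOT: reads chkproc -v output on stdin and prints
# one "ID verdict" line per distinct reported ID.
triage_chkproc() {
    sed -n 's/^PID *\([0-9][0-9]*\): not in .*/\1/p' | sort -un |
    while read -r pid; do
        echo "$pid $(classify_pid "$1" "$pid")"
    done
}

# Constructed /proc tree: leader 290 with tasks 291 and 292, as in the report.
make_fixture() {
    dir=$(mktemp -d) || return 1
    mkdir -p "$dir/1/task/1" "$dir/290/task/290" \
             "$dir/290/task/291" "$dir/290/task/292"
    echo "$dir"
}

# Constructed input: the 291/292 lines follow the report, 777 is made up.
sample_report() {
    cat <<'EOF'
PID   291: not in readdir output
PID   291: not in ps output
PID   292: not in readdir output
PID   292: not in ps output
PID   777: not in ps output
EOF
}

# Demo run against the constructed tree.
fixture=$(make_fixture)
sample_report | triage_chkproc "$fixture"
rm -rf "$fixture"
```

On a live host the same function would be called as `chkproc -v | triage_chkproc /proc`. An ID reported as `unaccounted` can also be a process that exited between the two scans, so it is worth re-running before treating it as hidden.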



Information forwarded to debian-bugs-dist@lists.debian.org, lantz moore <lmoore@debian.org>:
Bug#222179; Package chkrootkit. Full text and rfc822 format available.

Acknowledgement sent to Sven Klemm <sven@elektro-klemm.de>:
Extra info received and forwarded to list. Copy sent to lantz moore <lmoore@debian.org>. Full text and rfc822 format available.

Message #34 received at 222179@bugs.debian.org (full text, mbox):

From: Sven Klemm <sven@elektro-klemm.de>
To: 222179@bugs.debian.org
Subject: Hidden Processes
Date: Mon, 22 Dec 2003 21:09:36 +0100

Hi,

2 weeks ago I discovered a very similar bug on my system. I initially 
found the bug with chkrootkit. But I think chkrootkit is not the source 
of the bug. Here is what I found out:

Booting from install-disk:

Everything is fine

Chrooting from install-disk into my installation:

ps shows pids of [ksoftirqd_CPU0] [kswapd] [bdflush] [kupdated] as 0.
chkrootkit complains about 4 processes hidden for ps.
Those processes don't have pid 0 but 3,4,5,6. If I go to /proc I can see 
the directories of those processes with the appropriate pids.
If I use the ps command of the rescue-system which only depends on libc 
but not libproc the output is fine and all processes have the right pid.

If I boot directly into my system with kernel 2.4.18 exactly the same 
things happen. And again the ps command from the rescue-system which is 
only linked against libc shows everything correct.

Really strange things happen if I boot with Kernel 2.6.0-test(6|11):

checkproc finds hidden processes. These processes are not only hidden 
from ps but also hidden from ls /proc. If I do ls /proc I can not see 
the directories of those hidden processes even though I can cd into 
these directories. The processes that are hiding are nautilus and 
mozilla-firebird. lsof does not show any open files of these processes 
even though /proc/$pid/fd/ is not empty.

Today I installed Debian on another Computer and after upgrading to sid 
I saw exactly the same ps output. I wiped the partition and installed 
Debian again. Under stable everything is okay but as soon as I upgraded 
to testing or unstable I got those processes with pid=0.

I believe the bug described here could be the same bug I saw on my system.

I hope my findings help you solve the bug.


-- 
Sven Klemm <sven@elektro-klemm.de>
GnuPG: 0x71084F86 | 1319 F0DF B317 91F0 E48E  1957 7AF9 604C 7108 4F86



Information forwarded to debian-bugs-dist@lists.debian.org, lantz moore <lmoore@debian.org>:
Bug#222179; Package chkrootkit. Full text and rfc822 format available.

Acknowledgement sent to Marco Nenciarini <mnencia@prato.linux.it>:
Extra info received and forwarded to list. Copy sent to lantz moore <lmoore@debian.org>. Full text and rfc822 format available.

Message #39 received at 222179@bugs.debian.org (full text, mbox):

From: Marco Nenciarini <mnencia@prato.linux.it>
To: 222179@bugs.debian.org, 230907@bugs.debian.org, 246667@bugs.debian.org, 260905@bugs.debian.org
Cc: control@bugs.debian.org
Subject: LKM false positive
Date: Thu, 19 Aug 2004 20:41:19 +0200

severity 230907 important
severity 246667 important
severity 260905 important
merge 222179 230907 246667 260905
tags 222179 patch
thanks

I made a patch for chkproc, to correctly handle the new /proc
structure introduced by the kernel 2.6 family.

This patch has been tested on a 2.4.26 kernel and on a 2.6.7 kernel.

Regards

-- 
---------------------------------------------------------------------
|    Marco Nenciarini    | Debian/GNU Linux Developer - Plug Member |
| mnencia@prato.linux.it | http://www.prato.linux.it/~mnencia       |
---------------------------------------------------------------------
Key fingerprint = FED9 69C7 9E67 21F5 7D95  5270 6864 730D F095 E5E4

[chkproc.patch (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]

Merged 222179 230907 246667 260905. Request was from Marco Nenciarini <mnencia@prato.linux.it> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: patch Request was from Marco Nenciarini <mnencia@prato.linux.it> to control@bugs.debian.org. Full text and rfc822 format available.

Reply sent to lmoore <lmoore@tump.com>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Shaul Karl <shaulk@actcom.net.il>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #48 received at 222179-done@bugs.debian.org (full text, mbox):

From: lmoore <lmoore@tump.com>
To: 222179-done@bugs.debian.org
Subject: fixed by older upload
Date: Fri, 22 Apr 2005 11:45:23 -0700

the hidden process bugs for 2.6 seem to have been fixed with chkrootkit
0.44.

-l





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 15:49:08 2014; Machine Name: buxtehude.debian.org
