PennyroyalFrog Apprentice
Joined: 07 Oct 2004 Posts: 194
Posted: Sat Jan 08, 2005 6:18 am Post subject: chkproc/chkrootkit while doing emerge
This post is more of a follow-up on a previous post I did about a possible LKM trojan being installed. However, the consensus among everybody seems to be that it was a false positive.
Anyway, to get more towards the point of my question, which is a question out of curiosity: when I run chkproc -v while doing an emerge in X (I use KDE as my desktop), I get a bunch of false positives for hidden processes, because of all the quickly terminating processes during the compile, I learned.
However, if I'm not in X, and run emerge in one console and change to a second console via Alt-F2, I don't get any 'hidden' processes no matter how many times I run chkproc -v to check for hidden processes. Like I said, this is more a question out of curiosity as to why this is; sorry if it's a pointless question. I do have obsessive-compulsive disorder, so that's why I'm kind of obsessing over it.
Thanks.
PennyroyalFrog Apprentice
Joined: 07 Oct 2004 Posts: 194
Posted: Sat Jan 08, 2005 8:14 pm Post subject:
Nobody has any ideas? I would really like to know... Thanks in advance.
speed_bump Tux's lil' helper
Joined: 10 Jan 2004 Posts: 92 Location: Wisconsin, USA
Posted: Sat Jan 08, 2005 9:38 pm Post subject:
Alrighty, this is largely conjecture at this point, but here it goes. The problem you're describing is in the general class of problems known as race conditions. This basically refers to two or more different processes accessing the same data set(s) in such a way that the ordering of events can affect the results. In the case of chkproc, it effectively executes a ps and then directly traverses the /proc directory, comparing the results. So at the time of the comparison, you have the ps output and the information from /proc collected at different points in time (most likely many milliseconds apart).
I have not done any timings to find out exactly how the time it takes to traverse the /proc directory varies with respect to the number of entries in the directory, but I suspect that the more processes you have, the longer it takes (probably substantially longer). So when you have X11 running and something like KDE or Gnome fired up, you'll have on the order of 70-80 processes at a minimum. When you're just at a plain console, it's more like 20-30. So effectively, the time window during which the results of one action (ps) can diverge from the results of another (/proc directory traversal) has changed significantly. If that time window is small enough, everything works as you would expect. Lengthen the time window beyond a certain point (add more processes), and you have problems.
Classic race condition. In this case, not correctable.
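The race speed_bump describes, as an added example (this is not chkrootkit's chkproc source and was not posted in the thread): a Python script that compares a ps listing with a readdir of /proc the way chkproc does, and then filters the transient false positives by requiring a PID to look "hidden" in several consecutive samples rather than in one. The function names (hidden_once, persistent_hidden, take_snapshots), the sample PID sets, and the /proc path are my own; the sample snapshots are constructed, not captured from a real system, and the live sampling path assumes a Linux /proc and a ps that accepts -e -o pid=.

```python
"""
Added example (not chkrootkit's own chkproc code): reproduce the ps-vs-/proc
race and recheck suspects over time so short-lived compiler children drop out.
"""
import os
import subprocess
import time

PROC_DIR = "/proc"  # assumption: a Linux procfs mount


def list_proc_pids(proc_dir=PROC_DIR):
    """PIDs visible as numeric directory names under /proc."""
    return {int(name) for name in os.listdir(proc_dir) if name.isdigit()}


def list_ps_pids():
    """PIDs reported by ps. ps also walks /proc, but at a different moment
    than list_proc_pids(); that gap is where a cc1/as/ld spawned by emerge
    can show up in one listing and not the other."""
    out = subprocess.run(["ps", "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def hidden_once(ps_pids, proc_pids):
    """Single-shot comparison in the direction chkproc reports as
    'hidden for ps': present in /proc, absent from ps output."""
    return set(proc_pids) - set(ps_pids)


def persistent_hidden(snapshots):
    """Keep only PIDs that look hidden in *every* snapshot.

    snapshots: list of (ps_pids, proc_pids) pairs taken over time.
    A compiler child lives for a fraction of a second, so it is missing
    from ps in at most one or two samples and is removed by the
    intersection; a process that /proc always shows and ps never does
    survives it.
    """
    suspects = None
    for ps_pids, proc_pids in snapshots:
        diff = hidden_once(ps_pids, proc_pids)
        suspects = diff if suspects is None else suspects & diff
    return suspects or set()


def still_alive(pid, proc_dir=PROC_DIR):
    """Confirm a suspect PID is still a live process before reporting it."""
    return os.path.isdir(os.path.join(proc_dir, str(pid)))


def take_snapshots(count=5, delay=0.5):
    """Live version: sample ps and /proc repeatedly on a Linux box."""
    snaps = []
    for _ in range(count):
        snaps.append((list_ps_pids(), list_proc_pids()))
        time.sleep(delay)
    return snaps


# Constructed sample data (not captured from a real system): three samples
# taken during a compile. PIDs 101, 205 and 310 are compiler children that
# started after ps ran but before /proc was read; PID 4242 is a process that
# /proc shows and ps never does, the pattern chkproc is meant to catch.
CONSTRUCTED_SNAPSHOTS = [
    ({1, 2, 100},      {1, 2, 100, 101, 4242}),
    ({1, 2, 100, 101}, {1, 2, 100, 101, 205, 4242}),
    ({1, 2, 100, 205}, {1, 2, 100, 205, 310, 4242}),
]


if __name__ == "__main__":
    print("single shot:", sorted(hidden_once(*CONSTRUCTED_SNAPSHOTS[0])))  # [101, 4242]
    print("persistent :", sorted(persistent_hidden(CONSTRUCTED_SNAPSHOTS)))  # [4242]
    if os.path.isdir(PROC_DIR):
        live = persistent_hidden(take_snapshots())
        print("live suspects:", sorted(p for p in live if still_alive(p)))
```

The single-shot diff is the chkproc behaviour the thread is about: every process born between the ps run and the readdir is a "hidden" hit, and the more processes the box has, the wider that window. The intersection across samples does not make the race go away, it only makes a transient hit unlikely to repeat. Note also what this diff cannot see: a kernel-level hide that filters both ps and readdir never lands in proc_pids at all, which is why chkproc additionally probes PIDs directly with syscalls such as kill() and getsid() and compares those results too.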
PennyroyalFrog Apprentice
Joined: 07 Oct 2004 Posts: 194
Posted: Sun Jan 09, 2005 12:39 am Post subject:
Thanks for the reply, you rock!