Bug #1143

closed

rkhunter Warning: Suspicious file types found in /dev

Added by Calvin Taylor over 6 years ago. Updated about 6 years ago.

Status:
Invalid
Priority:
Normal
Assignee:
-
Target version:
-
Start date:
12/06/2017
Description

[23:38:20] Warning: Suspicious file types found in /dev:
[23:38:20] /dev/shm/lttng-ust-wait-7-112: data
[23:38:20] /dev/shm/lttng-ust-wait-7: data

Hi All, I just joined to report the problem I've encountered after just installing rkhunter, which is that two files owned by the package you maintain get flagged as suspicious by rkhunter. I've found https://unix.stackexchange.com/questions/227184/what-is-dev-shm-lttng-ust-wait-5-for, where the recommended action is to whitelist them. I don't think this is appropriate. I did some searches of your issues and didn't find anything, so I thought I'd bring it to your attention.

I'm running Ubuntu 1704, up to date.

Below I'm showing the related packages which have dependencies on your package.

Thanks again, I hope this helps.

sudo aptitude search lttng
p liblttng-ctl-dev - LTTng control and utility library (development files)
p liblttng-ctl-dev:i386 - LTTng control and utility library (development files)
p liblttng-ctl0 - LTTng control and utility library
p liblttng-ctl0:i386 - LTTng control and utility library
p liblttng-ust-agent-java - LTTng 2.0 Userspace Tracer (Java agent library)
p liblttng-ust-agent-java-jni - LTTng 2.0 Userspace Tracer (Java agent JNI interface)
p liblttng-ust-agent-java-jni:i386 - LTTng 2.0 Userspace Tracer (Java agent JNI interface)
i A liblttng-ust-ctl2 - LTTng 2.0 Userspace Tracer (trace control library)
p liblttng-ust-ctl2:i386 - LTTng 2.0 Userspace Tracer (trace control library)
p liblttng-ust-dev - LTTng 2.0 Userspace Tracer (development files)
p liblttng-ust-dev:i386 - LTTng 2.0 Userspace Tracer (development files)
p liblttng-ust-java - LTTng 2.0 Userspace Tracer (Java support library)
v liblttng-ust-java:i386 -
p liblttng-ust-java-jni - LTTng 2.0 Userspace Tracer (JNI interface)
p liblttng-ust-java-jni:i386 - LTTng 2.0 Userspace Tracer (JNI interface)
p liblttng-ust-python-agent0 - LTTng 2.0 Userspace Tracer (Python agent native library)
p liblttng-ust-python-agent0:i386 - LTTng 2.0 Userspace Tracer (Python agent native library)
i A liblttng-ust0 - LTTng 2.0 Userspace Tracer (tracing libraries)
p liblttng-ust0:i386 - LTTng 2.0 Userspace Tracer (tracing libraries)
p lttng-modules-dkms - Linux Trace Toolkit (LTTng) kernel modules (DKMS)
p lttng-tools - LTTng control and utility programs
p lttng-tools:i386 - LTTng control and utility programs
p python3-lttng - LTTng control and utility Python bindings
p python3-lttng:i386 - LTTng control and utility Python bindings
p python3-lttnganalyses - LTTng 2.0 trace analysis tools (Python 3)
p python3-lttngust - LTTng 2.0 Userspace Tracer (Python 3 UST agent

sudo apt-cache rdepends liblttng-ust0
liblttng-ust0
Reverse Depends:
liblttng-ust-dev
mir-test-tools
ubuntu-app-launch-profiler
qtmir-android
python3-autopilot-trace
python-autopilot-trace
mir-test-tools
libubuntumetrics5-gles
liblttng-ust-java-jni
liblttng-ust-agent-java-jni
aethercast-tools
qtmir-desktop
qtdeclarative5-qtmir-plugin
libubuntumetrics5
libubuntumetrics5
libubuntu-app-launch4
liblttng-ust-python-agent0
liblttng-ust-dev

Actions #1

Updated by Mathieu Desnoyers over 6 years ago

What is the reason why you think whitelisting those files in rkhunter is, as you say, "not appropriate"?

Actions #2

Updated by Jonathan Rajotte Julien over 6 years ago

  • Status changed from New to Feedback

Calvin Taylor wrote:

I did some searches of your issues and didn't find anything so I thought I'd bring it to your attention.

From your link, Mathieu Desnoyers, back in 2015, did give information regarding the origin and function of those files:

Those files are created by LTTng UST (User-Space Tracer). More specifically, those files are used in a rendez-vous mechanism between the user-space tracer and the lttng session daemon. See http://lttng.org for more information.

Do you have any further question?

Actions #3

Updated by Calvin Taylor over 6 years ago

Because it's a security flaw: if they are whitelisted, then they are not scanned. They are a vulnerability to a system; a person could manage to rewrite the files with whatever, and the change would go unnoticed.

Actions #4

Updated by Mathieu Desnoyers over 6 years ago

Trying to understand the threat model you present here.

/dev/shm is:

drwxrwxrwt 2 root root 160 Dec 7 10:15 .

(with sticky bit)

If a lttng-sessiond is launched as root, the file is:

-rw-rw-r-- 1 root root 4096 Dec 7 10:15 lttng-ust-wait-7

which is not writeable, and cannot be unlinked, by normal users.

If a lttng-sessiond is launched as user, the file is, e.g.:

-rw-rw---- 1 compudj compudj 4096 Dec 7 10:13 lttng-ust-wait-7-1000

And only that user can access the file.

In those scenarios, how can an attacker rewrite those files?

Or do you imply an execution sequence where an attacker creates those files before lttng-sessiond is launched ?
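The permission argument in the comment above can be turned into a check that is narrower than an rkhunter whitelist: verify that /dev/shm carries the sticky bit and that each rendez-vous file matches one of the two layouts described (root-owned and not world-writable, or owned by the UID in its name with no access for others). This is an added example, not code from LTTng or rkhunter; the function names and the assumption that owner/group are numeric (`ls -ln`) are mine.

```shell
#!/bin/sh
# Added example, not code from LTTng or rkhunter: instead of whitelisting
# /dev/shm/lttng-ust-wait-* in rkhunter, verify the properties the thread
# relies on. The check functions take the fields `ls -ln` prints, so they
# can be exercised offline on constructed input.

# shm_dir_ok MODE: /dev/shm must be a world-writable directory with the
# sticky bit set (drwxrwxrwt), so users cannot unlink each other's files.
shm_dir_ok() {
  case ${1%[+.]} in   # drop a trailing ACL/SELinux marker if ls printed one
    drwxrwxrwt) return 0 ;;
  esac
  return 1
}

# wait_file_ok MODE OWNER GROUP NAME (owner/group numeric, as `ls -ln` prints)
# Accepts exactly the two layouts described in the thread:
#   root lttng-sessiond:  lttng-ust-wait-N      owner 0, not world-writable
#   user lttng-sessiond:  lttng-ust-wait-N-UID  owned by UID, no world access
wait_file_ok() {
  mode=${1%[+.]} owner=$2 group=$3 name=$4
  case $mode in
    -*) ;;                  # must be a regular file, not a symlink or device
    *) return 1 ;;
  esac
  case $mode in
    ????????w?) return 1 ;; # world-writable: never acceptable
  esac
  case $name in
    lttng-ust-wait-*-*)     # per-user file: UID is the last "-" separated field
      uid=${name##*-}
      if [ "$owner" = "$uid" ] && [ "$group" = "$uid" ]; then
        case $mode in ???????---) return 0 ;; esac
      fi ;;
    lttng-ust-wait-*)       # root daemon file: others may read but not write
      if [ "$owner" = 0 ] && [ "$group" = 0 ]; then return 0; fi ;;
  esac
  return 1
}

# scan_dev_shm: run the checks on the live system; non-zero if anything
# deviates from the expected layout (usable from cron or a monitoring agent).
scan_dev_shm() {
  rc=0
  shm_dir_ok "$(ls -ldn /dev/shm | cut -d' ' -f1)" || { echo "BAD  /dev/shm mode"; rc=1; }
  for f in /dev/shm/lttng-ust-wait-*; do
    [ -e "$f" ] || continue            # glob matched nothing
    set -- $(ls -ln "$f")              # mode links owner group size ...
    if wait_file_ok "$1" "$3" "$4" "${f##*/}"; then echo "OK   $f"
    else echo "BAD  $f ($1 $3 $4)"; rc=1; fi
  done
  return $rc
}
```

Call `scan_dev_shm` to check a running system; a file that fails the check is exactly the case where an unconditional whitelist would have hidden the change.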

Actions #5

Updated by Jonathan Rajotte Julien about 6 years ago

  • Status changed from Feedback to Invalid