Bug 260178 - app-forensics/chkrootkit-0.48-r1 uses a lot mem/cpu when ccache is installed and checks for php files....
Summary: app-forensics/chkrootkit-0.48-r1 uses a lot mem/cpu when ccache is installed ...
Status: RESOLVED WONTFIX
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: High normal
Assignee: No maintainer - Look at https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers if you want to take care of it
Reported: 2009-02-24 20:46 UTC by pierre
Modified: 2017-08-30 18:24 UTC
Description pierre 2009-02-24 20:46:37 UTC
app-forensics/chkrootkit-0.48-r1 uses a lot mem/cpu when ccache is installed and checks for php files.... 
because it searches for php files in /tmp and /var/tmp.

as I use ccache, /var/tmp/ccache is about 2giga, so chkrootkit freezes when trying to :
Searching for suspect PHP files... ++ /usr/bin/find /tmp /var/tmp -name '*.php'
+ files=
++ /usr/bin/find /tmp /var/tmp -type f -exec head -n1 '{}' ';'
++ grep php

(those lines are chkrootkit -d aliens output...)

I think the solution is to patch chkrootkit so it does not scan /var/tmp/ccache when ccache is present.

This is what Nelson Murilo, one of the chkrootkit developers, answered me:
"Surely you can customize chkrootkit for your own usage, but maybe
you should keep in mind that attackers can use the directory to hide malware
and malicious files."

or should we just add a message in the ebuild to let people know about this issue...
pierre



Reproducible: Always

Steps to Reproduce:
1. install ccache in /var/tmp/ccache with a big enough dir
2. install app-forensics/chkrootkit-0.48-r1
3. run chkrootkit

Actual Results:  
freezes (or should I only say hangs) on 'Searching for suspect PHP files... '

Expected Results:  
not freeze

Portage 2.1.6.7 (default/linux/amd64/2008.0, gcc-4.1.2, glibc-2.8_p20080602-r1, 2.6.27-gentoo-r8 x86_64)
=================================================================
System uname: Linux-2.6.27-gentoo-r8-x86_64-AMD_Turion-tm-_64_X2_Mobile_Technology_TL-58-with-glibc2.2.5
Timestamp of tree: Tue, 24 Feb 2009 17:30:10 +0000
ccache version 2.4 [enabled]
app-shells/bash:     3.2_p39
dev-java/java-config: 2.1.6-r1
dev-lang/python:     2.5.2-r7
dev-util/ccache:     2.4-r7
dev-util/cmake:      2.6.2-r1
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.13, 2.63
sys-devel/automake:  1.5, 1.9.6-r2, 1.10.2
sys-devel/binutils:  2.18-r3
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.27-r2
ACCEPT_KEYWORDS="amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=k8 -msse3 -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/config"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/revdep-rebuild /etc/splash /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-march=k8 -msse3 -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="ccache distlocks fixpackages parallel-fetch protect-owned sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://mirror.ovh.net/gentoo-distfiles/ ftp://mirror.ovh.net/gentoo-distfiles/ ftp://gentoo.imj.fr/pub/gentoo/ ftp://ftp.free.fr/mirrors/ftp.gentoo.org/ "
LANG="fr_FR.UTF-8"
LDFLAGS="-Wl,-O1"
LINGUAS="fr en fr_FR en_US"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage/local/pierre"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="3dnow 3dnowext X a52 aac aalib acl acpi alsa amd64 apache2 ati bash-completion berkdb bluetooth bzip2 cairo cdr cli cracklib crypt dbus dga dri dvd exif ffmpeg fglrx flac fortran gdbm gif gpm gtk hal iconv ipv6 isdnlog java java6 jpeg jpeg2k lm_sensors loop-aes madwifi midi mikmod mmx mmxext mp3 mpeg mudflap multilib mysql ncurses nls nptl nptlonly ogg opengl openmp pam pcre pdf perl png pppd python radeon readline reflection session spl sse sse2 ssl startup-notification svg sysfs tcpd tiff truetype unicode usb v4l v4l2 vim-syntax vorbis x264 xinerama xml xml2 xorg xpm xv zlib" ALSA_CARDS=" hda-intel" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" APACHE2_MPMS="prefork" CAMERAS="canon" ELIBC="glibc" INPUT_DEVICES="keyboard mouse synaptics" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="fr en fr_FR en_US" USERLAND="GNU" VIDEO_CARDS="ati fglrx radeon"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LC_ALL, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 1 Patrick Lauer gentoo-dev 2009-03-01 01:42:08 UTC
I don't see this as a real problem, but I'm open to suggestions how to handle this better.
Comment 2 pierre 2009-03-01 20:35:08 UTC
I don't think it's a real problem either. I suggest a simple sentence in the ebuild file saying "be aware new chkrootkit checks for files in /tmp and /var/tmp, so if you have a lot of files there (like if you use ccache default dir /var/tmp/ccache) the process can be very long...".

Of course, having an option not to perform the php files scan would be better, but it's not a Gentoo issue....
Probably in the future...
Comment 3 Pacho Ramos gentoo-dev 2017-08-30 18:24:51 UTC
This is likely WONTFIX... anyway, I think you could contact upstream if you know a faster way to perform the check (if this is still valid with latest version)
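
An added example, not part of the bug thread and not chkrootkit's own code: one way to run the first-line check from the `chkrootkit -d` trace without starting one `head` process per file, while still scanning every directory (including /var/tmp/ccache, as the upstream developer's concern requires). `first_line_php` and `demo` are hypothetical names, and unlike the original pipeline this variant prints the matching file paths rather than the matched lines.

```shell
#!/bin/sh
# Added example; first_line_php is a hypothetical helper, not chkrootkit code.
# Prints every regular file under the given directories whose first line
# contains "php".
first_line_php() {
    # "{} +" hands many paths to each inner shell, so the per-file cost is a
    # builtin read instead of a fork/exec of head(1).
    find "$@" -type f -exec sh -c '
        for f in "$@"; do
            line=
            # read stops at the first newline; a first line without a
            # trailing newline still ends up in $line. Unreadable files
            # are skipped quietly.
            { IFS= read -r line < "$f"; } 2>/dev/null
            case $line in
                *php*) printf "%s\n" "$f" ;;
            esac
        done
    ' sh {} +
}

# Constructed sample tree standing in for /tmp and /var/tmp.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/ccache/a"
    printf '<?php echo 1; ?>\n' > "$d/upload.dat"      # php on line 1
    printf '#!/usr/bin/php' > "$d/ccache/a/obj.o"      # no trailing newline
    printf 'plain\n<?php late ?>\n' > "$d/notes.txt"   # php only on line 2
    : > "$d/empty"                                     # empty file
    first_line_php "$d" | sed "s|^$d/||" | sort
    rm -rf "$d"
}

demo
```

On the real system the call would be `first_line_php /tmp /var/tmp`, the same two directories the original `find` walks.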