Bug 73372 - Chkrootkit reports "ls" and "du" as infected, when coreutils is built with the "static" use-flag.
Summary: Chkrootkit reports "ls" and "du" as infected, when coreutils is built with th...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: x86 Linux
Importance: High normal
Assignee: Forensics Herd [disbanded]
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2004-12-04 12:41 UTC by Mikkel Krautz
Modified: 2005-01-23 06:39 UTC

See Also:
Package list:
Runtime testing required: ---


Description Mikkel Krautz 2004-12-04 12:41:58 UTC
When coreutils is built with the "static" use-flag, chkrootkit apparently detects the binaries "/bin/du", and "/bin/ls" as "infected".

Reproducible: Always
Steps to Reproduce:
1. USE="static" emerge coreutils
2. chkrootkit ls du
3. ...
4. Profit!

Actual Results:  
# chkrootkit du ls
ROOTDIR is `/'
Checking `du'... INFECTED
Checking `ls'... INFECTED

Expected Results:  
# chkrootkit du ls
ROOTDIR is `/'
Checking `du'... not infected
Checking `ls'... not infected


Portage 2.0.51-r3 (default-linux/x86/2004.3, gcc-3.4.3, glibc-2.3.4.20041102-r0,
2.6.8.1-ck9 i686)
=================================================================
System uname: 2.6.8.1-ck9 i686 AMD Duron(tm)
Gentoo Base System version 1.6.6
distcc 2.18 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
Autoconf: sys-devel/autoconf-2.59-r5
Automake: sys-devel/automake-1.8.5-r1
Binutils: sys-devel/binutils-2.15.92.0.2-r1
Headers:  sys-kernel/linux26-headers-2.6.8.1-r1
Libtools: sys-devel/libtool-1.5.2-r7
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CFLAGS="-Os -march=athlon-xp -fomit-frame-pointer -pipe"
CHOST="i686-pc-linux-gnu"
COMPILER=""
CONFIG_PROTECT="/etc /usr/X11R6/lib/X11/xkb /usr/kde/2/share/config
/usr/kde/3.3/env /usr/kde/3.3/share/config /usr/kde/3.3/shutdown
/usr/kde/3/share/config /usr/lib/mozilla/defaults/pref /usr/share/config
/var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-Os -march=athlon-xp -fomit-frame-pointer -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs autoconfig ccache distlocks sandbox sfperms"
GENTOO_MIRRORS="http://gentoo.osuosl.org
http://distro.ibiblio.org/pub/Linux/distributions/gentoo"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="3dnow X aalib acpi alsa apache2 apm avi berkdb bitmap-fonts cdr chroot
crypt cups dedicated directfb dvd encode esd f77 fam fbcon foomaticdb fortran
freetype gd gdbm gif glx gnome gpm gstreamer gtk gtk2 imagemagick imlib ipv6
java jpeg kde libg++ libgd libncurses libwww libxml mad mikmod mmx motif mozilla
mpeg mysql ncurses nls nptl oggvorbis opengl openldap oss pam pdflib perl php
png ppds python qt quicktime readline rplay samba sdl sftplogging skey slang
spell sse ssl svg svga tcpd tiff truetype usb v4l2 x86 xft xinerama xml xml2
xmms xtt xv yuv zlib"
Comment 1 Owen Jacob 2004-12-04 12:49:04 UTC
Same Here.

Portage 2.0.51-r3 (default-linux/x86/2004.3, gcc-3.3.4, glibc-2.3.4.20040808-r1, 2.6.9-nitro4 i686)
=================================================================
System uname: 2.6.9-nitro4 i686 VIA Nehemiah
Gentoo Base System version 1.4.16
Autoconf: sys-devel/autoconf-2.59-r5
Automake: sys-devel/automake-1.8.5-r1
Binutils: sys-devel/binutils-2.15.90.0.1.1-r3
Headers:  sys-kernel/linux26-headers-2.6.8.1
Libtools: sys-devel/libtool-1.5.2-r7
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-march=i686 -msse -mmmx -mfpmath=sse -Os -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
COMPILER=""
CONFIG_PROTECT="/etc /usr/X11R6/lib/X11/xkb /usr/kde/2/share/config /usr/kde/3.3/env /usr/kde/3.3/share/config /usr/kde/3.3/shutdown /usr/kde/3/share/config /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-march=i686 -msse -mmmx -mfpmath=sse -Os -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs autoconfig ccache distlocks sandbox sfperms"
GENTOO_MIRRORS="ftp://ftp.heanet.ie/pub/gentoo/"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="3dnow X alsa apm arts avi bitmap-fonts cdparanoia cdr crypt cups dvd dvdr encode f77 fam flac flash foomaticdb fortran gdbm gif gphoto2 gpm gtk2 imagemagick imlib java jpeg kde libg++ libwww mad mikmod mmx mozilla mpeg msn ncurses nlsnptl nptlonly oggvorbis opengl pam pdflib perl pic png ppds python qt quicktimereadline sdl spell sse ssl svga tcpd threads tiff truetype usb userlocales wmf x86 xine xml2 xv zlib linguas_en_GB"
Comment 2 Aaron Walker (RETIRED) gentoo-dev 2005-01-18 09:33:43 UTC
I'm not going to be able to attempt to reproduce this until bug 51328 is fixed.  Although that's a different package, vapier says it's the same bug that is causing coreutils to fail when USE=static.

Daniel, maybe you'll have more luck on a different arch or something?
Comment 3 Daniel Black (RETIRED) gentoo-dev 2005-01-23 04:41:57 UTC
Doing the chkrootkit tests:
$ strings -a `which du` | egrep "/dev/ttyof|/dev/pty[pqrsx]|w0rm|/prof|/dev/tux|file\.h"
/var/profile

$ strings -a `which ls` | egrep "/dev/ttyof|/dev/pty[pqrs]|/dev/hdl0|\.tmp/lsfile|/dev/hdcc|/dev/ptyxx|duarawkz|/prof|/dev/tux|/security|file\.h"
/var/profile

This happens because:
$ strings /usr/lib/libc.a | fgrep /var/profile
/var/profile

Looking at glibc source code:
fgrep -r -A 3 -B 3 /var/profile .
./glibc-2.3.3/ChangeLog.12-2001-01-08  Ulrich Drepper  <drepper@redhat.com>
./glibc-2.3.3/ChangeLog.12-
./glibc-2.3.3/ChangeLog.12-     * elf/rtld.c (process_envvars): Place output files for profiling
./glibc-2.3.3/ChangeLog.12:     in SUID binaries in /var/profile.
./glibc-2.3.3/ChangeLog.12-
./glibc-2.3.3/ChangeLog.12-     * elf/dl-load.c (_dl_map_object): Don't look in cache for
./glibc-2.3.3/ChangeLog.12-     preloading in SUID binaries.
--
./glibc-2.3.3/elf/dl-support.c-  _dl_profile_output = getenv ("LD_PROFILE_OUTPUT");
./glibc-2.3.3/elf/dl-support.c-  if (_dl_profile_output == NULL || _dl_profile_output[0] == '\0')
./glibc-2.3.3/elf/dl-support.c-    _dl_profile_output
./glibc-2.3.3/elf/dl-support.c:      = &"/var/tmp\0/var/profile"[__libc_enable_secure ? 9 : 0];
./glibc-2.3.3/elf/dl-support.c-
./glibc-2.3.3/elf/dl-support.c-  if (__libc_enable_secure)
./glibc-2.3.3/elf/dl-support.c-    {
--
./glibc-2.3.3/elf/rtld.c-
./glibc-2.3.3/elf/rtld.c-  /* This is the default place for profiling data file.  */
./glibc-2.3.3/elf/rtld.c-  GLRO(dl_profile_output)
./glibc-2.3.3/elf/rtld.c:    = &"/var/tmp\0/var/profile"[INTUSE(__libc_enable_secure) ? 9 : 0];
./glibc-2.3.3/elf/rtld.c-
./glibc-2.3.3/elf/rtld.c-  /* Extra security for SUID binaries.  Remove all dangerous environment
./glibc-2.3.3/elf/rtld.c-     variables.  */


The solution:

I looked around for what chkrootkit uses /prof as a pattern for (what it should be finding), but I couldn't find anything. If I had found something, I could have changed the pattern so that it maybe didn't match /var/profile.

The other option is to remove the /prof pattern from chkrootkit; however, this leaves a vulnerability.
(sed -i -e 's:|/prof::g' /usr/sbin/chkrootkit)

If you could email the chkrootkit author about what /prof is meant to match, then we could develop a pattern that wouldn't generate false positives.
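To make the false positive in comment 3 concrete, the following is an added example (not chkrootkit's code, and not the fix its author later shipped) that re-implements the `strings -a | egrep` check with the `du`/`ls` patterns quoted above, runs it over a constructed byte blob that embeds glibc's "/var/profile" string, and then shows two defender-side ways of suppressing the hit: a tightened `/prof` pattern that refuses to match when a letter follows, and an allow-list of strings known to come from libc.a. The tightened pattern, the allow-list, and the sample blobs are all assumptions constructed for this illustration.

```python
"""
Re-implementation of the string-signature check behind chkrootkit's `du` and
`ls` tests (strings -a <binary> | egrep <pattern>). Added example for this bug;
not chkrootkit's own code and not the upstream fix.
"""
import re
from typing import List

# The egrep patterns quoted in comment 3, verbatim.
DU_PATTERN = r"/dev/ttyof|/dev/pty[pqrsx]|w0rm|/prof|/dev/tux|file\.h"
LS_PATTERN = (r"/dev/ttyof|/dev/pty[pqrs]|/dev/hdl0|\.tmp/lsfile|/dev/hdcc|"
              r"/dev/ptyxx|duarawkz|/prof|/dev/tux|/security|file\.h")

# Illustrative tightening (an assumption, not the upstream fix): report
# "/prof" only when no letter follows it, so glibc's "/var/profile" no longer hits.
TIGHT_DU_PATTERN = DU_PATTERN.replace("/prof", "/prof(?![A-Za-z])")

# Strings that comment 3 traced to a statically linked glibc (libc.a) rather
# than to a rootkit. Constructed allow-list for this example.
KNOWN_LIBC_STRINGS = {"/var/profile"}


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Approximate `strings -a`: runs of at least min_len printable ASCII bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def scan(data: bytes, pattern: str) -> List[str]:
    """Return the embedded strings that `egrep pattern` would print."""
    rx = re.compile(pattern)
    return sorted({s for s in extract_strings(data) if rx.search(s)})


def verdict(data: bytes, pattern: str) -> str:
    """chkrootkit-style verdict, ignoring strings known to be embedded by glibc."""
    hits = [s for s in scan(data, pattern) if s not in KNOWN_LIBC_STRINGS]
    return "INFECTED" if hits else "not infected"


# Constructed sample "binaries": a few bytes with an ELF-like prefix, not real files.
# STATIC_DU mimics a static coreutils `du` that carries glibc's profiling path.
STATIC_DU = (b"\x7fELF\x01\x01\x01" + b"\x00" * 9
             + b"/var/tmp\x00/var/profile\x00LD_PROFILE_OUTPUT\x00"
             + b"GNU coreutils\x00")
# SUSPECT_DU carries a bare "/prof" string, the token the signature is aimed at.
SUSPECT_DU = b"\x7fELF\x01\x01\x01" + b"\x00" * 9 + b"/prof\x00GNU coreutils\x00"

if __name__ == "__main__":
    for name, blob in (("static du", STATIC_DU), ("suspect du", SUSPECT_DU)):
        print(f"{name}: original pattern -> {scan(blob, DU_PATTERN)}, "
              f"tightened -> {scan(blob, TIGHT_DU_PATTERN)}, "
              f"allow-list verdict -> {verdict(blob, DU_PATTERN)}")
```

Running the script shows the static blob being flagged by the original pattern solely because of "/var/profile", while both mitigations leave it clean and still flag the blob that contains a bare "/prof". The allow-list is the less risky of the two, since it narrows the exception to the exact string glibc is known to embed instead of loosening the signature itself.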
Comment 4 Daniel Black (RETIRED) gentoo-dev 2005-01-23 06:39:44 UTC
Fixed, thanks to the author Nelson Murilo <nelson@pangeia.com.br>.