running chkrootkit-0.45 while a screen session is active gives a false positive. with the last stable version before 0.45 this didn't occur.

Reproducible: Always

Steps to Reproduce:
1. run a screen session
2. start chkrootkit

Actual Results:
The tty of the following user process(es) were not found
 in /var/run/utmp !
! RUID          PID TTY    CMD
! ed          11827 pts/1  -/bin/bash
! ed          25239 pts/1  irssi

Expected Results:

---
Portage 2.0.51.19 (default-linux/x86/2005.0, gcc-3.3.5-20050130, glibc-2.3.4.20041102-r1, 2.6.11-hardened-r13 i686)
=================================================================
System uname: 2.6.11-hardened-r13 i686 Intel(R) Celeron(R) CPU 2.40GHz
Gentoo Base System version 1.4.16
Python:              dev-lang/python-2.3.5 [2.3.5 (#1, Apr 28 2005, 22:09:52)]
ccache version 2.3 [enabled]
dev-lang/python:     2.3.5
sys-apps/sandbox:    [Not Present]
sys-devel/autoconf:  2.13, 2.59-r6
sys-devel/automake:  1.5, 1.9.5, 1.4_p6, 1.7.9-r1, 1.6.3, 1.8.5-r3
sys-devel/binutils:  2.15.92.0.2-r7
sys-devel/libtool:   1.5.16
virtual/os-headers:  2.6.8.1-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-O2 -march=pentium4 -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -march=pentium4 -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs autoconfig ccache distlocks sandbox sfperms strict"
GENTOO_MIRRORS="ftp://ftp.uni-erlangen.de/pub/mirrors/gentoo"
LANG="de_DE"
MAKEOPTS="-j1"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.de.gentoo.org/gentoo-portage"
USE="x86 alsa apache2 arts avi bash-completion berkdb bitmap-fonts crypt curl devfs26 emboss encode foomaticdb gd gdbm gif hardened hardenedphp imagemagick imap imlib jpeg kde libg++ mbox memlimit mmx mmx2 motif mp3 ncurses nls nopop3d oggvorbis opengl oss pam pcre perl php png posix quicktime rtc sasl sdl sse sse2 ssl tcpd tiff truetype truetype-fonts type1 type1-fonts xml2 xmms xv zlib userland_GNU kernel_linux elibc_glibc"
Unset:  ASFLAGS, CBUILD, CTARGET, LC_ALL, LDFLAGS, LINGUAS, PORTDIR_OVERLAY
are you using udev? can you include lsof -p <pid> to see what files they do have open? are you using any grsec proc restrictions that would make chkroot not able to read proc?
(In reply to comment #1)

> are you using udev?

no, devfs

> can you include lsof -p <pid>
> to see what files they do have open?

# lsof -p 11827
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
bash 11827 ed cwd DIR 3,5 4096 1359873 /home/ed
bash 11827 ed rtd DIR 3,2 4096 2 /
bash 11827 ed txt REG 3,2 526768 716734 /bin/bash
bash 11827 ed mem REG 3,2 95596 1858205 /lib/ld-2.3.4.so
bash 11827 ed mem REG 3,2 10616 1858207 /lib/libdl-2.3.4.so
bash 11827 ed mem REG 3,2 1199880 1857319 /lib/libc-2.3.4.so
bash 11827 ed mem REG 3,2 30888 1858161 /lib/libnss_compat-2.3.4.so
bash 11827 ed mem REG 3,2 79656 1856881 /lib/libnsl-2.3.4.so
bash 11827 ed mem REG 3,2 39624 1858215 /lib/libnss_nis-2.3.4.so
bash 11827 ed mem REG 3,2 35348 1858157 /lib/libnss_files-2.3.4.so
bash 11827 ed mem REG 3,2 9732 814467 /usr/lib/gconv/ISO8859-15.so
bash 11827 ed mem REG 3,2 9732 814964 /usr/lib/gconv/ISO8859-1.so
bash 11827 ed mem REG 3,2 207752 326923 /usr/lib/locale/de_DE/LC_CTYPE
bash 11827 ed mem REG 3,2 21544 814647 /usr/lib/gconv/gconv-modules.cache
bash 11827 ed mem REG 3,2 208004 330453 /usr/lib/locale/de_DE@euro/LC_CTYPE
bash 11827 ed mem REG 3,2 59 326924 /usr/lib/locale/de_DE/LC_NUMERIC
bash 11827 ed mem REG 3,2 2348 326925 /usr/lib/locale/de_DE/LC_TIME
bash 11827 ed mem REG 3,2 21499 326926 /usr/lib/locale/de_DE/LC_COLLATE
bash 11827 ed mem REG 3,2 299 326928 /usr/lib/locale/de_DE/LC_MONETARY
bash 11827 ed mem REG 3,2 59 326929 /usr/lib/locale/de_DE/LC_MESSAGES/SYS_LC_MESSAGES
bash 11827 ed mem REG 3,2 39 326930 /usr/lib/locale/de_DE/LC_PAPER
bash 11827 ed mem REG 3,2 87 326931 /usr/lib/locale/de_DE/LC_NAME
bash 11827 ed mem REG 3,2 164 326933 /usr/lib/locale/de_DE/LC_ADDRESS
bash 11827 ed mem REG 3,2 61 326934 /usr/lib/locale/de_DE/LC_TELEPHONE
bash 11827 ed mem REG 3,2 28 326935 /usr/lib/locale/de_DE/LC_MEASUREMENT
bash 11827 ed mem REG 3,2 380 330452 /usr/lib/locale/de_DE/LC_IDENTIFICATION
bash 11827 ed 0u CHR 136,1 3 /dev/pts/1
bash 11827 ed 1u CHR 136,1 3 /dev/pts/1
bash 11827 ed 2u CHR 136,1 3 /dev/pts/1
bash 11827 ed 255u CHR 136,1 3 /dev/pts/1

# lsof -p 25239
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
irssi 25239 ed cwd DIR 3,5 4096 1359873 /home/ed
irssi 25239 ed rtd DIR 3,2 4096 2 /
irssi 25239 ed txt REG 3,2 760956 912440 /usr/bin/irssi
irssi 25239 ed mem REG 3,2 95596 1858205 /lib/ld-2.3.4.so
irssi 25239 ed mem REG 3,2 1018320 1384511 /usr/lib/libperl.so.1.5.8
irssi 25239 ed mem REG 3,2 142170 1858209 /lib/libpthread-0.10.so
irssi 25239 ed mem REG 3,2 79656 1856881 /lib/libnsl-2.3.4.so
irssi 25239 ed mem REG 3,2 154312 1858150 /lib/libm-2.3.4.so
irssi 25239 ed mem REG 3,2 22516 1858152 /lib/libcrypt-2.3.4.so
irssi 25239 ed mem REG 3,2 10304 1858217 /lib/libutil-2.3.4.so
irssi 25239 ed mem REG 3,2 13852 1385602 /usr/lib/libgmodule-2.0.so.0.600.3
irssi 25239 ed mem REG 3,2 589120 1385337 /usr/lib/libglib-2.0.so.0.600.3
irssi 25239 ed mem REG 3,2 224476 1385376 /usr/lib/libssl.so.0.9.7
irssi 25239 ed mem REG 3,2 1283008 1385981 /usr/lib/libcrypto.so.0.9.7
irssi 25239 ed mem REG 3,2 10616 1858207 /lib/libdl-2.3.4.so
irssi 25239 ed mem REG 3,2 308472 1858114 /lib/libncurses.so.5.4
irssi 25239 ed mem REG 3,2 1199880 1857319 /lib/libc-2.3.4.so
irssi 25239 ed mem REG 3,2 30888 1858161 /lib/libnss_compat-2.3.4.so
irssi 25239 ed mem REG 3,2 39624 1858215 /lib/libnss_nis-2.3.4.so
irssi 25239 ed mem REG 3,2 35348 1858157 /lib/libnss_files-2.3.4.so
irssi 25239 ed mem REG 3,2 94124 1727728 /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/Irssi/Irssi.so
irssi 25239 ed mem REG 3,2 47804 1727734 /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/Irssi/UI/UI.so
irssi 25239 ed mem REG 3,2 45068 1727731 /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/Irssi/Irc/Irc.so
irssi 25239 ed mem REG 3,2 9732 814467 /usr/lib/gconv/ISO8859-15.so
irssi 25239 ed mem REG 3,2 21544 814647 /usr/lib/gconv/gconv-modules.cache
irssi 25239 ed mem REG 3,2 123181 1710438 /usr/share/locale/de/LC_MESSAGES/libc.mo
irssi 25239 ed mem REG 3,2 59 326924 /usr/lib/locale/de_DE/LC_NUMERIC
irssi 25239 ed mem REG 3,2 2348 326925 /usr/lib/locale/de_DE/LC_TIME
irssi 25239 ed mem REG 3,2 21499 326926 /usr/lib/locale/de_DE/LC_COLLATE
irssi 25239 ed mem REG 3,2 299 326928 /usr/lib/locale/de_DE/LC_MONETARY
irssi 25239 ed mem REG 3,2 59 326929 /usr/lib/locale/de_DE/LC_MESSAGES/SYS_LC_MESSAGES
irssi 25239 ed mem REG 3,2 39 326930 /usr/lib/locale/de_DE/LC_PAPER
irssi 25239 ed mem REG 3,2 87 326931 /usr/lib/locale/de_DE/LC_NAME
irssi 25239 ed mem REG 3,2 164 326933 /usr/lib/locale/de_DE/LC_ADDRESS
irssi 25239 ed mem REG 3,2 61 326934 /usr/lib/locale/de_DE/LC_TELEPHONE
irssi 25239 ed mem REG 3,2 28 326935 /usr/lib/locale/de_DE/LC_MEASUREMENT
irssi 25239 ed mem REG 3,2 380 330452 /usr/lib/locale/de_DE/LC_IDENTIFICATION
irssi 25239 ed mem REG 3,2 208004 330453 /usr/lib/locale/de_DE@euro/LC_CTYPE
irssi 25239 ed 0u CHR 136,1 3 /dev/pts/1
irssi 25239 ed 1u CHR 136,1 3 /dev/pts/1
irssi 25239 ed 2u CHR 136,1 3 /dev/pts/1
(TCP Connections stripped)

> are you using any grsec proc restricted that would make chkroot not able to
> read proc.

Kernel is running grsec with all available restrictions to /proc but chkrootkit was run as root. Same kernel and latest stable version of chkrootkit < 0.45 and no problem.
looking in README, chkutmp is a new test in 0.45, which explains the clear state of things previously.

chkutmp seems to compare:
ps ax -o "tty,pid,ruser,args"
with /var/run/utmp

something like
utmpdump /var/run/utmp | fgrep <pid>
may help. it's a comparison of the tty values in both outputs. chkutmp.c should help if you want to look a bit further.

udev is pretty good if you want to consider a migration: http://www.gentoo.org/doc/en/udev-guide.xml
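As an added example, not chkrootkit's own code and not the chkutmp.c that the comment points to, the Python script below approximates the comparison described in that comment: it takes the text of `utmpdump /var/run/utmp` and of `ps ax -o "tty,pid,ruser,args"`, keeps only the utmp records whose type is USER_PROCESS, and lists every process whose controlling tty has no such record. Both input samples are constructed to mirror the shape of the bug report (a login shell on pts/0, a screen window on pts/1, plus a stale DEAD_PROCESS record for pts/2); the pids, timestamps and the sshd line are made up. On a real host you would feed it the output of the two commands instead.

```python
"""Added example: a chkutmp-style comparison of `ps` ttys against utmp.

This is NOT chkrootkit's code; it approximates the check described in the
bug comment, reading `utmpdump` text instead of the binary utmp file.
All sample data below is constructed, not captured from the reporter's host.
"""
import re
from typing import List, Set, Tuple

# ut_type values from <utmp.h>; only USER_PROCESS records describe a live login.
BOOT_TIME = 2
USER_PROCESS = 7
DEAD_PROCESS = 8

# Constructed `utmpdump /var/run/utmp` output. Fields are
# [type] [pid] [id] [user] [line] [host] [addr] [time].
# Only pts/0 (the login shell) has a live entry. pts/1 was allocated by screen
# for a window and never registered; pts/2 keeps a stale DEAD_PROCESS record.
UTMPDUMP_SAMPLE = """\
[2] [00000] [~~  ] [reboot  ] [~           ] [2.6.11-hardened-r13 ] [0.0.0.0        ] [Sat Jun 04 10:00:00 2005 UTC]
[7] [11000] [ts/0] [ed      ] [pts/0       ] [                    ] [0.0.0.0        ] [Sat Jun 04 10:05:00 2005 UTC]
[8] [09000] [ts/2] [        ] [pts/2       ] [                    ] [0.0.0.0        ] [Sat Jun 04 09:55:00 2005 UTC]
"""

# Constructed `ps ax -o "tty,pid,ruser,args"` output for the same moment.
PS_SAMPLE = """\
TT         PID RUSER    COMMAND
?            1 root     init [3]
pts/0    11000 ed       -bash
pts/0    11001 ed       screen
pts/1    11827 ed       -/bin/bash
pts/1    25239 ed       irssi
pts/2    30000 ed       sleep 3600
?        25500 root     /usr/sbin/sshd
"""

_FIELD = re.compile(r"\[([^\]]*)\]")
PsRow = Tuple[str, int, str, str]      # (tty, pid, ruser, args)
Flagged = Tuple[str, int, str, str]    # (ruser, pid, tty, args)


def parse_utmpdump(text: str) -> Set[str]:
    """Return the tty lines that utmp currently records as USER_PROCESS sessions.

    Reboot markers and DEAD_PROCESS leftovers are ignored, so a stale entry
    for a tty does not make a process on that tty look logged in.
    """
    live: Set[str] = set()
    for raw in text.splitlines():
        fields = [f.strip() for f in _FIELD.findall(raw)]
        if len(fields) < 5:
            continue  # blank or malformed record
        ut_type, _pid, _id, _user, ut_line = fields[:5]
        if int(ut_type) == USER_PROCESS and ut_line:
            live.add(ut_line)
    return live


def parse_ps(text: str) -> List[PsRow]:
    """Parse `ps ax -o tty,pid,ruser,args` output, dropping the header line and
    processes that have no controlling tty (shown by ps as '?')."""
    rows: List[PsRow] = []
    for raw in text.splitlines()[1:]:
        parts = raw.split(None, 3)
        if len(parts) < 4:
            continue
        tty, pid, ruser, args = parts
        if tty == "?":
            continue
        rows.append((tty, int(pid), ruser, args))
    return rows


def find_unregistered(ps_text: str, utmp_text: str) -> List[Flagged]:
    """Processes whose controlling tty has no live utmp entry.

    This is the condition chkutmp reports on; a rootkit that scrubs its login
    from utmp but leaves an interactive process behind trips it, and so does a
    legitimate screen window whose pty was never registered.
    """
    live = parse_utmpdump(utmp_text)
    return [(ruser, pid, tty, args)
            for tty, pid, ruser, args in parse_ps(ps_text)
            if tty not in live]


def format_report(flagged: List[Flagged]) -> str:
    """Render the result in the shape of the message quoted in the bug report."""
    if not flagged:
        return "every process tty has a live utmp entry"
    out = ["The tty of the following user process(es) were not found",
           " in /var/run/utmp !",
           "! RUID          PID TTY    CMD"]
    for ruser, pid, tty, args in flagged:
        out.append(f"! {ruser:<12} {pid:>5} {tty:<6} {args}")
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(find_unregistered(PS_SAMPLE, UTMPDUMP_SAMPLE)))
```

Run as-is it reproduces the report's shape: the screen frontend sits on the registered pts/0, while the window shell and irssi inherit pts/1, which has no utmp record, so both are listed. Whether screen writes a utmp entry for a window depends on the build's utmp support, on write access to /var/run/utmp and on the window's login setting, which is why the same check can pass on one host and fail on another. The `sleep` on pts/2 is listed too, and that is the case the test exists for: its tty's only utmp record is DEAD_PROCESS, so an interactive process survived a session that utmp says has ended. When triaging a hit, compare the flagged pids against `ps -o ppid` and the screen socket directory before treating it as a compromise.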
this is not something that we should fix. You need to take this upstream if you think the app's behaviour is invalid.