Re: [libreoffice-users] Re: [3.6] listening on the network
On Fri 17 Aug 2012 16:44:32 CEST, NoOp wrote:
> ...
> And from Fedora 17 (rpm) LO3.6:
>
>   $ lsof -U | grep soffice
>   soffice.b 30094 gg  6u unix 0xf4440b40 0t0 116738 socket
>   soffice.b 30094 gg 10u unix 0xf4441d40 0t0 116742 /tmp/OSL_PIPE_1000_SingleOfficeIPC_5d6a40e77981cf59bf3a90df38dfa5f7
>   soffice.b 30094 gg 27u unix 0xf44406c0 0t0 116776 socket
>   soffice.b 30094 gg 28u unix 0xf4441680 0t0 116778 socket
>   soffice.b 30094 gg 33u unix 0xdb205680 0t0 116782 socket
>
>   $ rkhunter --version
>   Rootkit Hunter 1.4.0
>
> No warnings regarding anything 'soffice' in the rkhunter logs.

Thanks for your input. Can you confirm that this command doesn't produce any result related to LibreOffice:

  rkhunter --enable packet_cap_apps --report-warnings-only

After investigating a bit more, and running rkhunter in debug mode, here is what I found: rkhunter searches for the inodes listed in /proc/net/packet and then searches for these inodes in the output of lsof (to get the command which created the process). But this second search is a simple grep, and can match something other than a PID. In my case, I get:

  $ cat /proc/net/packet
  sk           RefCnt Type Proto Iface R Rmem User Inode
  8100bdbe0c00 3      3    0003  2     1 0    0    8374

This is probably dhclient, but I need to confirm it.

  $ lsof -lMnPw -d 1-20 | egrep 8374    # this is the command used by rkhunter
  soffice.b 15012 1058 15r REG 8,2 8374 1954680 /opt/libreoffice3.6/program/resource/ofaen-US.res

Here, the inode found in /proc/net/packet matches the size of ofaen-US.res, not its inode!
The relevant part of the debug logs produced by rkhunter is:

  [snip]
  + INODE_LIST=
  ++ egrep -v '^sk|888e' /proc/net/packet
  ++ awk '{ print $9 }'
  + for INODE in '`egrep -v '\''^sk|888e'\'' /proc/net/packet | awk '\''{ print $9 }'\''`'
  + INODE_LIST='|8374'
  ++ echo '|8374'
  ++ sed -e 's/^|//'
  + INODE_LIST=8374
  [snip]
  + for PID in '`${LSOF_CMD} -lMnPw -d 1-20 | egrep [](${INODE_LIST})[ ] | awk '\''{ print $2 }'\''`'
  + NAME=
  + '[' -h /proc/15012/exe -a 1 -eq 1 ']'
  ++ /usr/bin/readlink -f /proc/15012/exe
  ++ cut '-d ' -f1
  + NAME=/opt/libreoffice3.6/program/soffice.bin
  + test -z /opt/libreoffice3.6/program/soffice.bin
  + AMATCH=1
  + for RKHTMPVAR in '${ALLOWPROCLISTENERS}'
  + '[' /opt/libreoffice3.6/program/soffice.bin = /sbin/dhclient ']'
  + for RKHTMPVAR in '${ALLOWPROCLISTENERS}'
  + '[' /opt/libreoffice3.6/program/soffice.bin = /usr/bin/dhcpcd ']'
  + for RKHTMPVAR in '${ALLOWPROCLISTENERS}'
  + '[' /opt/libreoffice3.6/program/soffice.bin = /usr/sbin/dhcpd ']'
  + '[' 1 -eq 0 ']'
  + FOUND=1
  + BLACKPROC=' /opt/libreoffice3.6/program/soffice.bin 15012'
  [snip]

I'll contact the authors of rkhunter to get confirmation, and hopefully correction, of this problem.

Thanks again for helping to clarify the situation,

-- 
Philippe Naudin

-- 
For unsubscribe instructions e-mail to: users+h...@global.libreoffice.org
Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.libreoffice.org/global/users/
All messages sent to this list will be publicly archived and cannot be deleted
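The debug trace above shows the two steps of the check: collect inodes from /proc/net/packet, then grep for them as bare tokens anywhere in the lsof output. The following is an added example, not rkhunter's code or anything from the thread, that reproduces the false positive on constructed sample data and puts a column-aware match beside it. The lsof layout used (COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME) is the one visible in the thread; the dhclient line, and the assumption that lsof may print a packet socket's inode under either DEVICE or NODE depending on version, are mine.

```shell
#!/bin/sh
# Added example: correlating /proc/net/packet inodes with lsof output.
# Sample data below is constructed, not captured from a real system.

# Stand-in for /proc/net/packet: one AF_PACKET socket with inode 8374.
PROC_NET_PACKET='sk           RefCnt Type Proto Iface R Rmem User Inode
8100bdbe0c00 3      3    0003  2     1 0    0    8374'

# Stand-in for `lsof -lMnPw -d 1-20`.  Column layout:
#   COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
# The first data row reproduces the thread's false positive: 8374 is the
# SIZE of ofaen-US.res, not an inode.  The dhclient row is constructed
# (assumption) to represent the real owner of the packet socket.
LSOF_OUT='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
soffice.b 15012 1058 15r REG 8,2 8374 1954680 /opt/libreoffice3.6/program/resource/ofaen-US.res
soffice.b 15012 1058 10u unix 0xf4441d40 0t0 116742 /tmp/OSL_PIPE_1000_SingleOfficeIPC_5d6a40e77981cf59bf3a90df38dfa5f7
dhclient 2201 0 5u pack 8374 0t0 8374 type=SOCK_RAW'

# Step 1 (same idea as the trace): skip the header line and, as rkhunter
# does, sockets on the 802.1X/EAPOL protocol (888e); keep the Inode column.
packet_inodes() {
    printf '%s\n' "$PROC_NET_PACKET" | grep -E -v '^sk|888e' | awk '{ print $9 }'
}

# Step 2, naive: the inode list becomes an alternation matched as a
# whitespace-delimited token anywhere on the line, so SIZE/OFF matches too.
naive_pids() {
    list=$(packet_inodes | paste -s -d '|' -)
    printf '%s\n' "$LSOF_OUT" | grep -E "[ ](${list})[ ]" | awk '{ print $2 }' | sort -u
}

# Step 2, column-aware: only socket rows (TYPE in column 5) are eligible,
# and the inode must appear in a socket-identity column (DEVICE, $6, or
# NODE, $8), never in SIZE/OFF ($7).  Accepting both $6 and $8 is an
# assumption about how different lsof versions print packet sockets.
strict_pids() {
    list=$(packet_inodes | paste -s -d '|' -)
    printf '%s\n' "$LSOF_OUT" | awk -v re="^(${list})\$" '
        NR > 1 && ($5 == "pack" || $5 == "sock") && ($6 ~ re || $8 ~ re) { print $2 }
    ' | sort -u
}

echo "packet socket inodes: $(packet_inodes | tr '\n' ' ')"
echo "naive match (PIDs):   $(naive_pids | tr '\n' ' ')"
echo "strict match (PIDs):  $(strict_pids | tr '\n' ' ')"
```

On the sample, the naive match returns both 15012 (soffice.bin, via the file size) and 2201, while the column-aware match returns only 2201. On a real host, replace the two constructed variables with `cat /proc/net/packet` and the actual lsof command, and resolve each PID with `readlink -f /proc/PID/exe` as the trace does.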
Re: [libreoffice-users] Re: [3.6] listening on the network
On Thu 16 Aug 2012 19:38:31 CEST, NoOp wrote:
> On 08/16/2012 04:45 AM, Philippe Naudin wrote:
>> Hello,
>>
>> I am using LibreOffice x86_64 on Linux, installed from official rpms. Since it got updated to Version 3.6.0.4 (Build ID: 932b512), rkhunter whines:
>>
>>   Checking for packet capturing applications
>>   Warning: Process '/opt/libreoffice3.6/program/soffice.bin' (PID 15079) is listening on the network.
>>
>> lsof -i doesn't show anything related to soffice, but lsof -U shows:
>>
>>   COMMAND   PID   USER   FD  TYPE DEVICE         SIZE/OFF NODE   NAME
>>   soffice.b 15079 naudin 11u unix 0x8100883b7c80 0t0      352208 socket
>>   X         2924  root   44u unix 0x8100883b7980 0t0      352209 /tmp/.X11-unix/X0
>>   soffice.b 15079 naudin 12u unix 0x8100883b7680 0t0      352210 /tmp/OSL_PIPE_1058_SingleOfficeIPC_474aee6e854ee537ef2ad5a42cd51fe9
>>   soffice.b 15079 naudin 22u unix 0x8100883b7080 0t0      352223 socket
>>   X         2924  root   46u unix 0x8100883b7380 0t0      352224 /tmp/.X11-unix/X0
>>
>> The same rkhunter has no problem with LibreOffice 3.5.4.2, Build ID: 165a79a-7059095-e13bb37-fef39a4-9503d18, also an official rpm for Linux x86_64. But LibreOffice-3.5 only uses one socket, the /tmp/OSL_PIPE one.
>>
>> Is there a way to turn off these extra sockets in 3.6?
>>
>> Thanks,
>
> I can't replicate on the deb version with:
>   Rootkit Hunter version 1.3.8
> What version of rkhunter have you: rkhunter --update to ensure that your rkhunter is up to date?
>   Version 3.6.0.4 (Build ID: 932b512)
> I won't be able to check an rpm version until later - sorry.

Hi,

Thanks for your reply. I'm using an rpm ;), it is rkhunter-1.4.0-1.el5.

Of course I can get rkhunter silent with something like DISABLE_TESTS=hidden_ports or ALLOWPROCLISTEN=soffice.bin. In this case it will not complain about LibreOffice listening on the network... even when I open a file with some malware inside.

Can you check the output of this command:

  lsof -U | grep soffice

With LibreOffice-3.5, I get only one line (/tmp/OSL_PIPE_...), but with LibreOffice-3.6 I get two more lines, two unix sockets.
Regards,

-- 
Philippe Naudin