Re: [libreoffice-users] Re: [3.6] listening on the network

2012-08-20 Thread Philippe Naudin
On Fri. 17 Aug. 2012 16:44:32 CEST, NoOp wrote:
 ...
 And from Fedora 17 (rpm)
 LO3.6:
 $ lsof -U | grep soffice
 soffice.b 30094   gg6u  unix 0xf4440b40  0t0 116738 socket
 soffice.b 30094   gg   10u  unix 0xf4441d40  0t0 116742 /tmp/OSL_PIPE_1000_SingleOfficeIPC_5d6a40e77981cf59bf3a90df38dfa5f7
 soffice.b 30094   gg   27u  unix 0xf44406c0  0t0 116776 socket
 soffice.b 30094   gg   28u  unix 0xf4441680  0t0 116778 socket
 soffice.b 30094   gg   33u  unix 0xdb205680  0t0 116782 socket
 
 $ rkhunter --version
 Rootkit Hunter 1.4.0
 
 No warnings regarding anything 'soffice' in the rkhunter logs.

Thanks for your input. Can you confirm that this command doesn't
produce any result related to LibreOffice:
rkhunter --enable packet_cap_apps --report-warnings-only

After investigating a bit more, and running rkhunter in debug mode,
here is what I found:
rkhunter searches for the inodes listed in /proc/net/packet and then searches
for these inodes in the output of lsof (to get the command which created the
process). But this second search is a simple grep, and can match
something other than a PID.

In my case, I get:
$ cat /proc/net/packet
sk   RefCnt Type Proto  Iface R Rmem   User   Inode
8100bdbe0c00 3  30003   2 1 0  0  8374

This is probably dhclient, but I need to confirm it.

$ lsof -lMnPw -d 1-20 | egrep 8374
 # this is the command used by rkhunter
soffice.b 15012  1058   15r   REG   8,2  8374 1954680 /opt/libreoffice3.6/program/resource/ofaen-US.res

Here, the inode found in /proc/net/packet matches the size
of ofaen-US.res, not its inode!

The relevant part of the debug logs produced by rkhunter is:
[snip]
+ INODE_LIST=
++ egrep -v '^sk|888e' /proc/net/packet
++ awk '{ print $9 }'
+ for INODE in '`egrep -v '\''^sk|888e'\'' /proc/net/packet | awk '\''{ print $9 }'\''`'
+ INODE_LIST='|8374'
++ echo '|8374'
++ sed -e 's/^|//'
+ INODE_LIST=8374
[snip]
+ for PID in '`${LSOF_CMD} -lMnPw -d 1-20 | egrep [](${INODE_LIST})[   
] | awk '\''{ print $2 }'\''`'
+ NAME=
+ '[' -h /proc/15012/exe -a 1 -eq 1 ']'
++ /usr/bin/readlink -f /proc/15012/exe
++ cut '-d ' -f1
+ NAME=/opt/libreoffice3.6/program/soffice.bin
+ test -z /opt/libreoffice3.6/program/soffice.bin
+ AMATCH=1
+ for RKHTMPVAR in '${ALLOWPROCLISTENERS}'
+ '[' /opt/libreoffice3.6/program/soffice.bin = /sbin/dhclient ']'
+ for RKHTMPVAR in '${ALLOWPROCLISTENERS}'
+ '[' /opt/libreoffice3.6/program/soffice.bin = /usr/bin/dhcpcd ']'
+ for RKHTMPVAR in '${ALLOWPROCLISTENERS}'
+ '[' /opt/libreoffice3.6/program/soffice.bin = /usr/sbin/dhcpd ']'
+ '[' 1 -eq 0 ']'
+ FOUND=1
+ BLACKPROC='
/opt/libreoffice3.6/program/soffice.bin 15012'
[snip]

I'll contact the authors of rkhunter to get confirmation, and 
hopefully correction, of this problem.

Thanks again for helping to clarify the situation,

-- 
Philippe Naudin

-- 
For unsubscribe instructions e-mail to: users+h...@global.libreoffice.org
Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.libreoffice.org/global/users/
All messages sent to this list will be publicly archived and cannot be deleted
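The false positive described in the message above, reproduced as an added example (not rkhunter's own code and not part of this thread): constructed /proc/net/packet and lsof samples, with rkhunter 1.4.0's whitespace-bounded grep beside a column-aware match that only accepts the inode in a packet-socket line. The lsof column layout, the "pack" TYPE label for packet sockets and the dhclient line are assumptions about lsof's output format, not data from the thread.

```shell
#!/bin/sh
# Constructed /proc/net/packet sample (one AF_PACKET socket, inode 8374),
# modelled on the output quoted in the thread; not taken from a live system.
PACKET_SAMPLE='sk           RefCnt Type Proto  Iface R Rmem   User   Inode
8100bdbe0c00 3      3    0003   2     1 0      0      8374'

# Constructed lsof -lMnPw -d 1-20 sample. Assumed column layout:
# COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME. soffice.bin holds a
# regular file whose SIZE/OFF happens to be 8374; dhclient owns the packet
# socket, whose inode lsof is assumed to show in DEVICE with TYPE "pack".
LSOF_SAMPLE='COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF    NODE NAME
soffice.b 15012 1058   15r   REG    8,2     8374 1954680 /opt/libreoffice3.6/program/resource/ofaen-US.res
dhclient   1203    0    6u  pack   8374      0t0     ALL type=SOCK_RAW'

# Inodes of packet sockets, extracted the way rkhunter does it: drop the
# header and EAPOL (proto 888e) entries, keep column 9, join with "|".
packet_inode_pattern() {
  printf '%s\n' "$PACKET_SAMPLE" | grep -Ev '^sk|888e' |
    awk '{ printf "%s%s", (n++ ? "|" : ""), $9 }'
}

# rkhunter 1.4.0 style: a whitespace-bounded grep for the inode anywhere on
# the lsof line. Any column equal to 8374 matches, so the soffice.bin line
# (size 8374, inode 1954680) is reported as a packet listener.
naive_pids() {
  pat=$(packet_inode_pattern)
  printf '%s\n' "$LSOF_SAMPLE" |
    grep -E "[[:space:]](${pat})[[:space:]]" | awk '{ print $2 }'
}

# Column-aware check: require TYPE (column 5) to be "pack" and the inode to
# sit in DEVICE or NODE (columns 6 and 8), never in SIZE/OFF (column 7).
strict_pids() {
  pat=$(packet_inode_pattern)
  printf '%s\n' "$LSOF_SAMPLE" |
    awk -v pat="^(${pat})\$" \
      'NR > 1 && $5 == "pack" && ($6 ~ pat || $8 ~ pat) { print $2 }'
}

echo "naive match (false positive on soffice.bin):"; naive_pids
echo "column-aware match:"; strict_pids
```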



Re: [libreoffice-users] Re: [3.6] listening on the network

2012-08-17 Thread Philippe Naudin
On Thu. 16 Aug. 2012 19:38:31 CEST, NoOp wrote:

 On 08/16/2012 04:45 AM, Philippe Naudin wrote:
  Hello,
  
  I am using LibreOffice x86_64 on Linux, installed from official rpms.
  Since it got updated to Version 3.6.0.4 (Build ID: 932b512), rkhunter
  whines:
Checking for packet capturing applications
Warning: Process '/opt/libreoffice3.6/program/soffice.bin' (PID 15079) is 
  listening on the network.
  
  lsof -i doesn't show anything related to soffice, but lsof -U shows:
  COMMAND   PID   USER   FD   TYPE DEVICE         SIZE/OFF   NODE NAME
  soffice.b 15079 naudin 11u  unix 0x8100883b7c80 0t0        352208 socket
  X         2924  root   44u  unix 0x8100883b7980 0t0        352209 /tmp/.X11-unix/X0
  soffice.b 15079 naudin 12u  unix 0x8100883b7680 0t0        352210 /tmp/OSL_PIPE_1058_SingleOfficeIPC_474aee6e854ee537ef2ad5a42cd51fe9
  soffice.b 15079 naudin 22u  unix 0x8100883b7080 0t0        352223 socket
  X         2924  root   46u  unix 0x8100883b7380 0t0        352224 /tmp/.X11-unix/X0
  
  The same rkhunter has no problem with LibreOffice 3.5.4.2, Build ID:
  165a79a-7059095-e13bb37-fef39a4-9503d18, also an official rpm for Linux
  x86_64.
  But LibreOffice-3.5 only uses one socket, the /tmp/OSL_PIPE one.
  
  Is there a way to turn off these extra sockets in 3.6?
  
  Thanks,
  
 
 I can't replicate on the deb version with:
 Rootkit Hunter version 1.3.8
 
 What version of rkhunter have you:
  rkhunter --update
 to ensure that your rkhunter is up to date?
 
 Version 3.6.0.4 (Build ID: 932b512)
 
 I won't be able to check an rpm version until later - sorry.

Hi,

Thanks for your reply. I'm using an rpm ;), it is rkhunter-1.4.0-1.el5.

Of course I can get rkhunter silent with something like
DISABLE_TESTS=hidden_ports or ALLOWPROCLISTEN=soffice.bin.
In this case it will not complain about LibreOffice listening on
the network... even when I open a file with some malware inside.

Can you check the output of this command:
lsof -U | grep soffice

With LibreOffice-3.5, I get only one line (/tmp/OSL_PIPE_...), but
with LibreOffice-3.6 I get two more lines, two unix sockets.

Regards,

-- 
Philippe Naudin
