Package: chkrootkit
Version: 0.50-4+b2
Severity: normal

Dear Maintainer(s),
This issue does pertain to you guys, but it'll take a bit of explaining. Thanks for bearing with me.

I upgraded Chromium from 60.0.3112.78-1~deb9u1 to 61.0.3163.100-1~deb9u1 on September 28th. Yesterday afternoon, I ran chkrootkit for the first time since the Chromium update. It was while I had a whole bunch of tabs open on different webpages. I run chkrootkit fairly routinely, but I've never before seen the output that I saw yesterday. The pertinent section is as follows:

---
Checking `chkutmp'... The tty of the following user process(es) were not found in /var/run/utmp !
! RUID PID TTY CMD
! 4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553 --disable-accelerated-video-decode --disable-gpu-compositing --enable-gpu-async-worker-context --service-request-channel-token=0963B489F0013DC2F7325E 3553 ;3,16,3553;3,17,3553;4,0,3553;4,1,4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553 --disable-accelerated-video-decode --disable-gpu-compositing --enable-gpu-async-worker-context --service-request-channel-token=0963B489F0013DC2F7325E 3;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553 --disable-accelerated-video-decode --disable-gpu-compositing --enable-gpu-async-worker-context --service-request-channel-token=0963B489F0013DC2F7325E
! 4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553 --disable-accelerated-video-decode --disable-gpu-compositing --enable-gpu-async-worker-context --service-request-channel-token=1413583FE8A783F0196ED5 3553 ;3,16,3553;3,17,3553;4,0,3553;4,1,4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553 --disable-accelerated-video-decode --disable-gpu-compositing --enable-gpu-async-worker-context --service-request-channel-token=1413583FE8A783F0196ED5 3;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553 --disable-accelerated-video-decode --disable-gpu-compositing --enable-gpu-async-worker-context --service-request-channel-token=1413583FE8A783F0196ED5
---

10 more similar/identical were also listed, but I went ahead and truncated them. I think you get the idea.

Basically, the newer version of Chromium appears to be running tty without including them in /var/run/utmp. (While the processes are not explicitly identified as being associated with Chromium, a quick search of the included command switches identified them as such.) While I imagine this is just a design oversight on the part of the Chromium devs, the fact remains that chkrootkit is getting false alarms from this.

...Unless, perhaps, I've somehow actually obtained a rootkit that is masquerading as a number of Chromium processes. :O (That seems highly unlikely to me; I try to run my system very conservatively. But I can't completely discount the possibility.)

For context, I reported this first to the Chromium devs, since this is their change. This was the response I received:

[Status: Won't-Fix] "It seems to me that the chrootkit and unhide issue is better suited for the maintainer of those tools.
Unfortunately chromium developers are not familiar with them or the intricacies of your system."

To be clear, I don't think you guys (or the unhide maintainers) should have to rewrite your applications according to Google's whims, but since a substantial number of Debian users are going to have Chromium installed, they ought to at least be made aware of this issue so they can whitelist it without losing sleep.

Is this something you believe needs to be discussed further with the Chromium devs? It seems like it would be a trivial change for them to just go ahead and include the pertinent processes in /var/run/utmp.

In short, is this really a false alarm? If so, do you guys need more information from the Chromium devs in order to whitelist this behavior--with the assurance that it is legitimate?

Thank you so much for taking the time to look into this issue.

-- System Information:
Debian Release: 9.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages chkrootkit depends on:
ii  binutils               2.28-5
ii  debconf [debconf-2.0]  1.5.61
ii  libc6                  2.24-11+deb9u1
ii  net-tools              1.60+git20161116.90da8a0-1
ii  openssh-client         1:7.4p1-10+deb9u1
ii  procps                 2:3.3.12-3

chkrootkit recommends no packages.

chkrootkit suggests no packages.

-- debconf information:
  chkrootkit/run_daily_opts: -q
  chkrootkit/diff_mode: false
  chkrootkit/run_daily: false
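An added triage example (not part of this bug report, and not chkrootkit's own code) that performs the same "is this process's tty in utmp?" comparison from structured sources: it parses utmp records directly and takes each process's controlling tty from the tty_nr field of /proc/<pid>/stat, so a command line full of commas and semicolons like the Chromium one above cannot shift any columns, and only a process whose tty genuinely has no USER_PROCESS entry is reported. The utmp record layout is assumed to be glibc on x86_64, the uid_min cutoff for "user processes" is an assumption, and the utmp image and /proc stat lines are constructed sample data.

```python
import struct
# Assumed layout of one glibc x86_64 struct utmp record (384 bytes); check
# utmp(5) / <utmp.h> on another architecture before reusing these offsets.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)
USER_PROCESS = 7

def parse_utmp(blob):
    """Yield (ut_type, pid, line, user) for each record in a utmp image."""
    for off in range(0, len(blob) - UTMP_SIZE + 1, UTMP_SIZE):
        ut_type, pid, line, _id, user = struct.unpack_from(UTMP_FMT, blob, off)[:5]
        yield ut_type, pid, line.rstrip(b"\0").decode(), user.rstrip(b"\0").decode()

def make_utmp_record(ut_type, pid, line, user):  # constructed test data only
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       b"", 0, 0, 0, 0, 0, 0, 0, 0, 0)
def tty_name(tty_nr):
    """Decode the tty_nr field of /proc/<pid>/stat (proc(5)); 0 means no tty."""
    if tty_nr == 0:
        return None
    major = (tty_nr >> 8) & 0xFF
    minor = (tty_nr & 0xFF) | ((tty_nr >> 12) & 0xFFF00)
    if major == 136:
        return f"pts/{minor}"
    return f"tty{minor}" if major == 4 else f"dev({major},{minor})"

def parse_proc_stat(text):
    """Return (pid, comm, tty_nr). comm is cut at the LAST ')' because a process
    name may contain spaces or parentheses; the fields after it are positional."""
    head, _, rest = text.rpartition(")")
    pid, comm = head.split(" (", 1)
    return int(pid), comm, int(rest.split()[4])  # state ppid pgrp session tty_nr
def unlisted_ttys(utmp_blob, procs, uid_min=1000):
    """procs: iterable of (ruid, stat_text). Return user processes whose
    controlling tty has no USER_PROCESS line in utmp (the chkutmp condition)."""
    lines = {line for t, _, line, _ in parse_utmp(utmp_blob) if t == USER_PROCESS}
    flagged = []
    for ruid, stat in procs:
        pid, comm, tty_nr = parse_proc_stat(stat)
        tty = tty_name(tty_nr)
        if ruid >= uid_min and tty is not None and tty not in lines:
            flagged.append((ruid, pid, tty, comm))
    return flagged

# Constructed sample: alice is logged in on pts/0 only (no utmp line for pts/1).
SAMPLE_UTMP = make_utmp_record(USER_PROCESS, 4242, "pts/0", "alice")
SAMPLE_PROCS = [(1000, "4242 (bash) S 1 4242 4242 34816 4242 4194304 0 0"),
                (1000, "3553 (chromium) S 1 3553 3553 0 -1 4194560 0 0"),
                (1000, "5000 (my (shell)) S 1 5000 5000 34817 5000 4194304 0 0")]
```

On a live system, replace SAMPLE_UTMP with the bytes of /var/run/utmp and SAMPLE_PROCS with each /proc/<pid>/stat paired with the Uid field from /proc/<pid>/status; renderer processes with no controlling tty (tty_nr 0) are never reported, and a flagged pts/N is worth checking against `who` before concluding anything.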