On Mon, 9 Dec 2024, 12:42 Julian Gilbey, <j...@debian.org> wrote:

> Package: chkrootkit
> Version: 0.58b-3
> Severity: normal
>
> I was wondering why my /tmp is never cleared by systemd-tmpfiles, and
> tried playing around with the settings in /etc/tmpfiles.d, but it
> didn't help.
>
> I then discovered the source of the problem: chkrootkit updates the
> access times of all the files in /tmp as it checks them, meaning that
> they are always viewed as recently accessed and so never cleaned.
>

This is the check for suspicious PHP files, which does read the start of each file to see if it is a PHP script.

> It should
> therefore record the access time prior to accessing the file and reset
> it to that time afterwards (presumably using utimes(2) or similar).
>

The accessing is done from a shell script so is this even possible? What if someone else accesses the file during the test?
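The save-and-restore approach discussed in this thread, as an added example that is not chkrootkit's code and not part of either message: it reads the start of a file from a shell script, then puts the access time back unless the file was modified or replaced in between. It assumes GNU coreutils (`stat -c`, `touch -d`, `touch -h`); `peek_keep_atime` is a hypothetical name and the demo file is constructed.

```shell
#!/bin/sh
# Added example (not chkrootkit code). Assumes GNU coreutils.
# peek_keep_atime FILE [NBYTES]: print the first NBYTES of FILE, then restore
# its atime. Returns 1 if FILE is not a regular file, 2 if FILE changed
# while it was being read (timestamps are then left alone).
peek_keep_atime() {
    _pk_file=$1
    _pk_n=${2:-64}

    # Regular files only; do not follow a symlink sitting in a shared directory.
    [ -f "$_pk_file" ] && [ ! -L "$_pk_file" ] || return 1

    # Save atime at full precision, plus inode/mtime/ctime as a change marker.
    _pk_atime=$(stat -c '%x' -- "$_pk_file") || return 1
    _pk_before=$(stat -c '%i %y %z' -- "$_pk_file") || return 1

    head -c "$_pk_n" -- "$_pk_file"

    # A write, chmod or rename-over by another process shows up here.
    # A plain read by another process does not, so that case stays undetected.
    _pk_after=$(stat -c '%i %y %z' -- "$_pk_file") || return 1
    [ "$_pk_before" = "$_pk_after" ] || return 2

    # -a: atime only; -c: never create; -h: act on the name itself,
    # not on the target of a symlink swapped in after the check above.
    touch -a -c -h -d "$_pk_atime" -- "$_pk_file"
}

# Constructed demo: a throwaway file with an old atime.
demo=$(mktemp)
printf '<?php echo 1; ?>\n' > "$demo"
touch -a -d '2020-01-01 00:00:00 UTC' "$demo"
peek_keep_atime "$demo" 5; echo
stat -c 'atime after peek: %x' -- "$demo"
rm -f -- "$demo"
```

Restoring the atime this way (as with utimes(2)) sets the file's ctime to the current time, so a cleaner that also looks at ctime still sees the file as recently changed.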