On Sunday 17 May 2009, John Horne wrote:
>On Sun, 2009-05-17 at 09:35 -0400, Gene Heskett wrote:
>> Greetings all;
>>
>> What is /dev/shm?
>>
>> I've given up on rkhunter ever shutting up about the group and passwd
>> files,
>
>What is it saying about the files? If necessary disable the relevant
>passwd/group tests (use 'rkhunter --list test' to see the test names).

I would rather not, I would rather rkhunter's bug was fixed. I have also copied those files manually into rkhunter's db, but that made no diff.

From an email from rkhunter:

Warning: Unable to check for passwd file differences: no copy of the passwd file exists.
Warning: Unable to check for group file differences: no copy of the group file exists.
-------------------

But they do exist:

[root@coyote ~]# locate group|grep rkhunter
/var/lib/rkhunter/db/group
/var/lib/rkhunter/tmp/group
/var/run/rkhunter/group
[root@coyote ~]# locate passwd|grep rkhunter
/var/lib/rkhunter/db/passwd
/var/lib/rkhunter/tmp/passwd
/var/run/rkhunter/passwd

I'd druther rkhunter was fixed. --propupd, which is supposed to record the system's 'clean' state if I understand it correctly, doesn't fix this.

>> but fussing about this is new.
>> ---------------------- Start Rootkit Hunter Scan ----------------------
>> Warning: Suspicious file types found in /dev:
>> /dev/shm/sem.ADBE_REL_root: data
>> /dev/shm/sem.ADBE_WritePrefs_root: data
>> /dev/shm/sem.ADBE_ReadPrefs_root: data
>
>Items in /dev/shm that are genuine can be whitelisted in rkhunter.conf.
>There is an example of the pulse file whitelisted in the supplied
>rkhunter.conf file. It is easy enough to do the same for the ADBE files.
>No need to remove any packages.

I realize that, John, & thank you for the reply, but that doesn't tell me IF they are _genuine_ or what the heck they are doing. And considering that most files in /dev don't get out of the inode they were created on, what the heck is a 67+ megabyte file full of $00 named pulse-some-hash-number being used for?

If there was data in it, I maybe could see it had a use, but if I wanted 67+ megabytes of /dev/zero for something, I'd call dd and make it. So would most programmers, except I'd sure pick some place besides /dev to store it.

I did find out who owns /dev/shm though: it's kded4, and even with X stopped, or a fresh reboot to runlevel 3, /dev/shm can be emptied, but cannot be deleted as it's 'busy'. So I suppose the other files will reappear at some point in the course of my daily activities.

What are the ADBE files? They actually do contain data, but only in the first 2-3 bytes of the 16 they occupy; the rest are $00.

IMO this is stuff that probably belongs in /tmp, and it makes me nervous when some app decides to use just any old location where a rootkit might hide for 67+ megabytes of /dev/zero. Boggles the mind.

FWIW, since I posted this originally, I attempted to remove the shm stuff (crypto related?? damnifiknow) from the kernel, and the boot locks up at the end of the drive scan. Repeatedly.

Thanks John

--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Sweater, n.:
	A garment worn by a child when its mother feels chilly.

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
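The two rkhunter checks the thread argues about, as an added Python example that is not part of the original post nor of rkhunter itself: it records a baseline copy of passwd and group (the job the post expects --propupd to do), reports which lines differ from that baseline on the next run, and inventories a /dev/shm-style directory, reporting each file's size, the fraction of zero bytes (the post's "67+ megabytes of $00" and "data only in the first 2-3 bytes of 16"), and whether the name matches a whitelist prefix in the spirit of the rkhunter.conf whitelisting John describes. It runs entirely against a constructed temporary tree, so the directory layout, the sample passwd/group lines, the extra account it detects and the pulse-shm-PLACEHOLDER file name are all assumptions, not data from the system in the post.

```python
"""Baseline/diff check for passwd and group plus a /dev/shm inventory.

Added example; not rkhunter code. All paths and sample contents are
constructed inside a temporary directory (see build_sample_tree).
"""
import tempfile
from pathlib import Path


def record_baseline(etc_dir, db_dir, names=("passwd", "group")):
    """Copy the named files into db_dir; returns the names now on record."""
    db = Path(db_dir)
    db.mkdir(parents=True, exist_ok=True)
    for name in names:
        (db / name).write_bytes((Path(etc_dir) / name).read_bytes())
    return sorted(p.name for p in db.iterdir())


def diff_against_baseline(etc_dir, db_dir, name):
    """Return (status, added_lines, removed_lines) for one file.

    status is 'no-baseline' when db_dir holds no copy (the warning the
    post quotes), else 'unchanged' or 'changed'.
    """
    base = Path(db_dir) / name
    if not base.is_file():
        return ("no-baseline", [], [])
    current = set((Path(etc_dir) / name).read_text().splitlines())
    recorded = set(base.read_text().splitlines())
    added = sorted(current - recorded)
    removed = sorted(recorded - current)
    status = "changed" if (added or removed) else "unchanged"
    return (status, added, removed)


def zero_fraction(path, chunk=1 << 16):
    """Fraction of bytes equal to 0x00, read in chunks so large files are fine."""
    total = zeros = 0
    with open(path, "rb") as fh:
        while True:
            buf = fh.read(chunk)
            if not buf:
                break
            total += len(buf)
            zeros += buf.count(0)
    return zeros / total if total else 0.0


def inspect_shm(shm_dir, whitelist=()):
    """Inventory regular files in a /dev/shm-like directory, sorted by name."""
    report = []
    for p in sorted(Path(shm_dir).iterdir()):
        if not p.is_file():
            continue
        report.append({
            "name": p.name,
            "size": p.stat().st_size,
            "zero_fraction": round(zero_fraction(p), 3),
            # whitelist entries are name prefixes (an assumption of this example)
            "whitelisted": any(p.name.startswith(w) for w in whitelist),
        })
    return report


def build_sample_tree(root):
    """Constructed sample data: a tiny etc/ and a shm/ with two files."""
    root = Path(root)
    (root / "etc").mkdir()
    (root / "shm").mkdir()
    (root / "etc" / "passwd").write_text(
        "root:x:0:0:root:/root:/bin/bash\n"
        "gene:x:500:500::/home/gene:/bin/bash\n")
    (root / "etc" / "group").write_text("root:x:0:\ngene:x:500:\n")
    # 16-byte semaphore file, only the first two bytes non-zero
    (root / "shm" / "sem.ADBE_REL_root").write_bytes(b"\x01\x02" + b"\x00" * 14)
    # stand-in for the all-zero pulse file; name is a placeholder, size is small
    (root / "shm" / "pulse-shm-PLACEHOLDER").write_bytes(b"\x00" * 4096)


def demo():
    """Run the checks on the constructed tree and return their results."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        etc, db, shm = root / "etc", root / "db", root / "shm"
        before = diff_against_baseline(etc, db, "passwd")[0]  # no copy yet
        record_baseline(etc, db)
        unchanged = diff_against_baseline(etc, db, "passwd")[0]
        # simulate a later change: a second uid-0 account appears
        with open(etc / "passwd", "a") as fh:
            fh.write("newuser:x:0:0::/:/bin/sh\n")
        changed = diff_against_baseline(etc, db, "passwd")
        shm_report = inspect_shm(shm, whitelist=("pulse-shm-",))
        return {"before": before, "unchanged": unchanged,
                "changed": changed, "shm": shm_report}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Pointing `record_baseline`/`diff_against_baseline` at a real /etc and a db directory gives the same shape of result rkhunter's warning is about: a "no-baseline" status until the copy is recorded, then line-level additions and removals afterwards. `inspect_shm` only describes what is in the directory; deciding whether a name belongs on the whitelist is still a judgement the administrator has to make.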