Another rkhunter question

Gene Heskett gene.heskett at verizon.net
Mon May 18 22:54:06 UTC 2009


On Monday 18 May 2009, Bill Davidsen wrote:
>Paulo Cavalcanti wrote:
>> On Sun, May 17, 2009 at 10:35 AM, Gene Heskett <gene.heskett at verizon.net
>> <mailto:gene.heskett at verizon.net>> wrote:
>>
>>     Greetings all;
>>
>>     What is /dev/shm?
>>
>>     I've given up on rkhunter ever shutting up about the group and
>>     passwd files,
>>     but fussing about this is new.
>>     ---------------------- Start Rootkit Hunter Scan ----------------------
>>     Warning: Suspicious file types found in /dev:
>>             /dev/shm/sem.ADBE_REL_root: data
>>             /dev/shm/sem.ADBE_WritePrefs_root: data
>>             /dev/shm/sem.ADBE_ReadPrefs_root: data
>>
>>     And indeed, these files that I nuked friday are back:
>>     [root at coyote linux-2.6.30-rc6]# ls -l /dev/shm
>>     total 24
>>     -r-------- 1 root root 67108904 2009-05-16 02:37 pulse-shm-3724332759
>>     -rw-rw-rw- 1 root root       16 2009-05-16 20:33 sem.ADBE_ReadPrefs_root
>>     -rw-rw-rw- 1 root root       16 2009-05-16 20:33 sem.ADBE_REL_root
>>     -rw-rw-rw- 1 root root       16 2009-05-16 20:33 sem.ADBE_WritePrefs_root
>
>Do you have some Adobe stuff installed? And might you ever accidentally have
>used it as root? Just looking at the name, I know you're old enough to know
>better. ;-)
>
:-) KNOW better?  For me, it's an arguable point.  I learned most of the principles 
of a multi-user/multitasking system from os9 (now called nitros9 & I had a 
small hand in the rewrite) back in the 80's, and while it may seem to be an 
excuse to you, I have never gotten used to the permissions restrictions placed 
on the user by modern versions.  Since I learned without that, one could say I 
learned wrong I suppose.  OTOH, it IS my system.  Much of what runs and is 
exposed to attack, also runs as an unprivileged user, with a looong passwd.  
I do what I think needs to be done to maintain a reasonable level of security, 
like using rkhunter or chkrootkit, and I use a router (dd-wrt) that has so far 
passed the test of time vis-a-vis the attackers, watched carefully since I log 
those attempts here.  The only thing missing in the router is a facility to 
blacklist and drop on the floor or better yet tarpit, those addresses that 
continue to play dictionary attack name games, some of them hundreds of times 
an hour.  Yeah, I use passwds I can remember, but they are also relatively 
secure just because of the length used.

>>     Anything with 'pulse' in its name has been nuked by an 'rpm -e', and I
>>
>>
>> You should have not, but it is your choice.
>
>Is there a better way to get rid of PulseAudio? Some install option which
>prevents infecting the system in the first place?

That would be very nice.  But from fedora?  Tain't gonna happen...  It is not 
only part of the 'branding', it's also the fence between the paid up seat 
version and the freebie, so we scream & holler and get generally ignored or 
given just enough we don't all jump ship & they lose their guinea pigs, 
something they can't afford, so it's a grand and glorious but frustrating 
experience, running all this bleeding edge stuff.  I even invite more 
bloodshed by running the latest snapshots of amanda, and linus's latest 
kernel, currently 2.6.30-rc6.  And generally, it's fun to boot.

Get used to it.

-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
"All language designers are arrogant.  Goes with the territory..."
(By Larry Wall)
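The question at the top of the thread, what /dev/shm is and why rkhunter flags the sem.* files there, has a mechanical answer. /dev/shm is the tmpfs that glibc uses for POSIX shared memory: shm_open("/foo") creates /dev/shm/foo, and sem_open("/foo") creates /dev/shm/sem.foo holding one sem_t (16 bytes on 32-bit glibc, which matches the listing above). So sem.ADBE_* means an Adobe program called sem_open() while running as root, and pulse-shm-* is PulseAudio's shared-memory segment; deleting them is pointless while the owning process is alive, because it recreates them. The script below is an added example, not code from the thread or from rkhunter: it classifies each /dev/shm entry by its naming convention and walks /proc to list the processes that still map or hold the file open, which is the check to do before nuking anything there. The label strings, the report layout and the sample names in the test are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread): classify /dev/shm entries
# and find which processes still hold them.  Labels are my own choice.

# classify_shm_name NAME -> prints a label for a /dev/shm entry.
#   sem.*        POSIX named semaphore: glibc's sem_open("/X") backs it with
#                /dev/shm/sem.X (the _root suffix is the program's own naming).
#   pulse-shm-*  PulseAudio shared-memory segment, pulse-shm-<random id>.
#   anything else: a plain shm_open() segment or an ordinary file dropped
#                there; worth a closer look.
classify_shm_name() {
    case "$1" in
        sem.*)       echo "posix-named-semaphore" ;;
        pulse-shm-*) echo "pulseaudio-shm" ;;
        *)           echo "unknown" ;;
    esac
}

# shm_holders PATH -> prints PIDs that have PATH mmap'ed (/proc/PID/maps)
# or open (/proc/PID/fd).  Run as root to see other users' processes.
# No holders means a leftover from a process that already exited; holders
# means it is in use and will simply be recreated if you delete it.
shm_holders() {
    path="$1"
    for pid in /proc/[0-9]*; do
        pid=${pid#/proc/}
        if grep -qs -- " $path" "/proc/$pid/maps" ||
           ls -l "/proc/$pid/fd" 2>/dev/null | grep -qs -- "-> $path\$"; then
            echo "$pid"
        fi
    done
}

# report_shm -> one line per /dev/shm entry: name, class, size, holder PIDs.
report_shm() {
    for f in /dev/shm/* /dev/shm/.[!.]*; do
        [ -e "$f" ] || continue
        name=${f#/dev/shm/}
        printf '%-28s %-24s %8s bytes  holders: %s\n' \
            "$name" "$(classify_shm_name "$name")" \
            "$(stat -c %s "$f")" "$(shm_holders "$f" | tr '\n' ' ')"
    done
}

report_shm
```

A sem.* file whose holder turns out to be a root-owned acroread is a configuration nit, not a rootkit; a file in /dev/shm with no recognisable name and a holder you cannot account for is the case rkhunter's warning is really for. Once an entry is confirmed benign, rkhunter.conf's ALLOWDEVFILE whitelist (for example ALLOWDEVFILE=/dev/shm/sem.ADBE_*) stops the repeat warnings without disabling the /dev check altogether.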




More information about the fedora-list mailing list