
Bug#877666: chkrootkit: alleged Chromium processes not running in /var/run/utmp after browser's update--false alarm?



Package: chkrootkit
Version: 0.50-4+b2
Severity: normal

Dear Maintainer(s),

This issue does pertain to you guys, but it'll take a bit of
explaining. Thanks for bearing with me.

I upgraded Chromium from 60.0.3112.78-1~deb9u1 to
61.0.3163.100-1~deb9u1 on September 28th. Yesterday afternoon, I ran
chkrootkit for the first time since the Chromium update. It was while
I had a whole bunch of tabs open on different webpages.

I run chkrootkit fairly routinely, but I've never before seen the
output that I saw yesterday. The pertinent section is as follows:

---

Checking `chkutmp'...     The tty of the following user process(es)
were not found in /var/run/utmp !
! RUID          PID TTY    CMD
! 4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553
--disable-accelerated-video-decode --disable-gpu-compositing
--enable-gpu-async-worker-context
--service-request-channel-token=0963B489F0013DC2F7325E    3553
;3,16,3553;3,17,3553;4,0,3553;4,1,4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553
--disable-accelerated-video-decode --disable-gpu-compositing
--enable-gpu-async-worker-context
--service-request-channel-token=0963B489F0013DC2F7325E
3;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553
--disable-accelerated-video-decode --disable-gpu-compositing
--enable-gpu-async-worker-context
--service-request-channel-token=0963B489F0013DC2F7325E
! 4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553
--disable-accelerated-video-decode --disable-gpu-compositing
--enable-gpu-async-worker-context
--service-request-channel-token=1413583FE8A783F0196ED5    3553
;3,16,3553;3,17,3553;4,0,3553;4,1,4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553
--disable-accelerated-video-decode --disable-gpu-compositing
--enable-gpu-async-worker-context
--service-request-channel-token=1413583FE8A783F0196ED5
3;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553
--disable-accelerated-video-decode --disable-gpu-compositing
--enable-gpu-async-worker-context
--service-request-channel-token=1413583FE8A783F0196ED5
!

---

10 more similar/identical were also listed, but I went ahead and
truncated them. I think you get the idea.

Basically, the newer version of Chromium appears to be running tty
without including them in /var/run/utmp. (While the processes are not
explicitly identified as being associated with Chromium, a quick
search of the included command switches identified them as such.)

While I imagine this is just a design oversight on the part of the
Chromium devs, the fact remains that chkrootkit is getting false
alarms from this.

...Unless, perhaps, I've somehow actually obtained a rootkit that is
masquerading as a number of Chromium processes. :O

(That seems highly unlikely to me; I try to run my system very
conservatively. But I can't completely discount the possibility.)

For context, I reported this first to the Chromium devs, since this is
their change. This was the response I received:

[Status: Won't-Fix] "It seems to me that the chrootkit and unhide
issue is better suited for the maintainer of those tools.
Unfortunately chromium developers are not familiar with them or the
intricacies of your system."

To be clear, I don't think you guys (or the unhide maintainers) should
have to rewrite your applications according to Google's whims, but
since a substantial number of Debian users are going to have Chromium
installed, they ought to at least be made aware of this issue so they
can whitelist it without losing sleep.

Is this something you believe needs to be discussed further with the
Chromium devs? It seems like it would be a trivial change for them to
just go ahead and include the pertinent processes in /var/run/utmp.

In short, is this really a false alarm?

If so, do you guys need more information from the Chromium devs in
order to whitelist this behavior--with the assurance that it is
legitimate?

Thank you so much for taking the time to look into this issue.

-- System Information:
Debian Release: 9.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8),
LANGUAGE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages chkrootkit depends on:
ii  binutils               2.28-5
ii  debconf [debconf-2.0]  1.5.61
ii  libc6                  2.24-11+deb9u1
ii  net-tools              1.60+git20161116.90da8a0-1
ii  openssh-client         1:7.4p1-10+deb9u1
ii  procps                 2:3.3.12-3

chkrootkit recommends no packages.

chkrootkit suggests no packages.

-- debconf information:
  chkrootkit/run_daily_opts: -q
  chkrootkit/diff_mode: false
  chkrootkit/run_daily: false



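The chkutmp check discussed in this report, as an added example that is not part of the bug report or of chkrootkit's own code: a simplified Python reimplementation that parses utmp records and flags user processes whose TTY has no USER_PROCESS entry, run here against constructed sample data (a registered shell on pts/0, unregistered Chromium helpers on pts/1) so the triage logic behind the alarm can be inspected before whitelisting anything. The record layout assumes Linux x86_64 glibc `struct utmp` (384 bytes).

```python
import struct
import subprocess

# Layout of one Linux x86_64 glibc `struct utmp` record, little-endian (assumption):
# ut_type, pad, ut_pid, ut_line, ut_id, ut_user, ut_host, ut_exit(2), ut_session, ut_tv(2), ut_addr_v6, unused
UTMP_FMT = "<h2xi32s4s32s256shhiii16s20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)   # 384
USER_PROCESS = 7                        # ut_type of a logged-in session

def utmp_lines(blob):
    """Return the set of ut_line values (ttys) recorded as USER_PROCESS."""
    ttys = set()
    for off in range(0, len(blob) - UTMP_SIZE + 1, UTMP_SIZE):
        ut_type, _pid, ut_line = struct.unpack_from(UTMP_FMT, blob, off)[:3]
        if ut_type == USER_PROCESS:
            ttys.add(ut_line.rstrip(b"\0").decode())
    return ttys

def processes_not_in_utmp(ps_output, blob):
    """Mimic chkutmp: list processes whose controlling TTY is absent from utmp."""
    known = utmp_lines(blob)
    suspects = []
    for line in ps_output.strip().splitlines()[1:]:      # skip the ps header
        ruser, pid, tty, cmd = line.split(None, 3)
        if tty == "?":                                   # no controlling terminal: nothing to compare
            continue
        if tty not in known:
            suspects.append((ruser, int(pid), tty, cmd))
    return suspects

def make_record(ut_type, pid, line, user):
    """Build one constructed utmp record (ut_host, ut_exit, ut_tv etc. zeroed)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       b"", 0, 0, 0, 0, 0, b"")

# Constructed sample data: only the login shell on pts/0 is registered in utmp;
# the Chromium helper processes inherited pts/1 but never wrote a utmp entry.
SAMPLE_UTMP = make_record(USER_PROCESS, 2101, "pts/0", "alice")
SAMPLE_PS = """RUSER PID TTY CMD
alice 2101 pts/0 -bash
alice 3553 pts/1 /usr/lib/chromium/chromium --type=renderer --disable-gpu-compositing
alice 3560 pts/1 /usr/lib/chromium/chromium --type=gpu-process
root 1 ? /sbin/init
"""

if __name__ == "__main__":
    # Against the live system (Linux): compare ps output with /var/run/utmp.
    ps = subprocess.run(["ps", "-e", "-o", "ruser,pid,tty,args"], capture_output=True, text=True).stdout
    with open("/var/run/utmp", "rb") as f:
        for hit in processes_not_in_utmp(ps, f.read()):
            print("not in utmp:", hit)
```

The sample run flags PIDs 3553 and 3560 on pts/1 (the Chromium helpers) and nothing else, which is exactly the pattern the report shows.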