  1. #1
    Linux Guru bigtomrodney's Avatar
    Join Date
    Nov 2004
    Location
    Ireland
    Posts
    6,133

    A bit worried about processes


    I ran chkrootkit to see if my machine is alright, and it reports that I am - I'm not sure if I'm just slow here or what the story is but I could do with a second opinion -

    The following processes are running under uid 101. I don't have a user 101 on my system -
    Code:
    101      15384  0.0  0.3   5848  4120 ?        Ss   Feb20   0:01 /usr/sbin/hald --daemon=yes
    101      15426  0.0  0.0   2028   852 ?        S    Feb20   0:00 hald-addon-acpi: listening on acpid socket /var/run/acpid.socket
    101      15435  0.0  0.0   2024   864 ?        S    Feb20   0:00 hald-addon-keyboard: listening on /dev/input/event1
    I read before that UIDs below 500 are reserved so this is probably fine. I just wanted a second opinion - do the processes above look okay?

  2. #2
    Linux Guru anomie's Avatar
    Join Date
    Mar 2005
    Location
    Texas
    Posts
    1,692
    Is that ps -ef output?

    It's pretty strange. What might have occurred is that, during some upgrade, the user that normally runs hald (haldaemon on my box) was changed to a different UID.

    Consider this situation:

    1. Under Some-Linux-5.1.1, haldaemon corresponds to UID 101 in /etc/passwd.

    2. Following upgrade to Some-Linux-5.1.2, the hal maintainer decides that haldaemon should now correspond to UID 68 in /etc/passwd.

    3. The upgrade itself does not kill hald, thus the process is still running with its old UID.

    Rebooting your box or restarting hald should correct the problem. If it doesn't, there may be something else strange going on.

  3. #3
    Linux Guru bigtomrodney's Avatar
    Join Date
    Nov 2004
    Location
    Ireland
    Posts
    6,133
    It seems after checking /etc/passwd that that is in fact the only haldaemon user. Also the default shell is /bin/false so I guess it is a regular service account. Cheers for the help.

  4. #4
    Linux Enthusiast KenJackson's Avatar
    Join Date
    Jun 2006
    Location
    Maryland, USA
    Posts
    510
    The executable /usr/bin/hald is the hal daemon. It's installed by default on my Mandriva system, and apparently on your system too.

    I've found the rpm -qf command invaluable for tracking down things like this.
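
A check along the lines discussed in this thread, as an added example that is not part of any post: it compares each process's numeric UID with a passwd-format file and prints the account's login shell, so a UID with no entry (the stale-UID case from post #2) stands out from a regular service account (post #3). The function names and the sample passwd and ps lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Compare process owners to passwd by
# numeric UID; what ps prints in its USER column can be a name or a number.
#   $1  passwd-format file      (live system: getent passwd > file)
#   $2  "UID PID COMMAND" lines (live system: ps -eo uid=,pid=,args= > file)
classify_proc_uids() {
    awk '
        FILENAME == ARGV[1] {            # first file: build uid -> name/shell
            split($0, f, ":")
            name[f[3]] = f[1]; shell[f[3]] = f[7]
            next
        }
        {                                # second file: one process per line
            uid = $1; pid = $2; cmd = $0
            sub(/^[ \t]*[0-9]+[ \t]+[0-9]+[ \t]+/, "", cmd)
            if (uid in name)
                printf "OK uid=%s user=%s shell=%s pid=%s %s\n", uid, name[uid], shell[uid], pid, cmd
            else
                printf "ORPHAN uid=%s pid=%s %s\n", uid, pid, cmd
        }
    ' "$1" "$2"
}

# Constructed sample data: passwd after a hypothetical upgrade moved
# haldaemon to UID 68, while the hald processes from the thread still run as 101.
demo_stale_uid() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
haldaemon:x:68:68:HAL daemon:/:/bin/false
EOF
    cat > "$tmp/ps" <<'EOF'
    0     1 /sbin/init
  101 15384 /usr/sbin/hald --daemon=yes
  101 15426 hald-addon-acpi: listening on acpid socket /var/run/acpid.socket
EOF
    classify_proc_uids "$tmp/passwd" "$tmp/ps"
    rm -rf "$tmp"
}

demo_stale_uid
```

An ORPHAN line that survives a restart of the service is the "something else strange" case from post #2 and is worth following up with the package manager's file-ownership query mentioned in post #4.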
