- 02-21-2007 #1 Linux Guru
- Join Date
- Nov 2004
- Posts
- 6,110
A bit worried about processes
I ran chkrootkit to see if my machine is alright, and it reports that I am - I'm not sure if I'm just slow here or what the story is but I could do with a second opinion -
The following processes are running under uid 101. I don't have a user 101 on my system - I read before that UIDs below 500 are reserved so this is probably fine. I just wanted a second opinion - do the processes above look okay?
Code:
101 15384 0.0 0.3 5848 4120 ? Ss Feb20 0:01 /usr/sbin/hald --daemon=yes
101 15426 0.0 0.0 2028 852 ? S Feb20 0:00 hald-addon-acpi: listening on acpid socket /var/run/acpid.socket
101 15435 0.0 0.0 2024 864 ? S Feb20 0:00 hald-addon-keyboard: listening on /dev/input/event1
- 02-21-2007 #2
Is that ps -ef output?
It's pretty strange. What might have occurred is during some upgrade, the user that normally runs hald (haldaemon on my box) was changed to a different UID.
Consider this situation:
1. Under Some-Linux-5.1.1, haldaemon corresponds to UID 101 in /etc/passwd.
2. Following upgrade to Some-Linux-5.1.2, the hal maintainer decides that haldaemon should now correspond to UID 68 in /etc/passwd.
3. The upgrade itself does not kill hald, thus the process is still running with its old UID.
Rebooting your box or restarting hald should correct the problem. If it doesn't, there may be something else strange going on.
- 02-21-2007 #3 Linux Guru
It seems after checking /etc/passwd that that is in fact the only haldaemon user. Also the default shell is /bin/false so I guess it is a regular service account. Cheers for the help.
- 02-27-2007 #4
The executable /usr/bin/hald is the hal daemon. It's installed by default on my Mandriva system, and apparently on your system too.
I've found the rpm -qf command invaluable for tracking down things like this.


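The check discussed in posts #2 and #4, as an added example that is not part of the thread: it lists processes whose UID has no passwd entry, then resolves each binary and asks `rpm -qf` which package owns it. The function names and the sample data in `demo` are constructed for illustration, and only a passwd file is consulted, so accounts served by LDAP or NIS would need `getent passwd` instead.

```shell
#!/bin/sh
# Added example (not from the thread): find processes whose UID has no passwd entry.

# uid_known PASSWD_FILE UID: succeeds if UID is the third field of some entry.
uid_known() {
    awk -F: -v uid="$2" '$3 == uid { found = 1 } END { exit !found }' "$1"
}

# orphan_procs PASSWD_FILE: reads "UID PID ARGS" lines (ps -eo uid=,pid=,args=)
# on stdin and prints the ones whose UID is missing from PASSWD_FILE.
orphan_procs() (
    while read -r uid pid args; do
        [ -n "$uid" ] || continue
        uid_known "$1" "$uid" || printf '%s %s %s\n' "$uid" "$pid" "$args"
    done
)

# strip_deleted PATH: /proc/PID/exe gains a " (deleted)" suffix when the binary was
# replaced on disk (for example by a package upgrade) while the process kept running.
strip_deleted() {
    printf '%s\n' "${1% (deleted)}"
}

# describe_pid PID: resolve the running binary and ask rpm which package owns it.
describe_pid() (
    if ! exe=$(readlink "/proc/$1/exe" 2>/dev/null); then
        echo "pid $1: cannot read /proc/$1/exe (run as root)"
    elif command -v rpm >/dev/null 2>&1; then
        echo "pid $1: $exe owned by: $(rpm -qf "$(strip_deleted "$exe")" 2>&1)"
    else
        echo "pid $1: $exe (rpm not installed; use the distribution's equivalent)"
    fi
)

# live_report: run the check against the running system.
live_report() {
    ps -eo uid=,pid=,args= | orphan_procs /etc/passwd |
    while read -r uid pid args; do
        echo "UID $uid has no /etc/passwd entry: pid $pid $args"
        describe_pid "$pid"
    done
}

# demo: constructed data for post #2's scenario (haldaemon moved to UID 68,
# hald still running as 101). Prints only the hald line.
demo() (
    pw=$(mktemp) || exit 1
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' 'haldaemon:x:68:68::/:/bin/false' >"$pw"
    printf '%s\n' '0 1 /sbin/init' '101 15384 /usr/sbin/hald --daemon=yes' | orphan_procs "$pw"
    rm -f "$pw"
)

if [ "${1:-}" = "--live" ]; then live_report; fi
```

Run it with `--live` as root to inspect the running system; with no argument it only defines the functions.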
