Welcome to Soft32 Linux Forums!

CHKrootkit

 
Uncle Jean
External
Since: Apr 05, 2009
Posts: 7

(Msg. 1) Posted: Sat Nov 07, 2009 1:20 pm
Post subject: CHKrootkit
Archived from groups: alt>os>linux>slackware

Hi all,

I'm on Slackware 13. Here's what the CHKrootkit scan indicates:

"WARNING: Hard link count is wrong for `/proc' (saw only st_nlink=112 but
we already saw 110 subdirectories): this may be a bug in your file system
driver. Automatically turning on find's -noleaf option. Earlier results
may have failed to include directories that should have been searched."

Any suggestions ?

--
Uncle Jean
http://slacklinux.darkbb.com/index.htm

Grant
External
Since: Nov 02, 2008
Posts: 80

(Msg. 2) Posted: Sat Nov 07, 2009 5:20 pm
Post subject: Re: CHKrootkit

On Sat, 07 Nov 2009 19:20:24 GMT, Uncle Jean <aha.TakeThisOut@invalid.com> wrote:

>Hi all,
>
>I'm on Slackware 13. Here's what the CHKrootkit scan indicates:
>
>"WARNING: Hard link count is wrong for `/proc' (saw only st_nlink=112 but
>we already saw 110 subdirectories): this may be a bug in your file system
>driver. Automatically turning on find's -noleaf option. Earlier results
>may have failed to include directories that should have been searched."
>
>Any suggestions ?

/proc is a pseudo filesystem built on demand, exclude it from
this sort of check. I don't think you can create new entries
in /proc.

Grant.
--
http://bugsplatter.id.au

Uncle Jean
External
Since: Apr 05, 2009
Posts: 7

(Msg. 3) Posted: Sat Nov 07, 2009 5:20 pm
Post subject: Re: CHKrootkit

"Grant" told the uncle and all the others:

> /proc is a pseudo filesystem built on demand, exclude it from this sort
> of check. I don't think you can create new entries in /proc.
>
> Grant.

I see and I thank you, Grant.

--
Uncle Jean
http://slacklinux.darkbb.com/index.htm

Res
External
Since: Sep 30, 2003
Posts: 100

(Msg. 4) Posted: Sat Nov 07, 2009 5:20 pm
Post subject: Re: CHKrootkit

On Sat, 7 Nov 2009, Uncle Jean wrote:

> Hi all,
>
> I'm on Slackware 13. Here's what the CHKrootkit scan indicates:
> "WARNING: Hard link count is wrong for `/proc' (saw only st_nlink=112 but

What version, 0.49?
What fs?
Are you running this as -q ?

I get emails on output from nightly runs on all of our members/host
servers and I don't see this, can't recall ever seeing it, however we
value our data so use EXT3, certainly not using 13.0's default of EXT4.


--
Res

"What does Windows have that Linux doesn't?" - One hell of a lot of bugs!

Res
External
Since: Sep 30, 2003
Posts: 100

(Msg. 5) Posted: Sat Nov 07, 2009 5:20 pm
Post subject: Re: CHKrootkit

On Sun, 8 Nov 2009, Grant wrote:

> On Sat, 07 Nov 2009 19:20:24 GMT, Uncle Jean <aha DeleteThis @invalid.com> wrote:
>
>> Hi all,
>>
>> I'm on Slackware 13. Here's what the CHKrootkit scan indicates:
>>
>> "WARNING: Hard link count is wrong for `/proc' (saw only st_nlink=112 but
>> we already saw 110 subdirectories): this may be a bug in your file system
>> driver. Automatically turning on find's -noleaf option. Earlier results
>> may have failed to include directories that should have been searched."
>>
>> Any suggestions ?
>
> /proc is a pseudo filesystem built on demand, exclude it from
> this sort of check. I don't think you can create new entries
> in /proc.

He shouldn't need to, we don't
$check = `/opt/crk/chkrootkit -q`;

I'm curious if this is yet another ext4 anomaly


--
Res

"What does Windows have that Linux doesn't?" - One hell of a lot of bugs!

Uncle Jean
External
Since: Apr 05, 2009
Posts: 7

(Msg. 6) Posted: Sat Nov 07, 2009 5:20 pm
Post subject: Re: CHKrootkit

"Res" told the uncle and all the others:

> What version, 0.49?

Yes.

> What fs?

Ext 4.

> Are you running this as -q ?

I just did a scan with -q and I didn't get the warning. But it doesn't
scan as many files this way.

> I get emails on output from nightly runs on all of our members/host
> servers and I don't see this, can't recall ever seeing it, however we
> value our data so use EXT3, certainly not using 13.0's default of EXT4.

OK. Thanks.

--
Uncle Jean
http://slacklinux.darkbb.com/index.htm

Grant
External
Since: Nov 02, 2008
Posts: 80

(Msg. 7) Posted: Sat Nov 07, 2009 7:20 pm
Post subject: Re: CHKrootkit

On Sun, 8 Nov 2009 08:38:37 +1000, Res <res.RemoveThis@ausics.net> wrote:

>On Sun, 8 Nov 2009, Grant wrote:
>
>> On Sat, 07 Nov 2009 19:20:24 GMT, Uncle Jean <aha.RemoveThis@invalid.com> wrote:
>>
>>> Hi all,
>>>
>>> I'm on Slackware 13. Here's what the CHKrootkit scan indicates:
>>>
>>> "WARNING: Hard link count is wrong for `/proc' (saw only st_nlink=112 but
>>> we already saw 110 subdirectories): this may be a bug in your file system
>>> driver. Automatically turning on find's -noleaf option. Earlier results
>>> may have failed to include directories that should have been searched."
>>>
>>> Any suggestions ?
>>
>> /proc is a pseudo filesystem built on demand, exclude it from
>> this sort of check. I don't think you can create new entries
>> in /proc.
>
>He shouldn't need to, we don't
> $check = `/opt/crk/chkrootkit -q`;
>
>I'm curious if this is yet another ext4 anomaly

Dunno, I've lost interest in testing ext4. I did notice other distros
default to it as well. More filesystem beta testers?

Grant.
--
http://bugsplatter.id.au

steveski
External
Since: Nov 08, 2009
Posts: 1

(Msg. 8) Posted: Sat Nov 07, 2009 7:20 pm
Post subject: Re: CHKrootkit

Grant wrote:

> On Sun, 8 Nov 2009 08:38:37 +1000, Res <res RemoveThis @ausics.net> wrote:
>
>>On Sun, 8 Nov 2009, Grant wrote:
>>
>>> On Sat, 07 Nov 2009 19:20:24 GMT, Uncle Jean <aha RemoveThis @invalid.com> wrote:
>>>
>>>> Hi all,
>>>>
>>>> I'm on Slackware 13. Here's what the CHKrootkit scan indicates:
>>>>
>>>> "WARNING: Hard link count is wrong for `/proc' (saw only st_nlink=112
>>>> but we already saw 110 subdirectories): this may be a bug in your file
>>>> system
>>>> driver. Automatically turning on find's -noleaf option. Earlier
>>>> results may have failed to include directories that should have been
>>>> searched."
>>>>
>>>> Any suggestions ?
>>>
>>> /proc is a pseudo filesystem built on demand, exclude it from
>>> this sort of check. I don't think you can create new entries
>>> in /proc.
>>
>>He shouldn't need to, we don't
>> $check = `/opt/crk/chkrootkit -q`;
>>
>>I'm curious if this is yet another ext4 anomaly
>
> Dunno, I've lost interest in testing ext4. I did notice other distros
> default to it as well. More filesystem beta testers?

Are there any concrete advantages to ext4 at the moment? I've installed
Slack 13 with ext4 - should I "downgrade" to ext3 to obviate any problems?
EMWTK :-)

--
Steveski

Grant
External
Since: Nov 02, 2008
Posts: 80

(Msg. 9) Posted: Sat Nov 07, 2009 9:20 pm
Post subject: Re: CHKrootkit

On Sun, 08 Nov 2009 00:57:50 +0000, steveski <steveski7 RemoveThis @invalid.com> wrote:

>Grant wrote:
>
>> On Sun, 8 Nov 2009 08:38:37 +1000, Res <res RemoveThis @ausics.net> wrote:
>>
>>>On Sun, 8 Nov 2009, Grant wrote:
>>>
>>>> On Sat, 07 Nov 2009 19:20:24 GMT, Uncle Jean <aha RemoveThis @invalid.com> wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> I'm on Slackware 13. Here's what the CHKrootkit scan indicates:
>>>>>
>>>>> "WARNING: Hard link count is wrong for `/proc' (saw only st_nlink=112
>>>>> but we already saw 110 subdirectories): this may be a bug in your file
>>>>> system
>>>>> driver. Automatically turning on find's -noleaf option. Earlier
>>>>> results may have failed to include directories that should have been
>>>>> searched."
>>>>>
>>>>> Any suggestions ?
>>>>
>>>> /proc is a pseudo filesystem built on demand, exclude it from
>>>> this sort of check. I don't think you can create new entries
>>>> in /proc.
>>>
>>>He shouldn't need to, we don't
>>> $check = `/opt/crk/chkrootkit -q`;
>>>
>>>I'm curious if this is yet another ext4 anomaly
>>
>> Dunno, I've lost interest in testing ext4. I did notice other distros
>> default to it as well. More filesystem beta testers?
>
>Are there any concrete advantages to ext4 at the moment? I've installed
>Slack 13 with ext4 - should I "downgrade" to ext3 to obviate any problems?
>EMWTK :-)

I'm happy with reiserfs3 -- saw no advantage to ext4 when I tried it
back when it was beta in the kernel -- but I've done no benchmarks.

I wouldn't downgrade from ext4 to ext3 -- the problem I saw recently
on lkml was in development kernel -- but it did give data loss grief.

Ext4 is at that stage of mostly works -- apart from some 'dark
corners' the odd user might discover, only wide general usage
will sort remaining buglets.

Grant.
--
http://bugsplatter.id.au

Res
External
Since: Sep 30, 2003
Posts: 100

(Msg. 10) Posted: Sat Nov 07, 2009 11:20 pm
Post subject: Re: CHKrootkit

On Sat, 7 Nov 2009, Uncle Jean wrote:

>> What fs?
>
> Ext 4.
>

OK, you might need to wait to see if anyone else running EXT4 has the same
issue, my bet is that's where the problem lies.

>> Are you running this as -q ?
>
> I just did a scan with -q and I didn't get the warning. But it doesn't
> scan as many files this way.

It would be, it's just "quiet mode", reporting on actual/probable risks


--
Res

"What does Windows have that Linux doesn't?" - One hell of a lot of bugs!

Res
External
Since: Sep 30, 2003
Posts: 100

(Msg. 11) Posted: Sat Nov 07, 2009 11:20 pm
Post subject: Re: CHKrootkit

On Sun, 8 Nov 2009, Grant wrote:

>> He shouldn't need to, we don't
>> $check = `/opt/crk/chkrootkit -q`;
>>
>> I'm curious if this is yet another ext4 anomaly
>
> Dunno, I've lost interest in testing ext4. I did notice other distros
> default to it as well. More filesystem beta testers?

He's since confirmed it's EXT4, yes, BTW, I agree, anyone using EXT4 is a
BETA tester :-) ... ' use ext4 at your own risk' ...

--
Res

"What does Windows have that Linux doesn't?" - One hell of a lot of bugs!

Uncle Jean
External
Since: Apr 05, 2009
Posts: 7

(Msg. 12) Posted: Sun Nov 08, 2009 3:20 am
Post subject: Re: CHKrootkit

"Res" told the uncle and all the others:

> It would be, it's just "quiet mode", reporting on actual/probable risks

OK but the scan takes much less time when I add the -q option. What's
the reason of this ?

--
Uncle Jean
http://slacklinux.darkbb.com/index.htm

Uncle Jean
External
Since: Apr 05, 2009
Posts: 7

(Msg. 13) Posted: Sun Nov 08, 2009 9:20 am
Post subject: Re: CHKrootkit

"Res" told the uncle and all the others:

> no idea, maybe less printing out to the screen, maybe because of RAM, as
> you've already run the test.

45 seconds VS. 15 seconds ! There's a reason I don't know.

--
Uncle Jean
http://slacklinux.darkbb.com/index.htm

Res
External
Since: Sep 30, 2003
Posts: 100

(Msg. 14) Posted: Sun Nov 08, 2009 10:31 pm
Post subject: Re: CHKrootkit

On Sun, 8 Nov 2009, Uncle Jean wrote:

> "Res" told the uncle and all the others:
>
>> It would be, it's just "quiet mode", reporting on actual/probable risks
>
> OK but the scan takes much less time when I add the -q option. What's
> the reason of this ?

no idea, maybe less printing out to the screen, maybe because of RAM, as
you've already run the test.


--
Res

"What does Windows have that Linux doesn't?" - One hell of a lot of bugs!

Wild Wizard
External
Since: Dec 06, 2003
Posts: 2

(Msg. 15) Posted: Mon Nov 09, 2009 5:20 am
Post subject: Re: CHKrootkit

Res wrote:

> On Sat, 7 Nov 2009, Uncle Jean wrote:
>
>>> What fs?
>>
>> Ext 4.
>>
>
> OK, you might need to wait to see if anyone else running EXT4 has the same
> issue, my bet is that's where the problem lies.
>

root@indigo:~# mount
/dev/root on / type ext4 (rw,barrier=1,data=ordered)

And using chkrootkit-0.49 I don't see the OP's warning message.

I also fail to see how the file system used for / could have any bearing on
another file system mounted using a different file system.
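
Added example, not part of any post in this thread: the warning quoted above names a path and find's -noleaf option, so a first triage step is to parse it and look at the filesystem type of that path rather than of `/`. The function names, the constructed one-line sample and the two-way classification are assumptions of this sketch, which expects GNU find and stat.

```sh
#!/bin/sh
# Added example (not from the thread): triage find's hard-link-count warning.
# Assumes GNU find and stat; every function name here is hypothetical.

# Constructed sample: the warning quoted in the thread, joined onto one line.
SAMPLE="WARNING: Hard link count is wrong for \`/proc' (saw only st_nlink=112 but we already saw 110 subdirectories): this may be a bug in your file system driver."

# Print "path st_nlink seen" for a warning line, or nothing if it does not match.
parse_nlink_warning() {
    printf '%s\n' "$1" | sed -n \
        "s/.*Hard link count is wrong for [\`']\([^']*\)' (saw only st_nlink=\([0-9]*\) but we already saw \([0-9]*\) subdirectories).*/\1 \2 \3/p"
}

# find's leaf optimisation expects at most st_nlink-2 subdirectories
# ("." and the entry in the parent account for the other two links).
leaf_assumption_holds() {   # $1 = st_nlink, $2 = subdirectories actually present
    [ "$2" -le $(( $1 - 2 )) ]
}

# Print "st_nlink subdirs" as measured right now. -noleaf makes the count
# independent of the link count that is being checked.
measure_dir() (
    nlink=$(stat -c %h "$1") || exit 1
    subdirs=$(find "$1" -noleaf -mindepth 1 -maxdepth 1 -type d 2>/dev/null | wc -l)
    printf '%s %s\n' "$nlink" "$((subdirs))"
)

# proc and sysfs trees are generated by the kernel, not stored on disk.
classify_fs() {   # $1 = type as printed by: stat -f -c %T PATH
    case "$1" in
        proc|sysfs) echo "kernel-generated" ;;
        *)          echo "on-disk-or-other" ;;
    esac
}

# Classify a warning by the filesystem of the path it names, not by that of "/".
triage() {
    set -- $(parse_nlink_warning "$1")
    [ $# -eq 3 ] || { echo "no-match"; return 1; }
    echo "$1 (st_nlink=$2, seen=$3): $(classify_fs "$(stat -f -c %T "$1" 2>/dev/null)")"
}

triage "$SAMPLE" || true
measure_dir /proc || true
```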