You might want to stop running atop (opens in new tab)

(rachelbythebay.com)

323 pointssubract1y ago140 comments

140 comments

There's a lot of speculation about why, with the answer almost certainly security / exploitable (or backdoor), and I'll just throw an extra little tidbit in:

atop seems to run persistently as root, which may be the reason for preventing it from running/uninstalling.

the netatop part of atop installs a persistent kernel module, netatop.ko, as part of its installation. The module hooks netfilter to be able to monitor all traffic.

If there's an exploitable flaw in the kernel module, this would be a max-severity CVE.

netatop _also_ runs a persistent daemon, netatopd, which I believe from inspecting the source runs as root.

The article's language about uninstalling it kinda sorta makes you think one of these three parts is in some way exploitable or backdoored -- any which way it's a privileged process, and one that's monitoring network traffic.

(I'm not sure if netatop is installed by default on systems when you install atop, per czk's comment below)

cesarb1y ago

> atop seems to run persistently as root, which may be the reason for preventing it from running/uninstalling.

Some distributions (like Ubuntu) enable that service by default, but some others (like Fedora) don't.

tptacek1y ago

How severe it would be would depend on how exploitable it was in likely configurations.

netham450y ago

When we tried deploying it we had netatop crashing kernels with a use after free on a linked list, based on the stack traces and kernel dumps. Every box we trialed it on started going down multiple times a week.

czk1y ago

I'm not familiar with atop but the website mentions netatop is optional and what I've found suggests you have to manually install it. Do you know if any distributions/packages install this by default alongside the atop install?

mappu1y ago

netatop is not in Debian, and the atop package doesn't include any .ko files.

__turbobrew__1y ago

I don’t think netatop is installed in Ubuntu packages either.

dgacmu1y ago

This is a good question - I'm not sure. The rpmspec doesn't seem to install it, so perhaps it's not quite that bad. The atop program _itself_ runs persistently, though, so, uh, still bad. :)

1 more reply

AlexClickHouse1y ago

I vaguely remember an old bug in atop, leading to a very unusual consequence.

Atop will do an invalid memory write and crash with a segfault. But this writing is performed on a memory page mapped to a hardware timer. Despite not being able to write into that page, just touching it somehow changes how this hardware timer works. Then, the OS detects that this timer is inaccurate and switches to a different clock source (which you can see in /sys/devices/system/clocksource/clocksource0/current_clocksource). As a result, every call to clock_gettime becomes slower, and the system becomes slower as a whole until it restarts.

In short, a segfault in atop leads to the whole system's performance degradation. But this was found around maybe 7 years ago.

devoopsies1y ago

This was found by the very same Rachel that's sounding the alarm here

https://rachelbythebay.com/w/2014/03/02/sync/

anitil1y ago

That is such an interesting bug!

hanche1y ago

Rachel has posted a follow-up:

https://rachelbythebay.com/w/2025/03/26/atop/

> user1 does something... and gets user2 to blow up. If you can make that do something useful, then you get user2 to run stuff on your behalf.

Cyphase1y ago

https://news.ycombinator.com/item?id=43485980

jofzar1y ago

This screams NDA/disclosure but things are so mega super fucked that they feel obligated to pre warn as early as possible.

I wonder how long/old the problem is in atop?

plorkyeran1y ago

Yeah, from a rando this would be just bad vagueposting but Rachel is absolutely someone who could know about a very good reason why we should uninstall atop but be unable to legally say why. I would heed her warning.

bigstrat20031y ago

I would disagree and still say that this is bad vagueposting. It doesn't matter how reputable the source is: if you say "don't do X" but don't give a reason why, I'm not inclined to listen. Granted I don't use atop anyways, but I don't think a vague blog post - even one from a respected person - is sufficient justification to change what software one uses.

8 more replies

mjevans1y ago

That last line for sure reads as '(author) can't tell you now, but can (plans to) tell you later'; NDA and/or CVE as most likely reasons.

refulgentis1y ago

Presumably one step removed? I assume vague-posting would be an NDA violation, though now I'm second-guessing that...

czk1y ago

Seems like the latest version might be as old as July 2024?

https://www.atoptool.nl/allnews.php

For anyone interested, here are the latest commits to the GitHub: https://github.com/Atoptool/atop/commits/master/

jofzar1y ago

I have this weird gut feeling that it's going to be one of those "this was introduced in 2010 commit and has been in every build since"

Edit: I have no knowledge of what this is FYI.

DominoTree1y ago

Skimming through the code (particularly from past issues and PRs) highlights a number of things that look sketchy to me at first glance (in a coding practices way, not in a malicious way) - my gut feeling is that someone smarter than me going through much of this with a fine-toothed-comb would likely find something exploitable.

Rewrite it in Rust. /s

1 more reply

rybosome1y ago

Agreed. Severe CVE seems like the ticket here given the context.

imoreno1y ago

Why would there be an NDA on atop? It's under GPL.

lolinder1y ago

It might be covered under an NDA with some company that she's contracting with if she/they discovered the vulnerability in the course of their work.

2 more replies

spudlyo1y ago

At a previous gig, atop was running fleet-wide (> 1k servers) as sort of a resource monitoring tool of last resort, in a similar way as is described in this article[0]. I left a few years ago, but if memory serves, this thing was baked into base-image Puppet configs, and proved itself handy in past investigations of hard-to-find problems. If this turns to be real threat, I wouldn't be surprised if the blast radius for this is substantial.

[0]: https://www.bodhost.com/kb/how-to-monitor-system-resource-us...

rdtsc1y ago

It's Rachel. If she says to remove it, I'll remove it. I see people are suspicious, but I think I'll trust someone like her at least once to do this.

agnishom1y ago

I am out of the loop. Who is Rachel, and what are they famous for?

rdtsc1y ago

She is a known technology blogger https://rachelbythebay.com, active for more than a decade. Her posts often make it to front page.

I'd trust her enough to remove a non-essential component like atop basically.

1 more reply

TheDong1y ago

No one else seems to have run 'grep system(', so I will:

https://github.com/Atoptool/atop/blob/037a6d3e4ace6c7be6c5dc...

> system ("gunzip -c %s > %s", tmpname1, tmpname2")

tmpname2 is hardcoded as "/tmp/atopwrkXXXXXX", so that's fine. tmpname1 is '$irawname.gz'. '$irawname' is set by the '-r' flag.

So, presumably if you can get the rest of the code to play nice and get you there, you can escalate from having shell access to run atop, to having shell access. Oh, I guess that's nothing.

Anyway, still a really bad use of system + user-controlled input, don't do that.

lnxdork1y ago

Agree as a basic example. tmpname1 = "/tmp/file.txt; rm -rf /"; becomes gunzip -c /tmp/file.txt; rm -rf / > /tmp/atopwrkXXXXXX

Also tmpname2 could be symlinked to /etc/passwd before it is unlinked..

TheDong1y ago

> Also tmpname2 could be symlinked to /etc/passwd before it is unlinked..

Yeah, sure, but only if you run atop as root, otherwise it'll just get a "permission denied", and if you can run atop as root with whatever flags you like, you might as well just run 'rm' instead.

It's not a suid binary, so while it's bad code and a smell, I don't think the TOCTOU is a security issue in how it's commonly run (i.e. as an interactive CLI running as your user).

1 more reply

isotopp1y ago

Eh? Calling system() for a binary without a path? And why system() using execl() in the first place, when you could do something using execve() without a sh inbetween instead?

Even w/o an exploit this can be prettier and more secure.

TheDong1y ago

We're not disagreeing. Even if there's no 'sploit there, people have spaces in their directory or file names, and it's kinda nice for your tool to work with those, so obviously you should be using an execve variant to pass arguments properly.

I assume the reason for the incorrect system call is that doing a shell redirect ('>') does actually look prettier though.

Doing the actual right code is definitely less pretty looking IMO: https://github.com/luvit/zlib/blob/8de57bce969eb9dafc1f1f5c2...

emmelaich1y ago

There's a bunch of interesting recent commits from someone without a public signing key.

    Removed excess checks before free()
    Fixed possible wrong result bit shifting on 64bit after left op type overflow
    Fixed possible wrong result bit shifting on 64bit after left operand type overflow
    Fixed possible access out-of-bounds items array better check index before using

Could be legit or flawed. Or even fixes for the possible flaw.

TheDong1y ago

1. Unsigned commits is the norm. It's weird to sign git commits. It's weird to upload your gpg key to github. gpg is a nightmare mess.

2. They aren't introducing the bug, those are all unreleased commits, so advice to "uninstall now" for something no distros are shipping would be silly.

3. The diff is trivial, you can read it and figure out if it looks like they're fixing a real exploitable thing. The answer is obviously no.

twobiers1y ago

> It's weird to upload your gpg key to github. gpg is a nightmare mess.

I agree on that, but note that you're also able to use your existing SSH key for signing commits. https://docs.github.com/en/authentication/managing-commit-si...

wejick1y ago

Seems they also are not coming PR. Sus

TheDong1y ago

https://github.com/Atoptool/atop/pull/327 and https://github.com/Atoptool/atop/pull/325 are the PRs with those commits.

Come on.

teekert1y ago

I recently had a course from the author of atop. Seemed like a straight up FOSS friendly guy, I’ll forward him this page.

Hello711y ago

I stopped using atop when I found it installs several hooks which automatically run code as root and deposit files around the filesystem, including a "power management" hook.

lolinder1y ago

Do you have any references that describe this behavior? That sounds like exactly the kind of thing that could conceal a backdoor of the sort this seems to be warning about.

Hello711y ago

https://github.com/Atoptool/atop/blob/77e658ea04f4901adf44c7...

installed by default in most distributions, e.g. https://packages.debian.org/bookworm/amd64/atop/filelist

bitbasher1y ago

Pure speculation; but it sounds to me like she was doing some sysadmin triage and possibly stumbled onto a backdoor/exfiltration through atop.

She likely can't disclose anything right now.

nodesocket1y ago

Except, she kinda did disclose already. Seems a bit strange to circumvent standard embargo practices, only to publicly hint of an exploit but not give any details.

whazor1y ago

Maybe because it is a non-essential tool with many alternatives available? It could also be because there are already illicit parties using atop to hack companies? Still, publishing a CVE with the specific exploit and a recommendation to fully delete atop would be better. Even if there is no patch available.

keyle1y ago

Is atop included in any distributions?

Is there even a tool to search what is pre-installed in each major distribution(s)?

JamesLeonis1y ago

I can confirm my FreeBSD, Debian, and NixOS boxes don't have it installed by default. It's also not installed on my TrueNAS box.

Intralexical1y ago

Check in your available container images:

  docker images -q | xargs -I{} -t docker run --rm {} sh -c 'type atop && echo "DANGER!!!"'

May produce false negatives, because container images tend to be stripped down compared to desktop and server releases. Probably won't produce false positives, so use as a minimum.

I'd be surprised if any large distros shipped it in a stock configuration.

arp2421y ago

Doesn't say what's installed by default, but Repology gives an overview of packages: https://repology.org/project/atop/versions

senectus11y ago

not a default on my Debian bookwork, Ubuntu 24.04.2 LTS, Fedora 41, Proxmox 8.3.4 or OPNsense 25.1.3

vanc_cefepime1y ago

I typed 'atop' in my Linux Mint 22.1 laptop/desktop, says it's not found but can be installed. So I think Linux Mint is in the clear, I tried my Ubuntu 24.04 server and same thing there as well as my proxmox home lab instance. I checked that Repology link and I did see Ubuntu, but I guess that is for Ubuntu desktop but not sever edition?

ps. If I said anything wrong, please correct me. I'm a linux newb who jumped from Microsoft's world after getting fed up with their Win11 BS. I'm still learning quite a bit about linux daily.

__MatrixMan__1y ago

> I'm a linux newb who jumped from Microsoft's world after getting fed up

Welcome to the dark side my friend, it's better here.

> If I said anything wrong, please correct me

Nothing wrong, but if you ever want to see if something is present without actually running it, consider these commands:

    ps aux | grep atop # is there a running process named atop?

    which atop # is there a runnable command named atop on the PATH?

And since you've referenced some Debian-derived distros, maybe also

    apt list --installed | grep atop # has apt installed a package named atop?

If it does contain something troubling, running the command to see if it was present might expose you to whatever the trouble is.

keyle1y ago

No, that sounds about right.

LinuxBender1y ago

"Ubuntu, Debian, Red Hat Enterprise Linux, Fedora, Linux Mint, SUSE Linux Enterprise, CentOS, Manjaro, elementary OS, Gentoo, Oracle Linux, and Pop!_OS" ~--Google's AI.

I am not aware of any that install it by default.

Macha1y ago

Google's AI has just given you a plausible sounding but mostly wrong list of distros - it's not in the enterprise distros, elementary or pop os

1 more reply

ASalazarMX1y ago

Ubuntu 24.04 doesn't come with atop, but it's in the repos. The only package that depends on it is hollywood[0], which would be a damn shame to lose.

0. https://www.youtube.com/watch?v=rVMn3xk5mcY

Yes, it comes with that music.

imoreno1y ago

Luckily I use a much better *top, btop.

d3Xt3r1y ago

This. Not only that, I don't know of a single person (IRL or online) who used atop, like, ever. In fact, this is the first time I'm even hearing of atop.

IIRC, most folks went from top -> htop -> glances -> various btop variants (bashtop, bpytop, btop++ etc)

__turbobrew__1y ago

atop can record to a file and then be replayed in the future. Sometimes a node is so FUBARed that it won’t even emit metrics so atop can sometimes save your ass when it records metrics to disk.

1 more reply

radicality0y ago

I used atop sporadically at Facebook to debug performance issues. I actually learned about it there, was I think on all the machines. This was bunch of years ago, so not sure if it still is there fleetwide, but it was really helpful to get a past granular view of what happened on the machine on some exact second few days ago where error rate metrics indicate a particular host was struggling.

SubiculumCode1y ago

Btop variants, glances, why should I move from htop?

2 more replies

geerlingguy1y ago

atop was a happy medium between btop/htop and a full tracing tool like perf.

I used it when debugging deeper PCIe, CPU, or networking bottlenecks.

crmrc1141y ago

Well that ansible job was quickly ran, buhbye atop. Very concerning coming from Rachel and not some rando. I know a number of fortune 5's that use atop for troubleshooting as well. So as others have commented if you had this baked into images or loaded with puppet etc than now may be the time to cleanup.

geenat1y ago

Probably a backdoor.

Repositories controlled by accounts based in mainland China and Russia are always a risk- it's too easy for a dictatorship to force something to happen even if the authors themselves are trying to act in good faith.

XZ, Swoole... examples off the top of my head.

protocolture1y ago

> it's too easy for a dictatorship to force something

We really need to get rid of this mentality. Australia has laws that allow undisclosed, compelled, software updates. Verbally by ministers, but written (confidential) changes can be requested by federal agencies. Many western countries have followed to various degrees. There's no stable trusted government that doesn't want its fingers in your code.

geenat1y ago

I agree it's not good but being realistic: I'd be far less worried about the Australian government stealing/selling customer data, using my servers in a botnet, using my servers to spread malware.. etc.

Mainland China, Russia, North Korea, all have proven track records of doing these things and having corporate espionage rat lines: https://www.youtube.com/watch?v=y27B-sKIUHA

3 more replies

tetromino_1y ago

Where did you see signs of control by Russia or China? The project's github repo states that the project currently has one maintainer, and that maintainer has a very Dutch name and a .nl website.

ThePowerOfFuet1y ago

Talking about the author of the suspicious commits. In another repo:

https://github.com/xroche/httrack/pull/210/commits/e00339643...

lionkor1y ago

What about the fact that software is hosted on US/German/Australian/whatever else platforms and infrastructure, what's different with that, technically speaking? The fact that a majority of software we rely on is hosted on GitHub, isn't that scary the same way that a repo owned by someone in a other country is scary?

Does a government need to openly act in a specific way for there to be a risk, or is this perceived risk due to a media bias?

I'm genuinely curious if there's a good answer

geenat1y ago

GitHub has a lot to lose if it was leaked that they were knowingly facilitating backdoors behind the scenes- many pay for the convenience and trust.

By the same standard, what are the repercussions for these random fly by night accounts? Just make a new account and try again on an existing project or fork / tweak / rebrand another project.

Steam, VSCode, PyPI, NPM... it would ruin those platforms overnight if they were putting in backdoors themselves.

1 more reply

heavyset_go1y ago

These are all good questions where the answer is usually something along the lines of solving them with reproducible builds and Nix, which sounds good until someone points out where the Nix ecosystem gets its funding.

1 more reply

zertrin1y ago

Seems it's currently experiencing the HN hug of death (not responding for me), here's an archived version https://archive.is/MvNSk

LorenDB1y ago

For openSUSE users: `sudo zypper al atop` will prevent atop from being installed for any reason, as long as it's uninstalled before you add the lock.

spyc0y ago

If anyone wonders what atop looks like at runtime or what it would be useful for, there's a video dedicated to the tool at https://www.youtube.com/watch?v=27AtCR5ftyM .

jaffa21y ago

enigmatic? Anyone know why

subractOP1y ago

No clue personally, but the author is prolific enough here that I thought it merited posting.

ggm1y ago

I go with three paths out.

1. it consumes too much systems resources. So its net-negative impact on the system under observation

2. it's misleading and leads to false diagnoses of situations under review

3. she's under an NDA of some kind related to a CVE or some other high class risk which will come out in due course but she felt a burden to stop people being exposed to risk.

4. I can't count and there are 4, 5, 6 other reasons but these 3 are mine.

3 more replies

iJohnDoe1y ago

Very simple. From a state level, if they are trying to compromise a system, get persistent access, already have access, but need to escalate, then atop is a solution if it's already on the system.

Just like Notepad++ back in the day.

nextts1y ago

Is there a mechanism where this sort of advice can flow through security teams to everyone (assuming it is about security) without dropping the details. How are zero days dealt with?

TheDong1y ago

For non-public zero-days on packages in linux/BSD distros - https://oss-security.openwall.org/wiki/mailing-lists/distros

For public issues - https://oss-security.openwall.org/wiki/mailing-lists/oss-sec...

For vague-posting about unconfirmed CVEs and zero days - twitter.com and/or mastodon and/or your friend on signal

alsetmusic1y ago

I’m actually surprised I didn’t have it installed, what with all the packages I check out just through sheer curiosity. Thanks Rachel! I’ll avoid it in the future.

stavros1y ago

Alarmingly, I had it installed on my home server, for some odd reason. I don't remember ever using it.

ars1y ago

Same here. I installed, and I don't remember why, and I've never once used it.

ink_131y ago

For the purposes listed on the tin (as it were), it can be a useful forensic tool in the absence of other monitoring

vanc_cefepime1y ago

Linux newbie here. Jumped into the Linux world after getting tired of Microsoft's BS with Win 11. Running Linux mint on my laptop and desktop. Looks like 'atop' is not installed by default, but regular 'top'. Anyone know which distros I should be worried about that have it? Also I have been dabbling with proxmox, I checked and looks like 'top' is the default there too.

grayfaced1y ago

You're probably not running either unless you know what they are. Top is an equivalent of windows taskmanager, most often to used identify "top" processes using memory/cpu (and other resources) and only ran briefly. Atop is a different long-running version used to create logs of the same data to understand trends.

cesarb1y ago

> [...] and only ran briefly. Atop is a different long-running version used to create logs of the same data to understand trends.

atop is also normally only ran briefly. It has an optional mode (enabled by default in some, but not all distributions) in which it runs as a service and saves a snapshot of the system state every few seconds; atop can read and show these snapshots when ran briefly.

slicktux1y ago

Ominous, I’ll heed the warning!

j / k navigate · click thread line to collapse

140 comments

dgacmu1y ago

There's a lot of speculation about why, with the answer almost certainly security / exploitable (or backdoor), and I'll just throw an extra little tidbit in:

atop seems to run persistently as root, which may be the reason for preventing it from running/uninstalling.

the netatop part of atop installs a persistent kernel module, netatop.ko, as part of its installation. The module hooks netfilter to be able to monitor all traffic.

If there's an exploitable flaw in the kernel module, this would be a max-severity CVE.

netatop _also_ runs a persistent daemon, netatopd, which I believe from inspecting the source runs as root.

(I'm not sure if netatop is installed by default on systems when you install atop, per czk's comment below)

cesarb1y ago

> atop seems to run persistently as root, which may be the reason for preventing it from running/uninstalling.

Some distributions (like Ubuntu) enable that service by default, but some others (like Fedora) don't.

tptacek1y ago

How severe it would be would depend on how exploitable it was in likely configurations.

netham450y ago

czk1y ago

mappu1y ago

netatop is not in Debian, and the atop package doesn't include any .ko files.

__turbobrew__1y ago

I don’t think netatop is installed in Ubuntu packages either.

dgacmu1y ago

This is a good question - I'm not sure. The rpmspec doesn't seem to install it, so perhaps it's not quite that bad. The atop program _itself_ runs persistently, though, so, uh, still bad. :)

1 more reply

AlexClickHouse1y ago

I vaguely remember an old bug in atop, leading to a very unusual consequence.

In short, a segfault in atop leads to the whole system's performance degradation. But this was found around maybe 7 years ago.

devoopsies1y ago

This was found by the very same Rachel that's sounding the alarm here

https://rachelbythebay.com/w/2014/03/02/sync/

anitil1y ago

That is such an interesting bug!

hanche1y ago

Rachel has posted a follow-up:

https://rachelbythebay.com/w/2025/03/26/atop/

> user1 does something... and gets user2 to blow up. If you can make that do something useful, then you get user2 to run stuff on your behalf.

Cyphase1y ago

https://news.ycombinator.com/item?id=43485980

jofzar1y ago

This screams NDA/disclosure but things are so mega super fucked that they feel obligated to pre warn as early as possible.

I wonder how long/old the problem is in atop?

plorkyeran1y ago

bigstrat20031y ago

8 more replies

mjevans1y ago

That last line for sure reads as '(author) can't tell you now, but can (plans to) tell you later'; NDA and/or CVE as most likely reasons.

refulgentis1y ago

Presumably one step removed? I assume vague-posting would be an NDA violation, though now I'm second-guessing that...

czk1y ago

Seems like the latest version might be as old as July 2024?

https://www.atoptool.nl/allnews.php

For anyone interested, here are the latest commits to the GitHub: https://github.com/Atoptool/atop/commits/master/

jofzar1y ago

I have this weird gut feeling that it's going to be one of those "this was introduced in 2010 commit and has been in every build since"

Edit: I have no knowledge of what this is FYI.

DominoTree1y ago

Rewrite it in Rust. /s

1 more reply

rybosome1y ago

Agreed. Severe CVE seems like the ticket here given the context.

imoreno1y ago

Why would there be an NDA on atop? It's under GPL.

lolinder1y ago

It might be covered under an NDA with some company that she's contracting with if she/they discovered the vulnerability in the course of their work.

2 more replies

spudlyo1y ago

[0]: https://www.bodhost.com/kb/how-to-monitor-system-resource-us...

rdtsc1y ago

It's Rachel. If she says to remove it, I'll remove it. I see people are suspicious, but I think I'll trust someone like her at least once to do this.

agnishom1y ago

I am out of the loop. Who is Rachel, and what are they famous for?

rdtsc1y ago

She is a known technology blogger https://rachelbythebay.com, active for more than a decade. Her posts often make it to front page.

I'd trust her enough to remove a non-essential component like atop basically.

1 more reply

TheDong1y ago

No one else seems to have run 'grep system(', so I will:

https://github.com/Atoptool/atop/blob/037a6d3e4ace6c7be6c5dc...

> system ("gunzip -c %s > %s", tmpname1, tmpname2")

tmpname2 is hardcoded as "/tmp/atopwrkXXXXXX", so that's fine. tmpname1 is '$irawname.gz'. '$irawname' is set by the '-r' flag.

So, presumably if you can get the rest of the code to play nice and get you there, you can escalate from having shell access to run atop, to having shell access. Oh, I guess that's nothing.

Anyway, still a really bad use of system + user-controlled input, don't do that.

lnxdork1y ago

Agree as a basic example. tmpname1 = "/tmp/file.txt; rm -rf /"; becomes gunzip -c /tmp/file.txt; rm -rf / > /tmp/atopwrkXXXXXX

Also tmpname2 could be symlinked to /etc/passwd before it is unlinked..

TheDong1y ago

> Also tmpname2 could be symlinked to /etc/passwd before it is unlinked..

Yeah, sure, but only if you run atop as root, otherwise it'll just get a "permission denied", and if you can run atop as root with whatever flags you like, you might as well just run 'rm' instead.

It's not a suid binary, so while it's bad code and a smell, I don't think the TOCTOU is a security issue in how it's commonly run (i.e. as an interactive CLI running as your user).

1 more reply

isotopp1y ago

Eh? Calling system() for a binary without a path? And why system() using execl() in the first place, when you could do something using execve() without a sh inbetween instead?

Even w/o an exploit this can be prettier and more secure.

TheDong1y ago

I assume the reason for the incorrect system call is that doing a shell redirect ('>') does actually look prettier though.

Doing the actual right code is definitely less pretty looking IMO: https://github.com/luvit/zlib/blob/8de57bce969eb9dafc1f1f5c2...

emmelaich1y ago

There's a bunch of interesting recent commits from someone without a public signing key.

    Removed excess checks before free()
    Fixed possible wrong result bit shifting on 64bit after left op type overflow
    Fixed possible wrong result bit shifting on 64bit after left operand type overflow
    Fixed possible access out-of-bounds items array better check index before using

Could be legit or flawed. Or even fixes for the possible flaw.

TheDong1y ago

1. Unsigned commits is the norm. It's weird to sign git commits. It's weird to upload your gpg key to github. gpg is a nightmare mess.

2. They aren't introducing the bug, those are all unreleased commits, so advice to "uninstall now" for something no distros are shipping would be silly.

3. The diff is trivial, you can read it and figure out if it looks like they're fixing a real exploitable thing. The answer is obviously no.

twobiers1y ago

> It's weird to upload your gpg key to github. gpg is a nightmare mess.

I agree on that, but note that you're also able to use your existing SSH key for signing commits. https://docs.github.com/en/authentication/managing-commit-si...

wejick1y ago

Seems they also are not coming PR. Sus

TheDong1y ago

https://github.com/Atoptool/atop/pull/327 and https://github.com/Atoptool/atop/pull/325 are the PRs with those commits.

Come on.

teekert1y ago

I recently had a course from the author of atop. Seemed like a straight up FOSS friendly guy, I’ll forward him this page.

Hello711y ago

I stopped using atop when I found it installs several hooks which automatically run code as root and deposit files around the filesystem, including a "power management" hook.

lolinder1y ago

Do you have any references that describe this behavior? That sounds like exactly the kind of thing that could conceal a backdoor of the sort this seems to be warning about.

Hello711y ago

https://github.com/Atoptool/atop/blob/77e658ea04f4901adf44c7...

installed by default in most distributions, e.g. https://packages.debian.org/bookworm/amd64/atop/filelist

bitbasher1y ago

Pure speculation; but it sounds to me like she was doing some sysadmin triage and possibly stumbled onto a backdoor/exfiltration through atop.

She likely can't disclose anything right now.

nodesocket1y ago

Except, she kinda did disclose already. Seems a bit strange to circumvent standard embargo practices, only to publicly hint of an exploit but not give any details.

whazor1y ago

keyle1y ago

Is atop included in any distributions?

Is there even a tool to search what is pre-installed in each major distribution(s)?

JamesLeonis1y ago

I can confirm my FreeBSD, Debian, and NixOS boxes don't have it installed by default. It's also not installed on my TrueNAS box.

Intralexical1y ago

Check in your available container images:

  docker images -q | xargs -I{} -t docker run --rm {} sh -c 'type atop && echo "DANGER!!!"'

May produce false negatives, because container images tend to be stripped down compared to desktop and server releases. Probably won't produce false positives, so use as a minimum.

I'd be surprised if any large distros shipped it in a stock configuration.

arp2421y ago

Doesn't say what's installed by default, but Repology gives an overview of packages: https://repology.org/project/atop/versions

senectus11y ago

not a default on my Debian bookwork, Ubuntu 24.04.2 LTS, Fedora 41, Proxmox 8.3.4 or OPNsense 25.1.3

vanc_cefepime1y ago

ps. If I said anything wrong, please correct me. I'm a linux newb who jumped from Microsoft's world after getting fed up with their Win11 BS. I'm still learning quite a bit about linux daily.

__MatrixMan__1y ago

> I'm a linux newb who jumped from Microsoft's world after getting fed up

Welcome to the dark side my friend, it's better here.

> If I said anything wrong, please correct me

Nothing wrong, but if you ever want to see if something is present without actually running it, consider these commands:

    ps aux | grep atop # is there a running process named atop?

    which atop # is there a runnable command named atop on the PATH?

And since you've referenced some Debian-derived distros, maybe also

    apt list --installed | grep atop # has apt installed a package named atop?

If it does contain something troubling, running the command to see if it was present might expose you to whatever the trouble is.

keyle1y ago

No, that sounds about right.

LinuxBender1y ago

"Ubuntu, Debian, Red Hat Enterprise Linux, Fedora, Linux Mint, SUSE Linux Enterprise, CentOS, Manjaro, elementary OS, Gentoo, Oracle Linux, and Pop!_OS" ~--Google's AI.

I am not aware of any that install it by default.

Macha1y ago

Google's AI has just given you a plausible sounding but mostly wrong list of distros - it's not in the enterprise distros, elementary or pop os

1 more reply

ASalazarMX1y ago

Ubuntu 24.04 doesn't come with atop, but it's in the repos. The only package that depends on it is hollywood[0], which would be a damn shame to lose.

0. https://www.youtube.com/watch?v=rVMn3xk5mcY

Yes, it comes with that music.

imoreno1y ago

Luckily I use a much better *top, btop.

d3Xt3r1y ago

This. Not only that, I don't know of a single person (IRL or online) who used atop, like, ever. In fact, this is the first time I'm even hearing of atop.

IIRC, most folks went from top -> htop -> glances -> various btop variants (bashtop, bpytop, btop++ etc)

__turbobrew__1y ago

atop can record to a file and then be replayed in the future. Sometimes a node is so FUBARed that it won’t even emit metrics so atop can sometimes save your ass when it records metrics to disk.

1 more reply

radicality0y ago

SubiculumCode1y ago

Btop variants, glances, why should I move from htop?

2 more replies

geerlingguy1y ago

atop was a happy medium between btop/htop and a full tracing tool like perf.

I used it when debugging deeper PCIe, CPU, or networking bottlenecks.

crmrc1141y ago

geenat1y ago

Probably a backdoor.

XZ, Swoole... examples off the top of my head.

protocolture1y ago

> it's too easy for a dictatorship to force something

geenat1y ago

Mainland China, Russia, North Korea, all have proven track records of doing these things and having corporate espionage rat lines: https://www.youtube.com/watch?v=y27B-sKIUHA

3 more replies

tetromino_1y ago

Where did you see signs of control by Russia or China? The project's github repo states that the project currently has one maintainer, and that maintainer has a very Dutch name and a .nl website.

ThePowerOfFuet1y ago

Talking about the author of the suspicious commits. In another repo:

https://github.com/xroche/httrack/pull/210/commits/e00339643...

lionkor1y ago

Does a government need to openly act in a specific way for there to be a risk, or is this perceived risk due to a media bias?

I'm genuinely curious if there's a good answer

geenat1y ago

GitHub has a lot to lose if it was leaked that they were knowingly facilitating backdoors behind the scenes- many pay for the convenience and trust.

By the same standard, what are the repercussions for these random fly by night accounts? Just make a new account and try again on an existing project or fork / tweak / rebrand another project.

Steam, VSCode, PyPI, NPM... it would ruin those platforms overnight if they were putting in backdoors themselves.

1 more reply

heavyset_go1y ago

1 more reply

zertrin1y ago

Seems it's currently experiencing the HN hug of death (not responding for me), here's an archived version https://archive.is/MvNSk

LorenDB1y ago

For openSUSE users: `sudo zypper al atop` will prevent atop from being installed for any reason, as long as it's uninstalled before you add the lock.

spyc0y ago

If anyone wonders what atop looks like at runtime or what it would be useful for, there's a video dedicated to the tool at https://www.youtube.com/watch?v=27AtCR5ftyM .

jaffa21y ago

enigmatic? Anyone know why

subractOP1y ago

No clue personally, but the author is prolific enough here that I thought it merited posting.

ggm1y ago

I go with three paths out.

1. it consumes too much systems resources. So its net-negative impact on the system under observation

2. it's misleading and leads to false diagnoses of situations under review

3. she's under an NDA of some kind related to a CVE or some other high class risk which will come out in due course but she felt a burden to stop people being exposed to risk.

4. I can't count and there are 4, 5, 6 other reasons but these 3 are mine.

3 more replies

iJohnDoe1y ago

Very simple. From a state level, if they are trying to compromise a system, get persistent access, already have access, but need to escalate, then atop is a solution if it's already on the system.

Just like Notepad++ back in the day.

nextts1y ago

Is there a mechanism where this sort of advice can flow through security teams to everyone (assuming it is about security) without dropping the details. How are zero days dealt with?

TheDong1y ago

For non-public zero-days on packages in linux/BSD distros - https://oss-security.openwall.org/wiki/mailing-lists/distros

For public issues - https://oss-security.openwall.org/wiki/mailing-lists/oss-sec...

For vague-posting about unconfirmed CVEs and zero days - twitter.com and/or mastodon and/or your friend on signal

alsetmusic1y ago

I’m actually surprised I didn’t have it installed, what with all the packages I check out just through sheer curiosity. Thanks Rachel! I’ll avoid it in the future.

stavros1y ago

Alarmingly, I had it installed on my home server, for some odd reason. I don't remember ever using it.

ars1y ago

Same here. I installed, and I don't remember why, and I've never once used it.

ink_131y ago

For the purposes listed on the tin (as it were), it can be a useful forensic tool in the absence of other monitoring

vanc_cefepime1y ago

grayfaced1y ago

cesarb1y ago

> [...] and only ran briefly. Atop is a different long-running version used to create logs of the same data to understand trends.

slicktux1y ago

Ominous, I’ll heed the warning!

j / k navigate · click thread line to collapse