
I ran a rkhunter scan (`sudo rkhunter -c --enable all --disable none --rwo`) and it showed me that redshift is accessing a deleted file.

I'd like to find out why it's doing so and why it would need access to anything related to audio.

The output is: `Warning: The following processes are using deleted files: [...] Process: /usr/bin/redshift PID: id File: /memfd:pulseaudio`. This file has been accessed before but I don't know if that was redshift too.

Edit: asked about it at the redshift repo now

mYnDstrEAm
  • Run redshift in `strace` and see what syscall is opening it, then run it again in `gdb` with a catchpoint set on that syscall, and post a backtrace of when it's about to open it. – Joseph Sible-Reinstate Monica Dec 17 '20 at 00:26
  • @JosephSible-ReinstateMonica When I run `pidof redshift` and `strace -p pid` I get `strace: test_ptrace_get_syscall_info: PTRACE_TRACEME: Operation not permitted`. How to get it working? I'm using apparmor in case that matters. – mYnDstrEAm Dec 17 '20 at 11:00
  • It's probably Yama that's the problem, not AppArmor. Do `echo 0 | sudo tee /proc/sys/kernel/yama/ptrace_scope` to turn it off. But anyway, there's a good chance you'll miss the relevant syscall if you attach after it starts. You should instead start it within strace, which also works without needing to turn off Yama. – Joseph Sible-Reinstate Monica Dec 17 '20 at 15:11
  • Alright, but I don't know what Yama is so I don't want to just turn it off...especially if it's unlikely to log the relevant syscall. I get the above error when running `strace redshift` and when running `sudo strace -p pid`. – mYnDstrEAm Dec 17 '20 at 17:38
  • Literally the only thing that does is keep you from using `ptrace`. It's fine to turn off, and it will be back on after you reboot anyway. – Joseph Sible-Reinstate Monica Dec 17 '20 at 18:35
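
The following added example, which is not from this thread and is not rkhunter's code, lists what a process holds that `/proc` marks as deleted and separates memfd_create(2) memory files, which the kernel always labels `/memfd:<name> (deleted)`, from files that were unlinked on disk. The function names and the `proc_root` parameter (for pointing it at a constructed tree) are assumptions of this example.

```python
import os
import re

DELETED = " (deleted)"
# proc(5) maps line: address perms offset dev inode pathname
MAPS_RE = re.compile(r"^\S+\s+\S+\s+\S+\s+\S+\s+\d+\s+(.+)$")

def classify(target):
    """Return (kind, name) for a /proc target, or None if it is not marked deleted."""
    if not target.endswith(DELETED):
        return None
    path = target[:-len(DELETED)]
    if path.startswith("/memfd:"):
        # memfd_create(2) files exist only in memory, never on disk;
        # the kernel reports them as "/memfd:<name> (deleted)".
        return ("memfd", path[len("/memfd:"):])
    return ("unlinked-file", path)

def deleted_entries(pid, proc_root="/proc"):
    """Collect deleted-file references of one process from its fd links and maps."""
    base = os.path.join(proc_root, str(pid))
    found = set()
    fd_dir = os.path.join(base, "fd")
    try:
        for fd in os.listdir(fd_dir):
            try:
                hit = classify(os.readlink(os.path.join(fd_dir, fd)))
            except OSError:
                continue  # descriptor was closed while we were reading
            if hit:
                found.add(("fd",) + hit)
    except OSError:
        pass  # no permission, or the process has exited
    try:
        with open(os.path.join(base, "maps")) as maps:
            for line in maps:
                m = MAPS_RE.match(line.rstrip("\n"))
                hit = classify(m.group(1)) if m else None
                if hit:
                    found.add(("map",) + hit)
    except OSError:
        pass
    return sorted(found)

if __name__ == "__main__":
    import sys
    for source, kind, name in deleted_entries(sys.argv[1]):
        print(f"{source:3} {kind:13} {name}")
```

Run it with a PID as the only argument, as the process owner or root; entries of kind `unlinked-file` are the ones that once had an on-disk path.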
