You might want to stop running atop
153 comments
March 25, 2025 · dgacmu
cesarb
> atop seems to run persistently as root, which may be the reason for preventing it from running/uninstalling.
Some distributions (like Ubuntu) enable that service by default, but some others (like Fedora) don't.
tptacek
How severe it would be would depend on how exploitable it was in likely configurations.
netham45
When we tried deploying it we had netatop crashing kernels with a use after free on a linked list, based on the stack traces and kernel dumps. Every box we trialed it on started going down multiple times a week.
czk
I'm not familiar with atop but the website mentions netatop is optional and what I've found suggests you have to manually install it. Do you know if any distributions/packages install this by default alongside the atop install?
__turbobrew__
I don’t think netatop is installed in Ubuntu packages either.
mappu
netatop is not in Debian, and the atop package doesn't include any .ko files.
AlexClickHouse
I vaguely remember an old bug in atop, leading to a very unusual consequence.
Atop will do an invalid memory write and crash with a segfault. But this writing is performed on a memory page mapped to a hardware timer. Despite not being able to write into that page, just touching it somehow changes how this hardware timer works. Then, the OS detects that this timer is inaccurate and switches to a different clock source (which you can see in /sys/devices/system/clocksource/clocksource0/current_clocksource). As a result, every call to clock_gettime becomes slower, and the system becomes slower as a whole until it restarts.
In short, a segfault in atop leads to the whole system's performance degradation. But this was found around maybe 7 years ago.
devoopsies
This was found by the very same Rachel that's sounding the alarm here
anitil
That is such an interesting bug!
hanche
Rachel has posted a follow-up:
https://rachelbythebay.com/w/2025/03/26/atop/
> user1 does something... and gets user2 to blow up. If you can make that do something useful, then you get user2 to run stuff on your behalf.
jofzar
This screams NDA/disclosure but things are so mega super fucked that they feel obligated to pre warn as early as possible.
I wonder how long/old the problem is in atop?
plorkyeran
Yeah, from a rando this would be just bad vagueposting but Rachel is absolutely someone who could know about a very good reason why we should uninstall atop but be unable to legally say why. I would heed her warning.
bigstrat2003
I would disagree and still say that this is bad vagueposting. It doesn't matter how reputable the source is: if you say "don't do X" but don't give a reason why, I'm not inclined to listen. Granted I don't use atop anyways, but I don't think a vague blog post - even one from a respected person - is sufficient justification to change what software one uses.
cortesoft
This seems completely backwards... if someone says to do something but doesn't give a reason, then the ONLY thing to base your decision on whether to listen is their reputation and your trust in them.
If someone I trust tells me to trust them, I will.
LadyCailin
That seems.. whatever the opposite of pragmatic is, but not in a good way, as in “principled”. There are very good reasons one would be required to be vague in a situation like this, but still know about a very serious issue.
It’s like seeing a road sign that says “danger ahead” and ignoring it because it wasn’t very specific. It’s just.. not a sensible move.
mandmandam
> It doesn't matter how reputable the source is:
It does though.
"Don't go down 6th street now" means very different things depending on whether it comes from your buddy, or the bomb squad.
> if you say "don't do X" but don't give a reason why, I'm not inclined to listen.
I hear ya, but, there are sometimes valid reasons people can't say things; and this may well be one of those times. You have every right to do as you like, but it's not necessarily smart now that you've been warned by a respected professional.
sulam
This attitude will eventually burn you.
kaonwarb
Bayes would like to have a word.
zveyaeyv3sfye
That's not how reputation works.
devjam
"Don't put your hand in the fire."
halayli
[flagged]
mjevans
That last line for sure reads as '(author) can't tell you now, but can (plans to) tell you later'; NDA and/or CVE as most likely reasons.
refulgentis
Presumably one step removed? I assume vague-posting would be an NDA violation, though now I'm second-guessing that...
czk
Seems like the latest version might be as old as July 2024?
https://www.atoptool.nl/allnews.php
For anyone interested, here are the latest commits to the GitHub: https://github.com/Atoptool/atop/commits/master/
jofzar
I have this weird gut feeling that it's going to be one of those "this was introduced in 2010 commit and has been in every build since"
Edit: I have no knowledge of what this is FYI.
DominoTree
Skimming through the code (particularly from past issues and PRs) highlights a number of things that look sketchy to me at first glance (in a coding practices way, not in a malicious way) - my gut feeling is that someone smarter than me going through much of this with a fine-toothed-comb would likely find something exploitable.
Rewrite it in Rust. /s
benterix
> my gut feeling is that someone smarter than me going through much of this with a fine-toothed-comb
Seems that's already started: https://github.com/Atoptool/atop/issues/330
rybosome
Agreed. Severe CVE seems like the ticket here given the context.
imoreno
Why would there be an NDA on atop? It's under GPL.
lolinder
It might be covered under an NDA with some company that she's contracting with if she/they discovered the vulnerability in the course of their work.
devmor
It could also be any number of other things too, like it's severe enough that the author feels its responsible to wait for mitigation efforts before disclosing anything about the issue that could lead to it being exploited.
YetAnotherNick
"screams NDA" is not the same as "might be covered under an NDA". And in any case, very likely the said company has already taken mitigative action like removing atop already.
spudlyo
At a previous gig, atop was running fleet-wide (> 1k servers) as sort of a resource monitoring tool of last resort, in a similar way as is described in this article[0]. I left a few years ago, but if memory serves, this thing was baked into base-image Puppet configs, and proved itself handy in past investigations of hard-to-find problems. If this turns out to be a real threat, I wouldn't be surprised if the blast radius for this is substantial.
[0]: https://www.bodhost.com/kb/how-to-monitor-system-resource-us...
TheDong
No one else seems to have run 'grep system(', so I will:
https://github.com/Atoptool/atop/blob/037a6d3e4ace6c7be6c5dc...
> system ("gunzip -c %s > %s", tmpname1, tmpname2)
tmpname2 is hardcoded as "/tmp/atopwrkXXXXXX", so that's fine. tmpname1 is '$irawname.gz'. '$irawname' is set by the '-r' flag.
So, presumably if you can get the rest of the code to play nice and get you there, you can escalate from having shell access to run atop, to having shell access. Oh, I guess that's nothing.
Anyway, still a really bad use of system + user-controlled input, don't do that.
lnxdork
Agree as a basic example. tmpname1 = "/tmp/file.txt; rm -rf /"; becomes gunzip -c /tmp/file.txt; rm -rf / > /tmp/atopwrkXXXXXX
Also tmpname2 could be symlinked to /etc/passwd before it is unlinked..
TheDong
> Also tmpname2 could be symlinked to /etc/passwd before it is unlinked..
Yeah, sure, but only if you run atop as root, otherwise it'll just get a "permission denied", and if you can run atop as root with whatever flags you like, you might as well just run 'rm' instead.
It's not a suid binary, so while it's bad code and a smell, I don't think the TOCTOU is a security issue in how it's commonly run (i.e. as an interactive CLI running as your user).
pledess
The TOCTOU is relevant (without suid) if someone can quickly make the right prediction of the tmpname2 value that's generated by the PRNG used by mkstemp, and create a symlink with that value before gunzip is executed. After calling mkstemp, the code should use the returned file descriptor, and thereby eliminate all TOCTOU risk. However, on (perhaps?) most devices that would realistically use atop, the PRNG works well enough that that prediction would fail.
isotopp
Eh? Calling system() for a binary without a path? And why system() using execl() in the first place, when you could do something using execve() without a sh in between instead?
Even w/o an exploit this can be prettier and more secure.
TheDong
We're not disagreeing. Even if there's no 'sploit there, people have spaces in their directory or file names, and it's kinda nice for your tool to work with those, so obviously you should be using an execve variant to pass arguments properly.
I assume the reason for the incorrect system call is that doing a shell redirect ('>') does actually look prettier though.
Doing the actual right code is definitely less pretty looking IMO: https://github.com/luvit/zlib/blob/8de57bce969eb9dafc1f1f5c2...
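The system() pattern TheDong quotes, lnxdork's injected file name, and the "use the mkstemp() descriptor" fix pledess and isotopp describe, put side by side as an added example. This is not atop's code: the functions build_vulnerable_command, has_shell_meta, gunzip_to_fd and make_work_fd, and the hostile -r value, are all constructed for this illustration.

```c
/*
 * Added example (not atop's code): the shell-injection + TOCTOU shape
 * discussed in the thread, beside a hardened equivalent.  All function
 * names and the hostile input are this example's own.
 */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable shape: the user-controlled -r value ends up inside a string
 * that system() hands to /bin/sh, so ';', '>', '$(...)' etc. in the file
 * name are interpreted by the shell.  Returns 0 and fills 'out' with the
 * command system() would receive; -1 if it does not fit. */
int build_vulnerable_command(const char *irawname, const char *tmpname2,
                             char *out, size_t outlen)
{
    char tmpname1[4096];
    if (snprintf(tmpname1, sizeof tmpname1, "%s.gz", irawname) >= (int)sizeof tmpname1)
        return -1;
    if (snprintf(out, outlen, "gunzip -c %s > %s", tmpname1, tmpname2) >= (int)outlen)
        return -1;
    return 0;               /* the original then does system(out) -- don't */
}

/* Cheap detector for the characters that make the above exploitable.
 * Returns 1 if any shell metacharacter is present, 0 otherwise. */
int has_shell_meta(const char *s)
{
    return strpbrk(s, ";|&$`\"'\\<>()*?[]{}~ \t\n") != NULL;
}

/* mkstemp() creates the file atomically (mode 0600) and returns an fd.
 * 'template_buf' must be writable and end in XXXXXX; it is rewritten. */
int make_work_fd(char *template_buf)
{
    return mkstemp(template_buf);
}

/* Hardened shape: stdout of the child is the descriptor we already own from
 * mkstemp(), so the path is never re-opened by name (no symlink race), and
 * gunzip gets the file name as one argv element, so its contents cannot be
 * parsed as shell syntax.  Returns the child's exit status, 127 if execvp()
 * failed (gunzip not installed), or -1 on fork/wait failure. */
int gunzip_to_fd(const char *irawname, int outfd)
{
    char tmpname1[4096];
    if (snprintf(tmpname1, sizeof tmpname1, "%s.gz", irawname) >= (int)sizeof tmpname1)
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (dup2(outfd, STDOUT_FILENO) < 0)
            _exit(126);
        char *const argv[] = { "gunzip", "-c", tmpname1, NULL };
        execvp(argv[0], argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed hostile -r value of the kind lnxdork describes. */
    const char *hostile = "/tmp/file.txt; rm -rf /";
    char cmd[8192];

    if (build_vulnerable_command(hostile, "/tmp/atopwrkXXXXXX", cmd, sizeof cmd) == 0)
        printf("system() would run: %s\n", cmd);
    printf("shell metacharacters in -r value: %s\n", has_shell_meta(hostile) ? "yes" : "no");

    char tmpl[] = "/tmp/atopwrkXXXXXX";
    int fd = make_work_fd(tmpl);
    if (fd < 0) { perror("mkstemp"); return 1; }
    /* Same hostile name through the hardened path: gunzip is simply asked
     * for a file literally called "/tmp/file.txt; rm -rf /.gz" and fails. */
    int rc = gunzip_to_fd(hostile, fd);
    printf("hardened run exit status: %d (nonzero, nothing was executed)\n", rc);
    close(fd);
    unlink(tmpl);
    return 0;
}
```

Build with `cc -Wall -o gunzip_demo gunzip_demo.c`. The first line of output is the string the vulnerable version would have handed to sh, with `rm -rf /.gz` as a second command; the hardened path feeds the same name to gunzip as a single argument and the only effect is a "No such file" error. On pledess's point: the window the original leaves is between mkstemp() creating the path and the shell's `>` re-opening that path by name; dup2() of the fd mkstemp already returned closes it, without needing to reason about how predictable the XXXXXX suffix is.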
rdtsc
It's Rachel. If she says to remove it, I'll remove it. I see people are suspicious, but I think I'll trust someone like her at least once to do this.
agnishom
I am out of the loop. Who is Rachel, and what are they famous for?
rdtsc
She is a known technology blogger https://rachelbythebay.com, active for more than a decade. Her posts often make it to front page.
I'd trust her enough to remove a non-essential component like atop basically.
Niten
Why should one trust her? What's her full name and the reason for deferring to her expertise?
And yes I'm aware her posts have made it to the top of HN many times in the past. That I've seen, they've all been unhelpful vague-posts like this one.
Maybe she's actually a real expert I should be listening to! But layer upon layer of vague "if you know, you know" do not make that case.
emmelaich
There's a bunch of interesting recent commits from someone without a public signing key.
Removed excess checks before free()
Fixed possible wrong result bit shifting on 64bit after left op type overflow
Fixed possible wrong result bit shifting on 64bit after left operand type overflow
Fixed possible access out-of-bounds items array better check index before using
Could be legit or flawed. Or even fixes for the possible flaw.
TheDong
1. Unsigned commits is the norm. It's weird to sign git commits. It's weird to upload your gpg key to github. gpg is a nightmare mess.
2. They aren't introducing the bug, those are all unreleased commits, so advice to "uninstall now" for something no distros are shipping would be silly.
3. The diff is trivial, you can read it and figure out if it looks like they're fixing a real exploitable thing. The answer is obviously no.
twobiers
> It's weird to upload your gpg key to github. gpg is a nightmare mess.
I agree on that, but note that you're also able to use your existing SSH key for signing commits. https://docs.github.com/en/authentication/managing-commit-si...
wejick
Seems they also are not coming from a PR. Sus
TheDong
https://github.com/Atoptool/atop/pull/327 and https://github.com/Atoptool/atop/pull/325 are the PRs with those commits.
Come on.
teekert
I recently had a course from the author of atop. Seemed like a straight up FOSS friendly guy, I’ll forward him this page.
Hello71
I stopped using atop when I found it installs several hooks which automatically run code as root and deposit files around the filesystem, including a "power management" hook.
lolinder
Do you have any references that describe this behavior? That sounds like exactly the kind of thing that could conceal a backdoor of the sort this seems to be warning about.
Hello71
https://github.com/Atoptool/atop/blob/77e658ea04f4901adf44c7...
installed by default in most distributions, e.g. https://packages.debian.org/bookworm/amd64/atop/filelist
bitbasher
Pure speculation; but it sounds to me like she was doing some sysadmin triage and possibly stumbled onto a backdoor/exfiltration through atop.
She likely can't disclose anything right now.
nodesocket
Except, she kinda did disclose already. Seems a bit strange to circumvent standard embargo practices, only to publicly hint of an exploit but not give any details.
whazor
Maybe because it is a non-essential tool with many alternatives available? It could also be because there are already illicit parties using atop to hack companies? Still, publishing a CVE with the specific exploit and a recommendation to fully delete atop would be better. Even if there is no patch available.
keyle
Is atop included in any distributions?
Is there even a tool to search what is pre-installed in each major distribution(s)?
JamesLeonis
I can confirm my FreeBSD, Debian, and NixOS boxes don't have it installed by default. It's also not installed on my TrueNAS box.
Intralexical
Check in your available container images:
docker images -q | xargs -I{} -t docker run --rm {} sh -c 'type atop && echo "DANGER!!!"'
May produce false negatives, because container images tend to be stripped down compared to desktop and server releases. Probably won't produce false positives, so use as a minimum.
I'd be surprised if any large distros shipped it in a stock configuration.
arp242
Doesn't say what's installed by default, but Repology gives an overview of packages: https://repology.org/project/atop/versions
senectus1
not a default on my Debian bookworm, Ubuntu 24.04.2 LTS, Fedora 41, Proxmox 8.3.4 or OPNsense 25.1.3
vanc_cefepime
I typed 'atop' in my Linux Mint 22.1 laptop/desktop, says it's not found but can be installed. So I think Linux Mint is in the clear, I tried my Ubuntu 24.04 server and same thing there as well as my proxmox home lab instance. I checked that Repology link and I did see Ubuntu, but I guess that is for Ubuntu desktop but not server edition?
ps. If I said anything wrong, please correct me. I'm a linux newb who jumped from Microsoft's world after getting fed up with their Win11 BS. I'm still learning quite a bit about linux daily.
__MatrixMan__
> I'm a linux newb who jumped from Microsoft's world after getting fed up
Welcome to the dark side my friend, it's better here.
> If I said anything wrong, please correct me
Nothing wrong, but if you ever want to see if something is present without actually running it, consider these commands:
ps aux | grep atop # is there a running process named atop?
which atop # is there a runnable command named atop on the PATH?
And since you've referenced some Debian-derived distros, maybe also:
apt list --installed | grep atop # has apt installed a package named atop?
If it does contain something troubling, running the command to see if it was present might expose you to whatever the trouble is.
keyle
No, that sounds about right.
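The checks Intralexical and __MatrixMan__ sketch above (binary on PATH, running process, installed package, container images), collected into one script as an added example. It is not from the thread or the atop project; the function names are this script's own, it additionally looks for the netatop kernel module and netatopd daemon that dgacmu describes and for the systemd units, and it never executes atop itself (`command -v` resolves a name without running it, `pgrep -x` avoids the grep-matches-itself problem).

```sh
#!/bin/sh
# Added example (not from the thread or the atop project): report whether
# atop, its accounting daemon, netatopd and the netatop kernel module are
# present on this host WITHOUT executing any of them.  Function names are
# this script's own.  Pass --images to also scan local Docker images.

# Is a command resolvable on PATH?  'command -v' never runs it.
has_cmd() {
    command -v "$1" >/dev/null 2>&1
}

# Is a process with exactly this name running?  -x matches the whole name,
# so 'pgrep -x atop' does not match the pgrep/grep process itself.
proc_running() {
    has_cmd pgrep && pgrep -x "$1" >/dev/null 2>&1
}

# Is a kernel module loaded?  Reads /proc/modules directly (or the file
# named in $2, used by the self-test) instead of calling lsmod.
mod_loaded() {
    _file="${2:-/proc/modules}"
    [ -r "$_file" ] && grep -q "^$1 " "$_file"
}

# Is the package installed?  dpkg on Debian-derived systems, rpm on RPM-based
# ones.  Returns 2 when neither package manager is available.
pkg_installed() {
    if has_cmd dpkg-query; then
        dpkg-query -W -f='${Status}\n' "$1" 2>/dev/null | grep -q 'install ok installed'
    elif has_cmd rpm; then
        rpm -q "$1" >/dev/null 2>&1
    else
        return 2
    fi
}

# systemd unit state: enabled / disabled / absent / no-systemd.
unit_state() {
    if has_cmd systemctl; then
        systemctl is-enabled "$1" 2>/dev/null || echo absent
    else
        echo no-systemd
    fi
}

# Optional: which local Docker images carry the binary?  Uses 'command -v'
# inside the image so the image never executes atop either.
images_with() {
    has_cmd docker || { echo "docker not available"; return 0; }
    docker images -q 2>/dev/null | sort -u | while read -r img; do
        docker run --rm --entrypoint sh "$img" -c "command -v $1 >/dev/null 2>&1" \
            2>/dev/null && echo "  $img"
    done
}

main() {
    for n in atop atopacctd netatopd; do
        if has_cmd "$n"; then echo "on PATH : $n -> $(command -v "$n")"; else echo "on PATH : $n not found"; fi
        if proc_running "$n"; then echo "running : $n"; else echo "running : $n not running"; fi
    done
    if mod_loaded netatop; then echo "module  : netatop loaded"; else echo "module  : netatop not loaded"; fi
    rc=0; pkg_installed atop || rc=$?
    case $rc in
        0) echo "package : atop installed" ;;
        1) echo "package : atop not installed" ;;
        *) echo "package : unknown (no dpkg/rpm found)" ;;
    esac
    for u in atop atopacct netatop; do echo "unit    : $u $(unit_state "$u")"; done
    [ "${1:-}" = "--images" ] && { echo "images with atop:"; images_with atop; }
    return 0
}

main "$@"
```

Run it as `sh atop_check.sh` for the host view, or `sh atop_check.sh --images` to also walk local Docker images. Every probe is read-only: PATH lookup, process table, /proc/modules, package database and unit state. As Intralexical notes, a clean result in stripped-down container images is a minimum, not proof of absence, and a binary copied somewhere off PATH would not be found by any of these checks; `find / -name atop -type f` is the slower, more thorough alternative.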
LinuxBender
"Ubuntu, Debian, Red Hat Enterprise Linux, Fedora, Linux Mint, SUSE Linux Enterprise, CentOS, Manjaro, elementary OS, Gentoo, Oracle Linux, and Pop!_OS" ~--Google's AI.
I am not aware of any that install it by default.
Macha
Google's AI has just given you a plausible sounding but mostly wrong list of distros - it's not in the enterprise distros, elementary or pop os
LinuxBender
Missing from their output is an upvote and downvote button. Or a debug function that forces it to divulge where it obtained the data.
Wait, now that I think about it why are there Fact Checkers for humans and not for AI?
ASalazarMX
Ubuntu 24.04 doesn't come with atop, but it's in the repos. The only package that depends on it is hollywood[0], which would be a damn shame to lose.
0. https://www.youtube.com/watch?v=rVMn3xk5mcY
Yes, it comes with that music.
There's a lot of speculation about why, with the answer almost certainly security / exploitable (or backdoor), and I'll just throw an extra little tidbit in:
atop seems to run persistently as root, which may be the reason for preventing it from running/uninstalling.
the netatop part of atop installs a persistent kernel module, netatop.ko, as part of its installation. The module hooks netfilter to be able to monitor all traffic.
If there's an exploitable flaw in the kernel module, this would be a max-severity CVE.
netatop _also_ runs a persistent daemon, netatopd, which I believe from inspecting the source runs as root.
The article's language about uninstalling it kinda sorta makes you think one of these three parts is in some way exploitable or backdoored -- any which way it's a privileged process, and one that's monitoring network traffic.
(I'm not sure if netatop is installed by default on systems when you install atop, per czk's comment below)