an ominous I-am-under-NDA-coded warning to immediately uninstall atop has been posted by a reputable tech blogger. https://rachelbythebay.com/w/2025/03/25/atop/
to be clear, “atop” is a Linux system administration tool and if you don’t know what that means or if you could possibly have it installed, you don’t.
it seems to be getting hug of deathed, so here’s a screenshot, though it really doesn’t say much more than what I said.
Summary of the HN discussion so far
and https://news.ycombinator.com/item?id=43478866, https://github.com/Atoptool/atop/blame/037a6d3e4ace6c7be6c5dcf0c286c013e3c884cc/rawlog.c#L554-L556, 14 years ago, which I would not let pass in a code review today.
This ends up being a call to execl() to a binary without a path, and a sh with interpolation in between. It should be a call to execve() with a clean env, and a path to a binary, sans sh.
If this is run as root in a suid binary, it would not be good.
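As an added illustration (my own constructed code, not atop's and not from anyone in this thread), the pattern the post describes beside the hardened form it asks for; the tool and file names are made up, and the "unsafe" function only exists to show the shape of the problem:

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>

/* Pattern described above (hypothetical, not atop's actual code): the tool
 * name is interpolated into one command string that a shell re-parses, and
 * execl() is given a bare "sh". execl() does not search PATH, so "sh" here
 * is resolved relative to the current working directory. */
static int run_via_shell_unsafe(const char *tool, const char *file)
{
    char cmd[512];
    snprintf(cmd, sizeof cmd, "%s %s", tool, file);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execl("sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Hardened form: absolute path to the binary, arguments passed as separate
 * argv strings (no shell, so nothing is re-parsed), and a clean environment.
 * Returns the child's exit status, or -1 if the request is rejected or fails. */
static int run_hardened(const char *tool_path, const char *file)
{
    static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };
    if (tool_path == NULL || tool_path[0] != '/') return -1; /* no cwd/PATH lookups */
    if (access(tool_path, X_OK) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)tool_path, (char *)file, NULL };
        execve(tool_path, argv, clean_env);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed file name with a space: the shell form splits it into two
     * words, the execve form delivers it to the child as a single argument. */
    const char *file = "sample 1.raw";
    printf("shell form (bare \"sh\"): exit %d\n", run_via_shell_unsafe("true", file));
    printf("hardened form:           exit %d\n", run_hardened("/bin/true", file));
    return 0;
}
```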
@isotopp @0xabad1dea It might run as root, but I don't see a suid binary (at least not in the Debian packages).
And it isn't installed by default in any distribution I know. Debian also doesn't even build the netatop kernel module.
Then that code part is only ugly, and not radioactive.
@isotopp @0xabad1dea I agree.
I stopped looking at other people's code years ago. It's like looking at office IT in doctors' offices and hospitals. Better look away or feel even worse than you're already feeling.