What is /dev/shm/sem.haveged_sem?

I just revived my laptop (yey) after a few months of being down. I then ran a zypper update then did my usual security checks when rkhunter returned this result:

[10:56:09]   Checking /dev for suspicious file types         [ Warning ]
[10:56:09] Warning: Suspicious file types found in /dev:
[10:56:09]          /dev/shm/sem.haveged_sem: data

Not much to see in the logs for that, but doing ls -al /dev/shm | grep -i sem returned this:

-rw-r--r--  1 root root   32 May 24 10:40 sem.haveged_sem

I’m concerned because rkhunter flagged it as suspicious. What is that thing anyway?

What about

file /dev/shm/sem.haveged_sem

and when it is text then cat it?

As the message reads, it is suspicious because only device files (block and character) are expected to be within /dev.

BTW, I have the same:

henk@boven:~> l /dev/shm
total 4
drwxrwxrwt  2 root root   60 May 24 08:55 ./
drwxr-xr-x 20 root root 4260 May 24 08:47 ../
-rw-r--r--  1 root root   32 May 24 08:47 sem.haveged_sem
henk@boven:~> 

and

henk@boven:/dev/shm> file sem.haveged_sem 
sem.haveged_sem: data

as your program already said.
And

henk@boven:/dev/shm> od sem.haveged_sem 
0000000 000001 000000 000000 000000 000200 000000 000000 000000
0000020 000000 000000 000000 000000 000000 000000 000000 000000
0000040
henk@boven:/dev/shm>

Interesting ?!?

Something about "shared memory"? Shared memory - Wikipedia

1 Like

This is a named semaphore that haveged creates to synchronize activity between different components. The fact that it appears in /dev/shm is more or less an implementation detail. /dev/shm is simply a memory-based filesystem that has a long history of being used to store various run-time data before /run took its place.

That is a question for the rkhunter developers.

2 Likes
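
As an added illustration (not code from this thread, haveged or rkhunter), the following decodes the 32 bytes from the od output posted above and checks that they are consistent with a named semaphore. It assumes glibc's sem_t layout on a 64-bit little-endian Linux system; the layout constants and function names are assumptions of this example.

```python
import struct

# od output for /dev/shm/sem.haveged_sem, copied from the post above.
OD_DUMP = """\
0000000 000001 000000 000000 000000 000200 000000 000000 000000
0000020 000000 000000 000000 000000 000000 000000 000000 000000
0000040
"""

SEM_T_SIZE = 32      # assumed sizeof(sem_t) on 64-bit glibc
FUTEX_SHARED = 0x80  # assumed glibc marker for a process-shared semaphore


def parse_od(text):
    """Rebuild raw bytes from default `od` output (octal 16-bit LE words)."""
    out = bytearray()
    for line in text.splitlines():
        fields = line.split()
        for word in fields[1:]:  # fields[0] is the octal file offset
            out += struct.pack("<H", int(word, 8))
    return bytes(out)


def decode_sem(raw):
    """Decode the assumed layout: u64 data, i32 private, i32 pad, 16 spare bytes."""
    if len(raw) != SEM_T_SIZE:
        raise ValueError(f"expected {SEM_T_SIZE} bytes, got {len(raw)}")
    data, private, pad = struct.unpack_from("<Qii", raw)
    return {
        "value": data & 0xFFFFFFFF,  # current semaphore count
        "waiters": data >> 32,       # threads currently blocked on it
        "shared": private == FUTEX_SHARED,
        "tail_zero": pad == 0 and not any(raw[16:]),
    }


def looks_like_named_semaphore(filename, raw):
    """True when both the name and the contents fit a glibc named semaphore."""
    if not filename.startswith("sem.") or len(raw) != SEM_T_SIZE:
        return False
    sem = decode_sem(raw)
    return sem["shared"] and sem["tail_zero"]


if __name__ == "__main__":
    raw = parse_od(OD_DUMP)
    print(decode_sem(raw), looks_like_named_semaphore("sem.haveged_sem", raw))
```

Under these assumptions the dump decodes to an unlocked, process-shared semaphore with a count of 1 and no waiters, which is why `file` can only report it as "data".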

https://bugzilla.opensuse.org/show_bug.cgi?id=1206699

Thank you for your inputs. Sounds like it’s a false positive then.