Question Regarding hidden folder being marked as a rootkit in /tmp when using appimage

I have recently set up security auditing on my local workstation. This auditing has picked up on a hidden file that is being created in the /tmp directory and is owned by root:root even though the Obsidian app is being run under a normal user account using the Appimage installer.

The directory in the /tmp directory is only present when Obsidian is running and has the name format of .mount_obsidi<random_string>

See example below:

> ls -la /tmp
...
drwxr-xr-x  5 root    root        0 Dec 25 19:19 .mount_ObsidikcDNzJ
...

ls -la /tmp/.mount_ObsidikcDNzJ
total 208372
-rwxr-xr-x 1 root root      2349 Dec 25 19:19 AppRun
-rw-r--r-- 1 root root    136579 Dec 25 19:19 chrome_100_percent.pak
-rw-r--r-- 1 root root    197691 Dec 25 19:19 chrome_200_percent.pak
-rwxr-xr-x 1 root root   1246464 Dec 25 19:19 chrome_crashpad_handler
-rwxr-xr-x 1 root root     53840 Dec 25 19:19 chrome-sandbox
lrwxrwxrwx 1 root root        49 Dec 25 19:19 .DirIcon -> usr/share/icons/hicolor/512x512/apps/obsidian.png
-rw-r--r-- 1 root root  10544880 Dec 25 19:19 icudtl.dat
-rwxr-xr-x 1 root root    251064 Dec 25 19:19 libEGL.so
-rwxr-xr-x 1 root root   2877488 Dec 25 19:19 libffmpeg.so
-rwxr-xr-x 1 root root   6437608 Dec 25 19:19 libGLESv2.so
-rwxr-xr-x 1 root root   4565640 Dec 25 19:19 libvk_swiftshader.so
-rwxr-xr-x 1 root root   6396248 Dec 25 19:19 libvulkan.so.1
-rw-r--r-- 1 root root      1096 Dec 25 19:19 LICENSE.electron.txt
-rw-r--r-- 1 root root   8247912 Dec 25 19:19 LICENSES.chromium.html
drwxr-xr-x 2 root root         0 Dec 25 19:19 locales
-rwxr-xr-x 1 root root 166365776 Dec 25 19:19 obsidian
-rw-rw-r-- 1 root root       225 Dec 25 19:19 obsidian.desktop
lrwxrwxrwx 1 root root        49 Dec 25 19:19 obsidian.png -> usr/share/icons/hicolor/512x512/apps/obsidian.png
drwxr-xr-x 3 root root         0 Dec 25 19:19 resources
-rw-r--r-- 1 root root   5214565 Dec 25 19:19 resources.pak
-rw-r--r-- 1 root root    259202 Dec 25 19:19 snapshot_blob.bin
drwxrwxr-x 4 root root         0 Dec 25 19:19 usr
-rw-r--r-- 1 root root    578034 Dec 25 19:19 v8_context_snapshot.bin
-rw-r--r-- 1 root root       107 Dec 25 19:19 vk_swiftshader_icd.json

It appears that these files are essentially the extracted contents of the appimage and possibly represent the files needed for Obsidian to run.

Is this the case? If so, why would the files be owned by the root user and root group?

I’ve tested this with a fresh vault with no plugins installed and the result is the same.

I’ve done a pretty extensive search and haven’t found any reference to this behavior, so just making sure that I’m not ignoring something that could potentially indicate a compromise or risk of compromise.

Thank you in advance.

Bumping thread.
This directory is definitely created by Appimage but I’m curious why they’re owned by the root user.

A user has no business there, so why should these files not be owned by root? This is a security measure, not a security breach.
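An added triage helper, not from any participant in this thread: the AppImage runtime mounts the squashfs image embedded in the .AppImage file through FUSE under /tmp/.mount_<name><random>, so the ownership shown by ls is whatever was recorded in the image when it was built, while the mount itself is read-only and carries the unprivileged user's uid in its user_id= option. The script below checks /proc/self/mounts (or a file passed as its second argument) to confirm that a flagged /tmp/.mount_* directory is such a FUSE mount rather than a plain directory someone wrote into /tmp, and reports which user mounted it. The sample mounts file, the Obsidian-X.Y.Z.AppImage source name and the uid 1000 are constructed for the example.

```shell
#!/bin/sh
# Added example: distinguish an AppImage FUSE mount in /tmp from a plain
# directory. Reads /proc/self/mounts by default; a mounts file may be passed
# as the second argument so the logic can be exercised offline.

# classify_mount DIR [MOUNTS_FILE] -> prints one of:
#   appimage-fuse-mount  DIR is a mount point whose fs type is fuse or fuse.*
#   other-mount          DIR is a mount point of some other filesystem type
#   not-a-mount          nothing is mounted on DIR (a plain directory)
classify_mount() {
  dir=$1
  mounts=${2:-/proc/self/mounts}
  # /proc/self/mounts fields: source, mount point, fs type, options, dump, pass
  fstype=$(awk -v d="$dir" '$2 == d { print $3 }' "$mounts" | tail -n 1)
  if [ -z "$fstype" ]; then
    echo not-a-mount
  elif [ "$fstype" = fuse ] || [ "${fstype#fuse.}" != "$fstype" ]; then
    echo appimage-fuse-mount
  else
    echo other-mount
  fi
}

# mount_user DIR [MOUNTS_FILE] -> prints the uid from the user_id= mount
# option (the unprivileged user who ran the AppImage), or "unknown".
mount_user() {
  awk -v d="$1" '
    $2 == d {
      n = split($4, opt, ",")
      for (i = 1; i <= n; i++)
        if (opt[i] ~ /^user_id=/) { sub("user_id=", "", opt[i]); print opt[i]; found = 1 }
    }
    END { if (!found) print "unknown" }' "${2:-/proc/self/mounts}"
}

# triage_dir DIR [MOUNTS_FILE] -> one-line summary for an alert reviewer.
triage_dir() {
  echo "$1: $(classify_mount "$1" "$2"), mounted by uid $(mount_user "$1" "$2")"
}

# Constructed sample of what /proc/self/mounts looks like while an AppImage
# is running (the AppImage name and uid are placeholders, not real data).
SAMPLE_MOUNTS=$(mktemp)
trap 'rm -f "$SAMPLE_MOUNTS"' EXIT
cat > "$SAMPLE_MOUNTS" <<'EOF'
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
Obsidian-X.Y.Z.AppImage /tmp/.mount_ObsidikcDNzJ fuse.Obsidian-X.Y.Z.AppImage ro,nosuid,nodev,relatime,user_id=1000,group_id=1000 0 0
EOF

# Stand-alone run against the constructed sample; on a live system call
# triage_dir with the flagged path only, to read /proc/self/mounts.
triage_dir /tmp/.mount_ObsidikcDNzJ "$SAMPLE_MOUNTS"
triage_dir /tmp/.mount_nothing "$SAMPLE_MOUNTS"
```

A plain directory under /tmp named like an AppImage mount point, with no corresponding FUSE entry in /proc/self/mounts, is the case that deserves a closer look; a read-only fuse.* mount whose user_id= matches the logged-in user is the normal AppImage behaviour described in this thread, and it disappears when the application exits.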
