You might want to stop running atop

Reason for the warning

  • The original blog post simply says to stop running and uninstall atop, without giving technical details.
  • Many commenters infer this implies a serious security issue (e.g., exploitable bug or backdoor), not just high resource usage or misleading output.
  • The explicit “uninstall” language is seen as pointing to a high‑impact risk rather than a mere quality gripe.

Debate over vague disclosure and trust

  • One camp says they will immediately remove atop based on the author’s reputation and the low cost of dropping a non‑essential tool.
  • Another camp criticizes this as “vagueposting,” arguing that changing software in production without a stated reason is bad practice.
  • There’s discussion of situations where someone may know specifics but be constrained by NDAs or ongoing incident response, and whether “trust me” is ever sufficient.

Potential security concerns in atop

  • atop can run persistently as root on some distros; optional netatop adds a root daemon plus a kernel module that hooks netfilter and has reportedly caused kernel crashes.
  • The package installs root‑run hooks and scripts (e.g., power‑management hooks), which some see as a natural place to hide a backdoor.
  • Code review in the thread highlights:
    • Use of system("gunzip -c %s > %s", ...) with user‑controlled input and /tmp tempfiles, raising command‑injection and TOCTOU concerns (though it’s not SUID).
    • General “sketchy” C practices that might hide exploitable bugs.
  • An older bug, previously found in atop, could crash the program and degrade system performance via obscure hardware‑timer interactions, reinforcing perceptions of fragility.
  • A later follow‑up post (linked in the thread) indicates a user‑to‑user privilege‑escalation pattern: one user can cause another user’s atop to “blow up” in a way that could be abused.
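
The shell-free alternative to the gunzip pattern flagged in the code-review bullets above, as an added example (not atop's code and not taken from the thread): the file name is passed as an argv element and the output goes to a descriptor from mkstemp(). The helper name gunzip_to_private_temp and the /tmp/rawlog-XXXXXX template are hypothetical, and a gunzip binary on PATH is assumed.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Risky shape described in the thread: a command string of the form
 * "gunzip -c %s > %s" is filled with a caller-supplied file name and a
 * predictable /tmp path, then handed to system(), i.e. to /bin/sh. */

/* Hypothetical helper: decompress src into a fresh private temp file.
 * tmpl must end in "XXXXXX" and is rewritten with the name created.
 * Returns 0 on success, -1 on failure (the temp file is removed). */
int gunzip_to_private_temp(const char *src, char *tmpl)
{
    /* mkstemp() creates the file with O_EXCL and mode 0600, so a file or
     * symlink planted in /tmp beforehand is never opened or followed. */
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;

    pid_t pid = fork();
    if (pid == 0) {
        /* Child: stdout is the descriptor we already hold, so the output
         * path is not resolved a second time (no check-then-use gap). */
        if (dup2(fd, STDOUT_FILENO) < 0)
            _exit(126);
        close(fd);
        /* No shell: src is one argv element, so ';', '$' or spaces in it
         * stay data. "--" stops a leading '-' being read as an option. */
        execlp("gunzip", "gunzip", "-c", "--", src, (char *)NULL);
        _exit(127);
    }
    close(fd);

    int status = 0;
    if (pid < 0 || waitpid(pid, &status, 0) < 0 ||
        !WIFEXITED(status) || WEXITSTATUS(status) != 0) {
        unlink(tmpl);               /* do not leave partial output behind */
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    char tmpl[] = "/tmp/rawlog-XXXXXX";
    if (argc != 2 || gunzip_to_private_temp(argv[1], tmpl) != 0)
        return 1;
    printf("decompressed to %s\n", tmpl);
    return 0;
}
```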

Distribution impact and operational use

  • Multiple users confirm atop is usually not installed by default on major distros, but is widely available in repositories.
  • Some organizations deploy it fleet‑wide as a last‑resort forensic and historical resource monitor, so a critical issue could have a large blast radius.
  • Several people describe rapidly removing it via config management and package locks.

Alternatives and geopolitics

  • Many note they already use top, htop, btop, or glances; atop’s unique value is historical logging and replay.
  • There is side debate over maintainers’ geography (e.g., China/Russia vs. Western countries), government pressure, and whether that meaningfully changes trust assumptions for open‑source tools.