News: 1743003069

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

Credible nerd says stop using atop, doesn't say why, everyone panics

(2025/03/26)


Veteran sysadmin and tech blogger Rachel Kroll posted a cryptic warning yesterday about a popular Linux system monitoring tool. Maybe it's better to be safe than sorry.

The post is titled: [1]"You might want to stop running atop." No details, no context – just a few paragraphs that have set off alarm bells in corners of the Linux world.

Better known online as [2]rachelbythebay , Kroll has a good reputation in the tech industry. She's wrangled servers for Facebook and Lyft, and has been a speaker at events from [3]USEnix to [4]Strange Loop . She's also collected some of her writing in books, which [5]used to be on Amazon, but which you can now get, [6]free of DRM , from the [7]Gumroad store .

[8]

Unsurprisingly, this post has caused some excitement on techie forums such as [9]Lobsters and [10]Hacker News . We feel that the best summary is [11]this one from Duncan Bayne:

Just another content-free report of… oh wait it's rachelbythebay…

/me runs off to check his machines for atop

[12]Atop is a system monitoring tool for Linux and FreeBSD, and most distros include it in their repositories. It's been around for years and the last release, [13]version 2.11.0 , was out in June last year. Even Red Hat [14]has recommended it in the past.

Atop is in the family of the well-known [15]top command . "TOP" stands for "table of processes" – at least colloquially – and it's a sort of task manager for the Unix shell. It shows you a live, constantly updating list of the most active processes running on your computer, which you can sort by various criteria, such as CPU or memory usage. Pretty much all Unix-like OSes include the top command, and there are a bunch of similar ones, including the popular [16]htop by [17]Hisham Muhammad , co-creator of Reg FOSS desk [18]favorite GoboLinux , and [19]btop++ , which we [20]recently used to demonstrate the tiny resource usage of Pi-hole.

[21]ReactOS emits release 0.4.15 – its first since 2021

[22]EU OS drafts a locked-down Linux blueprint for Eurocrats

[23]Fedora 42 beta has so many spins, it'll make your head whirl

[24]GNOME 48 lands with performance boosts, new fonts, better accessibility

Atop is slightly different, and we suspect that is critical here. While most top-style programs are live tools that show resource usage right now, atop also has a component that can run in the background, logging performance information to a file. This is useful for troublesome machines where you can't see what was happening just before they became unresponsive. After a reboot, you can replay atop's activity record and see what the box was doing before things went wrong.

It's possible that an exploit or vulnerability has been found in the atop program somewhere. Since there hasn't been a new version in nine months, it's probably been there for a while, maybe years, but has only just been found. It may also be that Kroll is unable to share details due to contractual obligations. Thus, this vaguely worded warning is all that she's able to say.

[25]

The Register has attempted to contact both Kroll as well as atop author Gerlof Langeveld. He definitely knows his stuff. We attended his seriously in-depth [26]talk on Linux monitoring at the Open Source Summit in Bilbao a couple of years ago. We even understood some of it.

If either of them gets back to us, we will update this story. But in the meantime, as atop is purely a monitoring tool, it really shouldn't break anything if you just uninstall it for safety's sake. We think that there might be a new version announced any day now, which will be included in all fashionable Linux distributions and other open source Unix-like OSes, very soon. You can always reinstall it once it's been updated. ®

Get our [27]Tech Resources



[1] https://rachelbythebay.com/w/2025/03/25/atop/

[2] https://rachelbythebay.com/

[3] https://www.usenix.org/conference/srecon16/speaker-or-organizer/rachel-kroll-facebook

[4] https://www.thestrangeloop.com/2018/some-things-may-never-get-fixed.html

[5] https://www.amazon.co.uk/stores/author/B0087CLXYA/about

[6] https://rachelbythebay.com/w/2025/02/20/books/

[7] https://gumroad.com/?query=rachel+kroll

[8] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Z-QysSystQJQeoDBKBCp0AAAAtQ&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[9] https://lobste.rs/s/jaxxly/you_might_want_stop_running_atop

[10] https://news.ycombinator.com/item?id=43477057

[11] https://lobste.rs/s/jaxxly/you_might_want_stop_running_atop#c_p9sx3d

[12] https://atoptool.nl/

[13] https://github.com/Atoptool/atop/releases/tag/v2.11.0

[14] https://www.redhat.com/en/blog/analyzing-linux-server-performance-atop

[15] https://man7.org/linux/man-pages/man1/top.1.html

[16] https://htop.dev/

[17] https://hisham.hm/

[18] https://www.theregister.com/2021/12/03/nixos_linux_os_design/

[19] https://github.com/aristocratos/btop

[20] https://www.theregister.com/2025/03/08/pi_hole_6_flyby/

[21] https://www.theregister.com/2025/03/25/reactos_drops_release_0415/

[22] https://www.theregister.com/2025/03/25/eu_os_free_govt_desktop/

[23] https://www.theregister.com/2025/03/24/fedora_42_beta/

[24] https://www.theregister.com/2025/03/24/gnome_48/

[25] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z-QysSystQJQeoDBKBCp0AAAAtQ&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[26] https://osseu2023.sched.com/event/1OGip/tutorial-linux-memory-management-and-containers-gerlof-langeveld-at-computing

[27] https://whitepapers.theregister.com/



"You might want to stop running atop."

Anonymous Coward

cf.

"You won't believe what these Hollywood starts look like now"

"save $$$ with this one weird hack"

Brewster's Angle Grinder

"It may also be that Kroll is unable to share details due to contractual obligations."

Forget contractual obligations, it's irresponsible to share info until a fix has been released (and had time to bed in) - unless it is being actively exploited. And even if it's being actively exploited, you wouldn't want to point at the hole lest other bad guys create an exploit against it.

So the assessment is, right now, it's reasonable to assume there is an actively exploited hole with no fix available.

Anonymous Coward

She could have given something vaguely in the region of a reason.

"at least ensure unprivileged users can't run it" vs "unless the machine has no networking capability" vs "have disk quota active"

Not an exploit. Not even a pointer to where to inspect the code. Just an indication of the class of issue.

<slashdot> my US geograpy is lousy...lol
<knghtbrd> so's mine and I live here