Hacker News
by dgacmu 446 days ago
There's a lot of speculation about why, with the answer almost certainly security / exploitable (or backdoor), and I'll just throw an extra little tidbit in:

atop seems to run persistently as root, which may be the reason for preventing it from running/uninstalling.

The netatop part of atop installs a persistent kernel module, netatop.ko, as part of its installation. The module hooks netfilter to be able to monitor all traffic.

If there's an exploitable flaw in the kernel module, this would be a max-severity CVE.

netatop _also_ runs a persistent daemon, netatopd, which I believe from inspecting the source runs as root.

The article's language about uninstalling it kinda sorta makes you think one of these three parts is in some way exploitable or backdoored -- any which way it's a privileged process, and one that's monitoring network traffic.

(I'm not sure if netatop is installed by default on systems when you install atop, per czk's comment below)


> atop seems to run persistently as root, which may be the reason for preventing it from running/uninstalling.

Some distributions (like Ubuntu) enable that service by default, but some others (like Fedora) don't.

How severe it would be would depend on how exploitable it was in likely configurations.

When we tried deploying it we had netatop crashing kernels with a use after free on a linked list, based on the stack traces and kernel dumps. Every box we trialed it on started going down multiple times a week.

I'm not familiar with atop but the website mentions netatop is optional and what I've found suggests you have to manually install it. Do you know if any distributions/packages install this by default alongside the atop install?

netatop is not in Debian, and the atop package doesn't include any .ko files.

I don't think netatop is installed in Ubuntu packages either.

This is a good question - I'm not sure. The rpmspec doesn't seem to install it, so perhaps it's not quite that bad. The atop program _itself_ runs persistently, though, so, uh, still bad. :)