Date: Thu, 14 Dec 2006 15:53:17 +0000
Content-Type: TEXT/PLAIN
On Thu, 14 Dec 2006, Robert E. Blair wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> We had some system problems and groped around a bit to figure out what
> was broken. In the process we stumbled over a curiosity which maybe
> someone knows the answer to. The "rpm --dump -q ..." command can dump
> all the file properties for a given package. Among the properties is
> something documented as an md5sum. This does not appear to be the same
> md5sum that the md5sum command gives - except in the case of text files.
> Here is an example:
>
> $ rpm --dump -q bash | grep ^/bin/bash\
> /bin/bash 741384 1155510881 d9fc37e72601d7f756dee6c7f2f70dcd 0100755 root root 0 0 0 X
> $ md5sum /bin/bash
> 234de4be15eeba794e5cb4f0996e6156 /bin/bash
> $ rpm --verify bash
> $
>
> At first I thought I had been hacked but it is consistent across several
> systems and even the md5sum for (take this example /bin/bash) the files
> appears to vary from system to system. Is there an acl issue here? If
> this is it how do you tell md5sum to ignore the extra file data? I know
> that rpm is consistent in that a change in the file will lead to a "5"
> in the verify. Anyone have a clue as to why this would be or how to
> construct an equivalent sum?
Yup, this is most likely caused by prelink altering parts of the headers, so
breaking the expected checksums.
You can ask prelink to output what the md5sum (or sha1sum) would be if it
hadn't made any changes:
/usr/sbin/prelink --verify --md5 /bin/bash
or prelink --verify --sha /bin/bash etc. Of course you have to trust your
prelink executable is giving the right answers...
btw I think that using rpmquery --qf is *much* easier than using --dump to
extract the bits of info I'm interested in. e.g. we do something like:
rpmquery --qf '[P=%{FILENAMES} MD5=%{FILEMD5S} FL=%{FILEFLAGS} M=%{FILEMODES:octal} SL=\"%{FILELINKTOS}\"\n]'
which results in output like (for /bin/bash):
P=/bin/bash MD5=6c46871ea3d6790d2b2eb09db035c3be FL=0 M=100755 SL=""
which I find somewhat easier to parse. The output from prelink above
needs to match this.
Note that rpmquery -V does those checks automatically for you, so --verify
is fine if you trust the rpm database to be safe/secure.
We used to disable prelink to avoid the issue -- we have our own
tripwire-like scripts which check checksums at least for setuid/setgid
programs. Those scripts fail iff the apps have been prelinked. I'm
toying with just using the rpm database or relying on prelink --verify
output in future... (I still haven't decided).
-- Jon
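The check Jon sketches above (rpmquery --qf for the recorded digest, prelink --verify --md5 for the digest of the un-prelinked file, then compare) written out as a small script. This is an added example, not Jon's own tripwire-like scripts or anything from rpm or prelink; the function names are this example's. It assumes that prelink --verify --md5 prints the digest in the first field of its output, as md5sum does, and falls back to plain md5sum for files prelink refuses to handle (non-ELF files such as configs). The comparison itself is pure text so it can be exercised with constructed listings where rpm is not installed:

```shell
#!/bin/sh
# Compare the file digests recorded in the RPM database with digests taken
# from the files on disk after undoing prelink's modifications.
# Example code added for illustration; helper names are assumptions.

# compare_sums EXPECTED ACTUAL
#   EXPECTED and ACTUAL are newline-separated "path digest" lines: EXPECTED
#   as recorded by rpm, ACTUAL as computed from the installed files.
#   Prints "MISMATCH path expected actual" for each differing file and
#   "MISSING path" for expected files with no computed digest.
#   Returns 0 only when every expected file matched.
compare_sums() {
    printf '%s\n' "$1" | awk -v actual="$2" '
        BEGIN {
            n = split(actual, lines, "\n")
            for (i = 1; i <= n; i++)
                if (split(lines[i], f, " ") == 2) have[f[1]] = f[2]
            bad = 0
        }
        NF == 2 {
            if (!($1 in have))        { print "MISSING " $1; bad = 1 }
            else if (have[$1] != $2)  { print "MISMATCH " $1 " " $2 " " have[$1]; bad = 1 }
        }
        END { exit bad }'
}

# rpm_expected_sums PKG: "path digest" for every packaged file that carries a
# digest (directories, symlinks and %ghost files have an empty FILEMD5S and
# are dropped by the NF == 2 filter). Same query tag Jon uses above.
rpm_expected_sums() {
    rpm -q --qf '[%{FILENAMES} %{FILEMD5S}\n]' "$1" | awk 'NF == 2'
}

# file_sum PATH: digest of the file as it was before prelink touched it.
# prelink --verify --md5 fails (empty output) on non-ELF files, in which case
# the file cannot have been prelinked and md5sum is the right answer.
# Assumption: prelink prints the digest in the first field, like md5sum.
file_sum() {
    sum=""
    if command -v prelink >/dev/null 2>&1; then
        sum=$(prelink --verify --md5 "$1" 2>/dev/null | awk '{print $1}')
    fi
    [ -n "$sum" ] || sum=$(md5sum "$1" 2>/dev/null | awk '{print $1}')
    printf '%s\n' "$sum"
}

# verify_package PKG: run the whole comparison for one installed package.
# Paths containing whitespace are not handled (rare in packaged files).
verify_package() {
    expected=$(rpm_expected_sums "$1")
    actual=""
    for path in $(printf '%s\n' "$expected" | awk '{print $1}'); do
        sum=$(file_sum "$path")
        [ -n "$sum" ] && actual="$actual$path $sum
"
    done
    compare_sums "$expected" "$actual"
}

# Stand-alone use: sh rpmcheck.sh bash   (needs rpm; prelink optional)
if [ $# -gt 0 ] && command -v rpm >/dev/null 2>&1; then
    verify_package "$1"
fi
```

Two caveats worth keeping in mind when adapting this. First, it inherits exactly the trust problem Jon names: the rpm database supplies the expected digests and the prelink binary supplies the "undone" digest, so a compromise of either defeats the check; a copy of the digest list taken at install time and stored off-host is the usual fix. Second, rpm's file digests are MD5 only on rpm versions of that era; newer rpm records SHA-256 (FILEDIGESTS, of which FILEMD5S is an alias), so on such systems the on-disk side must use sha256sum and prelink --verify --sha, which prints SHA-1, will not match either way. prelink itself has since been dropped by the major distributions, which removes the mismatch but not the need to compare against a trusted digest source.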