Does the on-disk image of an executable ever change?
Michael ODonnell
michael.odonnell at comcast.net
Wed Nov 4 16:56:36 EST 2009
I'm running an rpm --verify --all pass on those machines right now and
it's showing quite a few indications of unexpected differences based
on the info recorded in the RPM database. Ben is right; that's a very
nice feature of RPM. When I captured the output in a file and then said
things like this:
    grep -e '^..5' /tmp/rpmVerifyLog
...I was unpleasantly surprised to see results like this:
.
.
.
SM5....T c /etc/sysconfig/iptables-config
S.5....T c /etc/yum.repos.d/adobe-linux-i386.repo
S.5....T /sbin/parted
S.5....T /sbin/partprobe
S.5....T /usr/bin/mcopidl
S.5....T /usr/lib64/perl5/5.8.8/x86_64-linux-thread-multi/perllocal.pod
S.5....T /usr/sbin/avcstat
S.5....T /usr/sbin/getenforce
S.5....T /usr/sbin/getsebool
S.5....T /usr/sbin/matchpathcon
S.5....T /usr/sbin/selinuxenabled
S.5....T /usr/sbin/setenforce
S.5....T /usr/sbin/togglesebool
S.5....T c /etc/yum.repos.d/rpmforge.repo
S.5....T c /usr/share/config/kdm/kdmrc
S.5....T /usr/bin/gsf-office-thumbnailer
S.5....T /usr/bin/animate
S.5....T /usr/bin/compare
S.5....T /usr/bin/composite
S.5....T /usr/bin/conjure
S.5....T /usr/bin/convert
S.5....T /usr/bin/display
S.5....T /usr/bin/identify
S.5....T /usr/bin/import
S.5....T /usr/bin/mogrify
S.5....T /usr/bin/montage
S.5....T /usr/share/hwdata/videoaliases/nv.xinf
S.5..U.T c /etc/ntp/ntpservers
.
.
.
...so that system seems to have suffered disk corruption or compromise;
I'm assuming the former given the large number of affected files but I
guess I can't rule out the latter.
FYI, the man page provides this interpretation:
    The format of the output is a string of 8 characters, a possible
    attribute marker:

        c %config configuration file.
        d %doc documentation file.
        g %ghost file (i.e. the file contents are not included in the package payload).
        l %license license file.
        r %readme readme file.

    from the package header, followed by the file name. Each of the 8
    characters denotes the result of a comparison of attribute(s) of the
    file to the value of those attribute(s) recorded in the database.
    A single "." (period) means the test passed, while a single "?"
    (question mark) indicates the test could not be performed (e.g. file
    permissions prevent reading). Otherwise, the (mnemonically emBoldened)
    character denotes failure of the corresponding --verify test:

        S file Size differs
        M Mode differs (includes permissions and file type)
        5 MD5 sum differs
        D Device major/minor number mismatch
        L readLink(2) path mismatch
        U User ownership differs
        G Group ownership differs
        T mTime differs
More information about the gnhlug-discuss
mailing list
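
Added example (not part of the original post): a Python sketch that parses rpm --verify result lines using the column legend quoted in the message and separates packaged non-config files whose digest differs from %config files, unreadable digests and metadata-only changes. The function and bucket names are assumptions made for this example; the sample lines come from the post except the two marked as constructed.

```python
import re

# Columns in the order rpm prints them, per the man page excerpt in the post.
TESTS = "SM5DLUGT"
# 8 result columns (a 9th, printed by newer rpm versions, is tolerated),
# an optional attribute marker, then the absolute path.
LINE_RE = re.compile(r"^([SM5DLUGTP.?]{8,9})\s+(?:([cdglr])\s+)?(/.*)$")

def parse_verify_line(line):
    """Return (failed, unreadable, marker, path), or None for non-result lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    flags, marker, path = m.groups()
    failed = {c for c in flags if c not in ".?"}
    unreadable = {TESTS[i] for i, c in enumerate(flags[:8]) if c == "?"}
    return failed, unreadable, marker, path

def triage(lines):
    """Bucket paths by how much the result says about file content."""
    buckets = {"content_changed": [], "config_changed": [],
               "digest_unreadable": [], "metadata_only": []}
    for line in lines:
        rec = parse_verify_line(line)
        if rec is None:
            continue
        failed, unreadable, marker, path = rec
        if "5" in failed and marker == "c":
            buckets["config_changed"].append(path)    # often a local edit
        elif "5" in failed:
            buckets["content_changed"].append(path)   # packaged file's bytes differ
        elif "5" in unreadable:
            buckets["digest_unreadable"].append(path) # digest test could not run
        else:
            buckets["metadata_only"].append(path)
    return buckets

# The first four result lines are from the post; the last two are constructed.
SAMPLE = """\
.
SM5....T c /etc/sysconfig/iptables-config
S.5....T /sbin/parted
S.5....T /usr/sbin/getenforce
S.5..U.T c /etc/ntp/ntpservers
.......T /usr/bin/example-tool
..?..... /usr/bin/example-unreadable
""".splitlines()

if __name__ == "__main__":
    for name, paths in triage(SAMPLE).items():
        print(f"{name}: {len(paths)}")
        for p in paths:
            print(f"  {p}")
```

The content_changed bucket holds the entries that bear on the question in the subject line: packaged files outside %config whose recorded digest no longer matches.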