Does the on-disk image of an executable ever change?
Joshua Judson Rosen
rozzin at geekspace.com
Wed Nov 4 22:58:54 EST 2009
"Michael ODonnell" <michael.odonnell at comcast.net> writes:
>
> I'm running an rpm --verify --all pass on those machines right now and
> it's showing quite a few indications of unexpected differences based
> on the info recorded in the RPM database. Ben is right; that's a very
> nice feature of RPM. When I captured the output in a file and then said
> things like this:
>
> grep -e '^..5' /tmp/rpmVerifyLog
>
> ...I was unpleasantly surprised to see results like this:
[...]
> SM5....T c /etc/sysconfig/iptables-config
> S.5....T c /etc/yum.repos.d/adobe-linux-i386.repo
> S.5....T /sbin/parted
[...]
> S.5..U.T c /etc/ntp/ntpservers
[...]
> ...so that system seems to have suffered disk corruption or compromise;
> I'm assuming the former given the large number of affected files but I
> guess I can't rule out the latter.
>
> FYI, the man page provides this interpretation:
[...]
> S file Size differs
> M Mode differs (includes permissions and file type)
> 5 MD5 sum differs
[...]
> T mTime differs

You didn't crash, drop power, or otherwise cause a sudden reboot in
the middle of (or /immediately/ following) a system upgrade, did you?
If you did, then there is perhaps some chance (dependent on the
type(s) of filesystems, I guess) that some filesystem-data just didn't
get flushed-out properly, and either your files are truncated or
contain the data they had prior to the upgrade. I'm not really *that*
intimately familiar with all of the details of how RPM supersedes
files during upgrade (does it overwrite them in-place, or does it
rename() over them?), but I do remember that it does do some things
that I'd call `funny' (if I was being polite...).

Have you done straight (non-hashed) content-comparison of any of these
files? Are they actually gratuitously different in content, or are
they just truncated on one system? MD5sums are effectively dependent
on file-size....

What prompted this investigation in the first place? You wrote
"behaving strangely"..., but can you give some elucidation as to what
that means?
--
"Don't be afraid to ask (λf.((λx.xx) (λr.f(rr))))."