wtf ... Something strips installed binaries???
Daniel P. Berrange
berrange at redhat.com
Tue Sep 2 13:16:45 UTC 2008
On Tue, Sep 02, 2008 at 11:07:45AM -0200, Thomas M Steenholdt wrote:
> Bill Crawford wrote:
> >Thomas M Steenholdt wrote:
> >>I wasn't even aware that prelinking actually changed the files. Isn't
> >>this kind of dangerous from a system-integrity point-of-view. How can we
> >>ever validate binaries if they are modified on purpose?
> >
> >With "prelink --verify" ?
> >
>
> I can't see how that would actually verify that the binary has not been
> modified by a rootkit or whatever?
It is explained in the manpage for prelink
-y --verify
Verifies a prelinked binary or library. This option can be used only on
a single binary or library. It first applies an --undo operation on the
file, then prelinks just that file again and compares this with the
original file. If both are identical, it prints the file after --undo
operation on standard output and exits with zero status. Otherwise it
exits with error status. Thus if --verify operation returns zero exit
status and its standard output is equal to the content of the binary or
library before prelinking, you can be sure that nobody modified the
binaries or libraries after prelinking. Similarly with message digests
and checksums (unless you trigger the improbable case of modified file
and original file having the same digest or checksum).
> rpm -V should be able to detect this,
> on the other hand, but how it works in conjunction with prelinking I
> don't know...
IIRC, rpm -V is prelink aware, and calls out to prelink --verify rather than
doing a blind checksum compare.
Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
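The point of the manpage excerpt and of the remark about rpm -V is that a digest check on a prelinked file must be taken over the content as it was before prelinking, which prelink -y emits on stdout, rather than over the bytes on disk. The script below is an added illustration of that distinction and is not code from the post or from rpm or prelink. It assumes sha256sum is available, and that readelf and prelink exist on a system where the file really is prelinked; on a host without prelink it simply digests the file as-is. The expected digest stands in for the per-file digest that the RPM database records at install time.

```shell
#!/bin/sh
# Added example (not from the mailing-list post or from rpm/prelink): a
# prelink-aware digest check in the spirit of what rpm -V does.
# Assumes: sha256sum; readelf and prelink when a file is actually prelinked.
# EXPECTED is a hex SHA-256 recorded before prelinking (as the RPM database
# holds per-file digests).

# Emit the file content as it was before prelinking. A prelinked ELF carries
# a .gnu.prelink_undo section; for such files 'prelink -y' undoes the
# prelink, re-prelinks, compares, and on success writes the un-prelinked
# original to stdout (it exits non-zero if the file was tampered with).
# Files that are not prelinked (or hosts without prelink) are passed through.
undo_prelink() {
    f=$1
    if command -v prelink >/dev/null 2>&1 && command -v readelf >/dev/null 2>&1 \
       && readelf -S "$f" 2>/dev/null | grep -q '\.gnu\.prelink_undo'; then
        prelink -y "$f"
    else
        cat "$f"
    fi
}

# Prelink-aware check: exit 0 if the digest of the un-prelinked content
# matches EXPECTED, 1 otherwise. If prelink -y fails, its (empty or partial)
# output will not digest to EXPECTED, so tampering still yields a mismatch.
verify_file() {
    f=$1; expected=$2
    actual=$(undo_prelink "$f" | sha256sum | cut -d' ' -f1) || return 1
    [ "$actual" = "$expected" ]
}

# Blind check, for contrast: digests the on-disk bytes as they are. On a
# prelinked file this mismatches the pre-prelink digest even when nothing
# malicious happened, which is why rpm -V cannot work this way.
blind_verify() {
    f=$1; expected=$2
    actual=$(sha256sum "$f" | cut -d' ' -f1) || return 1
    [ "$actual" = "$expected" ]
}
```

Usage: `verify_file /usr/bin/foo <recorded-sha256>`; a non-zero exit means the content behind the prelink modifications no longer matches what was recorded.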