rootkit?

Ralf Corsepius rc040203 at freenet.de
Mon Dec 12 03:51:25 UTC 2005


On Sun, 2005-12-11 at 17:33 +0000, James Wilkinson wrote:
> Michael A. Peters wrote:
> > Sun used to (still does?) allow you to enter an md5sum and it would tell
> > you exactly what file it matched, along with what patch level.
> 
> Ralf Corsepius replied:
> > rpm based systems have "rpm {-V|--verify}", which provide a comparable
> > feature.
> 
> Unfortunately, this is pretty useless if you can't trust the RPM
> database.
True, nevertheless, it still gives valuable hints when trying to find
out whether you have been compromised.

Also, as compromising the RPM-db requires root access, compromising the
RPM-db is still one level more unlikely to happen than finding malware
in a user's home or tmp.

> And on a compromised machine, you can't trust the RPM database.
Sure, but at some point, paranoia has got to end and you'll have to
trust something.

> And, unfortunately, prelinking means that you can't even compare them to
> a "known good" machine.
Yep. 

Wrt. this, prelinking can be considered a security risk, as well as some
of RH's packaging conventions (e.g. allowing unowned files and using
"alternatives").

So I agree, rpm -V is of very limited use, but it is far from being
useless.

Ralf

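The thread above discusses reading "rpm -V" output and the prelink caveat. The script below is an added example, not code from the thread or from the rpm project: it triages constructed "rpm -Va" sample lines (digest mismatches and missing files, ignoring config files that are expected to drift) and hashes a binary after undoing prelink with "prelink -y" so the hash can be compared with a known-good machine. The sample lines, the function names and the fallback behaviour when prelink is not installed are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the fedora-list thread. Triage "rpm -Va" output.
# rpm -V prints one line per file that differs from the RPM database:
#   S.5....T.  /usr/bin/login          size, digest ('5') and mtime changed
#   S.5....T.  c /etc/ssh/sshd_config  same, but a config file ('c' attribute)
#   missing    /usr/lib/libfoo.so.1    file is gone
# The flag field is SM5DLUGT (newer rpm adds P); column 3 is the digest check.

# Constructed sample output, not captured from a real system.
SAMPLE_RPM_V='S.5....T.  /usr/bin/login
.......T.  /usr/bin/ls
S.5....T.  c /etc/ssh/sshd_config
missing    /usr/lib/libfoo.so.1
..5......  /sbin/ifconfig
.M.......  /var/log/messages'

# Read rpm -V lines on stdin; print files whose contents changed or vanished.
# Config files ('c') are skipped: they are expected to differ from the package.
triage_rpm_verify() {
    awk '
        $1 == "missing" { print "MISSING  " $2; next }
        NF == 3 && $2 == "c" { next }                 # config file, ignore
        substr($1, 3, 1) == "5" {                     # digest mismatch
            path = (NF == 3) ? $3 : $2
            print "MODIFIED " path
        }
    '
}

# Convenience wrapper: number of suspicious entries in a block of rpm -V text.
count_suspects() {
    printf '%s\n' "$1" | triage_rpm_verify | wc -l | tr -d ' '
}

# Hash a file with prelink undone. "prelink -y FILE" writes the original,
# unprelinked contents to stdout, so the hash matches a non-prelinked host.
# Falls back to hashing the file as-is when prelink is missing or the file
# was never prelinked (prelink -y then exits non-zero).  Assumed fallback.
file_md5_unprelinked() {
    f=$1
    tmp=$(mktemp) || return 1
    if command -v prelink >/dev/null 2>&1 && prelink -y "$f" >"$tmp" 2>/dev/null; then
        md5sum <"$tmp" | cut -d' ' -f1
    else
        md5sum <"$f" | cut -d' ' -f1
    fi
    rm -f "$tmp"
}

# Stand-alone run: show the triage of the constructed sample.
printf '%s\n' "$SAMPLE_RPM_V" | triage_rpm_verify
```

On a real host you would pipe "rpm -Va" into triage_rpm_verify instead of the sample. Because the local RPM database is exactly what an intruder with root can rewrite, the hash from file_md5_unprelinked is only meaningful compared against a trusted reference: either the same file on a known-clean machine, or the original package from install media checked with "rpm -Vp /path/to/package.rpm", which verifies against the package file rather than the installed database.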