On Sun, 2005-12-11 at 17:33 +0000, James Wilkinson wrote:
> Michael A. Peters wrote:
> > Sun used to (still does?) allow you to enter an md5sum and it would tell
> > you exactly what file it matched, along with what patch level.
>
> Ralf Corsepius replied:
> > rpm based systems have "rpm {-V|--verify}", which provide a comparable
> > feature.
>
> Unfortunately, this is pretty useless if you can't trust the RPM
> database.

True, nevertheless, it still gives valuable hints when trying to find out whether you have been compromised.

Also, as compromising the RPM-db requires root access, compromising the RPM-db is still one level more unlikely to happen than finding malware in a user's home or tmp.

> And on a compromised machine, you can't trust the RPM database.

Sure, but at some point, paranoia has got to end and you'll have to trust something.

> And, unfortunately, prelinking means that you can't even compare them to
> a "known good" machine.

Yep. Wrt. this, prelinking can be considered a security risk, as well as some of RH's packaging conventions (e.g. allowing unowned files and using "alternatives").

So I agree, rpm -V is of very limited use, but it is far from being useless.

Ralf
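The thread's point is that `rpm -V` compares files against a reference (the RPM database) that lives on the same host, so a root-level intruder can rewrite the reference along with the files. The usual way to "trust something" without trusting the audited box is to take a checksum manifest of the tree on a known-clean host and keep it off-box, then compare the live tree against that copy. The script below is an added example, not part of the thread or of any RPM tooling; it assumes only `sha256sum` and `find` from coreutils/findutils, and builds a constructed sample tree so it can run anywhere. If prelink is in use, hashes of prelinked binaries will differ from the packaged originals, so the baseline has to be taken after prelinking on the same host (or from the un-prelinked output of `prelink -y`).

```shell
#!/bin/sh
# Added example (not from the thread): build a SHA-256 manifest of a
# directory tree on a trusted host, store it off-box, and later check the
# live tree against it. Unlike "rpm -V", the reference is not kept in a
# database on the audited machine, so a compromise there cannot silently
# rewrite it. Assumes sha256sum (coreutils) and find (findutils).

# build_manifest DIR OUT
#   Write "hash  ./relative/path" lines for every regular file under DIR,
#   sorted by path so two manifests can be diffed directly.
build_manifest() {
    dir=$1; out=$2
    (cd "$dir" && find . -type f -exec sha256sum {} + | sort -k2) > "$out"
}

# verify_manifest DIR MANIFEST
#   Re-hash DIR and compare with MANIFEST; prints one line per file that
#   changed or went missing. Returns 0 when everything matches, non-zero
#   otherwise (sha256sum -c's own exit status).
verify_manifest() {
    dir=$1; manifest=$2
    (cd "$dir" && sha256sum --quiet -c "$manifest")
}

# demo_detects_tampering
#   Constructed sample: two fake binaries, a baseline, then one of them
#   replaced (the "trojaned ps" case rpm -V is also meant to catch).
#   Returns 0 only if the clean tree verifies AND the tampering is caught.
demo_detects_tampering() {
    work=$(mktemp -d) || return 2
    mkdir -p "$work/tree/bin"
    printf 'constructed sample: ls\n' > "$work/tree/bin/ls"   # constructed
    printf 'constructed sample: ps\n' > "$work/tree/bin/ps"   # constructed
    build_manifest "$work/tree" "$work/baseline.sha256"

    # a clean tree must verify against its own baseline
    if ! verify_manifest "$work/tree" "$work/baseline.sha256" >/dev/null 2>&1; then
        rm -rf "$work"; return 1
    fi

    # simulate a replaced binary and make sure the check notices
    printf 'constructed sample: trojaned ps\n' > "$work/tree/bin/ps"
    if verify_manifest "$work/tree" "$work/baseline.sha256" >/dev/null 2>&1; then
        rm -rf "$work"; return 1   # tampering went undetected
    fi

    rm -rf "$work"
    return 0
}

demo_detects_tampering && echo "baseline check detects the modified file"
```

In practice `build_manifest` runs on the freshly installed (or known-clean) host and the manifest is copied to read-only media or another machine; `verify_manifest` is then run from a trusted boot environment rather than from the suspect system's own binaries, since a compromised `sha256sum` or `find` could lie just as easily as a compromised RPM database.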