On 18Nov2007 10:20, Dave Burns <tburns@xxxxxxxxxx> wrote:
| > Practically all .py modules will get turned into .pyc files and
| > won't match the manifests.
|
| So any *.py file may generate a <same name>.pyc file?

Yes, if the interpreter has rights to write to that portion of the
filesystem.

| So if I am trying to be security conscious (anal) and track stuff so I
| can say, "Yeah that belongs there" or "Hey this might be part of a
| rootkit", this makes a big gray area, right?

You can make the same argument about squid caches etc. Your point is
valid though.

| Is there a way I can
| verify that a particular .pyc comes from a .py that *is* on the
| manifest?

I'm not sure. You could write a python script using its "compile()"
function maybe; I don't know how big a step it is from that to a .pyc
file.

| Any way I can request that all .pyc's be constructed *now*
| so I can scan them with tripwire?

One crude approach: remove all the .pyc files. Run a small shell script
to source each python file (using import "modulename" - a lot of
modules have "run a demo/self-test if I am the main program" hooks).
Chown root all the new .pyc files if they're not already so. Run
tripwire.

| Some way to deal with this other
| than, "Well, it has the same filename as something that belongs
| there"?

These are questions I cannot answer.

[...snip...]

| > There are also a few dynamically created configuration and
| > database files floating around Fedora.
|
| Those would presumably not be executable and seem easier to cope with,

Remember that "data" files, like .pyc files, are in effect
"interpreted" by the tools that use them, because they make decisions
based on their content. For certain data files, a misdecision can be as
subversive as a trojan .pyc file. Eg a bogus password file with a
trojan in the "shell" column for root (or any other user, such as
yourself). And so forth.

| though I suppose there is still an issue of when can you be sure they
| are all in place? And I suppose that can't be answered in general, but
| must be answered on a case by case basis.

Yeah, I think so. This is why sandboxes are desirable for things you
don't trust. On a UNIX box, special purpose users constitute a kind of
simple sandbox.

Cheers,
--
Cameron Simpson <cs@xxxxxxxxxx> DoD#743
http://www.cskk.ezoshosting.com/cs/

Microsoft is not the ANSWER. Microsoft is the QUESTION, and the ANSWER is NO!
- Roland.Giersig@xxxxxxxxxxxxxx
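A defender-side script for the two questions raised in the thread (checking that a given .pyc was built from a given .py, and building every .pyc now so tripwire can baseline them), added here as an example and not code from the thread or from Fedora. It assumes CPython 3.7 or later, whose .pyc header is 16 bytes and may be hash-based (PEP 552), and it also flags orphan .pyc files with no source behind them, which the thread only hints at.

```python
# Added example, not code from the thread; assumes CPython >= 3.7 (16-byte .pyc header, PEP 552).
import importlib.util
import marshal
import py_compile
import struct
from pathlib import Path

def pyc_matches_source(pyc_path, py_path):
    """True if pyc_path was built from the current content of py_path."""
    data = Path(pyc_path).read_bytes()
    source = Path(py_path).read_bytes()
    if len(data) < 16 or data[:4] != importlib.util.MAGIC_NUMBER:
        return False  # truncated, or built by another interpreter version
    (flags,) = struct.unpack("<I", data[4:8])
    if flags & 1:  # hash-based pyc: header carries the SipHash of the source
        if data[8:16] != importlib.util.source_hash(source):
            return False
    else:  # timestamp-based pyc: header carries source mtime and size
        mtime, size = struct.unpack("<II", data[8:16])
        st = Path(py_path).stat()
        if mtime != (int(st.st_mtime) & 0xFFFFFFFF) or size != (st.st_size & 0xFFFFFFFF):
            return False
    # Header agrees; compare the bytecode with a fresh compile too, so a same-size,
    # same-second edit of the .py or a patched .pyc body is still caught.
    try:
        stored = marshal.loads(data[16:])
    except (ValueError, EOFError, TypeError):
        return False
    return stored == compile(source, str(py_path), "exec", dont_inherit=True)

def compile_tree(root):
    """Build every .pyc below root now (hash-based, so the header has no mtime)."""
    mode = py_compile.PycInvalidationMode.CHECKED_HASH
    return [Path(py_compile.compile(str(py), doraise=True, invalidation_mode=mode))
            for py in sorted(Path(root).rglob("*.py"))]

def audit_tree(root):
    """Classify every .pyc below root as (verified, orphans, mismatches)."""
    verified, orphans, mismatches = [], [], []
    for pyc in sorted(Path(root).rglob("*.pyc")):
        try:
            py = Path(importlib.util.source_from_cache(str(pyc)))
        except ValueError:  # not a __pycache__ name; fall back to a sibling .py
            py = pyc.with_suffix(".py")
        if not py.is_file():
            orphans.append(pyc)  # bytecode that nothing on the manifest vouches for
            continue
        (verified if pyc_matches_source(pyc, py) else mismatches).append(pyc)
    return verified, orphans, mismatches
```

Unlike importing each module, py_compile only compiles, so no module-level code runs during the rebuild; run compile_tree as the owner you want the .pyc files to have, then audit_tree after the tripwire baseline to see what appeared since.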