wtf ... Something strips installed binaries???

Thomas M Steenholdt tmus at tmus.dk
Tue Sep 2 13:37:26 UTC 2008


Daniel P. Berrange wrote:
> On Tue, Sep 02, 2008 at 11:07:45AM -0200, Thomas M Steenholdt wrote:
>> Bill Crawford wrote:
>>> Thomas M Steenholdt wrote:
>>>> I wasn't even aware that prelinking actually changed the files. Isn't 
>>>> this kind of dangerous from a system-integrity point-of-view. How can we 
>>>> ever validate binaries if they are modified on purpose?
>>> With "prelink --verify" ?
>>>
>> I can't see how that would actually verify that the binary has not been 
>> modified by a rootkit or whatever?
> 
> It is explained in the manpage for prelink
> 
>        -y --verify
>               Verifies a prelinked  binary  or  library.   This
>               option  can  be  used  only on a single binary or
>               library. It first applies an --undo operation  on
>               the  file, then prelinks just that file again and
>               compares this with the original file. If both are
>               identical, it prints the file after --undo opera-
>               tion on standard output and exits with zero  sta-
>               tus.  Otherwise it exits with error status.  Thus
>               if --verify operation returns  zero  exit  status
>               and  its  standard output is equal to the content
>               of the binary or library before  prelinking,  you
>               can  be sure that nobody modified the binaries or
>               libraries after prelinking.  Similarly with  mes-
>               sage  digests  and  checksums (unless you trigger
>               the improbable case of modified file and original
>               file having the same digest or checksum).
> 
>>                                  rpm -V should be able to detect this, 
>> on the other hand, but how it works in conjunction with prelinking I 
>> don't know...
> 
> IIRC, rpm -V is prelink aware, and calls out to prelink --verify rather than
> doing a blind checksum compare.
> 
> Daniel

Does rpm -V use this trick to return sane results?

/Thomas




More information about the fedora-devel-list mailing list