I joined the [EMAIL PROTECTED] and started a discussion as I was looking forward to using RPM for integrity checking a la tripwire after the fact - that is, for checking files on systems that did not have tripwire or others installed, and relying instead on the RPM database. So far I haven't seen a Linux trojan that is "smart" enough to tamper with the RPM db, but who knows... Apologies to non-RPM distro users.

----- Forwarded message from Jeff Johnson <[EMAIL PROTECTED]> -----

On Thu, Aug 23, 2001 at 07:50:43PM +0800, Miguel A.L. Paraz wrote:
> Follow-up question. Does the RPM database store the MD5 of the entire
> package? Is there a query tag that contains this?
>

The md5 sum of the header+payload is in the package signature, and is copied to the header tag RPMTAG_SIGMD5 when the package is installed. Note that this is not the same as the md5 sum of the package file itself, only the header+payload, which can be extracted with dd using the (untested) script below.

> I'd like to know if the RPM database was maliciously changed. Right now
> one can use 'rpm -V' to check if files were modified by a trojan or something
> similar, but who knows, future trojans might update the RPM database. I'm
> thinking of getting the MD5 signature for copying and storing elsewhere for
> comparison later.
>

New in rpm-4.0.3 is a sha1 digest of the original header, stored in the package signature, and copied to the tag RPMTAG_SHA1HEADER when the package is installed. This digest is verified on --verify pathways for every header retrieved, and can be disabled with --nodigest if desired. The sha1 will be used as a basis for DSA signatures for the header that can/will be verified for every header retrieved from the database. There are still other forms of malicious damage, either by appending to the original header and/or by altering the database in other ways.
73 de Jeff

===========================================================================

#!/bin/sh
# Extract the header+payload section of an RPM, i.e. the bytes that RPMSIGTAG_MD5 covers.
pkg=$1
leadsize=96                         # the lead is a fixed 96 bytes
o=$((leadsize + 8))                 # skip the signature header's 8-byte magic
set -- `od -j $o -N 8 -t u1 $pkg`   # $2..$5: index count, $6..$9: data size (big-endian bytes)
il=$(( (($2 * 256 + $3) * 256 + $4) * 256 + $5 ))
dl=$(( (($6 * 256 + $7) * 256 + $8) * 256 + $9 ))
sigsize=$((8 + 16 * il + dl))       # il/dl fields + 16-byte index entries + data store
o=$((o + sigsize + (8 - sigsize % 8) % 8))   # signature header is padded to 8 bytes; the main header (magic included) starts here
dd if=$pkg ibs=1 skip=$o            # pipe into md5sum to get the digest stored in RPMTAG_SIGMD5

-- 
Jeff Johnson ARS N3NPQ
[EMAIL PROTECTED] ([EMAIL PROTECTED])
Chapel Hill, NC

_______________________________________________
Rpm-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/rpm-list

----- End forwarded message -----

Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph
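As an added example (not code from the thread or from rpm itself), the same lead/signature-header arithmetic as Jeff's dd script, written as a small Python parser that locates the header+payload region and checks the signature header's RPMSIGTAG_MD5 (tag 1004) and RPMSIGTAG_SIZE (tag 1000) entries against it. The package bytes are constructed inline (a stub body stands in for the real header and cpio payload), and the tamper flag shows what a modified payload looks like to the check.

```python
import hashlib
import struct

LEAD_SIZE = 96
HEADER_MAGIC = b"\x8e\xad\xe8\x01\x00\x00\x00\x00"   # magic + version + reserved
RPMSIGTAG_SIZE, RPMSIGTAG_MD5 = 1000, 1004            # header+payload size / MD5 digest
TYPE_SIZE = {4: 4, 7: 1}      # bytes per element for INT32 and BIN (the only types used here)

def parse_signature(data):
    """Return (signature tags, offset where header+payload starts)."""
    o = LEAD_SIZE                                  # the lead is a fixed 96 bytes
    if data[o:o + 8] != HEADER_MAGIC:
        raise ValueError("bad signature header magic")
    il, dl = struct.unpack(">II", data[o + 8:o + 16])   # index count, data store size
    idx, store = o + 16, o + 16 + 16 * il
    tags = {}
    for i in range(il):
        tag, typ, off, cnt = struct.unpack(">IIII", data[idx + 16 * i:idx + 16 * i + 16])
        n = cnt * TYPE_SIZE.get(typ, 0)
        tags[tag] = data[store + off:store + off + n]
    sigsize = 16 + 16 * il + dl                    # magic + il/dl + index + data store
    return tags, o + sigsize + (8 - sigsize % 8) % 8   # padded to an 8-byte boundary

def verify(data):
    """Check the signature MD5 and size against the actual header+payload bytes."""
    tags, start = parse_signature(data)
    body = data[start:]
    return {
        "md5": hashlib.md5(body).digest() == tags.get(RPMSIGTAG_MD5),
        "size": struct.unpack(">I", tags[RPMSIGTAG_SIZE])[0] == len(body),
    }

def build_sample(payload, tamper=False):
    """Constructed minimal package: lead, signature header (SIZE + MD5), header+payload."""
    body = HEADER_MAGIC + payload                  # stands in for the real header + cpio payload
    store = struct.pack(">I", len(body)) + hashlib.md5(body).digest()
    index = struct.pack(">IIII", RPMSIGTAG_SIZE, 4, 0, 1)    # INT32 at store offset 0
    index += struct.pack(">IIII", RPMSIGTAG_MD5, 7, 4, 16)   # BIN at store offset 4
    sig = HEADER_MAGIC + struct.pack(">II", 2, len(store)) + index + store
    sig += b"\x00" * ((8 - len(sig) % 8) % 8)      # pad the signature header as rpm does
    if tamper:
        body = body[:-1] + b"X"                    # alter one byte after the digest was taken
    return b"\xed\xab\xee\xdb" + b"\x00" * 92 + sig + body

if __name__ == "__main__":
    print(verify(build_sample(b"fake cpio payload")))
    print(verify(build_sample(b"fake cpio payload", tamper=True)))
```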
