This one time, at band camp, Andy Eager said:
>If a virus did copy something over ls, it would be caught as follows:
>
> rpm -qif `which ls` would return the package name fileutils
> rpm --verify fileutils would show that ls had been modified.
No, that's not what I said. You can change the name of a process once
it has begun, so I can have a binary on disk that is called 'foobar',
but once it is running, a ps shows it up as 'ls'. In this case, you'd
do your verify, and as the real ls hasn't been overwritten, no virus
would be detected.
To get around this problem though, you could run something like debian's
cruft to find binaries that the package database doesn't know about; I'm
sure there are ways around this, too -- such as putting spurious entries
into the database.
--
jamesw
<Jaq> what's wrong with the default? :)
<jdub> It is poopie.
--
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
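The trick James describes, and the check that sees through it, as an added example (not code from the thread or from SLUG). It assumes Linux with /proc mounted; the on-disk name "foobar", the spoofed name "ls" and the function names (spoof_cmdline, spoof_comm, names_disagree, check_live_process) are this example's own choices. A process rewrites its own argv[0] (what `ps` reads from /proc/PID/cmdline) and its kernel "comm" field (what `ps -o comm` and `top` show), so the package database has nothing to complain about: the real /bin/ls is untouched. The kernel-maintained symlink /proc/PID/exe still points at the binary actually mapped, so comparing that against the advertised name exposes the lie.

```c
// Added example, not from the original thread. Assumes Linux with /proc.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/prctl.h>

/* Overwrite argv[0] in place so `ps` (which reads /proc/PID/cmdline) shows
 * `fake`. cmdline is the process's own argv memory, so the new name must fit
 * in the space the old one occupied; refuse rather than truncate. */
int spoof_cmdline(char *argv0, size_t capacity, const char *fake) {
    size_t n = strlen(fake);
    if (n + 1 > capacity) return -1;
    memset(argv0, 0, capacity);          /* NUL-pad so no tail of the old name leaks */
    memcpy(argv0, fake, n);
    return 0;
}

/* Rename the kernel's 16-byte "comm" field (shown by `ps -o comm`, `top`).
 * PR_SET_NAME silently truncates to 15 characters plus NUL. */
int spoof_comm(const char *fake) {
    return prctl(PR_SET_NAME, fake, 0, 0, 0);
}

/* "/usr/local/bin/foobar" -> "foobar" */
const char *base_name(const char *path) {
    const char *slash = strrchr(path, '/');
    return slash ? slash + 1 : path;
}

/* The displayed name is attacker controlled; /proc/PID/exe is not.
 * Returns 1 when the on-disk binary does not match the reported name. */
int names_disagree(const char *exe_path, const char *reported_name) {
    return strcmp(base_name(exe_path), reported_name) != 0;
}

/* Read /proc/<pid>/comm into `out`. Returns 0 on success, -1 on failure. */
int read_comm(pid_t pid, char *out, size_t cap) {
    char path[64];
    snprintf(path, sizeof path, "/proc/%d/comm", (int)pid);
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    if (!fgets(out, (int)cap, f)) { fclose(f); return -1; }
    fclose(f);
    out[strcspn(out, "\n")] = '\0';
    return 0;
}

/* Resolve /proc/<pid>/exe and compare it with /proc/<pid>/comm.
 * Returns 1 on mismatch, 0 on match, -1 if /proc could not be read. */
int check_live_process(pid_t pid, char *exe_out, size_t exe_cap) {
    char path[64], comm[32];
    snprintf(path, sizeof path, "/proc/%d/exe", (int)pid);
    ssize_t len = readlink(path, exe_out, exe_cap - 1);
    if (len < 0) return -1;
    exe_out[len] = '\0';
    if (read_comm(pid, comm, sizeof comm) != 0) return -1;
    return names_disagree(exe_out, comm);
}

int main(int argc, char **argv) {
    (void)argc;
    /* Only reuse the bytes argv[0] already occupies. */
    size_t cap = strlen(argv[0]) + 1;
    if (spoof_cmdline(argv[0], cap, "ls") != 0) fprintf(stderr, "argv[0] too short\n");
    spoof_comm("ls");

    char exe[4096];
    int r = check_live_process(getpid(), exe, sizeof exe);
    printf("reported as: ls   on disk: %s   mismatch: %d\n", exe, r);
    /* `rpm --verify fileutils` passes: the real ls was never touched.
     * Compare the mapped binary with the package database instead, e.g.
     * rpm -qf "$(readlink /proc/<pid>/exe)". */
    sleep(20); /* meanwhile: ps -p <pid> -o pid,comm,args */
    return 0;
}
```

Build it as "foobar", run it, and `ps` reports "ls" while `readlink /proc/<pid>/exe` still names the real file, which `rpm -qf` will not find in any package. One caveat worth checking for: if the binary was unlinked after exec, the exe link ends in " (deleted)", which is itself a strong signal.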