
Re: Package verification



On Wed, Oct 08, 2003 at 12:24:37AM +1000, Kim Lester wrote:

> There is no way to verify/correct the MODE, USER, GROUP, TYPE
> of any files installed in a pkg.

  That appears to be the case, partly because permissions may be changed
 from those files which are contained within the .deb file via the
 postinst scripts.

  If you wanted to handle this yourself you could add a hook to apt,
 in the same way that 'apt-listchanges' does - so that new installations
 of packages would get their information logged somewhere.

  However if you're using this for a real enterprise system presumably
 you'd want all your sums/inode info/etc stored onto CD-ROM or off
 machine?

> One of the solutions I have implemented is a file containing:
> type(eg Dir, Sym, File), path, mode, uid, gid, symlink destination
> and in my case md5sum and file size (deb would use the sep md5sum file)
> [correct size is useful for humans :-)]

  Congratulations, you just reinvented tripwire.

  If this file can be updated, securely, at package install post your
 patch and we'll take it from there.

> This permits my command pkginfo -v to verify that a pkg is
> installed correctly and can even fix certain errors (eg mode/uid/gid)
> if requested.

   Tripwire's database, (and tiger's or any of the other systems which
  use a database like this), can also be used in such a way.

   I'd love to see dpkg be capable of doing this, but I really don't
  see that this is a huge stumbling block in the adoption of Debian
  in the enterprise as your rant appears to suggest.

   I'd argue that the lack of Oracle support is more significant than
  the ability to natively verify package installs.

-- 
Steve
--
# Debian Security Audit Project
http://www.steve.org.uk/Debian/
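The manifest approach Kim describes above (type, path, mode, uid, gid, symlink destination, checksum, size), as an added example that is not code from this thread, from dpkg or from tripwire: it snapshots an installed tree, writes the entries to a tab-separated file in that field order, re-verifies the tree against the file, and restores mode/uid/gid the way pkginfo -v is said to, while content drift is only reported. The function names, the file layout, the constructed tree under a temporary directory and the use of sha256 in place of md5sum are all assumptions of this example.

```python
"""Manifest-based verification of an installed tree (added example, not the thread's code).
Entries hold what the thread lists: type, path, mode, uid, gid, symlink target, size and a
digest; sha256 stands in for md5sum (an assumption). verify() reports drift, repair() restores
mode/uid/gid, which is the class of error dpkg's md5sums file cannot detect at all."""
import hashlib
import os
import stat
import tempfile

CHECKED = ("type", "target", "size", "digest", "mode", "uid", "gid")


def record(root, rel):
    """Entry for root/rel; lstat so a symlink describes itself, not its target."""
    full = os.path.join(root, rel)
    st = os.lstat(full)
    e = {"type": "Other", "path": rel, "mode": stat.S_IMODE(st.st_mode),
         "uid": st.st_uid, "gid": st.st_gid, "target": "", "size": 0, "digest": ""}
    if stat.S_ISDIR(st.st_mode):
        e["type"] = "Dir"
    elif stat.S_ISLNK(st.st_mode):
        e["type"], e["target"] = "Sym", os.readlink(full)
    elif stat.S_ISREG(st.st_mode):
        with open(full, "rb") as f:
            e["digest"] = hashlib.sha256(f.read()).hexdigest()
        e["type"], e["size"] = "File", st.st_size
    return e


def build_manifest(root):
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):  # does not follow symlinks
        for name in dirnames + filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            manifest[rel] = record(root, rel)
    return manifest


def dump_manifest(manifest):
    """One tab-separated line per entry, mode in octal, fields in the thread's order."""
    rows = []
    for e in (manifest[k] for k in sorted(manifest)):
        rows.append("\t".join([e["type"], e["path"], "%04o" % e["mode"], str(e["uid"]),
                               str(e["gid"]), e["target"], str(e["size"]), e["digest"]]))
    return "\n".join(rows) + "\n"


def load_manifest(text):
    manifest = {}
    for line in filter(None, text.splitlines()):
        t, path, mode, uid, gid, target, size, digest = line.split("\t")
        manifest[path] = {"type": t, "path": path, "mode": int(mode, 8), "uid": int(uid),
                          "gid": int(gid), "target": target, "size": int(size), "digest": digest}
    return manifest


def verify(root, manifest):
    """List (path, field, expected, actual) for every deviation from the manifest."""
    problems = []
    for rel, want in sorted(manifest.items()):
        if not os.path.lexists(os.path.join(root, rel)):
            problems.append((rel, "missing", want["type"], None))
            continue
        got = record(root, rel)
        problems += [(rel, f, want[f], got[f]) for f in CHECKED if want[f] != got[f]]
    return problems


def repair(root, manifest):
    """Restore mode/uid/gid only; content drift is reported, never overwritten.
    chown needs privileges, so a refused chown is returned rather than raised."""
    failed = []
    for rel, want in manifest.items():
        full = os.path.join(root, rel)
        if not os.path.lexists(full) or record(root, rel)["type"] != want["type"]:
            continue
        st = os.lstat(full)
        if want["type"] != "Sym" and stat.S_IMODE(st.st_mode) != want["mode"]:
            os.chmod(full, want["mode"])
        if (st.st_uid, st.st_gid) != (want["uid"], want["gid"]):
            try:
                os.lchown(full, want["uid"], want["gid"])
            except PermissionError:
                failed.append(rel)
    return failed


def demo():
    """Constructed scenario: 'install' a tree, snapshot it, tamper, verify, repair."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "etc"))
    cfg = os.path.join(root, "etc", "app.conf")
    with open(cfg, "w") as f:
        f.write("debug=0\n")
    os.chmod(cfg, 0o640)
    os.symlink("app.conf", os.path.join(root, "etc", "app.link"))
    manifest = load_manifest(dump_manifest(build_manifest(root)))  # round-trip the text file
    os.chmod(cfg, 0o666)  # a postinst or an admin loosened the mode ...
    with open(cfg, "a") as f:
        f.write("debug=1\n")  # ... and the content changed too
    before = verify(root, manifest)
    repair(root, manifest)
    return before, verify(root, manifest)  # mode restored; content change still reported
```

The snapshot step is the part that would have to run from an apt hook (an apt.conf DPkg::Post-Invoke entry, for example) so that every install refreshes the manifest; and, as Steve's CD-ROM remark implies, the manifest is only worth anything if whoever can change a mode or a file on the box cannot also rewrite the manifest, so it belongs on read-only media or off the machine.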