
Re: securely validating installed files



On Wed, Feb 01, 2006 at 02:43:43PM -0800, Matt Taggart wrote:
>A) Is there a way to determine the validity of an installed deb?
>B) Is there a way to determine if a file you have on your system came from a 
>valid deb?
>
>(I suspect the ability to do A requires the ability to do B, right?)
>
>Most debs have md5sum files these days, and the debsums tool can compare the 
>installed files against /var/lib/dpkg/info/foo.md5sum. But it isn't intended 
>to be used as an integrity checker, since those files are subject to 
>manipulation.
>
>Is there a way to link the apt-secure checked deb to the md5sum file it 
>contains in order to prove that files are OK? Like maybe a signed document 
>listing the md5sums of all the md5sum files? Any other ideas?

debsums has the ability to validate on-disk files from the md5sum stored
in (or calculated from the contents of) a .deb.

There is also an option (--md5sums) to pass a list of deb checksums and
another (--root) to specify the root directory.

The idea being that you could boot the system from known safe media (say
a rescue disk/cd/usb key) which contained the archive key, gpg, debsums
etc.  You could then:

  * verify the integrity of /mnt/var/lib/apt/lists/*_Releases with the
    archive key,

  * verify /mnt/var/lib/apt/lists/*_Packages from the checksums in Releases,

  * extract a list of checksums for /var/cache/apt/archives/*.deb from
    Packages,

  * use debsums to verify the on-disk files from the debs (using
    --deb-path=/mnt/var/cache/apt/archives --md5sums=LIST --root=/mnt
    --generate=all).

I never really got past adding the -m/-r options.

Using debsums in this way as a security tool (as opposed to a basic
integrity checker) has limitations.

The principal one being that verification is limited only to packages
which appear to be installed according to /var/lib/dpkg/status, i.e. it
covers your case "A" only:  you miss the case where a package has been
removed from the system and replacement files installed outside of dpkg.

Case "B" would require an index of paths with validated checksums,
rather a tricky task if you're attempting to check an unstable system
some time after the last upgrade:  where do you find the relevant
Releases/Packages/debs?

--bod
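
The middle two steps of the procedure above (checking a Packages file against the checksums in Release, then extracting the per-.deb checksums from it), as an added example that is not part of the original message or of debsums. It assumes the Release file's signature has already been verified with the archive key; the function names and the sample data are constructed for illustration.

```python
import hashlib

def release_md5sums(release_text):
    """Parse the MD5Sum: block of a Release file into {path: (md5, size)}."""
    sums, in_block = {}, False
    for line in release_text.splitlines():
        if line.startswith("MD5Sum:"):
            in_block = True
        elif in_block and line.startswith(" "):
            md5, size, path = line.split()
            sums[path] = (md5, int(size))
        else:
            in_block = False          # any other field ends the block
    return sums

def verify_packages(release_text, path, packages_bytes):
    """True only if Packages has the size and md5 that Release lists for it."""
    entry = release_md5sums(release_text).get(path)
    if entry is None:
        return False                  # not listed in Release: do not trust it
    md5, size = entry
    return (len(packages_bytes) == size
            and hashlib.md5(packages_bytes).hexdigest() == md5)

def deb_checksums(packages_text):
    """Map each .deb basename to the MD5sum recorded in its Packages stanza."""
    out = {}
    for stanza in packages_text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if line[:1] not in (" ", "\t") and ":" in line:  # skip continuations
                key, value = line.split(":", 1)
                fields[key] = value.strip()
        if "Filename" in fields and "MD5sum" in fields:
            # Caveat: apt's cache adds the epoch (e.g. "1%3a") to the file name
            # when a version has one; that renaming is not handled here.
            out[fields["Filename"].rsplit("/", 1)[-1]] = fields["MD5sum"]
    return out

# Constructed sample data (not real archive contents).
SAMPLE_PACKAGES = (
    "Package: hello\nVersion: 2.1.1-4\n"
    "Filename: pool/main/h/hello/hello_2.1.1-4_i386.deb\n"
    "MD5sum: 0123456789abcdef0123456789abcdef\n"
    "Description: constructed sample\n continuation: line\n")
SAMPLE_PATH = "main/binary-i386/Packages"
SAMPLE_RELEASE = "Suite: unstable\nMD5Sum:\n %s %8d %s\nSHA1:\n" % (
    hashlib.md5(SAMPLE_PACKAGES.encode()).hexdigest(),
    len(SAMPLE_PACKAGES.encode()), SAMPLE_PATH)
```

Only checksums taken from a Packages file for which verify_packages() returned True should be passed on to the debsums step.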


