integrity checks and inodes

To: debian-security@lists.debian.org
Subject: integrity checks and inodes
From: Pascal Weller <lists@pascalweller.net>
Date: Fri, 21 Jan 2011 18:13:07 +0100
Message-id: <[🔎] 20110121171307.GA1003@pascalweller.net>
Mail-followup-to: debian-security@lists.debian.org

Hi All

The various tools for integrity checks (aide, integrit, tripwire, etc) 
do check timestamp, uid/gui, permissions, checksum, inode etc. of the 
files on an system, compare them to the last know-good state and warn 
about changes.

I'm wondering why I should care about inodes when I have checksums.

Does anyone know an attack vector to modify a file and keep the checksum 
the same? (besides collisions/bugs in the checksum code). 
Would the inode change in such a case and couldn't this be avoided by an 
attacker as well?

Background is that I move vserver from host to host with rsync and don't 
like to get a report that all the inodes have changed.


cheers pascal

Reply to:

Follow-Ups:
- Re: integrity checks and inodes
  - From: Jérémie Marguerie <jeremie@marguerie.org>
- Re: integrity checks and inodes
  - From: Hannes von Haugwitz <hannes@vonhaugwitz.com>

Prev by Date: Re: List of SUID/SGID packages and programs in Debian
Next by Date: Re: integrity checks and inodes
Previous by thread: Re: Results of environment variable fuzzing Debian 5.05 SUID/SGIDs
Next by thread: Re: integrity checks and inodes
Index(es):
- Date
- Thread