
Re: integrity checks and inodes



On Fri, Jan 21, 2011 at 6:13 PM, Pascal Weller <lists@pascalweller.net> wrote:
> Hi All
>
> The various tools for integrity checks (aide, integrit, tripwire, etc)
> do check timestamp, uid/gid, permissions, checksum, inode etc. of the
> files on a system, compare them to the last known-good state and warn
> about changes.
>
> I'm wondering why I should care about inodes when I have checksums.
>
> Does anyone know an attack vector to modify a file and keep the checksum
> the same? (besides collisions/bugs in the checksum code).
> Would the inode change in such a case and couldn't this be avoided by an
> attacker as well?
>
> Background is that I move vserver from host to host with rsync and don't
> like to get a report that all the inodes have changed.

Hello Pascal,

The change of the inode number might not be an attack but it could
outline some strange actions on the file.

For example, if you copy a file, delete it and finally restore it with
the copy you made before, the inode number will change. People may
want to be warned of such things.

-- 
Jérémie MARGUERIE
Student in l'EPITA (Engineering school of computer science)
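
The copy, delete and restore sequence described in the reply above, replayed as an added example that is not part of the original message: a small baseline comparison shows the checksum staying the same while the inode number changes. The file names and contents are constructed, and the restore is done by rename so the result is deterministic (a restore by fresh copy may be handed a reused inode number by the filesystem).

```python
import hashlib
import os
import shutil
import tempfile


def snapshot(path):
    """Record the attributes an integrity checker would baseline for one file."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return {"sha256": digest, "inode": st.st_ino, "size": st.st_size}


def changed_fields(baseline, current):
    """Return the names of the attributes that differ from the baseline."""
    return sorted(k for k in baseline if baseline[k] != current[k])


def copy_delete_restore(workdir):
    """Replay the sequence from the reply and report what a checker would flag."""
    target = os.path.join(workdir, "target.conf")      # constructed sample file
    backup = os.path.join(workdir, "target.conf.bak")  # hypothetical backup name
    with open(target, "w") as fh:
        fh.write("PermitRootLogin no\n")               # constructed content

    baseline = snapshot(target)
    shutil.copy2(target, backup)   # copy: gets a new inode while the original exists
    os.remove(target)              # delete the original
    os.rename(backup, target)      # restore: the path now names the copy's inode
    return changed_fields(baseline, snapshot(target))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(copy_delete_restore(d))
```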

