Re: Debsums fun
On 2008-10-27 08:24 +0100, David Baron wrote:
> The newest debsums from Sid can do a daily check for md5 disagreement. Useful
> for security?
Not really. An attacker that can modify system files can and will also
update the md5sums under /var/lib/dpkg/info. Besides, scanning each and
every installed file takes _really_ long, so it is not recommended to
run this daily.
> This check flags a load of missing files which are either obsolete -- maybe I
> once had 'em but they are long gone -- or ... I never had 'em.
> Two prime examples:
> The former, Sun Java 1.5 stuff. Has been superseded by 1.6 and this was always
> Sun's installation rather than anything from Debian. The latter
> /usr/loca/Adobe . . . acrobat stuff. I never had a local version. Most entries
> seem to be internationalization stuff.
Do you have localepurge installed? It will delete many l10n files that
debsums will report then.
> There is a (now empty) /etc/debsums-ignore. If this can be set to exclude
> directories, I can easily suppress the check on these files.
That's not how it works, unfortunately. These files will still be
checked, only the final output is filtered. Have a look at debsums'
cron script to convince yourself if you don't trust me.
> Question is where
> the program gets the info to look for them in the first place?
From the *.md5sums files under /var/lib/dpkg/info.
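
An added illustration, not part of the original message and not debsums' own code: a small checker for the `<md5>  <path>` lines that the *.md5sums files hold, run over a constructed temporary tree. It shows why a list stored on the same system gives no tamper evidence once file and list are rewritten together, and how a file deleted after installation is still reported. The function names, the sample paths and the idea of comparing against a copy of the list kept elsewhere are assumptions of this example.

```python
import hashlib
import os
import tempfile

def parse_md5sums(text):
    """Parse '<md5hex>  <path relative to />' lines into {path: digest}."""
    entries = {}
    for line in text.splitlines():
        if line.strip():
            digest, path = line.split(None, 1)
            entries[path] = digest.lower()
    return entries

def check(root, entries):
    """Return {path: 'OK' | 'FAILED' | 'MISSING'} for every listed file."""
    result = {}
    for path, expected in entries.items():
        full = os.path.join(root, path)
        if not os.path.isfile(full):
            result[path] = "MISSING"   # e.g. an l10n file deleted after install
            continue
        with open(full, "rb") as fh:
            actual = hashlib.md5(fh.read()).hexdigest()
        result[path] = "OK" if actual == expected else "FAILED"
    return result

def demo():
    """Constructed scenario: a file and the on-disk list change together."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "usr/bin"))
        target = os.path.join(root, "usr/bin/tool")
        with open(target, "wb") as fh:
            fh.write(b"original contents\n")
        good = hashlib.md5(b"original contents\n").hexdigest()
        # Copy of the list as shipped (assumed to be kept off the system).
        trusted = f"{good}  usr/bin/tool\n{good}  usr/share/locale/xx/tool.mo\n"
        # The file is changed and the local list is regenerated to match.
        with open(target, "wb") as fh:
            fh.write(b"changed contents\n")
        new = hashlib.md5(b"changed contents\n").hexdigest()
        local = trusted.replace(f"{good}  usr/bin/tool", f"{new}  usr/bin/tool")
        return check(root, parse_md5sums(local)), check(root, parse_md5sums(trusted))

if __name__ == "__main__":
    against_local, against_trusted = demo()
    print("local list:  ", against_local)
    print("trusted list:", against_trusted)
```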