Here is a list of files that I have not (knowingly) modified that do not pass rpm verification immediately after I installed centos 5.3. I am not really sure what this means - are the packagers sending out sloppy rpms, or is something going around modifying stuff? Other than the texmf stuff, the list seems to consist entirely of config files. Does yum or rpm or something do some instant reconfiguring when a package gets installed? Maybe rpms have a post-install script that mods the config?
....L... c /etc/pam.d/system-auth
S.5....T c /etc/xml/catalog
S.5....T c /usr/share/sgml/docbook/xmlcatalog
S.5....T c /etc/sysconfig/system-config-securitylevel
.......T c /etc/modprobe.d/blacklist-firewire
..5....T c /usr/lib/security/classpath.security
S.5....T c /usr/share/config/kdm/kdmrc
S.5....T c /etc/printcap
SM5....T c /etc/sysconfig/iptables-config #(mode is -rw-r--r-- 1 root root, seem okay)
S.5....T c /var/log/mail/statistics
.......T c /etc/audit/auditd.conf
.M......   /var/lib/texmf/ls-R
S.5....T   /usr/share/texmf-var/fonts/map/dvips/updmap/builtin35.map
S.5....T   /usr/share/texmf-var/fonts/map/dvips/updmap/download35.map
[snip ... lots more texmf stuff...]
S.5....T   /usr/share/texmf-var/web2c/pdfetex.fmt
S.5....T   /usr/share/texmf-var/web2c/pdftex.fmt
S.5....T   /usr/share/texmf-var/web2c/tex.fmt
How would I get a 'clean' copy of some of these files to do a diff? Figure out what rpm they're from (rpm -qf <filename>), then what repo the rpm came from, then go download a copy of the rpm by hand, extract the file. Maybe figure out if there is a post-install script and whether it does something.
Googling, I see lots of hits suggesting that 'yum info <packagename>' will show what repo it came from. Testing this on a couple of the packages above, I get 'Repo : installed'. Does that mean that the rpm came from the install CD?
Am I missing something, is there an easier way?
mahalo, Dave
On Tue, Sep 8, 2009 at 5:30 PM, Dave <tdbtdb+centos@gmail.com> wrote:
> Here is a list of files that I have not (knowingly) modified that do not pass rpm verification immediately after I installed centos 5.3. I am not really sure what this means - are the packagers sending out sloppy rpms, or is something going around modifying stuff? Other than the texmf stuff, the list seems to consist entirely of config files. Does yum or rpm or something do some instant reconfiguring when a package gets installed? Maybe rpms have a post-install script that mods the config?
As you point out a file with a ' c ' is a configuration file. Processes, daemons, etc can update these files as needed. The printcap file gets updated by cups. The /var/log/mail/statistics file gets updated by mail...
If you want to know exactly what the file was at first, you could do a
rpm -qf 'fill in file name here'
this will tell you what RPM owned that file.
rpm -qf /etc/printcap
setup-2.5.58-7.el5
I think texmf gets updated by a cron job
_______________________________________________
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
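Added example, not part of the thread: a small shell filter that decodes the eight-character flag string of `rpm -V` lines like those listed above and separates %config files from other files whose digest changed. The function names and the three class labels are chosen here for illustration; the sample lines are copied from the listing in the first message.

```shell
#!/bin/sh
# Added example: decode `rpm -V` lines (8-flag layout, as shown in this thread).
# Output per line: class <TAB> path <TAB> comma-separated failed tests.
# Assumption: paths contain no whitespace.

decode_verify() {
    awk '
    BEGIN {
        # Flag position -> test that failed when a letter or digit appears there.
        name[1] = "size";  name[2] = "mode";  name[3] = "md5";   name[4] = "device"
        name[5] = "link";  name[6] = "user";  name[7] = "group"; name[8] = "mtime"
    }
    # Skip anything that is not an 8-character flag field ("." passed, "?" not testable).
    length($1) != 8 || $1 !~ /^[SM5DLUGT.?]+$/ { next }
    {
        flags = $1
        # Optional attribute marker between flags and path: c marks a %config file.
        if ($2 ~ /^[cdglr]$/) { attr = $2; path = $3 } else { attr = ""; path = $2 }
        failed = ""
        for (i = 1; i <= 8; i++) {
            ch = substr(flags, i, 1)
            if (ch != "." && ch != "?") {
                sep = (failed == "") ? "" : ","
                failed = failed sep name[i]
            }
        }
        if (attr == "c")                     kind = "config"    # local edits are expected
        else if (substr(flags, 3, 1) == "5") kind = "content"   # bytes differ from the package
        else                                 kind = "metadata"  # only mode, owner, mtime etc.
        printf "%s\t%s\t%s\n", kind, path, failed
    }'
}

# Sample lines copied from the listing in the first message.
sample_listing() {
    cat <<'EOF'
....L... c /etc/pam.d/system-auth
S.5....T c /etc/printcap
.M......   /var/lib/texmf/ls-R
S.5....T   /usr/share/texmf-var/web2c/tex.fmt
EOF
}

# On a real host: rpm -Va | decode_verify
sample_listing | decode_verify
```

Lines classed as "content" are the ones to compare against a pristine copy of the package; here they are the regenerated texmf files.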
On Tue, Sep 8, 2009 at 2:02 PM, Stephen John Smoogen <smooge@gmail.com> wrote:
> rpm -qf 'fill in file name here' this will tell you what RPM owned that file.
Then how do I find the rpm? I need to figure out which repo it came from, then download it from the repo, then unpack it and do a diff.
'yum info <packagename>' seems to just say 'Repo : installed'. How do I get yum to tell me what repo it came from? Or should I just google for the rpm name and download it from any old place?
Dave
On 09/08/2009 08:15 PM, Dave wrote:
> On Tue, Sep 8, 2009 at 2:02 PM, Stephen John Smoogen <smooge@gmail.com> wrote:
>> rpm -qf 'fill in file name here' this will tell you what RPM owned that file.
> Then how do I find the rpm? I need to figure out which repo it came from, then download it from the repo, then unpack it and do a diff.
> 'yum info <packagename>' seems to just say 'Repo : installed'. How do I get yum to tell me what repo it came from? Or should I just google for the rpm name and download it from any old place?
yum list <packagename>
That will tell you all the places that package can come from.
You will have to grep for the specific package number or look at the list.
Once a package is ON YOUR MACHINE, it is also in the installed repo ... but you can also install packages by hand from NO repos.
If you use the command:
rpm -qi <packagename>
That will tell you if it is a CentOS package ... and you can see if it is signed by a CentOS key.
On Tue, Sep 8, 2009 at 5:25 PM, Johnny Hughes <johnny@centos.org> wrote:
> On 09/08/2009 08:15 PM, Dave wrote:
>> How do I get yum to tell me what repo it came from? Or should I just google for the rpm name and download it from any old place?
> yum list <packagename>
> That will tell you all the places that package can come from.
yum list denyhosts
Loaded plugins: dellsysidplugin2, fastestmirror, priorities, security
2 packages excluded due to repository priority protections
Installed Packages
denyhosts.noarch                2.6-5.el5                installed
Which is the repo, he asks innocently. Or will that work only for uninstalled packages?
> You will have to grep for the specific package number or look at the list.
> Once a package is ON YOUR MACHINE, it is also in the installed repo ...
Or only in the installed?
> but you can also install packages by hand from NO repos.
> If you use the command:
> rpm -qi <packagename>
> That will tell you if it is a CentOS package ... and you can see if it is signed by a CentOS key.
rpm -qi denyhosts
Name        : denyhosts                    Relocations: (not relocatable)
Version     : 2.6                               Vendor: Fedora Project
Release     : 5.el5                         Build Date: Tue 19 Jun 2007 02:31:00 PM HST
Install Date: Wed 10 Jun 2009 07:41:18 AM HST      Build Host: xenbuilder2.fedora.redhat.com
Group       : Applications/System           Source RPM: denyhosts-2.6-5.el5.src.rpm
Size        : 337435                           License: GPL
Signature   : DSA/SHA1, Tue 19 Jun 2007 06:51:35 PM HST, Key ID 119cc036217521f6
Packager    : Fedora Project <http://bugzilla.redhat.com/bugzilla>
URL         : http://denyhosts.sourceforge.net/
Summary     : A script to help thwart ssh server attacks
Description :
DenyHosts is a Python script that analyzes the sshd server log
messages to determine which hosts are attempting to hack into your
system. It also determines what user accounts are being targeted. It
keeps track of the frequency of attempts from each host and, upon
discovering a repeated attack host, updates the /etc/hosts.deny file
to prevent future break-in attempts from that host. Email reports can
be sent to a system admin.
Hmmm.... still not seeing a repo. No doubt I could find some version of an rpm at http://denyhosts.sourceforge.net/, but can I be sure it is identical to the one on the centos repos?
On Wed, Sep 9, 2009 at 3:19 AM, Robert Heller <heller@deepsoft.com> wrote:
> rpm -qi <package name>
> man rpm RTFM
See above, no repo info found in rpm -qi output.
Thanks, Dave
On Wed, 2009-09-09 at 12:50 -1000, Dave wrote:
> See above, no repo info found in rpm -qi output.
---- no repo but
Vendor: Fedora Project
Craig
At Wed, 09 Sep 2009 16:15:57 -0700 CentOS mailing list <centos@centos.org> wrote:
> no repo but
> Vendor: Fedora Project
If (Vendor == Fedora Project) then repo is epel
if (Vendor == Centos) then repo is Centos
if (Vendor == Dag Apt Repository) repo is rpmforge
At least this seems to be the case for a small random sampling I did on my system (I 'cheated' -- I have a pile of RPMs sitting in their proper places under /var/cache/yum/...).
> Craig
On Wed, Sep 9, 2009 at 2:02 PM, Robert Heller <heller@deepsoft.com> wrote:
> (I 'cheated' -- I have a pile of RPMs sitting in their proper places under /var/cache/yum/...).
I think this is the clue I needed. I also have such a pile, and although it is not complete (wouldn't even need to know repo then, I'd have all the rpms already), it should be sufficient to reverse-engineer a map from vendors to repos. I'd forgotten that directory was organized by source repo.
Side problem - I just have too many repos, I am probably asking for trouble. At least I am running the priorities addon, which may save me most of the time.
mahalo, Dave
ls /var/cache/yum
addons            rpmfusion-free-updates
adobe-linux-i386  rpmfusion-free-updates-testing
base              rpmfusion-nonfree-updates
epel              rpmfusion-nonfree-updates-testing
extras            timedhosts.txt
rpmforge          updates
At Wed, 9 Sep 2009 15:01:59 -1000 CentOS mailing list <centos@centos.org> wrote:
> On Wed, Sep 9, 2009 at 2:02 PM, Robert Heller <heller@deepsoft.com> wrote:
>> (I 'cheated' -- I have a pile of RPMs sitting in their proper places under /var/cache/yum/...).
> I think this is the clue I needed. I also have such a pile, and although it is not complete (wouldn't even need to know repo then, I'd have all the rpms already), it should be sufficient to reverse-engineer a map from vendors to repos. I'd forgotten that directory was organized by source repo.
Generally, there is a mapping from Vendor to repo and mostly this mapping is not too hard to deduce.
On Wed, Sep 9, 2009 at 4:50 PM, Dave <tdbtdb+centos@gmail.com> wrote:
> Hmmm.... still not seeing a repo. No doubt I could find some version of an rpm at http://denyhosts.sourceforge.net/, but can I be sure it is identical to the one on the centos repos?
Well, it's not from CentOS so I doubt it would be in their repos. The package says it's a Fedora package and from the GPG signature it is an EPEL package. The denyhosts-2.6-5.el5.src.rpm would be where the source code for the package is.
The Key ID is what will distinguish which package is from what repository
119cc036217521f6 is EPEL
rpm -q gpg-pubkey --provides
gpg(Fedora EPEL <epel@fedoraproject.org>) = 4:119cc036217521f6-45e8a532
gpg(217521f6) = 4:119cc036217521f6-45e8a532
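Added example, not part of the thread: the Key ID lookup described in the message above, as a shell function. It takes the text printed by `rpm -qi` and by `rpm -q gpg-pubkey --provides` and prints the owner of the signing key; `key_owner`, `lookup_key` and the UNSIGNED / UNKNOWN-KEY labels are names chosen here, and the sample input is taken from the output quoted in the thread.

```shell
#!/bin/sh
# Added example: name the owner of the key that signed an installed package.

# lookup_key KEYID  (reads `rpm -q gpg-pubkey --provides` text on stdin)
lookup_key() {
    awk -v id="$1" '
    # Lines look like: gpg(<owner or short id>) = <epoch>:<keyid>-<timestamp>
    {
        n = index($0, ") = ")
        if (substr($0, 1, 4) != "gpg(" || n == 0) next
        who = substr($0, 5, n - 5)
        val = substr($0, n + 4)
        sub(/^[0-9]+:/, "", val); sub(/-.*$/, "", val)
        # Skip the alias line whose "owner" is just the short hex id.
        if (tolower(val) == tolower(id) && who !~ /^[0-9a-fA-F]+$/) { print who; exit }
    }'
}

# key_owner INFO_TEXT PROVIDES_TEXT
key_owner() {
    # Pull the 16-hex-digit key ID out of the "Signature :" line.
    keyid=$(printf '%s\n' "$1" |
        sed -n 's/.*Key ID \([0-9a-fA-F]\{16\}\).*/\1/p' | head -n 1)
    # rpm prints "(none)" instead of a key ID for an unsigned package.
    if [ -z "$keyid" ]; then echo "UNSIGNED"; return 0; fi
    owner=$(printf '%s\n' "$2" | lookup_key "$keyid")
    # A key ID with no imported public key cannot be attributed to a repo.
    if [ -n "$owner" ]; then echo "$owner"; else echo "UNKNOWN-KEY $keyid"; fi
}

# Sample input from the output quoted in this thread (rpm -qi trimmed to two lines).
SAMPLE_INFO='Vendor: Fedora Project
Signature   : DSA/SHA1, Tue 19 Jun 2007 06:51:35 PM HST, Key ID 119cc036217521f6'
SAMPLE_KEYS='gpg(Fedora EPEL <epel@fedoraproject.org>) = 4:119cc036217521f6-45e8a532
gpg(217521f6) = 4:119cc036217521f6-45e8a532'

# On a real host: key_owner "$(rpm -qi denyhosts)" "$(rpm -q gpg-pubkey --provides)"
key_owner "$SAMPLE_INFO" "$SAMPLE_KEYS"
```

The Vendor field is a free-form string set when the package is built, so the signing key is the stronger indicator of origin; for a downloaded package file, `rpm -K <file>` checks the signature itself.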
At Tue, 8 Sep 2009 15:15:33 -1000 CentOS mailing list <centos@centos.org> wrote:
> On Tue, Sep 8, 2009 at 2:02 PM, Stephen John Smoogen <smooge@gmail.com> wrote:
>> rpm -qf 'fill in file name here' this will tell you what RPM owned that file.
> Then how do I find the rpm? I need to figure out which repo it came from, then download it from the repo, then unpack it and do a diff.
> 'yum info <packagename>' seems to just say 'Repo : installed'. How do I get yum to tell me what repo it came from? Or should I just google for the rpm name and download it from any old place?
> Dave
rpm -qi <package name>
man rpm RTFM