Using rpm to cleanup after hackers…

Ever get the feeling that a file on the system is not the one you think it is? Wonder if a hacker has replaced a legitimate file with an evil version? It is possible to verify installed files against the attributes rpm recorded when the package was installed, using the rpm tool.

You can simply follow the rpm -V command with all or part of a package label. As with every other RPM command that accepts package labels, you’ll need to carefully specify each part of the label you include. Keep in mind that package names are case-sensitive.

root@m [/]# rpm -V coreutils
.M....G. /bin/su
root@m [/]#

From these results you can see that, in the case of su, the Mode and Group differ from the original install.

Here is a list of all the possibilities:

S file Size differs
M Mode differs (includes permissions and file type)
5 MD5 sum differs
D Device major/minor number mismatch
L readLink(2) path mismatch
U User ownership differs
G Group ownership differs
T mTime differs

If you add -a to rpm -V, you can easily verify every installed package on your system.

If you add -f to -V along with a file name, you can verify the package that contains that file.

To check the package that contains the ls program, try:

root@m[/]# rpm -Vf /bin/ls
.M....G. /bin/su
root@m[/]#

Again, we find differences in that package's files, and the results are displayed. Note that -Vf verifies the whole package that owns /bin/ls (coreutils), so the file reported is /bin/su, the same one flagged above, rather than /bin/ls itself.
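The flag table and the -V / -Va / -Vf output above can be turned into a triage list with a short script. The following is an added example, not code from the original post: it decodes the eight (or, on newer rpm, nine) attribute columns, handles rpm's optional file-type column and its "missing" marker, and ranks each line so that a binary with changed ownership or mode, like /bin/su above, surfaces first. The column order follows the rpm man page; the severity rules and the sample output it runs over are my own constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): decode the attribute column of
# "rpm -V" / "rpm -Va" output and rank each finding for triage.
#
# Assumed column order, from the rpm man page: S M 5 D L U G T, plus a ninth
# column P (capabilities) on newer rpm releases. Each column holds the test's
# letter when it fails, "." when it passes, and "?" when the test could not be
# performed (for example a file rpm was not allowed to read).
set -f   # rpm lines contain "?"; never let the shell glob-expand them

COLUMN_NAMES="size mode digest device link user group mtime capabilities"

# decode_flags FLAGS
#   Prints a comma-separated list of the attributes that differ, so that
#   ".M....G." becomes "mode,group". A "?" column is reported as "<name>?"
#   so an unverifiable file is never mistaken for a clean one.
decode_flags() {
    flags=$1
    result=""
    i=1
    for name in $COLUMN_NAMES; do
        [ "$i" -gt "${#flags}" ] && break   # shorter (older) flag strings
        ch=$(printf '%s\n' "$flags" | cut -c "$i")
        case $ch in
            .)   ;;                                       # test passed
            '?') result="${result:+$result,}${name}?" ;;  # test not performed
            *)   result="${result:+$result,}$name" ;;     # test failed
        esac
        i=$((i + 1))
    done
    printf '%s\n' "$result"
}

# rank_finding FLAGS TYPE
#   TYPE is rpm's optional file-type column ("c" config, "d" doc, ...) or "".
#   Prints clean, notice, warning or critical (assumed policy):
#   - mode/user/group/link/device/capability changes are always critical;
#     nothing legitimate rewrites the ownership of a packaged binary
#   - size/digest changes are critical on regular files but only a notice on
#     config files, which administrators are expected to edit
#   - a "?" (test not performed) is a warning; mtime alone is a notice
rank_finding() {
    diffs=$(decode_flags "$1")
    ftype=$2
    [ -z "$diffs" ] && { echo clean; return; }
    case ",$diffs," in
        *,mode,*|*,user,*|*,group,*|*,link,*|*,device,*|*,capabilities,*)
            echo critical; return ;;
    esac
    case ",$diffs," in
        *"?"*) echo warning; return ;;
    esac
    case ",$diffs," in
        *,size,*|*,digest,*)
            if [ "$ftype" = c ]; then echo notice; else echo critical; fi
            return ;;
    esac
    echo notice
}

# triage_line "FLAGS [TYPE] PATH"
#   Parses one rpm -V output line and prints "SEVERITY PATH DIFFS".
#   rpm prints "missing" in place of the flag string when the file is gone.
triage_line() {
    set -- $1
    flags=$1
    shift
    ftype=""
    case $1 in
        [acdglr]) if [ $# -gt 1 ]; then ftype=$1; shift; fi ;;
    esac
    path=$1
    if [ "$flags" = missing ]; then
        printf '%s %s %s\n' critical "$path" missing
    else
        printf '%s %s %s\n' "$(rank_finding "$flags" "$ftype")" "$path" "$(decode_flags "$flags")"
    fi
}

# triage_report
#   Reads rpm -V output on stdin and prints every finding that is not clean,
#   grouped by severity. Real use:  rpm -Va | triage_report
triage_report() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        finding=$(triage_line "$line")
        case $finding in
            clean*) ;;
            *)      printf '%s\n' "$finding" ;;
        esac
    done | sort
}

# Constructed sample of "rpm -Va" output for the demonstration; not real data.
SAMPLE='.M....G.    /bin/su
........    /bin/ls
S.5....T  c /etc/ssh/sshd_config
.......T  d /usr/share/doc/pkg/README
SM5....T    /usr/bin/ps
missing     /usr/bin/lsof
..?.....    /usr/bin/private-tool'

printf '%s\n' "$SAMPLE" | triage_report
```

Sourcing the file and running `rpm -Va | triage_report` applies the same ranking to a live system; on the constructed sample the /bin/su line comes out as "critical /bin/su mode,group", the edited config file as a notice, and the unreadable file as a warning rather than silently passing. The T (mtime) column alone trips on many benign events, which is why it only rates a notice here, while any change to the ownership or mode of a packaged binary is treated as the most serious class of finding.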

Of course, all of this is moot if the rpm binary or its database has itself been corrupted, but it is a good place to start.
