Verifying Installed Packages with debsums

There are times when you will question the behavior of a binary or package installed on the system. It may not perform correctly, or may not even start at all. Problems with corrupt packages from unstable network connections or power outages do happen. In addition, malicious users may attempt to replace powerful commands with their own versions to cause further harm. It becomes useful to check the files on the file system against the information stored in the package.

The debsums program is a utility for Ubuntu and other Debian-based systems that checks the MD5 sums of the files belonging to every installed package against the .md5sums files found in the /var/lib/dpkg/info directory.

Install this program with the following command:

$ sudo aptitude install debsums

Table 2-7 shows some of the most useful options for running debsums. See the debsums man page for the full list and details.

Table 2-7: Some Common debsums Options

debsums command            What It Does
-------------------------  ----------------------------------------------------
debsums -a                 Checks all files (including configuration files,
                           which are left out by default).
debsums -e                 Checks only the configuration files of packages.
debsums -c                 Lists only changed files to stdout.
debsums -l                 Lists files that don't have md5sum info.
debsums -s                 Lists only errors; otherwise is silent.
debsums <package names>    Checks only the packages you name.

NOTE For many operations, you won't need to run this utility as root (using sudo). Some files are not readable by regular users, however, so sudo will be required if you get a message like this: debsums: can't open at file /etc/at.deny (Permission denied).

If you run debsums with no options, it will check every file on the system that it knows about. The output can be redirected to a file if you need it later. Each file name debsums prints is followed by an OK status on the right side of the output if the md5sum of that file checks out. Other messages may be printed, such as md5sums missing for a certain file, or the word REPLACED if the md5sum does not match. Be wary of false positives. If you want to use this tool as a baseline for assessments at a later date, get everything set up the way you want it first, then re-generate md5sums for whatever is missing or incorrect. That way you know you have the latest information.

This command will check every file on the system against the stock md5sum files. You can see there are some missing and replaced files. You would want to verify the system does not already have problems with these files before you re-generate md5sums for everything:

$ debsums
/usr/bin/acpi OK
/usr/share/man/man1/acpi.1.gz OK
/usr/share/doc/acpi/README OK
/usr/share/doc/acpi/AUTHORS OK
/usr/share/app-install/icons/pybliographic.png OK
debsums: no md5sums for bsdutils
debsums: no md5sums for bzip2
debsums: no md5sums for cdrecord
/usr/share/locale-langpack/en_AU/LC_MESSAGES/adduser.mo REPLACED
/usr/share/locale-langpack/en_AU/LC_MESSAGES/alsa-utils.mo OK

If you want to save this information to a file, including both the stdout and stderr messages, redirect both streams into the file. We also background the command with a trailing ampersand so we can continue working at the shell:

To check the configuration files distributed with each package for changes as well, run debsums with the -a option:

$ debsums -a
/usr/bin/acpi OK
/usr/share/man/man1/acpi.1.gz OK

To check only configuration files and ignore everything else, use the -e option. This is a good way to tell whether you have inadvertently edited a config file you didn't want to. You can see that some of the X configuration files have been changed:

$ debsums -e
/etc/X11/Xresources/x11-common
/etc/X11/Xsession
/etc/X11/rgb.txt
/etc/init.d/x11-common
/etc/X11/Xsession.d/50x11-common_determine-startup
/etc/X11/Xsession.d/30x11-common_xresources
/etc/X11/Xsession.d/20x11-common_process-args
/etc/X11/Xsession.options

As debsums spits out a lot of information, you may want to see only changed files. Issuing debsums with the -c option will do that:

$ debsums -c
debsums: no md5sums for at
debsums: no md5sums for base-files
debsums: no md5sums for
FAILED

With the preceding command, you will still see messages printed for files that have no md5sum info. You can check for files that have no md5sum info by running debsums with the -l option:

$ debsums -l
base-files bc binutils binutils-static

If you want debsums to show only errors, use the -s option to tell debsums to be silent except for errors:

$ debsums -s
debsums: no md5sums for at
debsums: no md5sums for base-files
debsums: no md5sums for bc
debsums: no md5sums for binutils

To check a specific package, give debsums a package name as an argument:

$ debsums coreutils
/bin/cat OK
/bin/chgrp OK
/bin/chmod OK

This will check only the files listed in that package's md5sums file in the /var/lib/dpkg/info directory, so if the package does not come with an md5sums file, you will get an error:

$ debsums rsync
debsums: no md5sums for rsync

To generate the missing md5sums data for rsync, use a combination of dpkg, the md5sum utility, and a little shell scripting. First, use dpkg -L to ask for a list of all the files dpkg knows about in the rsync package. The list dpkg returns will contain lines other than file names, so we pipe that output to grep and filter out everything that does not start with a slash. In the loop body, the shell tests whether each line of output from dpkg names a directory or a regular file (directories start with a slash as well). If it is a file, md5sum is run on that line, which at this point should be just a file name. Lastly, all output from the loop is saved into a text file named the same way as the md5sums files in the /var/lib/dpkg/info directory.

$ for file in $(dpkg -L rsync | grep ^/); do test -f "$file" && md5sum "$file"; done > /tmp/rsync.md5sums

What you gain from this command is an md5sum database you can burn to CD-ROM and use to check your system. If the md5sums are on CD-ROM, they cannot be deleted accidentally, nor are they subject to file system problems on a hard disk. If you want to check your md5sums at a later time, use the md5sum command with the -c option and feed it the file name of the md5sum data:

$ md5sum -c /tmp/rsync.md5sums
/usr/bin/rsync: OK
/usr/share/doc/rsync/examples/rsyncd.conf: OK
/usr/share/doc/rsync/README.gz: OK
/usr/share/doc/rsync/TODO.gz: OK

To use the rsync.md5sums file with debsums, we need to make one modification: the leading slash must be removed from each file name. That breaks the file for md5sum -c, but debsums requires it. Here is the file as it stands:

$ cat /tmp/rsync.md5sums
302916114c29191cd9c8cb51d67ee60a  /usr/bin/rsync

To remove the leading slash in front of /usr/bin/rsync, you could use a text editor or just use the stream editor (sed) to do it:

$ sed -e 's# /# #g' /tmp/rsync.md5sums > /tmp/rsync.debsums
$ cat /tmp/rsync.debsums
302916114c29191cd9c8cb51d67ee60a  usr/bin/rsync

With the leading slash removed, you can now copy rsync.debsums into the /var/lib/dpkg/info directory and debsums will be able to use it:

$ sudo mv /tmp/rsync.debsums /var/lib/dpkg/info/rsync.md5sums
$ debsums rsync
/usr/bin/rsync OK
/usr/share/doc/rsync/examples/rsyncd.conf OK
/usr/share/doc/rsync/README.gz OK
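The whole procedure above (generate the sums, strip the leading slash, then check the files and catch a replaced one) as an added script that is not part of the original text. It works on a constructed package tree under a temporary directory standing in for the real file system and /var/lib/dpkg/info, so it runs without dpkg or root; the rsync file names and contents are made up, and the two functions are this example's own, not debsums itself.

```shell
#!/bin/sh
# Added example (not from the original text): the page's debsums workflow run
# against a constructed package tree under a temp directory instead of /.
# "rsync" and its two files below are stand-ins, not the real package contents.
set -e

# make_md5sums ROOT PKG: like the page's dpkg -L | test -f | md5sum | sed chain.
# md5sum prints absolute paths; the sed drops the leading "$ROOT/" the same way
# the page's sed drops the leading "/", which is the format debsums expects.
make_md5sums() {
    root=$1; pkg=$2
    mkdir -p "$root/var/lib/dpkg/info"
    find "$root/usr" "$root/etc" -type f | sort |
        while read -r f; do test -f "$f" && md5sum "$f"; done |
        sed "s# $root/# #" > "$root/var/lib/dpkg/info/$pkg.md5sums"
}

# check_md5sums ROOT PKG: re-hash each listed file and print OK / REPLACED /
# missing per file, as debsums does; returns 1 on any mismatch, 2 if the
# package has no md5sums file (debsums: no md5sums for PKG).
check_md5sums() {
    root=$1; pkg=$2; list="$root/var/lib/dpkg/info/$pkg.md5sums"; rc=0
    [ -f "$list" ] || { echo "debsums: no md5sums for $pkg" >&2; return 2; }
    while read -r want path; do
        if [ ! -f "$root/$path" ]; then
            echo "/$path missing"; rc=1
        elif [ "$(md5sum < "$root/$path" | cut -d' ' -f1)" = "$want" ]; then
            echo "/$path OK"
        else
            echo "/$path REPLACED"; rc=1
        fi
    done < "$list"
    return $rc
}

ROOT=$(mktemp -d)                    # constructed stand-in for /
trap 'rm -rf "$ROOT"' EXIT
mkdir -p "$ROOT/usr/bin" "$ROOT/etc"
printf 'stand-in for the rsync binary\n' > "$ROOT/usr/bin/rsync"
printf 'max connections = 2\n' > "$ROOT/etc/rsyncd.conf"

make_md5sums "$ROOT" rsync
cat "$ROOT/var/lib/dpkg/info/rsync.md5sums"   # hash, two spaces, no leading slash
check_md5sums "$ROOT" rsync                    # both files report OK

printf 'changed after install\n' > "$ROOT/usr/bin/rsync"   # the case debsums exists to catch
check_md5sums "$ROOT" rsync || echo "mismatch found: investigate before regenerating md5sums"
```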
