Using RPM to Verify Installed Packages

head 1.1; branch 1.1.1; access ; symbols MAXIMUM_RPM_1_0:1.1.1.1 VENDOR:1.1.1; locks ; strict; comment @# @; 1.1 date 2001.08.28.12.07.10; author rse; state Exp; branches 1.1.1.1; next ; 1.1.1.1 date 2001.08.28.12.07.10; author rse; state Exp; branches ; next ; desc @@ 1.1 log @Initial revision @ text @ Using RPM to Verify Installed Packages rpm -V <command>rpm -V</command> Command Syntax rpm -V or (--verify, or -y) options Package Selection Options Page pkg1 … pkgN Verify named package(s) -p <file> Verify against package file <file> -f <file> Verify package owning <file> -a Verify all installed packages -g <group> Verify packages belonging to group <group> Verify-specific Options Page --noscripts Do not execute verification script --nodeps Do not verify dependencies --nofiles Do not verify file attributes General Options Page -v Display additional information -vv Display debugging information --root <path> Set alternate root to <path> --rcfile <rcfile> Set alternate rpmrc file to <rcfile> --dbpath <path> Use <path> to find the RPM database

<command>rpm -V</command> — What Does it Do? rpm -V what it does From time to time, it's necessary to make sure that everything on your system is "OK". Are you sure the packages you've installed are still configured properly? Have there been any changes made that you don't know about? Did you mistakenly start a recursive delete in /usr and now have to assess the damage? RPM can help. It can alert you to changes made to any of the files installed by RPM. Also, if a package requires capabilities provided by another package, it can make sure the other package is installed, too. The command rpm -V (The options -y and --verify are equivalent) verifies an installed package. Before we see how this is done, let's take a step back and look at the big picture. Every time a package is installed, upgraded, or erased, the changes are logged in RPM's database. It's necessary for RPM to keep track of this information; otherwise it wouldn't be able to perform these operations correctly. You can think of the RPM database (and the disk space it consumes) as being the "price of admission" for the easy package management that RPM provides. Actually, the price is fairly low. For a completely RPM-based Linux distribution, it would be unusual to have a database over 5MB in size. The RPM database reflects the configuration of the system on which it resides. When RPM accesses the database to see how files should be manipulated during an install, upgrade, or erase, it is using the database as a mirror of the system's configuration. However, we can also use the system configuration as a mirror of the RPM database. What does this "backward" view give us? What purpose would be served? The purpose would be to see if the system configuration accurately reflects the contents of the RPM database. If the system configuration doesn't match the database, then we can reach one of two conclusions: The RPM database has become corrupt. The system configuration is unchanged. The RPM database is intact. The system configuration has changed. While it would be foolish to state that an RPM database has never become corrupt, it is a sufficiently rare occurrence that the second conclusion is much more likely. So RPM gives us a powerful verification tool, essentially for free. What Does it Verify? rpm -V what it verifies It would be handy if RPM did nothing more than verify that every file installed by a package actually exists on your system. In reality, RPM does much more. It makes sure that if a package depends on other packages to provide certain capabilities, the necessary packages are, in fact, installed. If the package builder created one, RPM will also run a special verification script that can verify aspects of the package's installation that RPM cannot. Finally, every file installed by RPM is examined. No less than nine different attributes of each file can be checked. Here is the list of attributes: Owner Group Mode MD5 Checksum Size Major Number Minor Number Symbolic Link String Modification Time Let's take a look at each of these attributes and why they are good things to check: File Ownership rpm -V attributes verified rpm -V attributes verified file ownership Most operating systems today keep track of each file's creator. This is done primarily for resource accounting. Linux and UNIX also use file ownership to help determine access rights to the file. In addition, some files, when executed by a user, can temporarily change the user's ID, normally to a more privileged ID. Therefore, any change of file ownership may have far reaching effects on data security and system availability. File Group rpm -V attributes verified file group In a similar manner to file ownership, a "group" specification is attached to each file. Primarily used for determining access rights, a file's group specification can also become a user's group ID, should that user execute the file's contents. Therefore, any changes in a file's group specification are important, and should be monitored. File Mode rpm -V attributes verified file mode Encompassing the file's "permissions", the mode is a set of bits that specifies permitted access for the file's owner, group members, and everyone else. Even more important are two additional bits that determine whether a user's group or user ID should be changed if they execute the program contained in the file. Since these little bombshells can let any user become root for the duration of the program, it pays to be extra careful with a file's permissions. MD5 Checksum rpm -V attributes verified MD5 checksum The MD5 checksum of a file is simply a 128-bit number that is mathematically derived from the contents of the file. The MD5 algorithm was designed by Ron Rivest, the "R" in the popular RSA public-key encryption algorithm. The "MD" in "MD5" stands for Message Digest, which is a pretty accurate description of what it does. Unlike literary digests, an MD5 checksum conveys no information about the contents of the original file. However, it possesses one unique trait: Any change to the file, no matter how small, results in a change to the MD5 checksum. From a strictly theoretical standpoint, this is not entirely true. Using the lingo of cryptologists, it is believed to be "computationally infeasible" to find two messages that produce the same MD5 checksum. RPM creates MD5 checksums of all files it manipulates, and stores them in its database. For all intents and purposes, if one of these files is changed, the MD5 checksum will change, and RPM will detect it. File Size rpm -V attributes verified file size As if the use of MD5 isn't enough, RPM also keeps track of file sizes. A difference of even one byte more or less will not go unnoticed. Major Number rpm -V attributes verified major number Device character and block files possess a major number. The major number is used to communicate information to the device driver associated with the special file. For instance, under Linux the special files for SCSI disk drives should have a major number of 8, while the major number for an IDE disk drive's special file would be 3. As you can imagine, any change to a file's major number can have disastrous effects, and is tracked by RPM. Minor Number rpm -V attributes verified minor number A file's minor number is similar in concept to the major number, but conveys different information to the device driver. In the case of disk drives, this information can consist of a unit identifier. Should the minor number change, RPM will detect it. Symbolic Link rpm -V attributes verified symbolic link If the file in question is really a symbolic link, the text string containing the name of the linked-to file is checked. Modification Time rpm -V attributes verified modification time Most operating systems keep track of the date and time that a file was last modified. RPM uses this to its advantage by keeping modification times in its database. When Verification Fails — <command>rpm -V</command> Output rpm -V output of When verifying a package, RPM produces output only if there is a verification failure. When a file fails verification, the format of the output is a bit cryptic, but it packs all the information you need into one line per file. Here is the format: SM5DLUGT c <file> Where: S is the file size. M is the file's mode. 5 is the MD5 checksum of the file. D is the file's major and minor numbers. L is the file's symbolic link contents. U is owner of the file. G is the file's group. T is the modification time of the file. c appears only if the file is a configuration file. config files This is handy for quickly identifying config files, as they are very likely to change, and therefore, very unlikely to verify successfully. <file> is the file that failed verification. The complete path is listed to make it easy to find. It's unlikely that every file attribute will fail to verify, so each of the eight attribute flags will only appear if there is a problem. Otherwise, a "." will be printed in that flag's place. Let's look at an example or two: .M5....T /usr/X11R6/lib/X11/fonts/misc/fonts.dir In this case, the mode, MD5 checksum, and modification time for the specified file have failed to verify. The file is not a config file (Note the absence of a "c" between the attribute list and the filename). S.5....T c /etc/passwd Here, the size, checksum, and modification time of the system password file have all changed. The "c" indicates that this is a config file. missing /var/spool/at/spool This last example illustrates what RPM does when a file, that should be there, is missing entirely. Other Verification Failure Messages When rpm -V finds other problems, the output is a bit easier to understand: # rpm -V blather Unsatisfied dependencies for blather-7.9-1: bother >= 3.1 # It's pretty easy to see that the blather package requires at least version 3.1 of the bother package. The output from a package's verification script is a bit harder to categorize, as the script's contents, as well as its messages, are entirely up to the package builder. Selecting What to Verify, and How rpm -V options There are several ways to verify packages installed on your system. If you've taken a look at RPM's query command, you'll find that many of them are similar. Let's start with the simplest method of specifying packages — the package label. The Package Label — Verify an Installed Package Against the RPM Database package label You can simply follow the rpm -V command with all or part of a package label. As with every other RPM command that accepts package labels, you'll need to carefully specify each part of the label you include. Keep in mind that package names are case-sensitive, so rpm -V PackageName and rpm -V packagename are not the same. Let's verify the initscripts package: # rpm -V initscripts # While it looks like RPM didn't do anything, the following steps were performed: For every file in the package, RPM checked the nine file attributes that were discussed above. If the package was built with dependencies, the RPM database was searched to ensure the packages that satisfy those dependencies were installed. If the package was built with a verification script, that script was executed. In our example, each of these steps was performed without error — the package verified successfully. Remember, with rpm -V you'll only see output if a package fails to verify. <command>-a</command> — Verify All Installed Packages Against the RPM Database -a option If you add -a to rpm -V, you can easily verify every installed package on your system. It might take a while, but when it's done, you'll know exactly what's been changed on your system: # rpm -Va .M5....T /usr/X11R6/lib/X11/fonts/misc/fonts.dir missing /var/spool/at/.lockfile missing /var/spool/at/spool S.5....T /usr/lib/rhs/glint/icon.pyc ..5....T c /etc/inittab ..5..... /usr/bin/loadkeys # Don't be too surprised if rpm -Va turns up a surprising number of files that failed verification. RPM's verification process is very strict! In many cases, the changes flagged don't indicate problems — they are only an indication of your system's configuration being different than what the builders of the installed packages had on their system. Also, some attributes change during normal system operation. However, it would be wise to check into each verification failure, just to make sure. <command>-f <replaceable><file></replaceable></command> — Verify the Package Owning <command><replaceable><file></replaceable></command> Against the RPM Database -f option Imagine this: you're hard at work when a program you've used a million times before suddenly stops working. What do you do? Well, before using RPM, you probably tried to find other files associated with that program and see if they had changed recently. Now you can let RPM do at least part of that sleuthing for you. Simply direct RPM to verify the package owning the ailing program: % rpm -Vf /sbin/cardmgr S.5....T c /etc/sysconfig/pcmcia % Hmmmm. Looks like a config file was recently changed. This isn't to say that using RPM to verify a package will always get you out of trouble, but it's such a quick step it should be one of the first things you try. Here's an example of rpm -Vf not working out as well: % rpm -Vf /etc/blunder file /etc/blunder is not owned by any package % (Note that the issue surrounding RPM and symbolic links mentioned in also applies to rpm -Vf. Watch those symlinks!) <command>-p <replaceable><file></replaceable></command> — Verify Against a Specific Package File -p option Unlike the previous options to rpm -V, each of which verified one or more packages against RPM's database, the -p option performs the same verification, but against a package file. Why on earth would you want to do this when the RPM database is sitting there just waiting to be used? Well, what if you didn't have an RPM database? While it isn't a common occurrence, power failures, hardware problems, and inadvertent deletions (along with non-existent backups) can leave your system "sans database". Then your system hiccups — what do you do now? This is where a CD full of package files can be worth its weight in gold. Simply mount the CD and verify to your heart's content: # rpm -Vp /mnt/cdrom/RedHat/RPMS/i386/adduser-1.1-1.i386.rpm # Whatever else might be wrong with this system, at least we can add new users. But what if you have many packages to verify? It would be a very slow process doing it one package at a time. That's where the next option comes in handy… <command>-g <replaceable><group></replaceable></command> — Verify Packages Belonging To <command><replaceable><group></replaceable></command> -g option When a package is built, the package builder must classify the package, grouping it with other packages that perform similar functions. RPM gives you the ability to verify installed packages based on their groups. For example, there is a group known as Shells. This group consists of packages that contain, strangely enough, shells. Let's verify the proper installation of every shell-related package on the system: # rpm -Vg Shells missing /etc/bashrc # One thing to keep in mind is that group specifications are case-sensitive. Issuing the command rpm -Vg shells wouldn't verify many packages: # rpm -Vg shells group shells does not contain any packages # <command>--nodeps</command>: Do Not Check Dependencies During Verification --nodeps option When the --nodeps option is added to a verify command, RPM will bypass its dependency verification processing. In this example, we've added the -vv option to so we can watch RPM at work: # rpm -Vvv rpm D: opening database in //var/lib/rpm/ D: verifying record number 2341208 D: dependencies: looking for libz.so.1 D: dependencies: looking for libdb.so.2 D: dependencies: looking for libc.so.5 # As we can see, there are three different capabilities that the rpm package requires: libz.so.1 libdb.so.2 libc.so.5 If we add the --nodeps option, the dependency verification of the three capabilities is no longer performed: # rpm -Vvv --nodeps rpm D: opening database in //var/lib/rpm/ D: verifying record number 2341208 # The line D: verifying record number 2341208 indicates that RPM's normal file-based verification proceeded normally. <command>--noscripts</command>: Do Not Execute Verification Script --noscripts option Adding the --noscripts option to a verify command prevents execution of the verification scripts of each package being verified. In the following example, the package verification script is executed: # rpm -Vvv bother D: opening database in //var/lib/rpm/ D: verifying record number 616728 D: verify script found - running from file /var/tmp/rpm-321.vscript + PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin + export PATH + echo This is the bother 3.5 verification script This is the bother 3.5 verification script # While the actual script is not very interesting, it did execute when the package was being verified. In the next example, we'll use the --noscripts option to prevent its execution: # rpm -Vvv --noscripts bother D: opening database in //var/lib/rpm/ D: verifying record number 616728 # As expected, the output is identical to the prior example — minus the lines dealing with the verification script, of course. <command>--nofiles</command>: Do Not Verify File Attributes --nofiles option The --nofiles option disables RPM's file-related verification processing. When this option is used, only the verification script and dependency verification processing are performed. In this example, the package has a file-related verification problem: # rpm -Vvv bash D: opening database in //var/lib/rpm/ D: verifying record number 279448 D: dependencies: looking for libc.so.5 D: dependencies: looking for libtermcap.so.2 missing /etc/bashrc # When the --nofiles option is added, the missing file doesn't cause a message any more: # rpm -Vvv --nofiles bash D: opening database in //var/lib/rpm/ D: verifying record number 279448 D: dependencies: looking for libc.so.5 D: dependencies: looking for libtermcap.so.2 # This is not to say that the missing file problem is solved, just that no file verification was performed. <command>-v</command> — Display Additional Information -v option Although RPM won't report an error with the command syntax if you include the -v option, you won't see much in the way of additional output: # rpm -Vv bash # Even if there are verification errors, adding -v won't change the output: # rpm -Vv apmd S.5....T /etc/rc.d/init.d/apm S.5....T /usr/X11R6/bin/xapm # The only time that the -v option will produce output is when the package being verified has a verification script. Any normal output from the script won't be displayed by RPM, when run without -v: Failure messages will always be displayed. # rpm -V bother # But when -v is added, the script's non-error-related output is displayed: # rpm -Vv bother This is the bother 3.5 verification script # If you're looking for more insight into RPM's inner workings, you'll have to try the next option: <command>-vv</command> — Display Debugging Information -vv option Sometimes it's necessary to have even more information than we can get with -v. By adding another v, that's just what we'll get: # rpm -Vvv rpm D: opening database in //var/lib/rpm/ D: verifying record number 2341208 D: dependencies: looking for libz.so.1 D: dependencies: looking for libdb.so.2 D: dependencies: looking for libc.so.5 # The lines starting with D: have been added by using -vv. We can see where the RPM database is located and what record number contains information on the rpm-2.3-1 package. Following that is the list of dependencies that the rpm package requires. In the vast majority of cases, it will not be necessary to use -vv. It is normally used by software engineers working on RPM itself, and the output can change without notice. However, it's a handy way to gain insights into RPM. <command>--dbpath <replaceable><path></replaceable></command>: Use <command><replaceable><path></replaceable></command> To Find RPM Database --dbpath option In order for RPM to do its handiwork, it needs access to an RPM database. Normally, this database exists in the directory specified by the rpmrc file entry, dbpath. By default, dbpath is set to /var/lib/rpm. Although the dbpath entry can be modified in the appropriate rpmrc file, the --dbpath option is probably a better choice when the database path needs to be changed temporarily. An example of a time the --dbpath option would come in handy is when it's necessary to examine an RPM database copied from another system. Granted, it's not a common occurrence, but it's difficult to handle any other way. <command>--root <replaceable><path></replaceable></command>: Set Alternate Root to <command><replaceable><path></replaceable></command> --root option Adding --root <path> to a verify command forces RPM to assume that the directory specified by <path> is actually the "root" directory. In addition, RPM expects its database to reside in the directory specified by the dbpath rpmrc file entry, relative to <path>. For more information on rpmrc file entries, see . Normally this option is only used during an initial system install, or when a system has been booted off a "rescue disk", and some packages need to be re-installed in order to restore normal operation. <command>--rcfile <replaceable><rcfile></replaceable></command>: Set Alternate <filename>rpmrc</filename> file to <command><replaceable><rcfile></replaceable></command> --rcfile option The --rcfile option is used to specify a file containing default settings for RPM. Normally, this option is not needed. By default, RPM uses /etc/rpmrc and a file named .rpmrc, located in your login directory. This option would be used if there was a need to switch between several sets of RPM options. Software developer and package builders will be the people using --rcfile. For more information on rpmrc files, see . We've Lied to You… rpm -V verification, control of Not really; we just omitted a few details until you've had a chance to see rpm -V in action. Here are the details: RPM Controls What Gets Verified Depending on the type of file being verified, RPM will not verify every possible attribute. Here is a table showing the attributes checked for each of the different file types: Verification Versus File Types File Type File Size Mode MD5 Checksum Major Number Minor Number Symlink String Owner Group Modification Time Directory File - X - - - - X X - Symbolic Links - X - - - X X X - FIFO - X - - - - X X - Devices - X - X X - X X - Regular Files X X X - - - X X X

The Package Builder Can Also Control What Gets Verified When a package builder creates a new package, they can control what attributes are to be verified on a file-by-file basis. The reasons for excluding specific attributes from verification can be quite involved, but here's an example just to give you the flavor: When a person logs into a system, there are device files associated with that user's terminal session. In order for the terminal device (called tty) to function properly, the owner and group of the device must change to that of the person logging in. Therefore, if RPM were to verify the package that created the tty device files, any ttys that were in use at the time would fail to verify. However, by using the %verify See for details on %verify directive, a package builder can save you from trivial verification failures. @ 1.1.1.1 log @Import book 'Maximum RPM' by Ed Bailey, version 1.0 @ text @@