
RE: [cobalt-security] RPM Question



> After following some security discussions I added some rpm verify commands
> to a script I run nightly that does some security checks (runs
> chkrootkit0.40, files without owners, files with setuid).

Fancy sharing the script?

> I get the following appearing:
>
> rpm -V net-tools
> .M......   /usr/share/locale/de/LC_MESSAGES/net-tools.mo
> .M......   /usr/share/locale/fr/LC_MESSAGES/net-tools.mo
>
> This is telling me there is a problem with Mode (includes permissions and
> file type) of these two files (I think)

<snip>

> Should I just do a chmod 644 on these two files or should I change the
> package contents somehow? I haven't tampered with these files - this is
> how they came in as far as I can see.
>
> chmod 644 net-tools.mo will make the 'rpm -V' happy.....
>
It looks to me as though these files are to do with the localisation we did;
Will De Haan was the expert for that.  I don't think what you are proposing
will cause a problem, especially as, looking at the directory structure,
they are for French and German so probably not a concern for you in the US.

I have just rebuilt a Qube that was one of many that got hacked. After
seeing a post from someone saying they rebuilt theirs, patched it fully and
it was hacked in 24hrs, I was a bit concerned; then I noticed the experimental
Samba rpm.

Odd that the one noticeable symptom of a hacked Qube in this instance was
that Samba goes down and doesn't come back up. I decided to install the rpm
and then wait a few days to see if it gets hacked/falls over etc.  So far 3
days and no hack.

Advice: I would put that experimental rpm on; it may save you some grief.

Regards

Gavin

PS: I have just noticed 3 new patches from Sun for the Qube on Bluelink, only
one on the web page.  I have installed the DNS and WGET with no issues but
not the kernel - not quite brave enough for that today as I am nearly 600
miles from the Qube <smile>
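
An added example, not part of the original message and not the poster's script: one way a nightly check could decode `rpm -V` lines like the ones quoted above and separate metadata-only differences (such as `.M......`) from content changes. It assumes the standard `rpm -V` column layout (newer rpm adds a ninth `P` column); the `/sbin/ifconfig` and `/etc/example.conf` lines in the sample are constructed.

```python
import re

# Flag letters in `rpm -V` output; "." means the check passed, "?" not run.
FLAGS = {
    "S": "size", "M": "mode", "5": "digest", "D": "device", "L": "symlink",
    "U": "user", "G": "group", "T": "mtime", "P": "capabilities",
}
# Attribute flags, optional file-type marker (c/d/g/l/r), then the path.
LINE = re.compile(r"^([SM5DLUGTP.?]{8,9})\s+(?:([cdglr])\s+)?(/.*)$")
MISSING = re.compile(r"^missing\s+(?:([cdglr])\s+)?(/.*)$")

def parse_line(line):
    """Return (path, failed_checks, marker), or None for non-verify lines."""
    line = line.rstrip()
    m = MISSING.match(line)
    if m:
        return m.group(2), ["missing"], m.group(1)
    m = LINE.match(line)
    if not m:
        return None
    failed = [FLAGS[c] for c in m.group(1) if c in FLAGS]
    return m.group(3), failed, m.group(2)

def triage(output):
    """Split findings into content changes and metadata-only changes."""
    content, metadata = [], []
    for line in output.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        path, failed, marker = parsed
        # A missing file, or a changed digest on anything that is not a
        # config file (marker "c"), means packaged content was altered.
        if "missing" in failed or ("digest" in failed and marker != "c"):
            content.append((path, failed))
        else:
            metadata.append((path, failed))
    return content, metadata

# Constructed sample: the two lines from the post plus two invented ones.
SAMPLE = """\
.M......   /usr/share/locale/de/LC_MESSAGES/net-tools.mo
.M......   /usr/share/locale/fr/LC_MESSAGES/net-tools.mo
S.5....T   /sbin/ifconfig
S.5....T c /etc/example.conf
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```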