FC12: Hidden files in /usr/bin/*
Przemek Klosowski
przemek.klosowski at nist.gov
Fri Jan 22 23:09:01 UTC 2010
On 01/22/2010 05:30 PM, Matt Domsch wrote:
> On Fri, Jan 22, 2010 at 03:06:24PM -0500, Peter Jones wrote:
>> Well, the standard IIRC does want them to be separate, though again it's
>> important to realize that this check isn't meant to protect against an
>> attack, but rather to check against erroneous corruption of the binary. It
>> seems unlikely that such corruption would change the checksum to match the
>> errors ;)
>>
>>> The separate /lib directory tree seems the way to go, to me. That way
>>> the checksum files could be named the same as what they check, no magic
>>> needed.
>
> teach fipscheck to ask rpmlib ? rpm -V. We already have this method.
>
Fipscheck is more sophisticated---it checks its own integrity before
checking the binary. It's a cruel world out there.
More information about the devel
mailing list