Re: mysterious files on a fedora system but not from rpm

On 18Nov2007 10:20, Dave Burns <tburns@xxxxxxxxxx> wrote:
| > Practically all .py modules will get turned into .pyc files and
| > won't match the manifests.
| 
| So any *.py file may generate a <same name>.pyc file?

Yes, if the interpreter has rights to write to that portion of the
filesystem.

| So if I am trying to be security conscious (anal) and track stuff so I
| can say, "Yeah that belongs there" or "Hey this might be part of a
| rootkit", this makes a big gray area, right?

You can make the same argument about squid caches etc.
Your point is valid though.

| Is there a way I can
| verify that a particular .pyc comes from a .py that *is* on the
| manifest?

I'm not sure. You could write a python script using its "compile()"
function maybe; I don't know how big a step it is from that to a .pyc
file.

| Any way I can request that all .pyc's be constructed *now*
| so I can scan them with tripwire?

One crude approach: remove all the .pyc files. Run a small shell script to
source each python file (using import "modulename" - a lot of modules have
"run a demo/self-test if I am the main program" hooks). Chown root all the
new .pyc files if they're not already so. Run tripwire.

| Some way to deal with this other
| than, "Well, it has the same filename as something that belongs
| there"?

These are questions I cannot answer. [...snip...]

| > There are also a few dynamically created configuration and
| > database files floating around Fedora.
| 
| Those would presumably not be executable and seem easier to cope with,

Remember that "data" files, like .pyc files, are in effect "interpreted"
by the tools that use them, because they make decisions based on their
content. For certain data files, a misdecision can be as subversive as
a trojan .pyc file. Eg a bogus password file with a trojan in the
"shell" column for root (or any other user, such as yourself).
And so forth.

| though I suppose there is still an issue of when can you be sure they
| are all in place? And I suppose that can't be answered in general, but
| must be answered on a case by case basis.

Yeah, I think so. This is why sandboxes are desirable for things you
don't trust. On a UNIX box, special purpose users constitute a kind of
simple sandbox.

Cheers,
-- 
Cameron Simpson <cs@xxxxxxxxxx> DoD#743
http://www.cskk.ezoshosting.com/cs/

Microsoft is not the ANSWER.
  Microsoft is the QUESTION,
    and the ANSWER is NO!       - Roland.Giersig@xxxxxxxxxxxxxx
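
The check asked about above (does a given .pyc come from a .py that is on the manifest), as an added example that is not part of the original message. It assumes Python 3.7+ (16-byte .pyc header) and the same interpreter version and optimization level that built the .pyc; the function names are hypothetical.

```python
import importlib.util
import marshal
import os
import py_compile
import tempfile

HEADER_LEN = 16  # .pyc header on Python 3.7+: magic, flags, 8 bytes of mtime/size or hash


def load_pyc_code(pyc_path):
    """Return the code object stored in a .pyc built by this interpreter version."""
    with open(pyc_path, "rb") as f:
        data = f.read()
    if data[:4] != importlib.util.MAGIC_NUMBER:
        raise ValueError("magic number mismatch: built by another Python version")
    # marshal is not hardened against malformed input: on a host you suspect,
    # run this check as an unprivileged, special-purpose user.
    return marshal.loads(data[HEADER_LEN:])


def pyc_matches_source(py_path, pyc_path):
    """True if the .pyc holds the same code that compiling py_path yields now."""
    with open(py_path, "rb") as f:
        expected = compile(f.read(), py_path, "exec", dont_inherit=True)
    try:
        actual = load_pyc_code(pyc_path)
    except (ValueError, EOFError, TypeError):
        return False  # wrong version, truncated, or not a .pyc at all
    # Code-object equality covers bytecode, constants and names, recursively.
    return actual == expected


def demo():
    """Constructed sample: one honest .pyc and one built from altered source."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "mod.py")
        altered_src = os.path.join(d, "other.py")
        with open(src, "w") as f:
            f.write("def greet(name):\n    return 'hello ' + name\n")
        with open(altered_src, "w") as f:
            f.write("def greet(name):\n    return 'goodbye ' + name\n")
        good = os.path.join(d, "mod.pyc")
        bad = os.path.join(d, "mod_tampered.pyc")
        py_compile.compile(src, cfile=good, doraise=True)
        py_compile.compile(altered_src, cfile=bad, dfile=src, doraise=True)
        return pyc_matches_source(src, good), pyc_matches_source(src, bad)


if __name__ == "__main__":
    print(demo())
```

Run it only against .py files whose checksums already match the package manifest, since a match proves nothing if the source itself has been altered.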
