With rpm -qV openssh-server
I will get a list of files that have changed compared to default.
~$ rpm -qV openssh-server
S.?....T. c /etc/ssh/sshd_config
~$
Can dpkg
on Ubuntu do the same?
As in dpkg/1.17.2, it implements --verify
option, according to this debian bug report.
Note this is a relatively new change to dpkg. Date: Thu, 05 Dec 2013 04:56:31 +0100
line in the dpkg v1.17.2 package shows this.
Here is a brief description of --verify
action quoted from the man page of dpkg.
-V, --verify [package-name...] Verifies the integrity of package-name or all packages if omit‐ ted, by comparing information from the installed paths with the database metadata. The output format is selectable with the --verify-format option, which by default uses the rpm format, but that might change in the future, and as such programs parsing this command output should be explicit about the format they expect.
So you may just use similar syntax as in yum
to perform verifications, and get results in rpm format.
For example:
dpkg --verify openssh-server
or just use dpkg --verify
to verify every single packge installed on you system.
P.S.
Running, say dpkg --verify bash
, on my machine gave me something like this. (I'm running dpkg/1.17.5)
??5?????? c /etc/bash.bashrc
??5?????? c /etc/skel/.bashrc
It seems that .deb packages only contain md5sums metadata for verification.
I don't thinks so, in Ubuntu md5 checksums are only stored for certain files. For any given package the list of files that have checksums can be found in
/var/lib/dpkg/info/<package>.md5sums
e.g
/var/lib/dpkg/info/openssh-server.md5sums
These generally don't contain a complete list of the files that have been installed by a package e.g. openssh-server.md5sums
bb5096cf79a43b479a179c770eae86d8 usr/lib/openssh/sftp-server
42da5b1c2de18ec8ef4f20079a601f28 usr/sbin/sshd
8c5592e0d522fa0f8f55f3c104479ef5 usr/share/lintian/overrides/openssh-server
cfcb67f58bcd1edcaa5a770863e49304 usr/share/man/man5/sshd_config.5.gz
71a51cbb514da3044b277e05a3ceaf0b usr/share/man/man8/sshd.8.gz
222d4da61fcb3c65b4e6e83944752f20 usr/share/man/man8/sftp-server.8.gz
You can use the debsums command (sudo apt-get install debsums) to check the files that have md5 signatures
debsums openssh-server
/usr/lib/openssh/sftp-server OK
/usr/sbin/sshd OK
/usr/share/lintian/overrides/openssh-server OK
/usr/share/man/man5/sshd_config.5.gz OK
/usr/share/man/man8/sshd.8.gz OK
/usr/share/man/man8/sftp-server.8.gz OK
There is tool debsums you can check out.
# apt-cache search debsums
debsums - tool for verification of installed package files against MD5 checksums
I use this command to check all the packages:
dpkg -l | awk {'print $2'} | xargs | debsums | grep -v 'OK'
You should need to install debsumbs, gawk and findutils packages.
Normally I have a list of files that I want to verify.
So here's a simple bash function that does more or less what you want:
dpkg-verify() {
exitcode=0
for file in $*; do
pkg=`dpkg -S "$file" | cut -d: -f 1`
hashfile="/var/lib/dpkg/info/$pkg.md5sums"
if [ -s "$hashfile" ]; then
rfile=`echo "$file" | cut -d/ -f 2-`
phash=`grep -E "$rfile\$" "$hashfile" | cut -d\ -f 1`
hash=`md5sum "$file" | cut -d\ -f 1`
if [ "$hash" = "$phash" ]; then
echo "$file: ok"
else
echo "$file: CHANGED"
exitcode=1
fi
else
echo "$file: UNKNOWN"
exitcode=1
fi
done
return $exitcode
}
Use like this:
dpkg-verify /bin/ls /usr/bin/ld
Output on my environment:
/bin/ls: ok
/usr/bin/ld: UNKNOWN
Of course, it should be fairly simple to write a similar alias/script to check the files from a specific package.