[OT] Yum and other internet cr@p

Bill Fink yellowdog-general@lists.terrasoftsolutions.com
Fri Jun 18 08:23:01 2004


As a followup, if disk corruption is suspected with a package, you
can check the integrity of an RPM package by:

	First, find out what package a file belongs to, for example:

	gwiz% rpm -qf /usr/bin/yum
	yum-1.0-1d

	Then, to check the integrity of the yum RPM package:

	gwiz% rpm --verify yum
	S.5....T c /etc/yum.conf
	....L...   /var/cache/yum

Checking the rpm man page lets you know that the file size ('S'),
MD5 sum ('5'), and modification time ('T') for the /etc/yum.conf
file differ from what's in the RPM database, but this is to be
expected since the 'c' character lets you know this is a configuration
file that is normally modified by the user.  The 'L' indication on
/var/cache/yum specifies a "readLink(2) path mis-match", and is
because on my system I moved the /var/cache/yum directory to a
different partition and made /var/cache/yum be a symbolic link
to the new location.

Note that there can be legitimate reasons for package inconsistencies,
as sometimes the package installation itself will modify certain files.
One way to check this is to also run the "rpm --verify" command on
another known good system.

To fix the problem, after first correcting any underlying problems
such as bad blocks on a disk, just download the RPM package from
one of the YellowDog mirrors, and reinstall it with rpm using
the "--force" option.

The "rpm --verify" option can also be useful if you suspect you may
have been hacked and your system compromised.  Just download the RPM
package from one of the YellowDog mirrors, and run the "rpm --verify"
command against the package file with the "-p" option, such as:

	gwiz% rpm --verify -p yum-1.0-1d.noarch.rpm
	S.5....T c /etc/yum.conf
	....L...   /var/cache/yum

Hackers like to install trojan versions of certain commonly used
commands such as ls (part of fileutils package) and ps (part of
procps package), so the fileutils and procps packages are examples
of packages you might want to verify if you suspect being hacked
(there are certainly other programs/packages that a hacker might
try to compromise).  It's a simple alternative to a more comprehensive
scheme such as running tripwire.

						-Bill



On Fri, 18 Jun 2004, I wrote:

> Hi Norberto,
> 
> On Thu Jun 17 2004, Norberto Quintanar wrote:
> 
> > Then I repaired the rpm database using:
> > 
> > rpm -vv --rebuilddb
> > 
> > -vv gives you a visual to the rebuild
> > 
> > after all that I removed yum again rebuilt it 
> > 
> > and voila:
> > 
> > Traceback (most recent call last):
> >   File "/usr/bin/yum", line 36, in ?
> >     if not os.path.exists('/proc/' + oldpid):
> >   File "/usr/lib/python2.2/posixpath.py", line 171, in exists
> >     st = os.stat(path)
> > TypeError: stat() argument 1 must be (encoded string without NULL
> > bytes), not str
> > 
> > No dice.
> 
> Does your /var/run/yum.pid happen to contain any weird characters?
> Try removing it.  And make sure /proc is still mounted.  Also tail
> /var/log/messages to make sure you aren't having any hardware problems.
> 
> 						-Bill
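
An added example (not part of the original post): a small shell filter that sorts "rpm --verify" output into expected config-file changes, items to review, and changes to treat as alerts. The function names, the EXPECTED/REVIEW/ALERT labels and every sample line other than the two yum lines shown in the post are assumptions constructed for illustration.

```shell
#!/bin/sh
# Triage `rpm --verify` output read on stdin (added example, not from the post).
# Live use (assumed invocation): rpm --verify fileutils procps | triage_rpm_verify
#
# EXPECTED: differences on a file marked "c" (configuration file)
# ALERT:    file missing, or MD5 sum (5), mode (M), user (U) or group (G)
#           differs on a non-config file
# REVIEW:   anything else, e.g. symlink (L) or modification time (T) only

triage_rpm_verify() {
    awk '
    NF == 0 { next }
    {
        flags = $1
        rest = $0
        sub(/^[ \t]*[^ \t]+[ \t]+/, "", rest)   # drop the attribute column
        marker = "-"
        if (rest ~ /^[a-z][ \t]+\//) {          # optional file-type marker
            marker = substr(rest, 1, 1)
            sub(/^[a-z][ \t]+/, "", rest)       # keep only the path
        }
        if (flags == "missing")     level = "ALERT"
        else if (marker == "c")     level = "EXPECTED"
        else if (flags ~ /[5MUG]/)  level = "ALERT"
        else                        level = "REVIEW"
        print level, flags, rest
    }'
}

# Constructed sample input. The first two lines are the yum output quoted in
# the post; the remaining lines are made up to exercise the other branches.
sample_verify_output() {
    cat <<'EOF'
S.5....T c /etc/yum.conf
....L...   /var/cache/yum
S.5....T   /bin/ls
.M......   /bin/ps
missing    /usr/bin/yum
.......T   /usr/share/doc/example/README
EOF
}

sample_verify_output | triage_rpm_verify
```

Piping in the output of "rpm --verify -p" run on a freshly downloaded package file, as in the post, compares the installed files against that package rather than against the local RPM database.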