Comments on: Restorecon Equivalent for Unix Permissions

By: Jeff Schroeder

Jeff Schroeder — Wed, 14 Nov 2007 05:45:19 +0000

Russell, here is a finished version for you:
http://www.digitalprognosis.com/opensource/scripts/restoreperms

I thought about setting this up to work with normal (read non-rpm managed) files and decided against it. Just create a quick hacky spec of everything in /usr/local/bin/* and then you can use this. If not, maybe it will help you out someday? Thanks for the idea though, it was all yours.

It now shows which files have changed and the permissions they are currently vs the ones they should be. If you have an rpm distro installed, check it out.

By: etbe

etbe — Tue, 13 Nov 2007 21:56:36 +0000

Vaclav: It sounds like BSD is doing some good things in this regard, so all we need to do is to update dpkg to allow the same.

Name: An IDS is not a tool for recovering from sys-admin mistakes, and Tripwire etc are not integrated with the packaging system (the primary authoritative source of data about such things).

http://blog.steve.org.uk/articles/2007/11/13/i-love-this-hive-employee

Gurkan: your comment is similar to Steve Kemp’s suggestion in his blog. Still not part of the system.

By: Gurkan

Gurkan — Tue, 13 Nov 2007 20:13:46 +0000

file permissions? like this?
http://www.linuks.mine.nu/perms/perms

By: Name (required)

Name (required) — Tue, 13 Nov 2007 13:55:55 +0000

Isnt this what ids like aide, tripwire, samhain, etc, etc are for?

By: Vaclav Ovsik

Vaclav Ovsik — Tue, 13 Nov 2007 11:48:14 +0000

etbe: I think you are not right. BSD systems have binary packages. For example: ftp://ftp.cz.freebsd.org/pub/FreeBSD/ports/i386/
If you look inside some package, you will see some topmost files and +MTREE_DIRS in between. Mtree is build into *BSD packaging system I think. And maybe Debian can add something similar aside debsums for this into dpkg. Something like mtree file can be generated in package building phase I think.

By: etbe

etbe — Tue, 13 Nov 2007 10:13:56 +0000

Andrew: I’ve updated the post, debsums doesn’t address this problem at all. In a quick test running chmod on a file was not detected by it.

Jeff: Great work! Now all we need is to have it consult another data source for files that aren’t owned by RPM packages and we’ll have a Unix permissions equivalent to restorecon.

Vaclav: That seems to be more like Tripwire than what I’m interested in. It starts with copying the permissions from an installed system rather than using installation binaries to get the permissions - which makes sense as BSD doesn’t have binary packages.

By: Vaclav Ovsik

Vaclav Ovsik — Tue, 13 Nov 2007 09:31:39 +0000

Grrr freebsd-mtree from freebsd5-buildutils is nonfunctional.

By: Vaclav Ovsik

Vaclav Ovsik — Tue, 13 Nov 2007 09:20:32 +0000

There is an interesting command mtree on *BSD systems.
I’m Debianist, but I know this from some FreeBSD running at my company.

Googled:
http://www.freebsd.org/cgi/man.cgi?query=mtree&sektion=8
http://blogs.techrepublic.com.com/security/?p=283

mtree is packaged in freebsd5-buildutils and its called freebsd-mtree.

Maybe, there is something more appropriate…

By: Jeff Schroeder

Jeff Schroeder — Tue, 13 Nov 2007 08:50:58 +0000

Well you’ll need to package everything under /usr/local/bin/* into rpm format. There isn’t another way with rpm to the best of my knowledge.

This quick hack was knocked up in about 20 minutes (to perfect it):
http://pastebin.com/f3c64c387

If my webhost wasn’t down right now, I’d simply upload it to my website.

So download that script, save it as restoreperms and do this to run “restorecon”:
restoreperms -p $packagename -f

Russel, let me know if you like it. I’ll add more features in the morning after some sleep

By: Andrew Pollock

Andrew Pollock — Tue, 13 Nov 2007 06:41:50 +0000

debsums does something similar to rpm -V, provided the package provides md5sums.