lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Sat, 1 Oct 2011 21:06:12 +0200
From:	Willy Tarreau <w@....eu>
To:	Andy <akwatts@...il.com>
Cc:	schwab@...ux-m68k.org, Greg KH <greg@...ah.com>,
	Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: kernel.org status: hints on how to check your machine for intrusion

On Sat, Oct 01, 2011 at 01:40:44PM -0500, Andy wrote:
> On Sat, Oct 01, 2011 at 07:54:56PM +0200, Willy Tarreau wrote:
> >   $ git config tar.umask 022
> 
> Andreas/Willy:
> 
> It was indeed umask which was skewing the results. Thanks.
> 
> Now, I'll wait for Willy's hashes since I can't drill down on
> Linus' 2.6 tree beyond 2.6.x.

OK I'm attaching two files, one computed with the initial 002 perms and
a second one with the new 022 perms. I don't precisely know when the perms
changed, hence the two files. I noticed that 2.6.25 was still 002, and that
2.6.32 was 022. In between I don't know. Note that I'm missing some tags
(at least 2.6.35.12 and a few 2.6.33.x and 2.6.34.x).

The file is formated to be easily used with "md5sum -c" that dirty way
(once hashes are split/joined at the location where the umask changed) :

  cd /path/to/mirror/2.6
  cp linux-*.tar.gz /tmp
  cd /tmp
  gunzip linux-*.tar.gz
  md5sum -c expected-hashes.md5

It would be nice if someone with an access to a mirror could check the
perms of *every* tarball so that we can establish the definitive list
of signatures. I'm pretty sure the umask history is not linear. For
instance, I'm pretty sure I did not change the umask in my config when
releasing 2.6.27.x kernels and it seems like Greg did not do this either
so we have 2.6.27 022 and 2.6.27.x 002. Something like this might do it
(untested) :

  for i in linux-*.tar.gz; do
    set -- $(tar tvf $i|head -1)
    [ "$1" == "drwxrwxr-x" ] && echo "$i 002" || echo "$i 022"
  done

Hoping this helps a bit.

Willy


View attachment "expected-hashes-002.md5" of type "text/plain" (11519 bytes)

View attachment "expected-hashes-022.md5" of type "text/plain" (12565 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ