| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 1 Oct 2011 12:24:38 -0700 From: Greg KH <greg@...ah.com> To: Willy Tarreau <w@....eu> Cc: Andy <akwatts@...il.com>, schwab@...ux-m68k.org, Linux Kernel Mailing List <linux-kernel@...r.kernel.org> Subject: Re: kernel.org status: hints on how to check your machine for intrusion On Sat, Oct 01, 2011 at 09:06:12PM +0200, Willy Tarreau wrote: > On Sat, Oct 01, 2011 at 01:40:44PM -0500, Andy wrote: > > On Sat, Oct 01, 2011 at 07:54:56PM +0200, Willy Tarreau wrote: > > > $ git config tar.umask 022 > > > > Andreas/Willy: > > > > It was indeed umask which was skewing the results. Thanks. > > > > Now, I'll wait for Willy's hashes since I can't drill down on > > Linus' 2.6 tree beyond 2.6.x. > > OK I'm attaching two files, one computed with the initial 002 perms and > a second one with the new 022 perms. I don't precisely know when the perms > changed, hence the two files. I noticed that 2.6.25 was still 002, and that > 2.6.32 was 022. In between I don't know. Note that I'm missing some tags > (at least 2.6.35.12 and a few 2.6.33.x and 2.6.34.x). > > The file is formated to be easily used with "md5sum -c" that dirty way > (once hashes are split/joined at the location where the umask changed) : > > cd /path/to/mirror/2.6 > cp linux-*.tar.gz /tmp > cd /tmp > gunzip linux-*.tar.gz > md5sum -c expected-hashes.md5 > > It would be nice if someone with an access to a mirror could check the > perms of *every* tarball so that we can establish the definitive list > of signatures. I'm pretty sure the umask history is not linear. For > instance, I'm pretty sure I did not change the umask in my config when > releasing 2.6.27.x kernels and it seems like Greg did not do this either > so we have 2.6.27 022 and 2.6.27.x 002. Something like this might do it > (untested) : > > for i in linux-*.tar.gz; do > set -- $(tar tvf $i|head -1) > [ "$1" == "drwxrwxr-x" ] && echo "$i 002" || echo "$i 022" > done > > Hoping this helps a bit. Very nice, thanks so much for providing an independant verification of the tarballs, it is much appreciated. And yes, the umask problem did trip us up when we did the initial verification as well, fun to see that you all figured out and solved the problem faster than I did :) thanks again, greg k-h -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists