RPM verifies. What do those letters mean?

A good way to make sure that your RPM packages haven't been tampered with is to do a verify. You do this by using the command "rpm -V package_name". I've discussed this in a Linux Journal Sysadmin's Corner article.

http://www.linuxjournal.com/article.php?sid=5345

When the command returns, you will see a number of columns. There are nine columns and they have nothing to do with User/Group/Other. Here's a little "legend" to remember (note that there is one for each of the nine positions).

SM5DLUGT c file_name

For example, here is what I get when I do an "rpm -V setup".

    $ rpm -V setup
    S.5....T c /etc/bashrc
    S.5....T c /etc/printcap
    S.5....T c /etc/profile
    ..?..... c /etc/securetty
    .M...... c /etc/shadow

I'm going to start from the far right because it is particularly important to note. If you see a lower-case "c" sitting there, this is telling you that the file is a configuration file. In all likelihood, it has been changed since the package was installed. The "c" lets you quickly determine if it is likely that this file would have changed. In all those cases, it seems likely that something would have been changed (with the possible exception of /etc/securetty, but this is my personal system and I muck about with things).

Anyhow, let's go back over to the left and start again. The "S" stands for the file's size. If the size has been modified, an "S" will appear in the first position. The "M" is the file's permissions, or mode (as in chmod). The "5" refers to the MD5 checksum for the file. If the file's size has been modified (see attribute 1 on the left), then this one will definitely be on! "D" stands for the file's major and minor numbers, so you are only going to see this with device files. Here's a sample of one of my device files.

    .M...UG. /dev/hde1

The next position, the "L", represents a file's symbolic link contents (not the file itself). The next one is "U", the user who owns the file. Note that my /dev/hde1 has been changed, from root, in my case, to my own user ID. It just happens to be where my digital camera's compact flash card gets mounted. Next in line is, you guessed it, "G" for group. And finally, "T" represents time, specifically the modification time on the file.

Have a look at what happens to my pam package when I modify a line in /etc/security/access.conf and re-run "rpm -V".

    # rpm -V pam
    S.5....T c /etc/security/access.conf

The file's size, md5sum, and modification time have all been changed (which makes sense).

The original time stamp on this file was Oct 24, 2001 at 16:11. Let's change the modification time back to that date by using the "touch" command.

    touch -m -t 200110241611 /etc/security/access.conf

When we run "rpm -V" again, it gets interesting.

    # rpm -V pam
    S.5..... c /etc/security/access.conf

Notice that the "T" is gone. Cool? Cool. We now return you to our regularly scheduled Linux work.
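
As an added example (not part of the original tip and not rpm's own code), here is one way to decode this output in Python and pick out the lines worth a closer look. The function names are hypothetical, the last sample line is constructed, and the ninth "P" column is accepted on the assumption that the output may come from a newer rpm than the one shown above.

```python
import re

# Attribute names in the order rpm prints the flag columns. The page's legend
# covers the first eight; newer rpm releases append a ninth, "P" (capabilities).
NAMES = ["size", "mode", "digest", "device", "symlink",
         "user", "group", "mtime", "capabilities"]

# flags (or the word "missing"), optional file-type marker such as "c", path
LINE = re.compile(r"^(missing|[SM5DLUGTP.?]{8,9})\s+(?:([cdglr])\s+)?(/.*)$")

def parse_line(line):
    """Decode one line of `rpm -V` output; return None if it is not one."""
    m = LINE.match(line.strip())
    if m is None:
        return None
    flags, marker, path = m.groups()
    rec = {"path": path, "config": marker == "c", "missing": flags == "missing",
           "changed": [], "unverified": []}
    if not rec["missing"]:
        for ch, name in zip(flags, NAMES):
            if ch == "?":        # rpm could not run this test (e.g. unreadable file)
                rec["unverified"].append(name)
            elif ch != ".":      # "." means the test passed
                rec["changed"].append(name)
    return rec

def needs_review(rec):
    """Missing file, or size/digest change, on a file not marked as config.
    mtime is deliberately ignored: it can be reset with touch."""
    content_changed = bool({"size", "digest"} & set(rec["changed"]))
    return not rec["config"] and (rec["missing"] or content_changed)

def review(text):
    """Return the paths in `rpm -V` output that deserve a closer look."""
    recs = filter(None, (parse_line(l) for l in text.splitlines()))
    return [r["path"] for r in recs if needs_review(r)]

# First four lines are from the page's sample output; the last is constructed.
SAMPLE = """\
S.5....T c /etc/bashrc
..?..... c /etc/securetty
.M...UG. /dev/hde1
S.5..... c /etc/security/access.conf
S.5..... /usr/bin/example
"""

if __name__ == "__main__":
    print("review:", review(SAMPLE))
```

The access.conf line still decodes to a size and digest change after the touch; only the mtime flag dropped out, which is why the filter does not rely on "T".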