Part 1: Monitoring Package File Integrity

Note that Part 2 is available - automating this check with systemd timers.

Pacman -Qkk check script

Pacman has been a common element of my posts. Here’s a new one.

On [2015-04-03 Fri], I got some warnings during a system upgrade. See directory ownership differing on the Arch BBS for something similar. Here are a few of them:

cat /var/log/pacman.log | grep 'warning: directory'

Pacman has a method of verifying the integrity of package files.

pacman -Qkk
# results omitted for brevity

I looked around for how to fix this issue. One user suggested reinstalling the offending packages identified with pacman -Qkk. Once reinstalled, the correct permissions should be restored.

I tried this with colord and it seemed to do the trick. But with p7zip, after reinstalling,

warning: directory permissions differ on /usr/share/doc/p7zip/MANUAL/
filesystem: 704  package: 755
warning: directory permissions differ on /usr/share/doc/p7zip/MANUAL/commands/
filesystem: 704  package: 755
warning: directory permissions differ on /usr/share/doc/p7zip/MANUAL/switches/
filesystem: 704  package: 755

And after all it wasn’t fixed with colord. I hesitate to run amok changing these things if the fix is more complex than that, unless I’m certain such a change is necessary.

So with some further digging I came across a thread to settle this. Sounds like Pacman may report these differences due to actions performed by makepkg, which may change package contents (e.g. modified times, permissions) with respect to what pacman expects. I’m not sure where the pacman expectations are defined, though.

Anyway, an excellent monitoring method is proposed there: rather than worrying about the individual reports from pacman -Qkk, many of which are benign, diff successive runs of pacman -Qkk to see whether the output is changing; it is the change between runs that identifies problems.

How might this look

#!/bin/bash
# Keep the two most recent `pacman -Qkk` snapshots and mail the difference.
PDIR="$HOME/.pacqkk/"
PFILE="qkk"
# Recipient comes from the environment; abort with a message if it is unset.
EMAIL="${EMAIL:?set EMAIL to the address that should receive the report}"

if [ ! -d "$PDIR" ]
then
  mkdir -p "$PDIR"
fi

b_exists=false
if [ -f "${PDIR}${PFILE}_a" ]
then
  # Rotate: the previous run becomes _b so that _a is always the latest
  b_exists=true
  mv "${PDIR}${PFILE}_a" "${PDIR}${PFILE}_b"
fi

# pacman prints the per-file warnings on stderr, so capture both streams
pacman -Qkk > "${PDIR}${PFILE}_a" 2>&1

# [ b_exists ] would test a non-empty literal and always succeed;
# the variable's value has to be compared instead.
if [ "$b_exists" = true ]
then
  report=$(diff --suppress-common-lines --side-by-side \
    "${PDIR}${PFILE}_a" "${PDIR}${PFILE}_b")
  # Only send mail when something actually changed between the two runs.
  # $HOSTNAME is set by bash ($HOST is not).
  if [ -n "$report" ]
  then
    printf '%s\n' "$report" | mail -s "$HOSTNAME qkk diff" "$EMAIL"
  fi
fi

That will work for now. If you have some improvements, let me know!
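The script above diffs raw text, so a reordered line or a harmless modification-time change produces as much mail as a real one. As an added example (not part of the original post), here is a small Python comparison that parses the warning lines by package and path, reports only new, changed or resolved mismatches, and separates out those whose reason is something other than a modification-time difference. It assumes the `warning: <pkg>: <path> (<reason>)` line shape that `pacman -Qkk` prints, and uses constructed snapshots in place of the qkk_a/qkk_b files.

```python
import re

# Assumed `pacman -Qkk` line shapes: one warning per mismatching file,
#   warning: <pkg>: <path> (<reason>)
# followed by per-package summaries such as "<pkg>: N total files, M altered files"
WARN_RE = re.compile(r"^warning: (?P<pkg>[^:]+): (?P<path>.+?) \((?P<reason>[^)]+)\)$")

# Reasons that are usually makepkg/rebuild noise rather than tampering
BENIGN = {"Modification time mismatch"}


def parse_qkk(text):
    """Map (package, path) -> mismatch reason for every warning line; summaries are skipped."""
    findings = {}
    for line in text.splitlines():
        m = WARN_RE.match(line.strip())
        if m:
            findings[(m.group("pkg"), m.group("path"))] = m.group("reason")
    return findings


def compare_snapshots(old_text, new_text):
    """Diff two runs by (package, path) instead of by raw line.
    Returns sorted (pkg, path, reason) tuples under 'new', 'changed' (same file,
    different reason), 'resolved' (warning disappeared) and 'severe'
    (new/changed entries whose reason is not in BENIGN)."""
    old, new = parse_qkk(old_text), parse_qkk(new_text)
    added = [(p, f, new[(p, f)]) for p, f in sorted(new.keys() - old.keys())]
    changed = [(p, f, new[(p, f)]) for p, f in sorted(old.keys() & new.keys())
               if old[(p, f)] != new[(p, f)]]
    resolved = [(p, f, old[(p, f)]) for p, f in sorted(old.keys() - new.keys())]
    severe = [e for e in added + changed if e[2] not in BENIGN]
    return {"new": added, "changed": changed, "resolved": resolved, "severe": severe}


# Constructed snapshots standing in for qkk_b (previous run) and qkk_a (latest run)
OLD = """\
warning: p7zip: /usr/share/doc/p7zip/MANUAL/ (Permissions mismatch)
warning: bash: /etc/bash.bashrc (Modification time mismatch)
p7zip: 123 total files, 1 altered file
"""
NEW = """\
warning: p7zip: /usr/share/doc/p7zip/MANUAL/ (Permissions mismatch)
warning: bash: /etc/bash.bashrc (Size mismatch)
warning: coreutils: /usr/bin/ls (Size mismatch)
warning: vim: /usr/share/vim/vimrc (Modification time mismatch)
p7zip: 123 total files, 1 altered file
"""

if __name__ == "__main__":
    print(compare_snapshots(OLD, NEW)["severe"])
```

A binary or config whose size changed without a package upgrade (the 'severe' list) deserves a look; the mtime-only entries can be left to the routine mail.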

I’ll also run through how to configure ssmtp now, so that we can run the above script on a timer.

Install and Configure ssmtp

Ssmtp is a very minimal email delivery program. Minimal is why I’m using it.

It is very easy to install and configure.

Install:

sudo pacman -S ssmtp

Assuming you use gmail, go to the google app passwords page and generate a new app password.

With that in hand, edit the configuration file as shown below, replacing your details where necessary. See the Archwiki for more guidance.

cat /etc/ssmtp/ssmtp.conf
#
# /etc/ssmtp.conf -- a config file for sSMTP sendmail.
#

# The person who gets all mail for userids < 1000
# Make this empty to disable rewriting.
root=jothamapaloo@gmail.com

# The place where the mail goes. The actual machine name is required
# no MX records are consulted. Commonly mailhosts are named mail.domain.com
# The example will fit if you are in domain.com and you mailhub is so named.
mailhub=smtp.gmail.com:587

# Where will the mail seem to come from?
rewriteDomain=gmail.com

# The full hostname
hostname=ArchLenFlex

# Use SSL/TLS
UseTLS=Yes
UseSTARTTLS=Yes

# Username and password
AuthUser=jothamapaloo
AuthPass=mygmailapppassword

# Let from headers override default domain
FromLineOverride=Yes

I suggest following the security configuration section of the wiki, so that the app password in ssmtp.conf is not world-readable. The commands are below:

# as root
# add the group
groupadd ssmtp
# give the ssmtp group ownership of the config and the binary
chown :ssmtp /etc/ssmtp/ssmtp.conf
chown :ssmtp /usr/bin/ssmtp
# only root and the ssmtp group can read the config (it holds the password)
chmod 640 /etc/ssmtp/ssmtp.conf
# setgid: ssmtp runs with the ssmtp group, so any user can send mail
# without being able to read the config themselves
chmod g+s /usr/bin/ssmtp

And test it out.

echo "test body" | mail -s "test subject" user@domain.com

The message should be in your inbox in seconds. Please don’t use my email in your configs ;).

Next time I’ll show how to setup a systemd timer to run this automatically.
