Issue
I want to be able to verify ALL files against the rpm database (all files originating from an rpm, that is).
Example: When I ask rpm to verify the package carrying /etc/hosts, I get:
# rpm -Vv setup-2.8.14-16.el6.noarch
......... c /etc/aliases
S.5....T. c /etc/bashrc
......... c /etc/csh.cshrc
......... c /etc/csh.login
......... c /etc/environment
......... c /etc/exports
......... c /etc/filesystems
......... c /etc/group
......... c /etc/gshadow
......... c /etc/host.conf
......... c /etc/hosts
......... c /etc/hosts.allow
(stuff deleted)
I want to see that e.g. /etc/hosts is changed. How do I do this?
Solution
An rpm spec file can explicitly say what aspects of a file should be verified by -V, and configuration files (shown by the c in the 2nd column of your output) are usually expected to be changed, and are not overridden on an update.
You can get the original file size and ownership fairly easily with rpm -qlv, so you can do an ls of the same files and then compare them. For example,
rpm=setup
rpm -ql "$rpm" |
  xargs ls -ld --time-style='+%b %d %Y' |
  tr -s ' ' |
  sort -k9 |
  diff -u <(rpm -qlv "$rpm" | tr -s ' ' | sort -k9) -
can show changes (- prefix from rpm, + now) or not (space prefix).
Here's a script that takes a list of package names and uses --dump to get the checksum info (etc), which on my Fedora 22 seems to be a sha256sum rather than an md5sum, and compares it with the real file. Though rpm -V has an extra final field, "capabilities differ", this info isn't provided in the dump output.
#!/bin/bash
# Usage: script pkg...   Compare each packaged file with its rpm --dump record.
for pkg
do  rpm -q --dump "$pkg" |
    while read -r path size mtime digest mode owner group isconfig isdoc rdev symlink
    do  if [ "$path" = package ] # not installed
        then echo "$path $size $mtime $digest $mode"
             continue
        fi
        S=. M=. F=. D=. L=. U=. G=. T=.
        # stat fails if the file has been removed; report it like rpm -V does
        if ! type=$(stat --format='%F' "$path" 2>/dev/null)
        then echo "missing  $path"
             continue
        fi
        if [ "$type" = "regular file" ]
        then if realsum=$(sha256sum <"$path")
             then [ "$digest" != "${realsum%% *}" ] && F=5
             else F=?
             fi
        elif [ "$type" = "symbolic link" ]
        then reallink=$(readlink "$path")
             [ "$symlink" != "$reallink" ] && L=L
        # elif [ "$type" = "directory" ] ...
        fi
        # size, owner, group, mtime and raw hex mode of the file on disk
        read -r s u g t hexmode < <(stat --format='%s %U %G %Y %f' "$path")
        realmode=$(printf "%07o" "0x$hexmode")
        realmode6=$(printf "%06o" "0x$hexmode")
        [ "$mode" != "$realmode" ] && [ "$mode" != "$realmode6" ] && M=M
        [ "$size" != "$s" ] && S=S
        [ "$owner" != "$u" ] && U=U
        [ "$group" != "$g" ] && G=G   # compare the packaged group, not the owner
        [ "$mtime" != "$t" ] && T=T
        flags="$S$M$F$D$L$U$G$T"
        [ "$flags" = "........" ] ||
            echo "$flags $path" # missing: P capabilities
    done
done
Answered By - meuh Answer Checked By - Dawn Plyler (WPSolving Volunteer)
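The flag strings in the rpm -V output quoted in the question (for example S.5....T. c /etc/bashrc) can be triaged mechanically. The following is an added example, not part of the original answer: a POSIX shell function that decodes each verify line and ranks it. The ALERT/REVIEW/INFO labels, the ranking rules and all sample paths except the first two are assumptions made for illustration.

```shell
# Added example: triage `rpm -V` / `rpm -Va` output read on stdin.
# ALERT/REVIEW/INFO are this example's own labels, not rpm output.
triage_rpm_verify() (
    while IFS= read -r line; do
        case $line in
            missing*) flags=missing rest=${line#missing} ;;
            *)  rest=${line#?????????}          # drop the 9 flag characters
                flags=${line%"$rest"}
                case $flags in ''|*[!SM5DLUGTP.?]*) continue ;; esac ;;
        esac
        case $rest in ' '*) ;; *) continue ;; esac
        rest=${rest#"${rest%%[! ]*}"}           # trim leading spaces
        attr=-                                  # c=config d=doc g=ghost l=license r=readme
        case $rest in
            [cdglr]' '*) attr=${rest%% *}; rest=${rest#? }
                         rest=${rest#"${rest%%[! ]*}"} ;;
        esac
        case $rest in /*) path=$rest ;; *) continue ;; esac
        reasons=
        for pair in S:size M:mode 5:digest D:device L:symlink U:owner G:group \
                    T:mtime P:capabilities '?:unverified' missing:missing; do
            case $flags in *"${pair%%:*}"*) reasons="$reasons${pair#*:}," ;; esac
        done
        case ,$reasons in
            ,) continue ;;                      # unchanged, as -Vv prints
            *,mode,*|*,owner,*|*,group,*|*,capabilities,*) sev=ALERT ;;
            ,mtime,) sev=INFO ;;                # timestamp only
            *) case $attr in c) sev=REVIEW ;; *) sev=ALERT ;; esac ;;
        esac
        printf '%s %s %s\n' "$sev" "$path" "${reasons%,}"
    done
)
# Constructed sample; only the first two lines come from the output above.
sample_verify_output() {
    cat <<'EOF'
......... c /etc/aliases
S.5....T. c /etc/bashrc
S.5....T.   /usr/bin/example-tool
.M...UG.. c /etc/gshadow
.......T.   /usr/share/example/readme
missing   c /etc/exports
EOF
}
sample_verify_output | triage_rpm_verify
```

On a real system, pipe rpm -Va into triage_rpm_verify in place of the sample function.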