Arch Linux

mmarch

Member

Registered: 2019-06-12

Posts: 5

[SOLVED]pacman -Qkk explanation

Hello!

After weeks of reading reading reading and trying (almost no experience with Linux) I finally got a (almost) usable system... then I broke it for my first time before I even finished it.
I was looking (and trying) for a i3-gaps key combination and pressed shutdown while upgrading the system with

pacman -Syu

I already fixed the problem (the last try which fixed at least something of the problem was reinstalling the kernel and building initrmfs) but while looking for a solution I also came across the command

pacman -Qkk

I understand that it queries the pacman database of installed packages and checks it for altered files.

In this question on the Arch forum the poster got some tempered files in the /usr/ directory and the user Scimmia says that they get changed during installation.

My question is now how can I see with the output of

pacman -Qkk

what maybe broke my system and how do I know if the changes in the output are okay or not (e.g. malware)? Against which file state does the command check the size and modification date? Is it the original file at the Arch mirror?

For example if I use

LLC_ALL=C pacman -Qkk | sed '/0 altered file/d' > changedPackages

the content of the generated file looks like this:

backup file: bash: /etc/skel/.bash_profile (Modification time mismatch)
backup file: bash: /etc/skel/.bash_profile (Size mismatch)
cups: 872 total files, 2 altered files
backup file: cups-pdf: /etc/cups/cups-pdf.conf (Modification time mismatch)
backup file: cups-pdf: /etc/cups/cups-pdf.conf (Size mismatch)
backup file: filesystem: /etc/fstab (Modification time mismatch)
backup file: filesystem: /etc/fstab (Size mismatch)
backup file: filesystem: /etc/group (Modification time mismatch)
backup file: filesystem: /etc/group (Size mismatch)
backup file: filesystem: /etc/gshadow (Modification time mismatch)
backup file: filesystem: /etc/gshadow (Size mismatch)
backup file: filesystem: /etc/hosts (Modification time mismatch)
backup file: filesystem: /etc/hosts (Size mismatch)
backup file: filesystem: /etc/passwd (Modification time mismatch)
backup file: filesystem: /etc/passwd (Size mismatch)
backup file: filesystem: /etc/resolv.conf (Modification time mismatch)
backup file: filesystem: /etc/resolv.conf (Size mismatch)
backup file: filesystem: /etc/shadow (Modification time mismatch)
backup file: filesystem: /etc/shadow (Size mismatch)
backup file: filesystem: /etc/shells (Modification time mismatch)
backup file: filesystem: /etc/shells (Size mismatch)
gimp: 4847 total files, 5 altered files
backup file: glibc: /etc/locale.gen (Modification time mismatch)
backup file: glibc: /etc/locale.gen (Size mismatch)
backup file: grub: /etc/default/grub (Modification time mismatch)
gtk2: 819 total files, 1 altered file
backup file: i3-gaps: /etc/i3/config (Modification time mismatch)
backup file: i3-gaps: /etc/i3/config (Size mismatch)
linux: 6537 total files, 9 altered files
backup file: pacman-mirrorlist: /etc/pacman.d/mirrorlist (Modification time mismatch)
backup file: pacman-mirrorlist: /etc/pacman.d/mirrorlist (Size mismatch)
python2-gobject2: 111 total files, 7 altered files
backup file: sudo: /etc/sudoers (Modification time mismatch)
backup file: sudo: /etc/sudoers (Size mismatch)
backup file: texlive-core: /etc/texmf/web2c/fmtutil.cnf (Modification time mismatch)
backup file: texlive-core: /etc/texmf/web2c/fmtutil.cnf (Size mismatch)
vlc: 1055 total files, 1 altered file
backup file: xorg-xinit: /etc/X11/xinit/xinitrc (Modification time mismatch)
backup file: xorg-xinit: /etc/X11/xinit/xinitrc (Size mismatch)

Is that file output okay or did I break more of my system?

Best regards, steve

Last edited by mmarch (2019-06-15 15:12:14)

olive

Member

From: Belgium

Registered: 2008-06-22

Posts: 1,490

Re: [SOLVED]pacman -Qkk explanation

The output seems pretty clear to me. The database contains the size of each installed file. pacman -Qkk also compare the timestamp. A mismatch can point to a corruption. But there are good reasons the system might want to change a file, and that s not taken into consideration by the database. This is the case in particular for /etc/passwd. This file contains the information about login names (and possibly password) of the users of the system. The file included in the package (filesystem) is just a base. There is no obvious way in general to know if the modification is legit. What I do in case of doubt is to manually extract the suspect file from the package and to compare it with the file in the system. If you know what the file is about, you will quickly find. You may also try to reinstall the package containing the offending file (I think this is always safe, provided that you do not --force it).

V1del

Forum Moderator

Registered: 2012-10-16

Posts: 21,657

Re: [SOLVED]pacman -Qkk explanation

That sed doesn't show you the files actually altered from the packages, you should look at the packages mentioned having altered files and whether you need reinstalls of the affected here. FWIW all the ones that are output as warnings are normal and expected to be configured (which is why they are back up files)

mmarch

Member

Registered: 2019-06-12

Posts: 5

Re: [SOLVED]pacman -Qkk explanation

Thank you very much for your replies!

So I looked at the packages and also reinstalled all altered packages which were not listed as backup. Reinstalling removed gimp and cups from the list but there are still some left:

warning: java-runtime-common: /usr/lib/jvm/default (Symlink path mismatch)
warning: java-runtime-common: /usr/lib/jvm/default (Modification time mismatch)
warning: java-runtime-common: /usr/lib/jvm/default-runtime (Symlink path mismatch)
warning: java-runtime-common: /usr/lib/jvm/default-runtime (Modification time mismatch)
java-runtime-common: 21 total files, 2 altered files

warning: linux: /usr/lib/modules/5.1.8-arch1-1-ARCH/modules.alias (Modification time mismatch)
warning: linux: /usr/lib/modules/5.1.8-arch1-1-ARCH/modules.alias (Size mismatch)
warning: linux: /usr/lib/modules/5.1.8-arch1-1-ARCH/modules.alias.bin (Modification time mismatch)
warning: linux: /usr/lib/modules/5.1.8-arch1-1-ARCH/modules.alias.bin (Size mismatch)
warning: linux: /usr/lib/modules/5.1.8-arch1-1-ARCH/modules.builtin.bin (Modification time mismatch)
warning: linux: /usr/lib/modules/5.1.8-arch1-1-ARCH/modules.dep (Modification time mismatch)
warning: linux: /usr/lib/modules/5.1.8-arch1-1-ARCH/modules.dep (Size mismatch)
warning: linux: /usr/lib/modules/5.1.8-arch1-1-ARCH/modules.dep.bin (Modification time mismatch)
warning: linux: /usr/lib/modules/5.1.8-arch1-1-ARCH/modules.dep.bin (Size mismatch)
warning: linux: /usr/lib/modules/5.1.8-arch1-1-ARCH/modules.devname (Modification time mismatch)
warning: linux: /usr/lib/modules/5.1.8-arch1-1-ARCH/modules.softdep (Modification time mismatch)
warning: linux: /usr/lib/modules/5.1.8-arch1-1-ARCH/modules.symbols (Modification time mismatch)
warning: linux: /usr/lib/modules/5.1.8-arch1-1-ARCH/modules.symbols (Size mismatch)
warning: linux: /usr/lib/modules/5.1.8-arch1-1-ARCH/modules.symbols.bin (Modification time mismatch)
warning: linux: /usr/lib/modules/5.1.8-arch1-1-ARCH/modules.symbols.bin (Size mismatch)
linux: 6537 total files, 9 altered files

warning: python2-gobject2: /usr/lib/python2.7/site-packages/pygtk.pyc (Modification time mismatch)
warning: python2-gobject2: /usr/lib/python2.7/site-packages/glib/__init__.pyc (Modification time mismatch)
warning: python2-gobject2: /usr/lib/python2.7/site-packages/glib/option.pyc (Modification time mismatch)
warning: python2-gobject2: /usr/lib/python2.7/site-packages/gobject/__init__.pyc (Modification time mismatch)
warning: python2-gobject2: /usr/lib/python2.7/site-packages/gobject/constants.pyc (Modification time mismatch)
warning: python2-gobject2: /usr/lib/python2.7/site-packages/gobject/propertyhelper.pyc (Modification time mismatch)
warning: python2-gobject2: /usr/lib/python2.7/site-packages/gtk-2.0/gio/__init__.pyc (Modification time mismatch)
python2-gobject2: 111 total files, 7 altered files

warning: vlc: /usr/lib/vlc/plugins/plugins.dat (Modification time mismatch)
warning: vlc: /usr/lib/vlc/plugins/plugins.dat (Size mismatch)
vlc: 1055 total files, 1 altered file

Do you think that I need to do something about it?

V1del

Forum Moderator

Registered: 2012-10-16

Posts: 21,657

Re: [SOLVED]pacman -Qkk explanation

No all of these are normal, those are files that are generated based on information specific to your system and they will often differ from packaging defaults. (The java files depend on which java runtime you've configured, the kernel files are different if you use any out-of-tree modules, vlc's plugin cache is built/based on the opt-depends you've set up, these specific python files are runtime compiled on your system).

If you feel your question to be sufficiently answered, don't forget to mark as [SOLVED] by editing the title in your first post.

mmarch

Member

Registered: 2019-06-12

Posts: 5

Re: [SOLVED]pacman -Qkk explanation

Yes I think I understand it now. Thank you all for explaining it to me!