
#1 2022-11-21 20:15:21

tekstryder
Member
Registered: 2013-02-14
Posts: 139

[SOLVED ] Pacman -Qkk Anomaly - False Positives?

I've no known functionality issues here but I'm seeing a few odd results with pacman -Qkk

Not sure if these are false positives? Database corruption? Curious if anyone has some insight here.

$ sudo pacman -Qkk 2>/dev/null | grep altered | grep -v "0 altered"
cups: 942 total files, 3 altered files
intel-ucode: 7 total files, 1 altered file
systemd: 2076 total files, 1 altered file
vlc: 1058 total files, 1 altered file
$ sudo paccheck --md5sum cups intel-ucode systemd vlc
cups: all files match mtree md5sums
intel-ucode: all files match mtree md5sums
systemd: all files match mtree md5sums
vlc: '/usr/lib/vlc/plugins/plugins.dat' md5sum mismatch (expected 0f3242072ec18e936d327794d57e0236)

I'm more interested in the pacman -Qkk results than the vlc oddity, though completely removing and reinstalling vlc still yields the same paccheck mismatch. Not too concerning, it's either wrong packaging or wrong verification.

Back to the issue at hand...

$ pacman -Ql intel-ucode 
intel-ucode /boot/
intel-ucode /boot/intel-ucode.img
intel-ucode /usr/
intel-ucode /usr/share/
intel-ucode /usr/share/licenses/
intel-ucode /usr/share/licenses/intel-ucode/
intel-ucode /usr/share/licenses/intel-ucode/LICENSE

There are only 2 actual files (yes, directories are 'files' as well) for intel-ucode, so using that as an example, let's purge and reinstall:

$ sudo pacman -Rns intel-ucode 
checking dependencies...

Package (1)  Old Version  Net Change

intel-ucode  20221108-1    -5.42 MiB

Total Removed Size:  5.42 MiB

:: Do you want to remove these packages? [Y/n] 
:: Processing package changes...
(1/1) removing intel-ucode
:: Running post-transaction hooks...
(1/1) Arming ConditionNeedsUpdate...
$ ls -la /boot/intel-ucode.img
ls: cannot access '/boot/intel-ucode.img': No such file or directory

$ ls -la  /usr/share/licenses/intel-ucode/LICENSE
ls: cannot access '/usr/share/licenses/intel-ucode/LICENSE': No such file or directory
$ sudo pacman -Syu intel-ucode 
:: Synchronizing package databases...
 core is up to date
 extra is up to date
 community is up to date
:: Starting full system upgrade...
resolving dependencies...
looking for conflicting packages...

Package (1)        New Version  Net Change

extra/intel-ucode  20221108-1     5.42 MiB

Total Installed Size:  5.42 MiB

:: Proceed with installation? [Y/n]
(1/1) checking keys in keyring     
(1/1) checking package integrity   
(1/1) loading package files        
(1/1) checking for file conflicts  
(1/1) checking available disk space
:: Processing package changes...
(1/1) installing intel-ucode       
:: Running post-transaction hooks...
(1/1) Arming ConditionNeedsUpdate...
$ ls -la /boot/intel-ucode.img
-rwxr-xr-x 1 root root 5678080 Nov  8 14:02 /boot/intel-ucode.img

$ ls -la  /usr/share/licenses/intel-ucode/LICENSE
-rw-r--r-- 1 root root 1677 Nov  8 14:02 /usr/share/licenses/intel-ucode/LICENSE

After verifying removal and re-installation of this simple package, pacman -Qkk still reports 1 altered file. Why??

$ sudo pacman -Qii | awk '/^MODIFIED/ {print $2}'
/etc/cups/printers.conf
/etc/cups/subscriptions.conf
/etc/crypttab
/etc/fstab
/etc/group
/etc/gshadow
/etc/hosts
/etc/passwd
/etc/resolv.conf
/etc/shadow
/etc/shells
/etc/gdm/custom.conf
/etc/locale.gen
/etc/iptables/iptables.rules
/etc/mdadm.conf
/etc/mkinitcpio.conf
/etc/pacman.conf
/etc/pacman.d/mirrorlist
/etc/pulse/daemon.conf
/etc/sudoers
/etc/systemd/journald.conf
/etc/systemd/sleep.conf

This looks perfect. I cannot think of any more, or fewer, system files I've modified aside from custom systemd timers and services.

I'm running out of ideas short of reviewing the pacman code and logic when determining an "altered file", but I'll likely take a look at that too.

Also, is there any way for pacman to list exactly what files it thinks are "altered"?

Last edited by tekstryder (2022-11-21 22:08:27)


#2 2022-11-21 20:20:40

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,616

Re: [SOLVED ] Pacman -Qkk Anomaly - False Positives?

Don't ask us why; check for yourself.  And don't check the pacman source code ... just check its output!  You are deliberately filtering out the relevant information by redirecting stderr.

pacman -Qkk cups intel-ucode systemd vlc

That will tell you what has been altered.

Then note that there are any number of legitimate ways a file gets modified from what's in the package.  A post-install script or pacman hook can make changes.  And if the file is placed onto a filesystem that doesn't support all permissions / features / etc, then it could show as modified (e.g., if you use a uefi system, there's a fair chance that /boot is a FAT filesystem).

I highly doubt there are any "false positives" in your list.  They are accurate positive detections - but that doesn't at all indicate a problem.

Last edited by Trilby (2022-11-21 20:30:46)


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman


#3 2022-11-21 20:42:34

tekstryder
Member
Registered: 2013-02-14
Posts: 139

Re: [SOLVED ] Pacman -Qkk Anomaly - False Positives?

Trilby wrote:

You are deliberately filtering out the relevant information by redirecting stderr.

Thanks, yes I got carried away filtering! Can't see the forest for the trees. Oops rookie mistake.


As for my sudo usage I disagree. The only command which does not require root is the only command where I did not use sudo.

pacman -Qkk will choke on some files it wants to verify when running in an unprivileged user context. E.g.:

warning: gvfs: /usr/share/polkit-1/rules.d/org.gtk.vfs.file-operations.rules (Permission denied)
warning: gnome-control-center: /usr/share/polkit-1/rules.d/gnome-control-center.rules (Permission denied)
$ pacman -Qkk cups intel-ucode systemd vlc
warning: cups: /etc/cups/classes.conf (Permissions mismatch)
warning: cups: /etc/cups/classes.conf (failed to calculate MD5 checksum)
warning: cups: /etc/cups/classes.conf (failed to calculate SHA256 checksum)
warning: cups: /etc/cups/cups-files.conf (failed to calculate MD5 checksum)
warning: cups: /etc/cups/cups-files.conf (failed to calculate SHA256 checksum)
warning: cups: /etc/cups/cups-files.conf.default (failed to calculate MD5 checksum)
warning: cups: /etc/cups/cups-files.conf.default (failed to calculate SHA256 checksum)
warning: cups: /etc/cups/cupsd.conf (failed to calculate MD5 checksum)
warning: cups: /etc/cups/cupsd.conf (failed to calculate SHA256 checksum)
warning: cups: /etc/cups/cupsd.conf.default (failed to calculate MD5 checksum)
warning: cups: /etc/cups/cupsd.conf.default (failed to calculate SHA256 checksum)
warning: cups: /etc/cups/printers.conf (Permissions mismatch)
backup file: cups: /etc/cups/printers.conf (Modification time mismatch)
backup file: cups: /etc/cups/printers.conf (Size mismatch)
warning: cups: /etc/cups/printers.conf (failed to calculate MD5 checksum)
warning: cups: /etc/cups/printers.conf (failed to calculate SHA256 checksum)
warning: cups: /etc/cups/snmp.conf (failed to calculate MD5 checksum)
warning: cups: /etc/cups/snmp.conf (failed to calculate SHA256 checksum)
warning: cups: /etc/cups/snmp.conf.default (failed to calculate MD5 checksum)
warning: cups: /etc/cups/snmp.conf.default (failed to calculate SHA256 checksum)
warning: cups: /etc/cups/subscriptions.conf (Permissions mismatch)
backup file: cups: /etc/cups/subscriptions.conf (Modification time mismatch)
backup file: cups: /etc/cups/subscriptions.conf (Size mismatch)
warning: cups: /etc/cups/subscriptions.conf (failed to calculate MD5 checksum)
warning: cups: /etc/cups/subscriptions.conf (failed to calculate SHA256 checksum)
warning: cups: /usr/bin/cupsd (failed to calculate MD5 checksum)
warning: cups: /usr/bin/cupsd (failed to calculate SHA256 checksum)
warning: cups: /var/cache/cups/rss (Permission denied)
warning: cups: /var/spool/cups/tmp (Permission denied)
cups: 942 total files, 12 altered files
warning: intel-ucode: /boot/intel-ucode.img (Permissions mismatch)
warning: intel-ucode: /boot/intel-ucode.img (Modification time mismatch)
intel-ucode: 7 total files, 1 altered file
backup file: systemd: /etc/systemd/journald.conf (Modification time mismatch)
backup file: systemd: /etc/systemd/journald.conf (Size mismatch)
backup file: systemd: /etc/systemd/journald.conf (MD5 checksum mismatch)
backup file: systemd: /etc/systemd/journald.conf (SHA256 checksum mismatch)
backup file: systemd: /etc/systemd/sleep.conf (Modification time mismatch)
backup file: systemd: /etc/systemd/sleep.conf (Size mismatch)
backup file: systemd: /etc/systemd/sleep.conf (MD5 checksum mismatch)
backup file: systemd: /etc/systemd/sleep.conf (SHA256 checksum mismatch)
warning: systemd: /usr/share/polkit-1/rules.d/systemd-networkd.rules (Permission denied)
warning: systemd: /var/log/journal (GID mismatch)
systemd: 2076 total files, 2 altered files
warning: vlc: /usr/lib/vlc/plugins/plugins.dat (Modification time mismatch)
warning: vlc: /usr/lib/vlc/plugins/plugins.dat (Size mismatch)
warning: vlc: /usr/lib/vlc/plugins/plugins.dat (MD5 checksum mismatch)
warning: vlc: /usr/lib/vlc/plugins/plugins.dat (SHA256 checksum mismatch)
$ sudo pacman -Qkk cups intel-ucode systemd vlc
warning: cups: /etc/cups/classes.conf (Permissions mismatch)
warning: cups: /etc/cups/printers.conf (Permissions mismatch)
backup file: cups: /etc/cups/printers.conf (Modification time mismatch)
backup file: cups: /etc/cups/printers.conf (Size mismatch)
backup file: cups: /etc/cups/printers.conf (MD5 checksum mismatch)
backup file: cups: /etc/cups/printers.conf (SHA256 checksum mismatch)
warning: cups: /etc/cups/subscriptions.conf (Permissions mismatch)
backup file: cups: /etc/cups/subscriptions.conf (Modification time mismatch)
backup file: cups: /etc/cups/subscriptions.conf (Size mismatch)
backup file: cups: /etc/cups/subscriptions.conf (MD5 checksum mismatch)
backup file: cups: /etc/cups/subscriptions.conf (SHA256 checksum mismatch)
cups: 942 total files, 3 altered files
warning: intel-ucode: /boot/intel-ucode.img (Permissions mismatch)
warning: intel-ucode: /boot/intel-ucode.img (Modification time mismatch)
intel-ucode: 7 total files, 1 altered file
backup file: systemd: /etc/systemd/journald.conf (Modification time mismatch)
backup file: systemd: /etc/systemd/journald.conf (Size mismatch)
backup file: systemd: /etc/systemd/journald.conf (MD5 checksum mismatch)
backup file: systemd: /etc/systemd/journald.conf (SHA256 checksum mismatch)
backup file: systemd: /etc/systemd/sleep.conf (Modification time mismatch)
backup file: systemd: /etc/systemd/sleep.conf (Size mismatch)
backup file: systemd: /etc/systemd/sleep.conf (MD5 checksum mismatch)
backup file: systemd: /etc/systemd/sleep.conf (SHA256 checksum mismatch)
warning: systemd: /var/log/journal (GID mismatch)
systemd: 2076 total files, 1 altered file
warning: vlc: /usr/lib/vlc/plugins/plugins.dat (Modification time mismatch)
warning: vlc: /usr/lib/vlc/plugins/plugins.dat (Size mismatch)
warning: vlc: /usr/lib/vlc/plugins/plugins.dat (MD5 checksum mismatch)
warning: vlc: /usr/lib/vlc/plugins/plugins.dat (SHA256 checksum mismatch)
vlc: 1058 total files, 1 altered file

Interesting results. Continuing with just the intel-ucode example that's explained by UEFI FAT. A big derp on my part!

I'll try to figure out the rest. Thanks for the quick response!

Last edited by tekstryder (2022-11-21 20:42:46)


#4 2022-11-21 20:50:39

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,616

Re: [SOLVED ] Pacman -Qkk Anomaly - False Positives?

Sorry about the sudo note, I had already edited to remove that as you are correct that it is needed for full functionality of pacman -Qk.



#5 2022-11-21 21:37:04

tekstryder
Member
Registered: 2013-02-14
Posts: 139

Re: [SOLVED ] Pacman -Qkk Anomaly - False Positives?

Trilby wrote:

Sorry about the sudo note, I had already edited to remove that as you are correct that it is needed for full functionality of pacman -Qk.

No worries. I think I've got this sorted out now and almost all the output makes sense in some way. I'll mark the thread as [SOLVED].

$ sudo pacman -Qkk cups
warning: cups: /etc/cups/classes.conf (Permissions mismatch)
warning: cups: /etc/cups/printers.conf (Permissions mismatch)
backup file: cups: /etc/cups/printers.conf (Modification time mismatch)
backup file: cups: /etc/cups/printers.conf (Size mismatch)
backup file: cups: /etc/cups/printers.conf (MD5 checksum mismatch)
backup file: cups: /etc/cups/printers.conf (SHA256 checksum mismatch)
backup file: cups: /etc/cups/subscriptions.conf (Modification time mismatch)
backup file: cups: /etc/cups/subscriptions.conf (Size mismatch)
backup file: cups: /etc/cups/subscriptions.conf (MD5 checksum mismatch)
backup file: cups: /etc/cups/subscriptions.conf (SHA256 checksum mismatch)
cups: 942 total files, 2 altered files
$ sudo paccheck --file-properties --quiet cups
cups: '/etc/cups/classes.conf' permission mismatch (expected 644)
cups: '/etc/cups/printers.conf' permission mismatch (expected 644)

I can change the permissions on these files to the expected 644 and pacman -Qkk will no longer complain.
However when the cups service restarts the permissions are reverted at runtime. The files also appear to be dynamically generated.


warning: systemd: /var/log/journal (GID mismatch)
systemd: 2076 total files, 1 altered file
$ sudo paccheck --file-properties --quiet systemd
systemd: '/var/log/journal' GID mismatch (expected 0/root)
$ stat /var/log/journal
  File: /var/log/journal
  Size: 4096      	Blocks: 16         IO Block: 4096   directory
Device: 259,2	Inode: 2622008     Links: 6
Access: (2755/drwxr-sr-x)  Uid: (    0/    root)   Gid: (  984/systemd-journal)
Access: 2022-11-21 16:07:20.705368205 -0500
Modify: 2022-01-15 17:35:14.439999972 -0500
Change: 2022-01-15 17:35:14.439999972 -0500
 Birth: 2021-02-17 20:42:47.405905440 -0500

This is the one remaining line item that I've not fully understood, but since journal ain't broke... don't fix.
I understand SGIDs, but highly unlikely that I modified that myself.


$ sudo pacman -Qkk vlc
warning: vlc: /usr/lib/vlc/plugins/plugins.dat (Modification time mismatch)
warning: vlc: /usr/lib/vlc/plugins/plugins.dat (Size mismatch)
warning: vlc: /usr/lib/vlc/plugins/plugins.dat (MD5 checksum mismatch)
warning: vlc: /usr/lib/vlc/plugins/plugins.dat (SHA256 checksum mismatch)
vlc: 1058 total files, 1 altered file

This file appears to be created dynamically at install-time, so these warnings make perfect sense.

Last edited by tekstryder (2022-11-21 22:09:40)


#6 2022-11-25 17:32:49

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,143

Re: [SOLVED ] Pacman -Qkk Anomaly - False Positives?

From systemd's installation script:

setfacl -Rnm g:wheel:rx,d:g:wheel:rx,g:adm:rx,d:g:adm:rx var/log/journal/ 2>/dev/null


Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L


#7 2024-04-30 18:17:57

tekstryder
Member
Registered: 2013-02-14
Posts: 139

Re: [SOLVED ] Pacman -Qkk Anomaly - False Positives?

cfr wrote:

From systemd's installation script:

setfacl -Rnm g:wheel:rx,d:g:wheel:rx,g:adm:rx,d:g:adm:rx var/log/journal/ 2>/dev/null

I never did fully understand this. A necro of my own [SOLVED] thread here, but seems silly to start a new thread for the exact continuation of this same convo.

So, per the systemd installation script, it's setting permissions that conflict with what pacman expects. Why must they disagree? Who wins? Well, clearly systemd wins and pacman only complains. Hence I've never manually modified this just to appease pacman.

I resurrect this topic as I've noticed another new GID mismatch with shadow, I believe stemming from libvirt/qemu stack. I did not modify the file manually, and only due to noticing this conflict am I now even aware of its existence/purpose.

$ sudo pacman -Qkk shadow
warning: shadow: /usr/bin/groupmems (GID mismatch)
warning: shadow: /usr/bin/groupmems (Permissions mismatch)
shadow: 588 total files, 1 altered file
$ sudo paccheck --file-properties --quiet shadow
shadow: '/usr/bin/groupmems' permission mismatch (expected 750)
shadow: '/usr/bin/groupmems' GID mismatch (expected 0/root)
-rwxr-s--- 1 root groups 47240 Apr  1 06:19 /usr/bin/groupmems

Please tell me I'm being a dummy if the reasons here should be obvious haha!

Last edited by tekstryder (2024-04-30 18:18:57)


#8 2024-05-02 13:53:50

tekstryder
Member
Registered: 2013-02-14
Posts: 139

Re: [SOLVED ] Pacman -Qkk Anomaly - False Positives?

Okay, so this mismatch is systemd's doing as well:

$ sudo chown root:root /usr/bin/groupmems
$ sudo chmod 750 /usr/bin/groupmems
$ sudo groupdel groups
$ sudo pacman -Qkk shadow
shadow: 588 total files, 0 altered files
$ sudo pacman -Syu systemd
:: Synchronizing package databases...
 core is up to date
 extra is up to date
warning: systemd-255.5-4 is up to date -- reinstalling
:: Starting full system upgrade...
warning: mutter: local (46.1-2) is newer than extra (46.1-1)
warning: nautilus: local (46.1-99) is newer than extra (46.1-1)
resolving dependencies...
looking for conflicting packages...

Package (1)   Old Version  New Version  Net Change

core/systemd  255.5-4      255.5-4        0.00 MiB

Total Installed Size:  30.79 MiB
Net Upgrade Size:       0.00 MiB

:: Proceed with installation? [Y/n] 
(1/1) checking keys in keyring                                                                                                                                                                               [################################################################################################################################] 100%
(1/1) checking package integrity                                                                                                                                                                             [################################################################################################################################] 100%
(1/1) loading package files                                                                                                                                                                                  [################################################################################################################################] 100%
(1/1) checking for file conflicts                                                                                                                                                                            [################################################################################################################################] 100%
(1/1) checking available disk space                                                                                                                                                                          [################################################################################################################################] 100%
:: Processing package changes...
(1/1) reinstalling systemd                                                                                                                                                                                   [################################################################################################################################] 100%
Creating group 'groups' with GID 974.
:: Running post-transaction hooks...
( 1/10) Creating system user accounts...
( 2/10) Updating journal message catalog...
( 3/10) Reloading system manager configuration...
( 4/10) Reloading user manager configuration...
( 5/10) Updating udev hardware database...
( 6/10) Applying kernel sysctl settings...
( 7/10) Creating temporary files...
( 8/10) Reloading device manager configuration...
( 9/10) Arming ConditionNeedsUpdate...
(10/10) Reloading system bus configuration...

$ sudo pacman -Qkk shadow
warning: shadow: /usr/bin/groupmems (GID mismatch)
warning: shadow: /usr/bin/groupmems (Permissions mismatch)
shadow: 588 total files, 1 altered file

$ grep groups /etc/group
groups:x:974:

This does not appear to be an Arch packaging issue either, as none of the install scripts trigger this group creation or permissions change on /usr/bin/groupmems.

So, shall I simply chalk this up as similar to other cases where pacman -Qkk detects modified files that it could never have anticipated (e.g. created/modified at runtime by applications post-install)?

The shadow package ships the file, then systemd goes and modifies its ownership/permissions later. Nothing pacman can really do here except complain about the change, right?

I suppose I've answered my own question here, and will leave as SOLVED. Any other insights or corrections welcome.

[EDIT] Annoyingly, I cannot find reference to the creation of the groups group in the systemd source code. I'd love to know where this change comes from.

Last edited by tekstryder (2024-05-02 18:31:39)


#9 2024-05-02 18:31:28

tekstryder
Member
Registered: 2013-02-14
Posts: 139

Re: [SOLVED ] Pacman -Qkk Anomaly - False Positives?

Splitting my subsequent edits into a separate reply..

Okay, so shadow itself creates the groups group via /usr/lib/sysusers.d/shadow.conf

$ sudo systemd-sysusers --dry-run
Creating group 'groups' with GID 974.
Would write /etc/group…
Would write /etc/gshadow…

For the change of ownership on /usr/bin/groupmems...

The intended permissions are defined in:

/usr/lib/tmpfiles.d/shadow.conf:z /usr/bin/groupmems 2750 root groups - -
/usr/lib64/tmpfiles.d/shadow.conf:z /usr/bin/groupmems 2750 root groups - -

And, executing:

$ sudo systemd-tmpfiles --create

...is the last piece to create the disparity noted in:

$ sudo pacman -Qkk shadow
warning: shadow: /usr/bin/groupmems (GID mismatch)
warning: shadow: /usr/bin/groupmems (Permissions mismatch)
shadow: 588 total files, 1 altered file

Ultimately, this is just systemd doing the bidding of shadow, as defined.

EDIT: I clearly have too much time on my hands!

Last edited by tekstryder (2024-05-02 18:42:29)

Offline
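
Added example (not written by any poster in this thread, and not pacman or systemd code): a POSIX sh/awk triage of `pacman -Qkk` output that sorts each finding the way the thread does by hand, into checks that could not run without root, pacman's own "backup file" lines, property mismatches that a tmpfiles.d `z`/`Z` rule declares, and everything else. The function name `classify_qkk` and the four category labels are made up for this example; the sample lines are copied from the outputs quoted above.

```shell
#!/bin/sh
# Added example: triage of `pacman -Qkk` findings (not pacman or systemd code).
# On a real system, as root so every file can be read:
#   systemd-tmpfiles --cat-config > rules.txt
#   pacman -Qkk 2>&1 | classify_qkk rules.txt

# classify_qkk RULES_FILE   (pacman -Qkk output on stdin)
# Prints: category<TAB>package<TAB>path<TAB>detail
classify_qkk() {
    awk -v rules="$1" '
    BEGIN {
        OFS = "\t"
        # Paths whose mode/owner a tmpfiles.d "z" or "Z" line resets.
        # Only the exact path is matched; "Z" recursion is not expanded.
        while ((getline l < rules) > 0) {
            sub(/^[ \t]+/, "", l)
            n = split(l, f, /[ \t]+/)
            if (n >= 5 && f[1] ~ /^[zZ]/)
                tmp[f[2]] = f[3] " " f[4] ":" f[5]
        }
        close(rules)
    }
    {
        line = $0
        if (sub(/^backup file: /, "", line))  kind = "backup"
        else if (sub(/^warning: /, "", line)) kind = "warning"
        else next                        # per-package summary lines
        i = index(line, ": ")
        if (i == 0 || !match(line, / \([^()]*\)$/)) next
        pkg    = substr(line, 1, i - 1)
        path   = substr(line, i + 2, RSTART - i - 2)
        reason = substr(line, RSTART + 2, RLENGTH - 3)

        if (reason == "Permission denied" || reason ~ /^failed to calculate/)
            cat = "incomplete"           # check could not run; rerun as root
        else if (kind == "backup")
            cat = "backup"               # pacman labels it a backup (config) file
        else if (reason ~ /^(Permissions|UID|GID) mismatch$/ && (path in tmp)) {
            cat = "tmpfiles"             # a tmpfiles.d rule declares this state
            reason = reason "; tmpfiles.d sets " tmp[path]
        } else
            cat = "review"               # nothing here explains the change
        print cat, pkg, path, reason
    }'
}

demo() {
    rules=$(mktemp) || return 1
    # The tmpfiles.d rule quoted in post #9.
    printf '%s\n' 'z /usr/bin/groupmems 2750 root groups - -' > "$rules"
    # Lines copied from the pacman -Qkk outputs quoted in this thread.
    classify_qkk "$rules" <<'EOF'
warning: gvfs: /usr/share/polkit-1/rules.d/org.gtk.vfs.file-operations.rules (Permission denied)
backup file: systemd: /etc/systemd/journald.conf (SHA256 checksum mismatch)
warning: systemd: /var/log/journal (GID mismatch)
systemd: 2076 total files, 1 altered file
warning: vlc: /usr/lib/vlc/plugins/plugins.dat (SHA256 checksum mismatch)
warning: shadow: /usr/bin/groupmems (GID mismatch)
warning: shadow: /usr/bin/groupmems (Permissions mismatch)
shadow: 588 total files, 1 altered file
EOF
    rm -f "$rules"
}
demo
```

Lines left in `review` are the ones that still need an explanation; here that includes /var/log/journal and plugins.dat, because the sample rules file holds only the one rule quoted in post #9. The `tmpfiles` label only says a rule exists, so the printed mode and owner should still be compared against `stat` on the file.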
