[SOLVED ] Pacman -Qkk Anomaly - False Positives?

tekstryder · 2022-11-21 20:15:21

I've no known functionality issues here but I'm seeing a few odd results with pacman -Qkk

Not sure if these are false positives? Database corruption? Curious if anyone has some insight here.

$ sudo pacman -Qkk 2>/dev/null | grep altered | grep -v "0 altered"
cups: 942 total files, 3 altered files
intel-ucode: 7 total files, 1 altered file
systemd: 2076 total files, 1 altered file
vlc: 1058 total files, 1 altered file

$ sudo paccheck --md5sum cups intel-ucode systemd vlc
cups: all files match mtree md5sums
intel-ucode: all files match mtree md5sums
systemd: all files match mtree md5sums
vlc: '/usr/lib/vlc/plugins/plugins.dat' md5sum mismatch (expected 0f3242072ec18e936d327794d57e0236)

I'm more interested in the pacman -Qkk results than the vlc oddity. though completely removing and reinstalling vlc still yeilds the same paccheck mismatch. Not too concerning, it's either wrong packaging or wrong verification.

Back to the issue at hand...

$ pacman -Ql intel-ucode 
intel-ucode /boot/
intel-ucode /boot/intel-ucode.img
intel-ucode /usr/
intel-ucode /usr/share/
intel-ucode /usr/share/licenses/
intel-ucode /usr/share/licenses/intel-ucode/
intel-ucode /usr/share/licenses/intel-ucode/LICENSE

There are only 2 actual files (yes, directories are 'files' as well) for intel-ucode, so using that as an example, let's purge and reinstall:

$ sudo pacman -Rns intel-ucode 
checking dependencies...

Package (1)  Old Version  Net Change

intel-ucode  20221108-1    -5.42 MiB

Total Removed Size:  5.42 MiB

:: Do you want to remove these packages? [Y/n] 
:: Processing package changes...
(1/1) removing intel-ucode
:: Running post-transaction hooks...
(1/1) Arming ConditionNeedsUpdate...

$ ls -la /boot/intel-ucode.img
ls: cannot access '/boot/intel-ucode.img': No such file or directory

$ ls -la  /usr/share/licenses/intel-ucode/LICENSE
ls: cannot access '/usr/share/licenses/intel-ucode/LICENSE': No such file or directory

$ sudo pacman -Syu intel-ucode 
:: Synchronizing package databases...
 core is up to date
 extra is up to date
 community is up to date
:: Starting full system upgrade...
resolving dependencies...
looking for conflicting packages...

Package (1)        New Version  Net Change

extra/intel-ucode  20221108-1     5.42 MiB

Total Installed Size:  5.42 MiB

:: Proceed with installation? [Y/n]
(1/1) checking keys in keyring     
(1/1) checking package integrity   
(1/1) loading package files        
(1/1) checking for file conflicts  
(1/1) checking available disk space
:: Processing package changes...
(1/1) installing intel-ucode       
:: Running post-transaction hooks...
(1/1) Arming ConditionNeedsUpdate...

$ ls -la /boot/intel-ucode.img
-rwxr-xr-x 1 root root 5678080 Nov  8 14:02 /boot/intel-ucode.img

$ ls -la  /usr/share/licenses/intel-ucode/LICENSE
-rw-r--r-- 1 root root 1677 Nov  8 14:02 /usr/share/licenses/intel-ucode/LICENSE

After verifying removal and re-installation of this simple package, pacman -Qkk still reports 1 altered file. Why??

$ sudo pacman -Qii | awk '/^MODIFIED/ {print $2}'
/etc/cups/printers.conf
/etc/cups/subscriptions.conf
/etc/crypttab
/etc/fstab
/etc/group
/etc/gshadow
/etc/hosts
/etc/passwd
/etc/resolv.conf
/etc/shadow
/etc/shells
/etc/gdm/custom.conf
/etc/locale.gen
/etc/iptables/iptables.rules
/etc/mdadm.conf
/etc/mkinitcpio.conf
/etc/pacman.conf
/etc/pacman.d/mirrorlist
/etc/pulse/daemon.conf
/etc/sudoers
/etc/systemd/journald.conf
/etc/systemd/sleep.conf

This looks perfect. I cannot think of any more, or fewer, system files I've modified aside from custom systemd timers and services.

I'm running out of ideas short of reviewing the pacman code and logic when determining an "altered file", but I'll likely take a look at that too.

Also, is there any way for pacman to list exactly what files it thinks are "altered"?

Last edited by tekstryder (2022-11-21 22:08:27)

Trilby · 2022-11-21 20:20:40

Don't ask us why; check for yourself. And don't check the pacman source code ... just check it's output! You are deliberately filtering out the relevant information by redirecting stderr.

pacman -Qkk cups intel-ucode systemd vlc

That will tell you what has been altered.

Then note that there are any number of legitimate ways a file gets modified from what's in the package. A post-install script or pacman hook can make changes. And if the file is placed onto a filesystem that doesn't support all permissions / features / etc, then it could show as modified (e.g., if you use a uefi system, there's a fair chance that /boot is a FAT filesystem).

I highly doubt there are any "false positives" in your list. They are accurate positive detections - but that doesn't at all indicate a problem.

Last edited by Trilby (2022-11-21 20:30:46)

tekstryder · 2022-11-21 20:42:34

Trilby wrote:

You are deliberately filtering out the relevant information by redirecting stderr.

Thanks, yes I got carried away filtering! Can't see the forest for the trees. Oops rookie mistake.

As for my sudo usage I disagree. The only command which does not require root is the only command where I did not use sudo.

pacman -Qkk will choke on some files it wants to verify when running in an unpriveleged user context. E.g:

warning: gvfs: /usr/share/polkit-1/rules.d/org.gtk.vfs.file-operations.rules (Permission denied)
warning: gnome-control-center: /usr/share/polkit-1/rules.d/gnome-control-center.rules (Permission denied)

$ pacman -Qkk cups intel-ucode systemd vlc
warning: cups: /etc/cups/classes.conf (Permissions mismatch)
warning: cups: /etc/cups/classes.conf (failed to calculate MD5 checksum)
warning: cups: /etc/cups/classes.conf (failed to calculate SHA256 checksum)
warning: cups: /etc/cups/cups-files.conf (failed to calculate MD5 checksum)
warning: cups: /etc/cups/cups-files.conf (failed to calculate SHA256 checksum)
warning: cups: /etc/cups/cups-files.conf.default (failed to calculate MD5 checksum)
warning: cups: /etc/cups/cups-files.conf.default (failed to calculate SHA256 checksum)
warning: cups: /etc/cups/cupsd.conf (failed to calculate MD5 checksum)
warning: cups: /etc/cups/cupsd.conf (failed to calculate SHA256 checksum)
warning: cups: /etc/cups/cupsd.conf.default (failed to calculate MD5 checksum)
warning: cups: /etc/cups/cupsd.conf.default (failed to calculate SHA256 checksum)
warning: cups: /etc/cups/printers.conf (Permissions mismatch)
backup file: cups: /etc/cups/printers.conf (Modification time mismatch)
backup file: cups: /etc/cups/printers.conf (Size mismatch)
warning: cups: /etc/cups/printers.conf (failed to calculate MD5 checksum)
warning: cups: /etc/cups/printers.conf (failed to calculate SHA256 checksum)
warning: cups: /etc/cups/snmp.conf (failed to calculate MD5 checksum)
warning: cups: /etc/cups/snmp.conf (failed to calculate SHA256 checksum)
warning: cups: /etc/cups/snmp.conf.default (failed to calculate MD5 checksum)
warning: cups: /etc/cups/snmp.conf.default (failed to calculate SHA256 checksum)
warning: cups: /etc/cups/subscriptions.conf (Permissions mismatch)
backup file: cups: /etc/cups/subscriptions.conf (Modification time mismatch)
backup file: cups: /etc/cups/subscriptions.conf (Size mismatch)
warning: cups: /etc/cups/subscriptions.conf (failed to calculate MD5 checksum)
warning: cups: /etc/cups/subscriptions.conf (failed to calculate SHA256 checksum)
warning: cups: /usr/bin/cupsd (failed to calculate MD5 checksum)
warning: cups: /usr/bin/cupsd (failed to calculate SHA256 checksum)
warning: cups: /var/cache/cups/rss (Permission denied)
warning: cups: /var/spool/cups/tmp (Permission denied)
cups: 942 total files, 12 altered files
warning: intel-ucode: /boot/intel-ucode.img (Permissions mismatch)
warning: intel-ucode: /boot/intel-ucode.img (Modification time mismatch)
intel-ucode: 7 total files, 1 altered file
backup file: systemd: /etc/systemd/journald.conf (Modification time mismatch)
backup file: systemd: /etc/systemd/journald.conf (Size mismatch)
backup file: systemd: /etc/systemd/journald.conf (MD5 checksum mismatch)
backup file: systemd: /etc/systemd/journald.conf (SHA256 checksum mismatch)
backup file: systemd: /etc/systemd/sleep.conf (Modification time mismatch)
backup file: systemd: /etc/systemd/sleep.conf (Size mismatch)
backup file: systemd: /etc/systemd/sleep.conf (MD5 checksum mismatch)
backup file: systemd: /etc/systemd/sleep.conf (SHA256 checksum mismatch)
warning: systemd: /usr/share/polkit-1/rules.d/systemd-networkd.rules (Permission denied)
warning: systemd: /var/log/journal (GID mismatch)
systemd: 2076 total files, 2 altered files
warning: vlc: /usr/lib/vlc/plugins/plugins.dat (Modification time mismatch)
warning: vlc: /usr/lib/vlc/plugins/plugins.dat (Size mismatch)
warning: vlc: /usr/lib/vlc/plugins/plugins.dat (MD5 checksum mismatch)
warning: vlc: /usr/lib/vlc/plugins/plugins.dat (SHA256 checksum mismatch)

$ sudo pacman -Qkk cups intel-ucode systemd vlc
warning: cups: /etc/cups/classes.conf (Permissions mismatch)
warning: cups: /etc/cups/printers.conf (Permissions mismatch)
backup file: cups: /etc/cups/printers.conf (Modification time mismatch)
backup file: cups: /etc/cups/printers.conf (Size mismatch)
backup file: cups: /etc/cups/printers.conf (MD5 checksum mismatch)
backup file: cups: /etc/cups/printers.conf (SHA256 checksum mismatch)
warning: cups: /etc/cups/subscriptions.conf (Permissions mismatch)
backup file: cups: /etc/cups/subscriptions.conf (Modification time mismatch)
backup file: cups: /etc/cups/subscriptions.conf (Size mismatch)
backup file: cups: /etc/cups/subscriptions.conf (MD5 checksum mismatch)
backup file: cups: /etc/cups/subscriptions.conf (SHA256 checksum mismatch)
cups: 942 total files, 3 altered files
warning: intel-ucode: /boot/intel-ucode.img (Permissions mismatch)
warning: intel-ucode: /boot/intel-ucode.img (Modification time mismatch)
intel-ucode: 7 total files, 1 altered file
backup file: systemd: /etc/systemd/journald.conf (Modification time mismatch)
backup file: systemd: /etc/systemd/journald.conf (Size mismatch)
backup file: systemd: /etc/systemd/journald.conf (MD5 checksum mismatch)
backup file: systemd: /etc/systemd/journald.conf (SHA256 checksum mismatch)
backup file: systemd: /etc/systemd/sleep.conf (Modification time mismatch)
backup file: systemd: /etc/systemd/sleep.conf (Size mismatch)
backup file: systemd: /etc/systemd/sleep.conf (MD5 checksum mismatch)
backup file: systemd: /etc/systemd/sleep.conf (SHA256 checksum mismatch)
warning: systemd: /var/log/journal (GID mismatch)
systemd: 2076 total files, 1 altered file
warning: vlc: /usr/lib/vlc/plugins/plugins.dat (Modification time mismatch)
warning: vlc: /usr/lib/vlc/plugins/plugins.dat (Size mismatch)
warning: vlc: /usr/lib/vlc/plugins/plugins.dat (MD5 checksum mismatch)
warning: vlc: /usr/lib/vlc/plugins/plugins.dat (SHA256 checksum mismatch)
vlc: 1058 total files, 1 altered file

Interesting results. Continuing with just the intel-ucode example that's explained by UEFI FAT. A big derp on my part!

I'll try to figure out the rest. Thanks for the quick response!

Last edited by tekstryder (2022-11-21 20:42:46)

Trilby · 2022-11-21 20:50:39

Sorry about the sudo note, I had already editted to remove that as you are correct that it is needed for full functionality of pacman -Qk.

tekstryder · 2022-11-21 21:37:04

Trilby wrote:

Sorry about the sudo note, I had already editted to remove that as you are correct that it is needed for full functionality of pacman -Qk.

No worries. I think I've got this sorted out now and almost all the output makes sense in some way. I'll mark the thread as [SOLVED].

$ sudo pacman -Qkk cups
warning: cups: /etc/cups/classes.conf (Permissions mismatch)
warning: cups: /etc/cups/printers.conf (Permissions mismatch)
backup file: cups: /etc/cups/printers.conf (Modification time mismatch)
backup file: cups: /etc/cups/printers.conf (Size mismatch)
backup file: cups: /etc/cups/printers.conf (MD5 checksum mismatch)
backup file: cups: /etc/cups/printers.conf (SHA256 checksum mismatch)
backup file: cups: /etc/cups/subscriptions.conf (Modification time mismatch)
backup file: cups: /etc/cups/subscriptions.conf (Size mismatch)
backup file: cups: /etc/cups/subscriptions.conf (MD5 checksum mismatch)
backup file: cups: /etc/cups/subscriptions.conf (SHA256 checksum mismatch)
cups: 942 total files, 2 altered files

$ sudo paccheck --file-properties --quiet cups
cups: '/etc/cups/classes.conf' permission mismatch (expected 644)
cups: '/etc/cups/printers.conf' permission mismatch (expected 644)

I can change the permissions on these files to the expected 644 and pacman -Qkk will no longer complain.
However when the cups service restarts the permissions are reverted at runtime. The files also appear to be dynamically generated.

warning: systemd: /var/log/journal (GID mismatch)
systemd: 2076 total files, 1 altered file

$ sudo paccheck --file-properties --quiet systemd
systemd: '/var/log/journal' GID mismatch (expected 0/root)

$ stat /var/log/journal
  File: /var/log/journal
  Size: 4096      	Blocks: 16         IO Block: 4096   directory
Device: 259,2	Inode: 2622008     Links: 6
Access: (2755/drwxr-sr-x)  Uid: (    0/    root)   Gid: (  984/systemd-journal)
Access: 2022-11-21 16:07:20.705368205 -0500
Modify: 2022-01-15 17:35:14.439999972 -0500
Change: 2022-01-15 17:35:14.439999972 -0500
 Birth: 2021-02-17 20:42:47.405905440 -0500

This is the one remaining line item that I've not fully understood, but since journal ain't broke... don't fix.
I understand SGIDs, but highly unlikely that I modified that myself.

$ sudo pacman -Qkk vlc
warning: vlc: /usr/lib/vlc/plugins/plugins.dat (Modification time mismatch)
warning: vlc: /usr/lib/vlc/plugins/plugins.dat (Size mismatch)
warning: vlc: /usr/lib/vlc/plugins/plugins.dat (MD5 checksum mismatch)
warning: vlc: /usr/lib/vlc/plugins/plugins.dat (SHA256 checksum mismatch)
vlc: 1058 total files, 1 altered file

This file appears to be created dynamically at install-time, so these warnings make perfect sense.

Last edited by tekstryder (2022-11-21 22:09:40)

cfr · 2022-11-25 17:32:49

From systemd's installation script:

setfacl -Rnm g:wheel:rx,d:g:wheel:rx,g:adm:rx,d:g:adm:rx var/log/journal/ 2>/dev/null

Arch Linux

#1 2022-11-21 20:15:21

[SOLVED ] Pacman -Qkk Anomaly - False Positives?

#2 2022-11-21 20:20:40

Re: [SOLVED ] Pacman -Qkk Anomaly - False Positives?

#3 2022-11-21 20:42:34

Re: [SOLVED ] Pacman -Qkk Anomaly - False Positives?

#4 2022-11-21 20:50:39

Re: [SOLVED ] Pacman -Qkk Anomaly - False Positives?

#5 2022-11-21 21:37:04

Re: [SOLVED ] Pacman -Qkk Anomaly - False Positives?

#6 2022-11-25 17:32:49

Re: [SOLVED ] Pacman -Qkk Anomaly - False Positives?

Board footer