In prepping some RHEL 5.5 laptops, I noticed something odd. Very odd. I had made some changes to a base system and did an rsync -av -n from the base system to a pristine source installation to see what had changed. I was expecting to see differences configuration files in /etc, /root, perhaps /var. Nothing prepared me for this:
# ls -al base/bin/bash pristine-source/bin/bash -rwxr-xr-x 1 root root 801512 Oct 21 2008 base/bin/bash -rwxr-xr-x 1 root root 768664 Oct 21 2008 pristine-source/bin/bash
Whoa! My base system’s bash shell increased in size. When this happens, it is paramount to determine why. The repercussions are significant.
The first place to look is to see if what RPM installs the executable.
# chroot /mnt/pristine-source rpm -q -f /bin/bash bash-3.2-24.el5 # chroot /mnt/base rpm -q -f /bin/bash bash-3.2-24.el5
Strike one. I should probably post the md5sums here:
# md5sum /mnt/pristine-source/bin/bash /mnt/base/bin/bash dbb9e394d5e2017fb460c4f7d8618f59 /mnt/pristine-source/bin/bash ecb556dec39092617bbbe8fbef06e381 /mnt/base/bin/bash
Perhaps there is a different RPM installed?
# chroot /mnt/base rpm -q -a > /tmp/base.rpms # chroot /mnt/pristine-source rpm -q -a > /tmp/pristine-source.rpms # diff /tmp/pristine-source.rpms /tmp/base.rpms #
Strike two. I just queried both installations, and they have the exact same RPMs installed. Taking a look at shared libraries required to run bash:
# ldd -v /mnt/pristine-source/bin/bash /mnt/base/bin/bash /mnt/pristine-source/bin/bash: libtermcap.so.2 => /lib64/libtermcap.so.2 (0x00002b0e241c1000) libdl.so.2 => /lib64/libdl.so.2 (0x00002b0e243c4000) libc.so.6 => /lib64/libc.so.6 (0x00002b0e245c8000) /lib64/ld-linux-x86-64.so.2 (0x00002b0e23fa4000) Version information: /mnt/pristine-source/bin/bash: libdl.so.2 (GLIBC_2.2.5) => /lib64/libdl.so.2 libc.so.6 (GLIBC_2.4) => /lib64/libc.so.6 libc.so.6 (GLIBC_2.3) => /lib64/libc.so.6 libc.so.6 (GLIBC_2.3.4) => /lib64/libc.so.6 libc.so.6 (GLIBC_2.2.5) => /lib64/libc.so.6 /lib64/libtermcap.so.2: libc.so.6 (GLIBC_2.4) => /lib64/libc.so.6 libc.so.6 (GLIBC_2.3.4) => /lib64/libc.so.6 libc.so.6 (GLIBC_2.2.5) => /lib64/libc.so.6 /lib64/libdl.so.2: ld-linux-x86-64.so.2 (GLIBC_PRIVATE) => /lib64/ld-linux-x86-64.so.2 libc.so.6 (GLIBC_PRIVATE) => /lib64/libc.so.6 libc.so.6 (GLIBC_2.2.5) => /lib64/libc.so.6 /lib64/libc.so.6: ld-linux-x86-64.so.2 (GLIBC_2.3) => /lib64/ld-linux-x86-64.so.2 ld-linux-x86-64.so.2 (GLIBC_PRIVATE) => /lib64/ld-linux-x86-64.so.2 /mnt/base/bin/bash: libtermcap.so.2 => /lib64/libtermcap.so.2 (0x00002ab1f0ec8000) libdl.so.2 => /lib64/libdl.so.2 (0x00002ab1f10cb000) libc.so.6 => /lib64/libc.so.6 (0x00002ab1f12cf000) /lib64/ld-linux-x86-64.so.2 (0x00002ab1f0cab000) Version information: /mnt/base/bin/bash: libdl.so.2 (GLIBC_2.2.5) => /lib64/libdl.so.2 libc.so.6 (GLIBC_2.4) => /lib64/libc.so.6 libc.so.6 (GLIBC_2.3) => /lib64/libc.so.6 libc.so.6 (GLIBC_2.3.4) => /lib64/libc.so.6 libc.so.6 (GLIBC_2.2.5) => /lib64/libc.so.6 /lib64/libtermcap.so.2: libc.so.6 (GLIBC_2.4) => /lib64/libc.so.6 libc.so.6 (GLIBC_2.3.4) => /lib64/libc.so.6 libc.so.6 (GLIBC_2.2.5) => /lib64/libc.so.6 /lib64/libdl.so.2: ld-linux-x86-64.so.2 (GLIBC_PRIVATE) => /lib64/ld-linux-x86-64.so.2 libc.so.6 (GLIBC_PRIVATE) => /lib64/libc.so.6 libc.so.6 (GLIBC_2.2.5) => /lib64/libc.so.6 /lib64/libc.so.6: ld-linux-x86-64.so.2 (GLIBC_2.3) => /lib64/ld-linux-x86-64.so.2 ld-linux-x86-64.so.2 (GLIBC_PRIVATE) => /lib64/ld-linux-x86-64.so.2
I am picking on bash, but you’ll see how systemic this problem is:
ls -alL /mnt/pristine-source/lib/libc.so.6 /mnt/base/lib/libc.so.6 -rwxr-xr-x 1 root root 1611564 Mar 10 2010 /mnt/base/lib/libc.so.6 -rwxr-xr-x 1 root root 1608148 Mar 10 2010 /mnt/pristine-source/lib/libc.so.6
Right. Strike 3. All programs use the shared C library.
Here is the bash file, stored with xz and base64. This format prevents accidentally running the suspect shell.