Keith C. Perry via plug on 27 Dec 2022 12:10:00 -0800



Re: [PLUG] Possible Break in on Arch Linux Systems:


I was just about to make a similar comment.  I'm very rarely in my Arch partition and invariably I have to do keyring upgrades (and maybe some things I can't remember right now) before even pacman -Syy will work.

Always good to be skeptical but I think for Arch this is normal fare.


~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Keith C. Perry, MS E.E.
Managing Member, DAO Technologies LLC
(O) +1.215.525.4165 x2033
(M) +1.215.432.5167
www.daotechnologies.com


From: "Philadelphia Linux User's Group Discussion List" <plug@lists.phillylinux.org>
To: "Philadelphia Linux User's Group Discussion List" <plug@lists.phillylinux.org>
Sent: Tuesday, December 27, 2022 3:05:12 PM
Subject: Re: [PLUG] Possible Break in on Arch Linux Systems:

On Tue, Dec 27, 2022, 14:27 Michael Lazin via plug <plug@lists.phillylinux.org> wrote:
That is the gpg key for your package manager.  I don't think that should change.  Try installing rkhunter and running "rkhunter --scan" as root.  It will tell you if other files may have been modified.

Thanks,

Michael 


Let's not make assumptions and jump to potential compromise unless we're familiar with the respective distro's internals.
 

On Tue, Dec 27, 2022, 1:44 PM LeRoy Cressy via plug <plug@lists.phillylinux.org> wrote:
I do a daily backup which checks for any changes in /etc and other
directories that should not change unless you have done a backup.  On
Christmas Day someone or something changed the following files:

/etc/pacman.d/gnupg/pubring.gpg
/etc/pacman.d/gnupg/pubring.gpg~
/etc/pacman.d/gnupg/pubring.gpg.tmp
/etc/pacman.d/gnupg/trustdb.gpg

I rebuilt my repositories with pacman -Syy
I reinstalled archlinux-keyring

I am familiar with the shenanigans  of cups changing their /etc files
daily, but this is a first for me.

I'm posting this as a warning of a possible break-in on Arch Linux
systems.


LeRoy, this is normal and expected. I'm guessing you haven't done a full system update in a while?

$ systemctl cat archlinux-keyring-wkd-sync.timer
# /usr/lib/systemd/system/archlinux-keyring-wkd-sync.timer
[Unit]
Description=Refresh existing PGP keys of archlinux-keyring regularly

[Timer]
OnCalendar=weekly
Persistent=true
RandomizedDelaySec=1week

[Install]
WantedBy=timers.target
It is part of Arch Linux system internals (the archlinux-keyring package itself).

$ pacman -Ql archlinux-keyring | grep -E '\.timer'
archlinux-keyring /usr/lib/systemd/system/archlinux-keyring-wkd-sync.timer
archlinux-keyring /usr/lib/systemd/system/timers.target.wants/archlinux-keyring-wkd-sync.timer
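Added example, not code from the thread or from Arch: a small Python check that does what the reply above suggests, correlating the changed files a backup diff reports under /etc/pacman.d/gnupg with journal entries for the archlinux-keyring-wkd-sync timer, so a change that lines up with a scheduled refresh is marked expected and anything else is left for review. The journal lines and mtimes are constructed; the "Starting"/"Finished" wording, the short-iso layout and the 5-minute slack are assumptions.

```python
"""Separate the expected weekly keyring refresh from other changes in a
backup diff. Constructed sample data; not code from the PLUG thread."""
import re
from datetime import datetime, timedelta

# Files the scheduled refresh is expected to rewrite (paths from the thread).
KEYRING_PATHS = {
    "/etc/pacman.d/gnupg/pubring.gpg",
    "/etc/pacman.d/gnupg/pubring.gpg~",
    "/etc/pacman.d/gnupg/pubring.gpg.tmp",
    "/etc/pacman.d/gnupg/trustdb.gpg",
}
# Description= of the timer's unit (from the thread); systemd logs it on start/finish.
MARKER = "Refresh existing PGP keys of archlinux-keyring"
ISO = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)")  # offset ignored, naive local time

def refresh_intervals(journal_lines):
    """Pair 'Starting'/'Finished' lines for the unit into (start, end) tuples.
    Assumes 'journalctl -u <unit> -o short-iso' style lines (constructed)."""
    intervals, start = [], None
    for line in journal_lines:
        m = ISO.match(line)
        if not m or MARKER not in line:
            continue
        t = datetime.fromisoformat(m.group(1))
        if "Starting" in line:
            start = t
        elif "Finished" in line and start is not None:
            intervals.append((start, t))
            start = None
    return intervals

def classify(changes, journal_lines, slack=timedelta(minutes=5)):
    """changes: {path: mtime}. Returns path -> 'expected-refresh' | 'unexplained' | 'not-keyring'."""
    intervals = refresh_intervals(journal_lines)
    verdict = {}
    for path, mtime in changes.items():
        if path not in KEYRING_PATHS:
            verdict[path] = "not-keyring"          # outside the keyring dir; judge on its own
        elif any(s - slack <= mtime <= e + slack for s, e in intervals):
            verdict[path] = "expected-refresh"     # mtime falls inside a logged service run
        else:
            verdict[path] = "unexplained"          # keyring file changed with no run nearby
    return verdict

JOURNAL = [  # constructed excerpt in short-iso layout
    "2022-12-25T04:12:31-0500 arch systemd[1]: Starting " + MARKER + " regularly...",
    "2022-12-25T04:13:02-0500 arch systemd[1]: Finished " + MARKER + " regularly.",
]
CHANGES = {  # constructed mtimes as a backup diff might report them
    "/etc/pacman.d/gnupg/pubring.gpg": datetime(2022, 12, 25, 4, 12, 58),
    "/etc/pacman.d/gnupg/trustdb.gpg": datetime(2022, 12, 25, 4, 13, 0),
    "/etc/pacman.d/gnupg/pubring.gpg~": datetime(2022, 12, 26, 22, 40, 0),
    "/etc/ssh/sshd_config": datetime(2022, 12, 25, 4, 12, 59),
}

if __name__ == "__main__":
    for path, v in classify(CHANGES, JOURNAL).items():
        print(f"{v:17} {path}")
```

A file that was also rewritten by a manual `pacman -Sy archlinux-keyring` or `pacman-key` run will show up as unexplained here, so check those journal entries before treating it as suspicious.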
 

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug