#!/bin/sh -norc
# This script was written by Garen Erdoisa to verify the installed redhat rpm 
# packages once a month under the control of the root crontab. The script 
# should be located at /etc/cron.monthly/rpmverify in a redhat 4.2 install.
# for more information on redhat linux, see http://www.redhat.com/
#
# Copyright 1997 by Garen L. Erdoisa all rights reserved.
# Licence Terms: See the GNU General Public Licence as used on redhat 4.2
#                systems.
# Permission is granted to freely use, distribute, and/or modify this script 
# for use on your system provided that credits to the author are maintained.
# The author can be contacted at the following email addresses:
# scamper@trisk.com
# gerdoisa@micron.net
#
# bugs: I have noticed that some versions of rpm will coredump when verifying
#       rpms that were installed by a prior rpm version.
#       the /root/rpmverify.script attempts to catch this problem by
#       building a test for a core file after each rpm is tested.
#       If a core dump is found, the rpmverify.script will abort and the
#       results of the verify up to the core dump will be mailed
#       to the root user. This is a bug in some versions of rpm, not
#       in this script.

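echo "/etc/cron.monthly/rpmverify"

# Work directory for the generated verify script and its output.  /root/tmp
# is used instead of /tmp because /tmp is world writable: a script that root
# is about to execute must never live in a directory other users can write
# to.  -m 700 keeps the directory private whatever umask cron runs with.
if ! [ -d /root/tmp ]; then
  echo "/etc/cron.monthly/rpmverify creating directory /root/tmp"
  mkdir -p -m 700 /root/tmp || {
    echo "/etc/cron.monthly/rpmverify: cannot create /root/tmp" >&2
    exit 1
  }
fi

# The generated script looks for a relative 'core' file after every package,
# so the working directory has to be /root/tmp before anything is run; do
# not carry on in whatever directory cron started us in.
cd /root/tmp || {
  echo "/etc/cron.monthly/rpmverify: cannot cd to /root/tmp" >&2
  exit 1
}

# Verification policy.
#
# The normal method (used below) verifies as root with --noscripts, so a
# verify script packaged inside a possibly trojaned rpm is never executed.
#
# An alternate method is to verify as user nobody and let the packaged
# verify scripts run.  That is safer against a hostile script, but it
# produces extra "missing file" errors wherever nobody cannot read the
# directory.  If you switch to it, keep passing the package name as an
# argument (as the loop below does) rather than splicing it into a
# "su -c" command string.

# The installed package list goes to a file and the generated script reads
# it back with 'read', so package names are never spliced into shell source
# text.  (The former awk-built script interpolated each name unquoted.)
rpm -qa >/root/tmp/pkglist || {
  echo "/etc/cron.monthly/rpmverify: rpm -qa failed" >&2
  rm -f /root/tmp/pkglist
  exit 1
}

# One rpm at a time, stopping as soon as rpm itself dumps core (see the bug
# note in the header); the output collected up to that point is still
# reported.  The '|| [ -n "$pkg" ]' keeps a last line without a newline.
cat >/root/tmp/rpmverify.script <<'EOF'
#!/bin/sh
while IFS= read -r pkg || [ -n "$pkg" ]; do
  echo -----------------
  echo "rpm -Vv --noscripts $pkg as user root"
  rpm -Vv --noscripts "$pkg"
  if [ -f core ]; then
    exit
  fi
done </root/tmp/pkglist
EOF
chmod u+x /root/tmp/rpmverify.script

# Lowest scheduling priority; stdout and stderr both go to temp2 so the
# report below contains everything rpm printed.
nice -n 20 /root/tmp/rpmverify.script >/root/tmp/temp2 2>&1

if [ -f /root/tmp/core ]; then
  # Leave temp2, the script and the package list in place for diagnosis.
  echo "core dumpped while executing /root/tmp/rpmverify.script"
  echo "suggest rpm --install --force  on the rpm package that caused the coredump during verify."
  vdir /root/tmp/core
else
  # Key to the status letters in rpm -V output, then the report itself.
  cat <<'EOF'
S      File size
M      Mode (includes permissions and file type)
5      MD5 checksum
D      DeviceD
L      Symlink
U      User
G      Group
T      Modification time
  c    File is a modified Config file
EOF
  cat /root/tmp/temp2
  rm -f /root/tmp/temp2 /root/tmp/rpmverify.script /root/tmp/pkglist

  # /root/tmp is not a standard directory on a redhat system, so remove it
  # again if nothing else is in it.  rmdir refuses a non-empty directory,
  # which is exactly the test wanted; its failure is silenced on purpose.
  cd /root || exit 1
  if rmdir /root/tmp 2>/dev/null; then
    echo "/etc/cron.monthly/rpmverify: cleanup - removing empty directory /root/tmp"
  fi
fi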
