On Sat, 2021-12-04 at 09:37 -0500, Stephen John Smoogen wrote:
Or just pad /usr/bin/rpm with some null characters at the end to break
its signature and also stop updates from happening. [Or the fs-verity
daemon which will report that these problems are occuring. ]
If the attacker has filesystem access, this wouldn't work, as fs-verity
makes the file immutable. If they have block level access to the
underlying storage, they can alter the data blocks of the rpm binary,
and that would indeed result in failure on the next exec as the
signature wouldn't match.
Cheers
Davide