353 lines
10 KiB
Groff
353 lines
10 KiB
Groff
.\" $OpenBSD: mtree.8,v 1.38 2015/03/13 19:58:41 jmc Exp $
|
|
.\" $NetBSD: mtree.8,v 1.4 1995/03/07 21:26:25 cgd Exp $
|
|
.\"
|
|
.\" Copyright (c) 1989, 1990, 1993
|
|
.\" The Regents of the University of California. All rights reserved.
|
|
.\"
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
.\" modification, are permitted provided that the following conditions
|
|
.\" are met:
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
.\" 3. Neither the name of the University nor the names of its contributors
|
|
.\" may be used to endorse or promote products derived from this software
|
|
.\" without specific prior written permission.
|
|
.\"
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
|
|
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
|
|
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
.\" SUCH DAMAGE.
|
|
.\"
|
|
.\" @(#)mtree.8 8.2 (Berkeley) 12/11/93
|
|
.\"
|
|
.Dd $Mdocdate: March 13 2015 $
|
|
.Dt MTREE 8
|
|
.Os
|
|
.Sh NAME
|
|
.Nm mtree
|
|
.Nd map a directory hierarchy
|
|
.Sh SYNOPSIS
|
|
.Nm mtree
|
|
.Bk -words
|
|
.Op Fl cdeilnqrtUux
|
|
.Op Fl f Ar spec
|
|
.Op Fl K Ar keywords
|
|
.Op Fl k Ar keywords
|
|
.Op Fl p Ar path
|
|
.Op Fl s Ar seed
|
|
.Ek
|
|
.Sh DESCRIPTION
|
|
The utility
|
|
.Nm mtree
|
|
compares the file hierarchy rooted in the current directory against a
|
|
specification read from the standard input.
|
|
Messages are written to the standard output for any files whose
|
|
characteristics do not match the specification, or which are
|
|
missing from either the file hierarchy or the specification.
|
|
For an explanation of the directory hierarchy,
|
|
see
|
|
.Xr hier 7 .
|
|
.Pp
|
|
The options are as follows:
|
|
.Bl -tag -width Ds
|
|
.It Fl c
|
|
Print a specification for the file hierarchy to the standard output.
|
|
.It Fl d
|
|
Ignore everything except directory type files.
|
|
.It Fl e
|
|
Don't complain about files that are in the file hierarchy, but not in the
|
|
specification.
|
|
.It Fl f Ar spec
|
|
Read the specification from file
|
|
.Ar spec ,
|
|
instead of from the standard input.
|
|
.It Fl i
|
|
Indents the output 4 spaces each time a directory level is descended when
|
|
creating a specification with the
|
|
.Fl c
|
|
option.
|
|
This does not affect either the /set statements or the comment before each
|
|
directory.
|
|
It does however affect the comment before the close of each directory.
|
|
.It Fl K Ar keywords
|
|
Add the specified (whitespace or comma separated) keywords to the current
|
|
set of keywords.
|
|
.It Fl k Ar keywords
|
|
Use the
|
|
.Dq type
|
|
keyword plus the specified (whitespace or comma separated)
|
|
keywords instead of the current set of keywords.
|
|
.It Fl l
|
|
Do
|
|
.Dq loose
|
|
permissions checks, in which more stringent permissions
|
|
will match less stringent ones.
|
|
For example, a file marked mode 0444 will pass a check for mode 0644.
|
|
.Dq Loose
|
|
checks apply only to read, write and execute permissions -- in
|
|
particular, if other bits like the sticky bit or suid/sgid bits are
|
|
set either in the specification or the file, exact checking will be
|
|
performed.
|
|
This flag may not be set at the same time as the
|
|
.Fl u
|
|
or
|
|
.Fl U
|
|
flags.
|
|
.It Fl n
|
|
Do not emit pathname comments when creating a specification.
|
|
Normally
|
|
a comment is emitted before each directory and before the close of that
|
|
directory when using the
|
|
.Fl c
|
|
option.
|
|
.It Fl p Ar path
|
|
Use the file hierarchy rooted in
|
|
.Ar path ,
|
|
instead of the current directory.
|
|
.It Fl q
|
|
Quiet mode.
|
|
Do not complain when a
|
|
.Dq missing
|
|
directory cannot be created because it already exists.
|
|
This occurs when the directory is a symbolic link.
|
|
.It Fl r
|
|
Remove any files in the file hierarchy that are not described in the
|
|
specification.
|
|
.It Fl s Ar seed
|
|
Display a single checksum to the standard error output that represents all
|
|
of the files for which the keyword
|
|
.Cm cksum
|
|
was specified.
|
|
The checksum is seeded with the specified value.
|
|
.It Fl t
|
|
If a file's timestamp is different from the specification,
|
|
.Dq touch
|
|
it to match the specification (and list as modified).
|
|
.It Fl U
|
|
Modify the owner, group, and permissions of existing files to match
|
|
the specification and create any missing directories.
|
|
User, group, and permissions must all be specified for missing directories
|
|
to be created.
|
|
Exit with a status of 0 on success, 1 if any error occurred;
|
|
a mismatch is not considered an error if it was corrected.
|
|
.It Fl u
|
|
Same as the
|
|
.Fl U
|
|
option except a status of 2 is returned if the file hierarchy
|
|
did not match the specification.
|
|
.It Fl x
|
|
Don't descend below mount points in the file hierarchy.
|
|
.El
|
|
.Pp
|
|
Specifications are mostly composed of
|
|
.Dq keywords
|
|
(i.e., strings that specify values relating to files).
|
|
No keywords have default values, and if a keyword has no value set, no
|
|
checks based on it are performed.
|
|
.Pp
|
|
Currently supported keywords are as follows:
|
|
.Bl -tag -width sha256digest
|
|
.It Cm cksum
|
|
The checksum of the file using the default algorithm specified by
|
|
the
|
|
.Xr cksum 1
|
|
utility.
|
|
.It Cm flags
|
|
The current file's flags (whitespace or comma separated) in symbolic form
|
|
as specified by
|
|
.Xr chflags 1 .
|
|
The string
|
|
.Dq none
|
|
may be used to indicate that no flags should be set on the file.
|
|
.It Cm gid
|
|
The file group as a numeric value.
|
|
.It Cm gname
|
|
The file group as a symbolic name.
|
|
.It Cm ignore
|
|
Ignore any file hierarchy below this file.
|
|
.It Cm link
|
|
The file the symbolic link is expected to reference.
|
|
.It Cm md5digest
|
|
The MD5 message digest of the file.
|
|
.It Cm mode
|
|
The current file's permissions as a numeric (octal) or symbolic
|
|
value.
|
|
.It Cm nlink
|
|
The number of hard links the file is expected to have.
|
|
.It Cm nochange
|
|
Do not change the attributes (owner, group, mode, etc) on a file or directory.
|
|
.It Cm optional
|
|
The file is optional; don't complain about the file if it's
|
|
not in the file hierarchy.
|
|
.It Cm rmd160digest
|
|
The RIPEMD-160 message digest of the file.
|
|
.It Cm sha1digest
|
|
The SHA-1 message digest of the file.
|
|
.It Cm sha256digest
|
|
The SHA-256 message digest of the file.
|
|
.It Cm size
|
|
The size, in bytes, of the file.
|
|
.It Cm time
|
|
The last modification time of the file.
|
|
.It Cm type
|
|
The type of the file; may be set to any one of the following:
|
|
.Pp
|
|
.Bl -tag -width Cm -compact
|
|
.It Cm block
|
|
block special device
|
|
.It Cm char
|
|
character special device
|
|
.It Cm dir
|
|
directory
|
|
.It Cm fifo
|
|
FIFO
|
|
.It Cm file
|
|
regular file
|
|
.It Cm link
|
|
symbolic link
|
|
.It Cm socket
|
|
socket
|
|
.El
|
|
.It Cm uid
|
|
The file owner as a numeric value.
|
|
.It Cm uname
|
|
The file owner as a symbolic name.
|
|
.El
|
|
.Pp
|
|
The default set of keywords are
|
|
.Cm gid ,
|
|
.Cm mode ,
|
|
.Cm nlink ,
|
|
.Cm size ,
|
|
.Cm link ,
|
|
.Cm time ,
|
|
and
|
|
.Cm uid .
|
|
.Pp
|
|
There are four types of lines in a specification.
|
|
.Pp
|
|
The first type of line sets a global value for a keyword, and consists of
|
|
the string
|
|
.Dq /set
|
|
followed by whitespace, followed by sets of keyword/value
|
|
pairs, separated by whitespace.
|
|
Keyword/value pairs consist of a keyword, followed by an equals sign
|
|
.Pq Sq = ,
|
|
followed by a value, without whitespace characters.
|
|
Once a keyword has been set, its value remains unchanged until either
|
|
reset or unset.
|
|
.Pp
|
|
The second type of line unsets keywords and consists of the string
|
|
.Dq /unset ,
|
|
followed by whitespace, followed by one or more keywords,
|
|
separated by whitespace.
|
|
.Pp
|
|
The third type of line is a file specification and consists of a file
|
|
name, followed by whitespace, followed by zero or more whitespace
|
|
separated keyword/value pairs.
|
|
The file name may be preceded by whitespace characters.
|
|
The file name may contain any of the standard file name matching
|
|
characters
|
|
.Po
|
|
.Dq \&[ ,
|
|
.Dq \&] ,
|
|
.Dq \&? ,
|
|
or
|
|
.Dq \&*
|
|
.Pc ,
|
|
in which case files in the hierarchy will be associated with the first
|
|
pattern that they match.
|
|
.Pp
|
|
Each of the keyword/value pairs consist of a keyword, followed by an
|
|
equals sign, followed by the keyword's value, without
|
|
whitespace characters.
|
|
These values override, without changing, the global value of the
|
|
corresponding keyword.
|
|
.Pp
|
|
All paths are relative.
|
|
Specifying a directory will cause subsequent files to be searched
|
|
for in that directory hierarchy.
|
|
Which brings us to the last type of line in a specification: a line
|
|
containing only the string
|
|
.Dq ..
|
|
causes the current directory
|
|
path to ascend one level.
|
|
.Pp
|
|
Empty lines and lines whose first non-whitespace character is a hash
|
|
mark
|
|
.Pq Sq #
|
|
are ignored.
|
|
.Sh FILES
|
|
.Bl -tag -width /etc/mtree -compact
|
|
.It Pa /etc/mtree
|
|
system specification directory
|
|
.El
|
|
.Sh EXIT STATUS
|
|
The
|
|
.Nm mtree
|
|
utility exits with a status of 0 on success, 1 if any error occurred,
|
|
and 2 if the file hierarchy did not match the specification.
|
|
A status of 2 is converted to a status of 0 if the
|
|
.Fl U
|
|
option is used.
|
|
.Sh EXAMPLES
|
|
To detect system binaries that have been
|
|
.Dq trojan horsed ,
|
|
it is recommended
|
|
that
|
|
.Nm mtree
|
|
.Fl cK
|
|
.Cm sha256digest
|
|
be run on the file systems, and a copy of the results stored on a different
|
|
machine or, at least, in encrypted form.
|
|
The output file itself should be digested using the
|
|
.Xr sha256 1
|
|
utility.
|
|
Then, periodically,
|
|
.Nm mtree
|
|
and
|
|
.Xr sha256 1
|
|
should be run against the on-line specifications.
|
|
While it is possible for the bad guys to change the on-line specifications
|
|
to conform to their modified binaries, it is believed to be
|
|
impractical for them to create a modified specification which has
|
|
the same SHA-256 digest as the original.
|
|
.Pp
|
|
The
|
|
.Fl d
|
|
and
|
|
.Fl u
|
|
options can be used in combination to create directory hierarchies
|
|
for distributions and other such things; the files in
|
|
.Pa /etc/mtree
|
|
were used to create almost all directories in a normal binary
|
|
distribution.
|
|
.Sh SEE ALSO
|
|
.Xr chgrp 1 ,
|
|
.Xr chmod 1 ,
|
|
.Xr cksum 1 ,
|
|
.Xr md5 1 ,
|
|
.Xr stat 2 ,
|
|
.Xr fts 3 ,
|
|
.Xr md5 3 ,
|
|
.Xr rmd160 3 ,
|
|
.Xr sha1 3 ,
|
|
.Xr sha2 3 ,
|
|
.Xr hier 7 ,
|
|
.Xr chown 8
|
|
.Sh HISTORY
|
|
The
|
|
.Nm mtree
|
|
utility appeared in
|
|
.Bx 4.3 Reno .
|