|MTREE(8)||System Manager's Manual||MTREE(8)|
mtree — map a
mtree utility compares the file
hierarchy rooted in the current directory against a specification read from
the standard input. Messages are written to the standard output for any
files whose characteristics do not match the specification, or which are
missing from either the file hierarchy or the specification.
The options are as follows:
- Print a specification for the file hierarchy to the standard output.
- Ignore everything except directory type files.
- Print (‘dump’) the specification as provided by
-fspec in a format that's easier to parse with various tools. The full path name is always printed as the first field, and
-Rcan be used to control which other keywords are printed, and
-Ican be used to control which files are printed.
- As per
-C, except that the path name is always printed as the last field instead of the first.
- Add the comma separated tags to the “exclusion” list.
Non-directories with tags which are in the exclusion list are not printed
- Don't complain about files that are in the file hierarchy, but not in the specification.
- Read the specification from file, instead of from the standard input.
- Add the comma separated tags to the “inclusion” list.
Non-directories with tags which are in the inclusion list are printed with
-D. If no inclusion list is provided, the default is to display all files.
- If specified, set the schg and/or sappnd flags.
- Add the specified (whitespace or comma separated) keywords to the current
set of keywords. If ‘
all’ is specified, add all of the other keywords.
- Use the type keyword plus the specified (whitespace or
comma separated) keywords instead of the current set of keywords. If
all’ is specified, use all of the other keywords. If the type keyword is not desired, suppress it with
- Do “loose” permissions checks, in which more stringent
permissions will match less stringent ones. For example, a file marked
mode 0444 will pass a check for mode 0644. “Loose” checks
apply only to read, write and execute permissions -- in particular, if
other bits like the sticky bit or suid/sgid bits are set either in the
specification or the file, exact checking will be performed. This flag may
not be set at the same time as the
- Follow all symbolic links in the file hierarchy.
- If the schg and/or sappnd flags are specified, reset these flags. Note that this is only possible with securelevel less than 1 (i.e. in single user mode or while the system is running in insecure mode). See init(8) for information on security levels.
- Permit merging of specification entries with different types, with the last entry take precedence.
- Use the user database text file master.passwd and group database text file group from dbdir, rather than using the results from the system's getpwnam(3) and getgrnam(3) (and related) library calls.
- Use the file hierarchy rooted in path, instead of the current directory.
- Don't follow symbolic links in the file hierarchy, instead consider the symbolic link itself in any comparisons. This is the default.
- Remove any files in the file hierarchy that are not described in the specification.
- Remove the specified (whitespace or comma separated) keywords from the
current set of keywords. If ‘
all’ is specified, remove all of the other keywords.
- Display a single checksum to the standard error output that represents all of the files for which the keyword cksum was specified. The checksum is seeded with the specified value.
- Modify the owner, group, permissions, and flags of existing files, the
device type of devices, and symbolic link targets, to match the
specification. Create any missing directories, devices or symbolic links.
User, group, and permissions must all be specified for missing directories
to be created. Note that unless the
-ioption is given, the schg and sappnd flags will not be set, even if specified. If
-mis given, these flags will be reset. Exit with a status of 0 on success, 2 if the file hierarchy did not match the specification, and 1 if any other error occurred.
- Same as
-uexcept that a mismatch is not considered to be an error if it was corrected.
- Don't attempt to set various file attributes such as the ownership, mode,
flags, or time when creating new directories or changing existing entries.
This option will be most useful when used in conjunction with
- Don't descend below mount points in the file hierarchy.
- The specified file contains fnmatch(3) patterns matching
files to be excluded from the specification, one to a line. If the pattern
contains a ‘
/’ character, it will be matched against entire pathnames (relative to the starting directory); otherwise, it will be matched against basenames only. Comments are permitted in the exclude-list file.
Specifications are mostly composed of “keywords”, i.e. strings that that specify values relating to files. No keywords have default values, and if a keyword has no value set, no checks based on it are performed.
Currently supported keywords are as follows:
- The checksum of the file using the default algorithm specified by the cksum(1) utility.
- The device number to use for block or
char file types. The argument must be one of the
- A device with major and minor fields, for an operating system specified with format. See below for valid formats.
- A device with major, unit, and subunit fields, for an operating system specified with format. (Currently this is only supported by the bsdos format.)
- Opaque number (as stored on the file system).
See mknod(8) for more details.
- The file flags as a symbolic name. See chflags(1) for
information on these names. If no flags are to be set the string
none’ may be used to override the current default. Note that the schg and sappnd flags are treated specially (see the
- Ignore any file hierarchy below this file.
- The file group as a numeric value.
- The file group as a symbolic name.
- The file the symbolic link is expected to reference.
- The MD5 cryptographic message digest of the file.
- Synonym for md5.
- The current file's permissions as a numeric (octal) or symbolic value.
- The number of hard links the file is expected to have.
- The file is optional; don't complain about the file if it's not in the file hierarchy.
- The RMD-160 cryptographic message digest of the file.
- Synonym for rmd160.
- The SHA-1 cryptographic message digest of the file.
- Synonym for sha1.
- The 256-bits SHA-2 cryptographic message digest of the file.
- Synonym for sha256.
- The 384-bits SHA-2 cryptographic message digest of the file.
- Synonym for sha384.
- The 512-bits SHA-2 cryptographic message digest of the file.
- Synonym for sha512.
- The size, in bytes, of the file.
- Comma delimited tags to be matched with
-I. These may be specified without leading or trailing commas, but will be stored internally with them.
- The last modification time of the file.
- The type of the file; may be set to any one of the following:
- The file owner as a numeric value.
- The file owner as a symbolic name.
The default set of keywords are flags, gid, link, mode, nlink, size, time, type, and uid.
There are four types of lines in a specification:
- Set global values for a keyword. This consists of the string
/set’ followed by whitespace, followed by sets of keyword/value pairs, separated by whitespace. Keyword/value pairs consist of a keyword, followed by an equals sign (‘
=’), followed by a value, without whitespace characters. Once a keyword has been set, its value remains unchanged until either reset or unset.
- Unset global values for a keyword. This consists of the string
/unset’, followed by whitespace, followed by one or more keywords, separated by whitespace. If ‘
all’ is specified, unset all of the keywords.
- A file specification, consisting of a path name, followed by whitespace,
followed by zero or more whitespace separated keyword/value pairs.
The path name may be preceded by whitespace characters. The path name may contain any of the standard path name matching characters (‘
?’ or ‘
*’), in which case files in the hierarchy will be associated with the first pattern that they match.
mtreeuses strsvis(3) (in VIS_CSTYLE format) to encode path names containing non-printable characters. Whitespace characters are encoded as ‘
\s’ (space), ‘
\t’ (tab), and ‘
\n’ (new line). ‘
#’ characters in path names are escaped by a preceding backslash ‘
\’ to distinguish them from comments.
Each of the keyword/value pairs consist of a keyword, followed by an equals sign (‘
=’), followed by the keyword's value, without whitespace characters. These values override, without changing, the global value of the corresponding keyword.
The first path name entry listed must be a directory named ‘
.’, as this ensures that intermixing full and relative path names will work consistently and correctly. Multiple entries for a directory named ‘
.’ are permitted; the settings for the last such entry override those of the existing entry.
A path name that contains a slash (‘
/’) that is not the first character will be treated as a full path (relative to the root of the tree). All parent directories referenced in the path name must exist. The current directory path used by relative path names will be updated appropriately. Multiple entries for the same full path are permitted if the types are the same (unless
-Mis given, and then the types may differ); in this case the settings for the last entry take precedence.
A path name that does not contain a slash will be treated as a relative path. Specifying a directory will cause subsequent files to be searched for in that directory hierarchy.
- A line containing only the string
..’ which causes the current directory path (used by relative paths) to ascend one level.
Empty lines and lines whose first non-whitespace character is a
hash mark (‘
#’) are ignored.
mtree utility exits with a status of 0
on success, 1 if any error occurred, and 2 if the file hierarchy did not
match the specification.
- system specification directory
To detect system binaries that have been “trojan
horsed”, it is recommended that
mtree be run
on the file systems, and a copy of the results stored on a different
machine, or, at least, in encrypted form. The seed for the
-s option should not be an obvious value and the
final checksum should not be stored on-line under any circumstances! Then,
mtree should be run against the
on-line specifications and the final checksum compared with the previous
value. While it is possible for the bad guys to change the on-line
specifications to conform to their modified binaries, it shouldn't be
possible for them to make it produce the same final checksum value. If the
final checksum value changes, the off-line copies of the specification can
be used to detect which of the binaries have actually been modified.
options can be used in combination to create directory hierarchies for
distributions and other such things.
mtree utility appeared in
4.3BSD-Reno. The optional keyword
appeared in NetBSD 1.2. The
-U flag appeared in NetBSD
1.3. The flags and md5 keywords,
-m flags appeared
in NetBSD 1.4. The device,
rmd160, sha1, tags,
-X flags, and
support for full paths appeared in NetBSD 1.6. The
sha256, sha384, and
sha512 keywords appeared in NetBSD
|September 12, 2006||Debian|