[Aide] File type attribute

gentuxx gentuxx at gmail.com
Fri Oct 28 21:46:14 EEST 2005 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Bob Proulx wrote:

>gentuxx wrote:
>
>>jacob martinson wrote:
>>
>>>What do you mean by file type? Unix doesn't have a file typing
>>>framework the way Windows does.
>>
>>At the risk of going off-topic, Unix does recognize file types. It
>>isn't the same type of system you allude to with Windows, i.e. file
>>extensions, but it knows the difference:
>
>
>I know this is drifting pretty far afield but I can't go on letting
>people think that the 'file' command is doing something that it is not
>doing.


Well, thanks for correcting me.  I'm always happy to learn something new!

>
>>gentuxx at gentoo ~ $ file install-sparc64-universal-2005.1.iso
>>install-sparc64-universal-2005.1.iso: Sun disk label 'SPARC bootable
>>CD-ROM: Gentoo Linux SPARC64 2005.1' 0 blocks, boot block present
>>gentuxx at gentoo ~ $ file lastRSS.zip
>>lastRSS.zip: Zip archive data, at least v2.0 to extract
>>gentuxx at gentoo ~ $ file /usr/bin/ls
>>/usr/bin/ls: symbolic link to `/bin/ls'
>>gentuxx at gentoo ~ $ file /bin/ls
>>/bin/ls: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for
>>GNU/Linux 2.4.1, dynamically linked (uses shared libs), stripped
>
>
>The file command is sampling data from the file at certain locations
>and then looking at its map table to determine what to say about it.
>Usually the 'file' program's table is /etc/magic because it lists the
>magic numbers in the files. Now /usr/share/misc/file/magic on my
>current system so that local customizations to /etc will be preserved.
>
>For example, traditionally a file starting with the four bytes "#! /"
>would be reported as a script. Looking at the string would indicate
>what type of script. (This is one reason why some people prefer the
>script start "#! /" instead of "#!/". Because some old file commands
>would look at all four of the first bytes for the signature. But
>personally I prefer the one without the space.)
>
>Meanwhile, the output of 'file' has no bearing on anything else in the
>system. It is just a convenient program that takes a guess the file
>contents. But it is only a guess. It is often out of date if a new
>data file comes into being such as a new compression format or some
>such thing.


Cool.  I probably could have figured that out if I looked at the
source for 'file'.  ;-)

>
>>At the most fundamental level, it's binary or text.
>
>
>I must disagree. On unix system even text files are binary.
>
>On MS-Windows a distinction is made that text files are different and
>upon reading and writing a byte transation is applied by convention.
>Logical line endings are encoded with CR-NL sequences and a file is
>logically ended by a ^Z character even if more data exists and may be
>read after it. But neither of those are true for unix files.
>
By this distinction, every file on any operating system is binary.
Bits are bits; you can do with them what you want.

>>It determines file type based on the file header.
>
>
>With 'file' it is not always a "header". Files don't really have
>headers unless the author designed one into the data of the file.
>Whenever possible 'file' uses the data at offset zero because that is
>the most convenient data to use. But it is not required. The author
>of the /etc/magic file tries to find some unique signature in the data
>of the file and tries to map that to a string to print to identify the
>file.
>
>>To the point of this discussion, it might be handy to know that my
>>install-sparc64-universal-2005.1.iso is really:
>>
>>gentuxx at gentoo ~ $ file scripts/install-sparc64-universal-2005.1.iso
>>scripts/install-sparc64-universal-2005.1.iso: perl script text executable
>
>
>Such as copying a perl script on top of the iso image thereby
>replacing it, as you must have done for your example.
>
Actually, if you look closely, the perl script is in a sub-directory.

>>but if that were to actually happen, the ctime, mtime, (possibly)
>>inode, md5 hash, sha1 hash, etc. are all going to be different, which
>>would be flagged by 'aide -c'.
>
>
>Agreed.


Thanks.  At least I wasn't totally off the mark on everything.  ;-)

>Bob
>_______________________________________________
>Aide mailing list
>Aide at cs.tut.fi
>https://mailman.cs.tut.fi/mailman/listinfo/aide
>


- --
gentux
echo "hfouvyAdpy/ofu" | perl -pe 's/(.)/chr(ord($1)-1)/ge'

gentux's gpg fingerprint ==> 34CE 2E97 40C7 EF6E EC40  9795 2D81 924A
6996 0993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDYnH2LYGSSmmWCZMRAtlRAJ9fGKpEQeC0YI6tvI3Bv/4KHAktKACdE1cw
fBQttowDN7IccetFbtOzyEo=
=1Cho
-----END PGP SIGNATURE-----

More information about the Aide mailing list