Get diff changes between original files installed with apt and current files

Try something like this:

# exit on failure
set -e

package=php5-fpm
mkdir $package
cd $package

# you could also get the file from a package mirror if you have
#  an older version of apt-get that doesn't support 'download' 
#  or if you would like more control over what package version
#  you are downloading.
# (e.g. http://archive.ubuntu.com/ubuntu/pool/main/)
apt-get download $package

# deb package files are ar archives
ar vx ${package}*.deb
# containing some compressed tar archives
tar xzf data.tar.gz
# now you have the files

# you can get diffs for all of the files in etc if you would like
find etc -type f |
while read file ; do
    diff $file /$file
done

As suggested by others, definitely put your configuration files under revision control. That way, you can see exactly what you changed and when you changed it.


etc directory

For tracking changes to your /etc directory you can do as @Anthon has suggested and use git, subversion, mercurial, etc. to version control that directory. You can also use a tool such as etckeeper. There's a tutorial here as well as here.

etckeeper is a collection of tools to let /etc be stored in a git, mercurial, bazaar or darcs repository. It hooks into apt to automatically commit changes made to /etc during package upgrades. It tracks file metadata that git does not normally support, but that is important for /etc, such as the permissions of /etc/shadow. It's quite modular and configurable, while also being simple to use if you understand the basics of working with version control.

package files

To my knowledge apt does not have a way to check the files on disk vs. the files that are in the actual .deb. Neither does dpkg, the tool that apt is actually using to do the management of files.

However you can use a tool such as debsums to compare some of the files you have installed, it only looks at their checksums (md5sum) of what's in the .deb file vs. what's on your systems disk.

See this serverfault question for more details about debsum and dpkg checksumming, as well as this askubuntu question.

debsum example

% debsums openssh-server
/usr/lib/openssh/sftp-server                                                  OK
/usr/sbin/sshd                                                                OK
/usr/share/lintian/overrides/openssh-server                                   OK
/usr/share/man/man5/sshd_config.5.gz                                          OK
/usr/share/man/man8/sshd.8.gz                                                 OK
/usr/share/man/man8/sftp-server.8.gz                                          OK

I wrote the following simple script to automatically retrieve the original file from the right Debian package and diff the current file against it: https://a3nm.net/git/mybin/tree/debdiffconf

Use it as follows: debdiffconf FILE

#!/bin/bash

# Usage: debdiffconf.sh FILE
# Produce on stdout diff of FILE against the first installed Debian package
# found that provides it.
# Returns the exit code of diff if everything worked, 3 or 4 otherwise.

# https://stackoverflow.com/a/4785518
command -v apt >/dev/null 2>&1 || {
  echo "apt not found, this is probably not a Debian system. Aborting." >&2;
  exit 4; }
command -v apt-file >/dev/null 2>&1 || {
  echo "Please install apt-file: sudo apt install apt-file. Aborting." >&2;
  exit 4; }
command -v realpath >/dev/null 2>&1 || {
  echo "Please install realpath: sudo apt install realpath. Aborting." >&2;
  exit 4; }

FILE=$(realpath -m "$1")
while read PACKAGE
do
  # verify from first installed package
  if dpkg-query -W --showformat='${Status}\n' | grep installed > /dev/null
  then
    DIR=$(mktemp -d)
    cd "$DIR"
    echo "Trying $PACKAGE..." >&2
    apt download "$PACKAGE" >&2
    # downloaded archive is the only file present...
    ARCHIVE=$(ls)
    mkdir contents
    # extract entire archive
    dpkg-deb -x "$ARCHIVE" contents/ >&2
    if [ -f "contents$FILE" ]
    then
      # package contained required file
      diff "contents$FILE" "$FILE"
      RET=$?
      # cleanup
      cd
      rm -Rf "$DIR"
      # exit entire script as this is the main shell
      # with the return code from diff
      exit $RET
    else
      # cleanup
      cd
      rm -Rf "$DIR"
    fi
  fi
done < <(apt-file -l search "$FILE")
# if we are here, it means we have found no suitable package
echo "Could not find original package for $FILE" >&2
exit 3