Verfication of command binaries before execution

Instead of validating binaries you're going to execute, you could execute the right binaries from the start. E.g. if you want to make sure you're not going to run /tmp/surprise/tar, just run /usr/bin/tar in your script. Alternatively, set your $PATH to a sane value before running anything.

If you don't trust files in /usr/bin/ and other system directories, there's no way to regain confidence. In your example, you're checking the owner with ls, but how do you know you can trust ls? The same argument applies to other solutions such as md5sum and strace.

Where high confidence in system integrity is required, specialized solutions like IMA are used. But this is not something you could use from a script: the whole system has to be set up in a special way, with the concept of immutable files in place.


If an intruder has gained access to your system and is able to modify your $PATH (which should not include /tmp under any circumstances), then it's too late to start worrying about the ownerships of the executables.

Instead you should read about how to deal with an intrusion.

Better to concentrate on avoiding intrusion altogether.

If you have a system where these sorts of things matter, then it may be a good idea to isolate the parts of it that needs to be public from the parts that needs to be private, as well as performing an audit of the modes of communication between these.


It is possible to some extent by verifying the md5sum of a file. Thus on systems that use apt package management - in my particular case, Ubuntu 16.04 - there is the file /var/lib/dpkg/info/tar.md5sums, which stores the md5 sums of all files that came from tar during installation. So you could write a simple if-statement that checks whether the output of md5sum /bin/tar matches what is in that file.

That of course assumes that the file itself hasn't been tampered with. This of course can only happen when attacker has gotten root/sudo access, at which point all bets are off.