map a directory hierarchy
mtree compares the file
hierarchy rooted in the current directory against a specification read from
the standard input. Messages are written to the standard output for any
files whose characteristics do not match the specification, or which are
missing from either the file hierarchy or the specification. For an
explanation of the directory hierarchy, see
The options are as follows:
- Print a specification for the file hierarchy to the standard output.
- Ignore everything except directory type files.
- Don't complain about files that are in the file hierarchy, but not in the specification.
- Read the specification from file spec, instead of from the standard input.
- Indents the output 4 spaces each time a directory level is descended when
creating a specification with the
-coption. This does not affect either the /set statements or the comment before each directory. It does however affect the comment before the close of each directory.
- Add the specified (whitespace or comma separated) keywords to the current set of keywords.
- Use the “type” keyword plus the specified (whitespace or comma separated) keywords instead of the current set of keywords.
- Do “loose” permissions checks, in which more stringent
permissions will match less stringent ones. For example, a file marked
mode 0444 will pass a check for mode 0644. “Loose” checks
apply only to read, write and execute permissions -- in particular, if
other bits like the sticky bit or suid/sgid bits are set either in the
specification or the file, exact checking will be performed. This flag may
not be set at the same time as the
- Do not emit pathname comments when creating a specification. Normally a
comment is emitted before each directory and before the close of that
directory when using the
- Use the file hierarchy rooted in path, instead of the current directory.
- Quiet mode. Do not complain when a “missing” directory cannot be created because it already exists. This occurs when the directory is a symbolic link.
- Remove any files in the file hierarchy that are not described in the specification.
- Display a single checksum to the standard error output that represents all
of the files for which the keyword
cksumwas specified. The checksum is seeded with the specified value.
- If a file's timestamp is different from the specification, “touch” it to match the specification (and list as modified).
- Modify the owner, group, and permissions of existing files to match the specification and create any missing directories. User, group, and permissions must all be specified for missing directories to be created. Exit with a status of 0 on success, 1 if any error occurred; a mismatch is not considered an error if it was corrected.
- Same as the
-Uoption except a status of 2 is returned if the file hierarchy did not match the specification.
- Don't descend below mount points in the file hierarchy.
Specifications are mostly composed of “keywords” (i.e., strings that specify values relating to files). No keywords have default values, and if a keyword has no value set, no checks based on it are performed.
Currently supported keywords are as follows:
- The checksum of the file using the default algorithm specified by the cksum(1) utility.
- The current file's flags (whitespace or comma separated) in symbolic form as specified by chflags(1). The string “none” may be used to indicate that no flags should be set on the file.
- The file group as a numeric value.
- The file group as a symbolic name.
- Ignore any file hierarchy below this file.
- The file the symbolic link is expected to reference.
- The MD5 message digest of the file.
- The current file's permissions as a numeric (octal) or symbolic value.
- The number of hard links the file is expected to have.
- Do not change the attributes (owner, group, mode, etc) on a file or directory.
- The file is optional; don't complain about the file if it's not in the file hierarchy.
- The RIPEMD-160 message digest of the file.
- The SHA-1 message digest of the file.
- The SHA-256 message digest of the file.
- The size, in bytes, of the file.
- The last modification time of the file.
- The type of the file; may be set to any one of the following:
- block special device
- character special device
- regular file
- symbolic link
- The file owner as a numeric value.
- The file owner as a symbolic name.
The default set of keywords are
There are four types of lines in a specification.
The first type of line sets a global value for a keyword, and consists of the string “/set” followed by whitespace, followed by sets of keyword/value pairs, separated by whitespace. Keyword/value pairs consist of a keyword, followed by an equals sign (‘=’), followed by a value, without whitespace characters. Once a keyword has been set, its value remains unchanged until either reset or unset.
The second type of line unsets keywords and consists of the string “/unset”, followed by whitespace, followed by one or more keywords, separated by whitespace.
The third type of line is a file specification and consists of a file name, followed by whitespace, followed by zero or more whitespace separated keyword/value pairs. The file name may be preceded by whitespace characters. The file name may contain any of the standard file name matching characters (“[”, “]”, “?”, or “*”), in which case files in the hierarchy will be associated with the first pattern that they match.
Each of the keyword/value pairs consist of a keyword, followed by an equals sign, followed by the keyword's value, without whitespace characters. These values override, without changing, the global value of the corresponding keyword.
All paths are relative. Specifying a directory will cause subsequent files to be searched for in that directory hierarchy. Which brings us to the last type of line in a specification: a line containing only the string “..” causes the current directory path to ascend one level.
Empty lines and lines whose first non-whitespace character is a hash mark (‘#’) are ignored.
- system specification directory
mtree utility exits with a status of 0
on success, 1 if any error occurred, and 2 if the file hierarchy did not
match the specification. A status of 2 is converted to a status of 0 if the
-U option is used.
To detect system binaries that have been “trojan
horsed”, it is recommended that
sha256digest be run on
the file systems, and a copy of the results stored on a different machine
or, at least, in encrypted form. The output file itself should be digested
using the sha256(1) utility. Then, periodically,
sha256(1) should be run against the on-line specifications. While it
is possible for the bad guys to change the on-line specifications to conform
to their modified binaries, it is believed to be impractical for them to
create a modified specification which has the same SHA-256 digest as the
options can be used in combination to create directory hierarchies for
distributions and other such things; the files in
/etc/mtree were used to create almost all
directories in a normal binary distribution.
chgrp(1), chmod(1), cksum(1), md5(1), stat(2), fts_open(3), MD5Init(3), RMD160Init(3), SHA1Init(3), SHA256Init(3), hier(7), chown(8)
mtree utility appeared in