+------------------------------------------------------------------+ | Linux Security: Tips, Tricks, and Hackery | | Published by Onsight, Inc. | | | | 11-September-2003 | | http://www.hackinglinuxexposed.com/articles/20030911.html | +------------------------------------------------------------------+ This issue sponsored by Onsight, Inc, your source for open-source solutions. Onsight offers on-site training on Linux software development, Linux, Unix, and Network Security, Basic/Advanced Perl programming, CGIs and Dynamic Web Content, Tcl/Tk, and XML. All courses are hands-on, designed by real-world consultants and fully customizable. Every Onsight instructor is a seasoned consultant able to provide back-end web programming, network security, system administration and other support services. For more information, visit http://www.onsight.com -------------------------------------------------------------------- The wrong way to upgrade your RPMs By Brian Hatch Summary: Keeping your machine up to date requires that you update your software. If your distro uses RPM packages, be sure you aren't accidentally installing new software when you upgrade. Most Linux distributions use the RPM[1] format for their software packages. RPMs are managed by the rpm program, which typically lives at /usr/bin/rpm.[2] The problem with any system is that your software is out of date the second you install it, and when security problems are found, you need to upgrade your software. Linux is great in that you don't need to reboot, you can upgrade your software on the fly.[3] Most Linux distributions maintain a web or FTP site that provides updated RPMs for security or other critical bugs. Some even include handy helpful programs to make it easier to identify older software and automatically upgrade to the newest available version, for example Red Hat's up2date. Some of these are subscription based (hey, creating good tools and providing the bandwidth costs money) so often people prefer to simply upgrade their RPMs directly. It's fairly trivial to mirror the updates section of your distro's website. For example I used to use the following to snag all the Red Hat 6.2 upgrade RPMs: $ wget ftp://ftp.valinux.com/pub/mirrors/redhat/redhat/updates/6.2/en/os/i386 The above command would download all the x86 updates. Run it nightly from cron, and you've always got a repository of updated packages. Now that you have them, it's time to upgrade. Say you are running Apache (who isn't) and there's an upgrade for it, you'd do the following to upgrade: # cd /path/to/my/mirrored/upgrade/packages # rpm -U apache-1.3.27.rpm The -U option to rpm tells it to upgrade the package, which is effectively just an install of the new package followed by an uninstall (erase) of the old. Your configuration files are all left alone, and in the case of security upgrades you shouldn't need to make any changes.[4] Life is good. Now wouldn't it be tempting to just run rpm -U out of cron after the directory is mirrored? Yes, it is tempting, and it's problematic, and here's why: Calling rpm -U will upgrade a package even if it isn't already installed. So if you weren't running Apache and attempt to 'upgrade' it, rpm -U will install it for you! Now you're running something you weren't expecting, and probably aren't paying attention to. The less software you have installed and running, especially network-accessible daemons, the better. Instead of using rpm -U, you should use rpm -F. The -F stands for 'freshen', and is the same as 'upgrade' except that it will only install the upgraded package if the old version is already installed. This will prevent you from accidentally installing something that wasn't installed. If you do want to run upgrades out of cron (which I don't suggest in general), be careful about kernel upgrades. These should only be installed manually, lest you end up rendering your machine unable to boot, have a foobared /etc/lilo.conf or /etc/grub.conf, or install kernel includes that are incompatible with your current running kernel and goof up subsequent software compiles. NOTES: [1] RPM stands for "Red Hat Package Manager", created by, unsurprisingly, Red Hat. [2] Naturally there are many front ends to rpm functionality. I'll admit, I'm an old foggie command line guy, and just can't keep up with the GUI frontend of the week. [3] In many cases, such as daemon programs, you need to restart your software, and this is likely not built into the post-upgrade functionality of the RPM. See the article "Upgrade Process: Restarting vs Rebooting" (http://www.hackinglinuxexposed.com/articles /20030409.html). [4] Usually, when a package has a security problem, the bug is fixed in the exact same version of the software, rather than upgrading you to a new version of the software. Upgrading Apache-1.3.x to Apache-1.3.y could cause problems (perhaps some of your modules aren't available for the new version) so patches are 'backported' to the currently-available version when necessary. Because of this, you shouldn't need to change any of your configuration or setup in 95% of your upgrades. ------------- Brian Hatch is Chief Hacker at Onsight, Inc and author of Hacking Linux Exposed and Building Linux VPNs. He gets a lot of work done at Starbucks while waiting for his wife's car to get fixed. If only he had a second battery for his laptop... Brian can be reached at brianat_private -------------------------------------------------------------------- This newsletter is distributed by Onsight, Inc. The list is managed with MailMan (http://www.list.org). You can subscribe, unsubscribe, or change your password by visiting http://lists.onsight.com/ or by sending email to linux_security-requestat_private Archives of this and previous newsletters are available at http://www.hackinglinuxexposed.com/articles/ -------------------------------------------------------------------- Copyright 2003, Brian Hatch. - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Fri Sep 12 2003 - 02:50:44 PDT