Is this safe @Matt @eva2000 ?
Code:
# yum --disablerepo=* --enablerepo=axivo update
Loaded plugins: downloadonly, fastestmirror, priorities
Loading mirror speeds from cached hostfile
axivo                                                                                   | 2.9 kB     00:00
axivo/primary_db                                                                        |  98 kB     00:00
Setting up Update Process
Resolving Dependencies
--> Running transaction check
---> Package cmake.x86_64 0:2.6.4-5.el6 will be updated
---> Package cmake.x86_64 0:2.8.12.2-1.el6 will be an update
---> Package pcre.x86_64 0:7.8-6.el6 will be updated
--> Processing Dependency: libpcre.so.0()(64bit) for package: 2:postfix-2.11.1-1.el6.x86_64
--> Processing Dependency: libpcre.so.0()(64bit) for package: grep-2.6.3-4.el6_5.1.x86_64
--> Processing Dependency: libpcre.so.0()(64bit) for package: less-436-10.el6.x86_64
---> Package pcre.x86_64 0:8.35-1.el6 will be an update
---> Package pcre-devel.x86_64 0:7.8-6.el6 will be updated
---> Package pcre-devel.x86_64 0:8.35-1.el6 will be an update
---> Package re2c.x86_64 0:0.13.5-1.el6 will be updated
---> Package re2c.x86_64 0:0.13.6-1.el6 will be an update
--> Running transaction check
---> Package libpcre.x86_64 0:8.21-1.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

========================================================================================================
 Package              Arch          Version                  Repository          Size
========================================================================================================
Updating:
 cmake                x86_64        2.8.12.2-1.el6           axivo              8.0 M
 pcre                 x86_64        8.35-1.el6               axivo              1.4 M
 pcre-devel           x86_64        8.35-1.el6               axivo              218 k
 re2c                 x86_64        0.13.6-1.el6             axivo              127 k
Installing for dependencies:
 libpcre              x86_64        8.21-1.el6               axivo              443 k

Transaction Summary
========================================================================================================
Install       1 Package(s)
Upgrade       4 Package(s)

Total download size: 10 M
Should be, although I don't use them myself, as by default Centmin Mod takes care of most of it, with the cmake28 and re2c versions pretty close. PCRE is older, but Centmin Mod Nginx compiles PCRE 8.35 already.
Code:
yum list cmake28 pcre re2c -q
Installed Packages
cmake28.x86_64        2.8.11.2-1.el6        @epel
pcre.x86_64           7.8-6.el6             @anaconda-CentOS-201311272149.x86_64/6.5
re2c.x86_64           0.13.5-1.el6          @epel
Of course it's safe. However, I see that you have devel packages installed, which should NEVER be present in a production environment. The same goes for cmake, gcc, etc.; you should never install compilers in production.
Yes, I do have devel packages, and that's because of some of the source install requirements, as you know. As to compiling programs in production, that is a personal preference, as I know you like your pure RPM package environments.
I would strongly suggest automating your script to quietly install and remove the devel packages, if you really want to temporarily build Centminmod in a production environment. Having devel packages and compilers in production is a very dangerous game. I agree that an attacker who is able to use the compilers installed on a system should generally be in a position to do worse things anyway, such as uploading their own (possibly statically linked) executables. But the rule of thumb remains: devel packages and compilers are designed for development environments, not production. You could easily automate your build process with something like:
Code:
# rpm -q prints "package cmake is not installed" on stdout, so test its
# exit status rather than whether its output is empty
if ! rpm -q cmake >/dev/null 2>&1; then
    yum -q -y install cmake
    # do some fancy compile code here
    yum -q -y remove cmake
fi
At least you are responsible and leave the user's system secure, while still having all the compilers and other package deps handy for your build. Doing this will make everyone a happy camper. If the user already has those packages installed, it's his problem, not yours. In CentOS 6 it is even easier to undo all your installed packages; look at yum history.
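The install-build-remove pattern above, as an added example rather than Centmin Mod's own build code: it records which build dependencies were actually missing, installs only those, and removes exactly those again through an EXIT trap, so a failed compile does not leave compilers behind and packages the user had installed beforehand are never touched. The package list and the configure/make step are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not Centmin Mod code): temporary build deps on a CentOS 6 host.
# Assumption: the package names below are placeholders for the real build deps.
BUILD_DEPS="${BUILD_DEPS:-gcc cmake pcre-devel re2c}"

# is_installed PKG: succeeds when rpm knows the package (stubbed in tests)
is_installed() { rpm -q "$1" >/dev/null 2>&1; }

# missing_deps PKG...: prints the subset of PKG... that is not installed
missing_deps() {
    for p in "$@"; do
        is_installed "$p" || printf '%s\n' "$p"
    done
}

# cleanup_deps: remove only what this script added, never the user's own packages
cleanup_deps() {
    if [ -n "$ADDED" ]; then
        yum -q -y remove $ADDED   # word-splitting of $ADDED is intended
    fi
}

# build_with_temp_deps: install what is missing, build, and clean up on every
# exit path (success, build failure, or Ctrl-C) via the trap
build_with_temp_deps() {
    ADDED=$(missing_deps $BUILD_DEPS | tr '\n' ' ')
    trap cleanup_deps EXIT
    if [ -n "$ADDED" ]; then
        yum -q -y install $ADDED || return 1
    fi
    ./configure && make && make install   # placeholder build step (assumption)
}

case "${1:-}" in
    run) build_with_temp_deps ;;          # invoke as: sh build.sh run
esac
```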
Thanks for the suggestion, and for Centmin Mod specifically installed software that would definitely be ideal. However, folks also install software themselves, whether by source or RPM, so they'd run up against source compile issues with missing devel packages and end up coming back to me for support (for a few folks that would be fine, but once it gets into the 1000s of folks it would just be unmanageable, despite me saying Centmin Mod is provided as is and without support heh). But as you said, if the attacker already has system/root access then it's already a compromised system. So it's really a balance I need to work out. But definitely thanks for the suggestion.
I hear you. Still, if you educate your users, I'm sure they will follow your guidelines and remove any devel packages after the build. IMO, having a VM on a local computer just for building Centminmod is really the ideal work environment. It avoids errors and other crazy things happening in production.
Indeed, I do suggest folks do test installs on a test server/environment first as a precaution, so it wouldn't be that much of a stretch to suggest devel package removal after builds. But as you know, how many folks read the manual or instructions fully?
Guys, please stop using --disablerepo=*; it is not the proper way. Instead, disable all the extra repos you installed and always allow the official repositories to update by default. Some AXIVO packages will install dependencies available in the official repos; if you disable them, yum install will fail.
@Floren Centmin Mod follows proper guidelines to set up each external YUM repo with YUM priorities, so external repos cannot conflict with the CentOS base ones: https://community.centminmod.com/threads/openssl-security-advisory.295/page-2#post-2386. So if you want to use a 3rd party YUM repository to override CentOS base packages, you'd need to use the AXIVO yum command with --disableplugin=priorities appended to the end. See https://community.centminmod.com/threads/openssl-security-advisory.295/page-2#post-2386