
Yum update axivo repo only?

Discussion in 'System Administration' started by rdan, Jun 11, 2014.

  1. rdan Well-Known Member
    Is this safe, @Matt @eva2000?
    Code:
    # yum --disablerepo=* --enablerepo=axivo update
    Loaded plugins: downloadonly, fastestmirror, priorities
    Loading mirror speeds from cached hostfile
    axivo                                                                            | 2.9 kB     00:00
    axivo/primary_db                                                                 |  98 kB     00:00
    Setting up Update Process
    Resolving Dependencies
    --> Running transaction check
    ---> Package cmake.x86_64 0:2.6.4-5.el6 will be updated
    ---> Package cmake.x86_64 0:2.8.12.2-1.el6 will be an update
    ---> Package pcre.x86_64 0:7.8-6.el6 will be updated
    --> Processing Dependency: libpcre.so.0()(64bit) for package: 2:postfix-2.11.1-1.el6.x86_64
    --> Processing Dependency: libpcre.so.0()(64bit) for package: grep-2.6.3-4.el6_5.1.x86_64
    --> Processing Dependency: libpcre.so.0()(64bit) for package: less-436-10.el6.x86_64
    ---> Package pcre.x86_64 0:8.35-1.el6 will be an update
    ---> Package pcre-devel.x86_64 0:7.8-6.el6 will be updated
    ---> Package pcre-devel.x86_64 0:8.35-1.el6 will be an update
    ---> Package re2c.x86_64 0:0.13.5-1.el6 will be updated
    ---> Package re2c.x86_64 0:0.13.6-1.el6 will be an update
    --> Running transaction check
    ---> Package libpcre.x86_64 0:8.21-1.el6 will be installed
    --> Finished Dependency Resolution
    
    Dependencies Resolved
    
    ========================================================================================================
    Package                  Arch                 Version                        Repository           Size
    ========================================================================================================
    Updating:
    cmake                    x86_64               2.8.12.2-1.el6                 axivo               8.0 M
    pcre                     x86_64               8.35-1.el6                     axivo               1.4 M
    pcre-devel               x86_64               8.35-1.el6                     axivo               218 k
    re2c                     x86_64               0.13.6-1.el6                   axivo               127 k
    Installing for dependencies:
    libpcre                  x86_64               8.21-1.el6                     axivo               443 k
    
    Transaction Summary
    ========================================================================================================
    Install       1 Package(s)
    Upgrade       4 Package(s)
    
    Total download size: 10 M
    


     
  2. eva2000 Administrator Staff Member
    Should be, although I don't use them myself, as default Centmin Mod takes care of most of it; the cmake28 and re2c versions are pretty close. PCRE is older, but Centmin Mod Nginx compiles PCRE 8.35 already.

    Code:
    yum list cmake28 pcre re2c -q
    Installed Packages
    cmake28.x86_64                                            2.8.11.2-1.el6                                             @epel                                  
    pcre.x86_64                                               7.8-6.el6                                                  @anaconda-CentOS-201311272149.x86_64/6.5
    re2c.x86_64                                               0.13.5-1.el6                                               @epel 
     
  3. rdan Well-Known Member
    So if I select Yes, those packages will be replaced by the latest packages from axivo, right?
    Thanks!
     
  4. eva2000 Administrator Staff Member
    Yes they should. If unsure, just test on a test VPS first ;)
     
  5. rdan Well-Known Member
    I'm sure, because you're the one who advised :)
    Thanks!
     
  6. Floren Active Member
    Of course it's safe. However, I see that you have devel packages installed, which should NEVER be present in a production environment. The same goes for cmake, gcc, etc.; you should never install compile programs in production.
     
    Last edited: Jun 12, 2014
  7. eva2000 Administrator Staff Member
    Yes, I do have devel packages, and that's because of some of the source install requirements, as you know. And as to compiling programs in production, that is a personal preference, as I know you like your pure RPM package environments :)
     
  8. Floren Active Member
    I would strongly suggest automating your script to quietly install and remove the devel packages, if you really want to temporarily build Centminmod in a production environment. Having devel packages and compilers in production is a very dangerous game. I agree that an attacker who is able to use the compilers installed on a system should generally be in a position to do worse things anyway, such as uploading their own (possibly statically linked) executables. But the rule of thumb remains: devel packages and compilers are designed for development environments, not production.

    You could easily automate your build process with something like:
    Code:
    # Install cmake only for the duration of the build, then remove it again.
    # rpm -q exits non-zero when the package is absent, so test its exit status
    # rather than its output (it prints a line either way).
    if ! rpm -q cmake >/dev/null 2>&1; then
            yum -q -y install cmake
            # do some fancy compile code here
            yum -q -y remove cmake
    fi
    At least you are responsible and leave the user's system secure, while still having all compilers and other package deps handy for your build. Doing this will make everyone a happy camper. If the user already has those packages installed, that is his problem, not yours. :)

    In CentOS 6 it is even easier to undo all your installed packages; look at yum history.
     
    Last edited: Jun 12, 2014
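A fuller version of the install/build/remove pattern from the post above, written as an added example for this thread rather than taken from Centmin Mod or Floren's own scripts. It generalizes the one-package snippet: it records which of the requested build dependencies were actually missing, installs only those, and removes exactly those again on exit, so a build failure still leaves the box clean and packages the user already had are never touched. The package names (cmake, gcc, pcre-devel) are the ones discussed in the thread; the build command is a placeholder.

```shell
#!/bin/sh
# Added example (not Centmin Mod's own code): install only the build
# dependencies that are missing, run the build, then remove exactly those
# packages again, whether the build succeeds or fails.

missing_pkgs() {
    # Print, space-separated, the names from "$@" that rpm does not know about.
    # rpm -q exits non-zero for an absent package, so the exit status is tested
    # instead of the output (rpm prints a line in both cases).
    out=""
    for pkg in "$@"; do
        if ! rpm -q "$pkg" >/dev/null 2>&1; then
            out="$out $pkg"
        fi
    done
    printf '%s\n' "${out# }"
}

with_build_deps() {
    # Usage: with_build_deps '<build command>' pkg1 pkg2 ...
    build_cmd=$1
    shift
    added=$(missing_pkgs "$@")
    if [ -n "$added" ]; then
        # shellcheck disable=SC2086 -- splitting into package names is intended
        yum -q -y install $added
        # Remove only what this run added, even if the build command fails.
        trap "yum -q -y remove $added" EXIT
    fi
    sh -c "$build_cmd"
}

# Only act when explicitly asked; otherwise the file just defines the helpers.
if [ "${1:-}" = "--build" ]; then
    # Placeholder build step; a real script would run its compile here.
    with_build_deps 'echo "compile step would run here"' cmake gcc pcre-devel
fi
```

Run it as `sh build.sh --build` on the target host; the `trap ... EXIT` is what guarantees the removal also happens when the compile step aborts half way.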
  9. eva2000 Administrator Staff Member
    Thanks for the suggestion, and definitely for software installed specifically by Centmin Mod that would be ideal. However, folks also install software themselves, whether by source or RPM, so they'd run up against source compile issues with missing devel packages and end up coming back to me for support (for a few folks that would be fine, but once it gets into the 1000s of folks it would just be unmanageable, despite me saying Centmin Mod is provided as is and without support heh)

    But as you said, if the attacker already has system/root access then it's already a compromised system. So it's really a balance I need to work out. But definitely thanks for the suggestion :)
     
  10. Floren Active Member
    I hear you. :) Still, if you educate your users, I'm sure they will follow your guidelines and remove any devel packages after the build. IMO, having a VM on a local computer just for building Centminmod is really the ideal work environment. It avoids errors and other crazy things happening in production.
     
  11. eva2000 Administrator Staff Member
    Indeed, I do suggest folks do test installs on a test server/environment first as a precaution, so it would not be that much of a stretch to suggest devel package removal after builds. But as you know, how many folks read the manual or instructions fully? :)
     
  12. Floren Active Member
    Guys, please stop using --disablerepo=*; it is not the proper way. Instead, disable all the extra repos you installed and always allow the official repositories to update by default. Some AXIVO packages will install dependencies available in the official repos; if you disable them, yum install will fail.
     
  13. eva2000 Administrator Staff Member
    @Floren Centmin Mod follows proper guidelines to set up each external YUM repo with YUM priorities, so external repos cannot conflict with the CentOS base ones: https://community.centminmod.com/threads/openssl-security-advisory.295/page-2#post-2386. So if you want to use a 3rd party YUM repository to override CentOS base packages, you'd need to use the AXIVO yum command with --disableplugin=priorities appended to the end. See https://community.centminmod.com/threads/openssl-security-advisory.295/page-2#post-2386
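To make the last two posts concrete, here is an added example (not code from Centmin Mod, AXIVO or either poster) that builds the yum command line Floren argues for: it reads a yum.repos.d directory, keeps the distribution repos (base, updates, extras, centosplus, contrib are assumed to be the "official" ids) enabled, and names only the enabled third-party repos in --disablerepo, re-enabling the one you actually want to update from. An optional third argument appends the --disableplugin=priorities switch eva2000 mentions for the case where the third-party repo is meant to win over base despite yum-plugin-priorities. The sample repo files it demonstrates on are constructed in a temp directory, not read from a real system.

```shell
#!/bin/sh
# Added example: derive a "--disablerepo=" list of third-party repos from a
# yum.repos.d directory instead of using --disablerepo=*.

# Assumed set of distribution repo ids that must stay enabled for dependencies.
OFFICIAL_REPOS="base updates extras centosplus contrib"

is_official() {
    for r in $OFFICIAL_REPOS; do
        [ "$1" = "$r" ] && return 0
    done
    return 1
}

enabled_repos() {
    # Print the id of every enabled [section] in every *.repo file under $1.
    # A section with no enabled= key is treated as enabled, which is yum's default.
    awk '
        function emit() { if (id != "" && enabled) print id; id = "" }
        /^\[.*\]$/ { emit(); id = substr($0, 2, length($0) - 2); enabled = 1; next }
        /^[ \t]*enabled[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); gsub(/[ \t]/, ""); enabled = ($0 == "1") }
        END { emit() }
    ' "$1"/*.repo
}

third_party_repos() {
    # Comma-separated list of enabled repos that are not distribution repos.
    list=""
    for id in $(enabled_repos "$1"); do
        is_official "$id" || list="$list,$id"
    done
    printf '%s\n' "${list#,}"
}

update_command() {
    # Usage: update_command <repos.d dir> [repo-to-update-from] [override]
    dir=$1; want=${2:-}; override=${3:-}
    cmd="yum --disablerepo=$(third_party_repos "$dir")"
    if [ -n "$want" ]; then
        cmd="$cmd --enablerepo=$want"
    fi
    if [ "$override" = "override" ]; then
        # Let the third-party repo win over base despite yum-plugin-priorities.
        cmd="$cmd --disableplugin=priorities"
    fi
    printf '%s update\n' "$cmd"
}

make_sample_repos() {
    # Constructed sample repo files (not from a real host) in a fresh temp dir.
    d=$(mktemp -d)
    cat > "$d/CentOS-Base.repo" <<'EOF'
[base]
name=CentOS-$releasever - Base
enabled=1
[updates]
name=CentOS-$releasever - Updates
enabled=1
[centosplus]
name=CentOS-$releasever - Plus
enabled=0
EOF
    cat > "$d/axivo.repo" <<'EOF'
[axivo]
name=AXIVO
enabled=1
priority=10
EOF
    cat > "$d/epel.repo" <<'EOF'
[epel]
name=EPEL
enabled=1
[epel-testing]
name=EPEL testing
enabled=0
EOF
    printf '%s\n' "$d"
}

# Demonstration on the constructed directory; pass /etc/yum.repos.d for real use.
demo=$(make_sample_repos)
update_command "$demo" axivo override
rm -rf "$demo"
```

On the sample directory the printed command is `yum --disablerepo=axivo,epel --enablerepo=axivo --disableplugin=priorities update`: base and updates stay available for dependency resolution, epel is out of the way, and axivo is the only third-party source consulted.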