Paranoid Penguin - Using Yum for RPM Updates
Updating your Linux system's software whenever security updates become available is one of the most important things you can do to reduce your exposure to bug-related vulnerabilities. It's so important that I've written at length about it both in Linux Journal (“Staying Current without Going Insane”, July 2002) and in Chapter 3 of my book Building Secure Servers With Linux.
Since I wrote those items (two years ago), the means by which you update Debian and SuSE systems haven't changed too much: apt-get and YaST, respectively, still are the preferred tools for this task. But the Red Hat world has a new and noteworthy utility called Yum (for Yellow Dog Updater, Modified). This month I explain where to get Yum, how to set it up and how to use it to simplify the task of keeping your Red Hat, Fedora or Mandrake system up to date.
Patching Is Only One Step in the Security Dance
Let me be clear about one thing, keeping up to date with software patches is something you must do in addition to, not instead of, other system-hardening tasks. These other tasks include but are by no means limited to:
Removing unnecessary software packages.
Minimizing the number of things that runs setuid root.
Running dæmons as nonprivileged users whenever possible.
Running dæmons in chroot jails whenever possible.
Understanding and using whatever security features a given dæmon supports.
Physically securing your system (for example, keeping it in a locked computer room).
Making a habit of watching system and application logs for suspicious activity.
Like log watching, applying security updates must be an ongoing process. Subscribe to your distribution's security mailing list, and apply patches as soon as they're made available. The bad guys may not have the courtesy to wait before striking.
As its name implies, the Yellow Dog Updater, Modified evolved from the Yellow Dog Updater, Yup, which is part of the Yellow Dog Linux distribution for Macintosh computers. Whereas Yup runs only on Yellow Dog (Macintosh) systems, Yum presently works on Red Hat, Fedora, Mandrake and Yellow Dog Linux, where it's replaced Yup. Yum is a project of the Linux@DUKE team at Duke University; Seth Vidal and Michael Stenner are credited with the better part of the development work.
In a nutshell, Yum does for RPM-based systems what apt-get does for Debian. It provides a simple command that can be used to install or update a software package automatically, after first installing and updating any other packages necessary to satisfy the desired package's dependencies.
Yum actually consists of two commands: yum is the client command, and yum-arch is a server-side command for creating the header files necessary to turn a Web or FTP server into a Yum repository. The yum-arch command is beyond the scope of this article, but you need to use it if you want to set up a public Yum repository, a private Yum repository for packages you maintain for local systems or even for a non-networked Yum repository on your hard drive. yum-arch is simple to use, and the yum-arch(8) man page tells you everything you need to know.
Unlike apt-rpm, a popular port of apt-get for RPM-based distributions, Yum is native to the RPM package format. And, says Michael Stenner, “Yum is designed to be simple and reliable, with more emphasis on keeping your machine safe and stable than on client-side customization.”
The Yum download site (see the on-line Resources section) explains which version of Yum to download, depending on which version of Red Hat or Fedora Linux you use. If you're a Fedora user, Yum is part of Fedora Core 1, and the package yum-2.0.4-2.noarch.rpm is on Disk 1 of your Fedora installation CD-ROMs. If you use Mandrake 9.2, the package yum-2.0.1-1mdk.noarch.rpm is included in the distribution's contrib/i586 directory.
Yum is written entirely in Python. Therefore, in order to install any Yum RPM, your system needs the Fedora/Red Hat packages python, gettext, rpm-python and libxml2-python or their Mandrake equivalents. Chances are, all of these packages already are on your system.
From where can Yum pull its RPMs? Usually, this happens from a remote site over the Internet. This being a security column, my emphasis here is using Yum to grab security patches, so network updates are the focus of the rest of this column. In the interest of completeness, however, Yum can read RPMs from local filesystems or virtually local filesystems, such as NFS mounts.
Whether on a remote or local server, the RPM collection must be a Yum repository. It must include a directory called headers that contains the RPM header information with which Yum identifies and satisfies RPM dependencies. Therefore, you can't arbitrarily point Yum at any old Red Hat mirror or Mandrake CD-ROM.
If you use Fedora Core 1 or 1.90, you can use Yum with any Fedora mirror. Because Yum is an officially supported update mechanism for Fedora, Fedora mirrors are set up as Yum repositories. And, did you know about the Fedora Legacy Project? This branch of the Fedora effort provides security updates to legacy Red Hat distributions, currently Red Hat 7.3, 8.0 and 9.0. Thus, many Fedora mirrors also contain Red Hat updates in the form of Yum repositories.
If in doubt, a limited but handy list of Yum repositories for a variety of distributions is available (see Resources). Each of the links on this list yields a block of text you can copy and paste directly into your /etc/yum.conf file, which we explore in depth shortly. If all else fails, Googling for mydistroname Yum repository is another way to find repositories.
|Making Linux and Android Get Along (It's Not as Hard as It Sounds)||May 16, 2013|
|Drupal Is a Framework: Why Everyone Needs to Understand This||May 15, 2013|
|Home, My Backup Data Center||May 13, 2013|
|Non-Linux FOSS: Seashore||May 10, 2013|
|Trying to Tame the Tablet||May 08, 2013|
|Dart: a New Web Programming Experience||May 07, 2013|
- RSS Feeds
- Making Linux and Android Get Along (It's Not as Hard as It Sounds)
- New Products
- Drupal Is a Framework: Why Everyone Needs to Understand This
- A Topic for Discussion - Open Source Feature-Richness?
- Home, My Backup Data Center
- Validate an E-Mail Address with PHP, the Right Way
- New Products
- Trying to Tame the Tablet
- Developer Poll
12 min 1 sec ago
- not living upto the mobile revolution
3 hours 3 min ago
- Deceptive Advertising and
3 hours 38 min ago
- Let\'s declare that you have
3 hours 39 min ago
- Alterations in Contest Due
3 hours 40 min ago
- At a numbers mindset, your
3 hours 42 min ago
- Do not get Just Almost any
3 hours 45 min ago
- A fantastic rule-of-thumb to
3 hours 46 min ago
- Keren mastah..
4 hours 44 min ago
- mini tablet compare
6 hours 3 min ago
Free Webinar: Linux Backup and Recovery
Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.
In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.