Paranoid Penguin - Using Yum for RPM Updates
Updating your Linux system's software whenever security updates become available is one of the most important things you can do to reduce your exposure to bug-related vulnerabilities. It's so important that I've written at length about it both in Linux Journal (“Staying Current without Going Insane”, July 2002) and in Chapter 3 of my book Building Secure Servers With Linux.
Since I wrote those items (two years ago), the means by which you update Debian and SuSE systems haven't changed too much: apt-get and YaST, respectively, still are the preferred tools for this task. But the Red Hat world has a new and noteworthy utility called Yum (for Yellow Dog Updater, Modified). This month I explain where to get Yum, how to set it up and how to use it to simplify the task of keeping your Red Hat, Fedora or Mandrake system up to date.
Patching Is Only One Step in the Security Dance
Let me be clear about one thing, keeping up to date with software patches is something you must do in addition to, not instead of, other system-hardening tasks. These other tasks include but are by no means limited to:
Removing unnecessary software packages.
Minimizing the number of things that runs setuid root.
Running dæmons as nonprivileged users whenever possible.
Running dæmons in chroot jails whenever possible.
Understanding and using whatever security features a given dæmon supports.
Physically securing your system (for example, keeping it in a locked computer room).
Making a habit of watching system and application logs for suspicious activity.
Like log watching, applying security updates must be an ongoing process. Subscribe to your distribution's security mailing list, and apply patches as soon as they're made available. The bad guys may not have the courtesy to wait before striking.
As its name implies, the Yellow Dog Updater, Modified evolved from the Yellow Dog Updater, Yup, which is part of the Yellow Dog Linux distribution for Macintosh computers. Whereas Yup runs only on Yellow Dog (Macintosh) systems, Yum presently works on Red Hat, Fedora, Mandrake and Yellow Dog Linux, where it's replaced Yup. Yum is a project of the Linux@DUKE team at Duke University; Seth Vidal and Michael Stenner are credited with the better part of the development work.
In a nutshell, Yum does for RPM-based systems what apt-get does for Debian. It provides a simple command that can be used to install or update a software package automatically, after first installing and updating any other packages necessary to satisfy the desired package's dependencies.
Yum actually consists of two commands: yum is the client command, and yum-arch is a server-side command for creating the header files necessary to turn a Web or FTP server into a Yum repository. The yum-arch command is beyond the scope of this article, but you need to use it if you want to set up a public Yum repository, a private Yum repository for packages you maintain for local systems or even for a non-networked Yum repository on your hard drive. yum-arch is simple to use, and the yum-arch(8) man page tells you everything you need to know.
Unlike apt-rpm, a popular port of apt-get for RPM-based distributions, Yum is native to the RPM package format. And, says Michael Stenner, “Yum is designed to be simple and reliable, with more emphasis on keeping your machine safe and stable than on client-side customization.”
The Yum download site (see the on-line Resources section) explains which version of Yum to download, depending on which version of Red Hat or Fedora Linux you use. If you're a Fedora user, Yum is part of Fedora Core 1, and the package yum-2.0.4-2.noarch.rpm is on Disk 1 of your Fedora installation CD-ROMs. If you use Mandrake 9.2, the package yum-2.0.1-1mdk.noarch.rpm is included in the distribution's contrib/i586 directory.
Yum is written entirely in Python. Therefore, in order to install any Yum RPM, your system needs the Fedora/Red Hat packages python, gettext, rpm-python and libxml2-python or their Mandrake equivalents. Chances are, all of these packages already are on your system.
From where can Yum pull its RPMs? Usually, this happens from a remote site over the Internet. This being a security column, my emphasis here is using Yum to grab security patches, so network updates are the focus of the rest of this column. In the interest of completeness, however, Yum can read RPMs from local filesystems or virtually local filesystems, such as NFS mounts.
Whether on a remote or local server, the RPM collection must be a Yum repository. It must include a directory called headers that contains the RPM header information with which Yum identifies and satisfies RPM dependencies. Therefore, you can't arbitrarily point Yum at any old Red Hat mirror or Mandrake CD-ROM.
If you use Fedora Core 1 or 1.90, you can use Yum with any Fedora mirror. Because Yum is an officially supported update mechanism for Fedora, Fedora mirrors are set up as Yum repositories. And, did you know about the Fedora Legacy Project? This branch of the Fedora effort provides security updates to legacy Red Hat distributions, currently Red Hat 7.3, 8.0 and 9.0. Thus, many Fedora mirrors also contain Red Hat updates in the form of Yum repositories.
If in doubt, a limited but handy list of Yum repositories for a variety of distributions is available (see Resources). Each of the links on this list yields a block of text you can copy and paste directly into your /etc/yum.conf file, which we explore in depth shortly. If all else fails, Googling for mydistroname Yum repository is another way to find repositories.