Paranoid Penguin - Using Yum for RPM Updates
Updating your Linux system's software whenever security updates become available is one of the most important things you can do to reduce your exposure to bug-related vulnerabilities. It's so important that I've written at length about it both in Linux Journal (“Staying Current without Going Insane”, July 2002) and in Chapter 3 of my book Building Secure Servers With Linux.
Since I wrote those items (two years ago), the means by which you update Debian and SuSE systems haven't changed too much: apt-get and YaST, respectively, still are the preferred tools for this task. But the Red Hat world has a new and noteworthy utility called Yum (for Yellow Dog Updater, Modified). This month I explain where to get Yum, how to set it up and how to use it to simplify the task of keeping your Red Hat, Fedora or Mandrake system up to date.
Patching Is Only One Step in the Security Dance
Let me be clear about one thing, keeping up to date with software patches is something you must do in addition to, not instead of, other system-hardening tasks. These other tasks include but are by no means limited to:
Removing unnecessary software packages.
Minimizing the number of things that runs setuid root.
Running dæmons as nonprivileged users whenever possible.
Running dæmons in chroot jails whenever possible.
Understanding and using whatever security features a given dæmon supports.
Physically securing your system (for example, keeping it in a locked computer room).
Making a habit of watching system and application logs for suspicious activity.
Like log watching, applying security updates must be an ongoing process. Subscribe to your distribution's security mailing list, and apply patches as soon as they're made available. The bad guys may not have the courtesy to wait before striking.
As its name implies, the Yellow Dog Updater, Modified evolved from the Yellow Dog Updater, Yup, which is part of the Yellow Dog Linux distribution for Macintosh computers. Whereas Yup runs only on Yellow Dog (Macintosh) systems, Yum presently works on Red Hat, Fedora, Mandrake and Yellow Dog Linux, where it's replaced Yup. Yum is a project of the Linux@DUKE team at Duke University; Seth Vidal and Michael Stenner are credited with the better part of the development work.
In a nutshell, Yum does for RPM-based systems what apt-get does for Debian. It provides a simple command that can be used to install or update a software package automatically, after first installing and updating any other packages necessary to satisfy the desired package's dependencies.
Yum actually consists of two commands: yum is the client command, and yum-arch is a server-side command for creating the header files necessary to turn a Web or FTP server into a Yum repository. The yum-arch command is beyond the scope of this article, but you need to use it if you want to set up a public Yum repository, a private Yum repository for packages you maintain for local systems or even for a non-networked Yum repository on your hard drive. yum-arch is simple to use, and the yum-arch(8) man page tells you everything you need to know.
Unlike apt-rpm, a popular port of apt-get for RPM-based distributions, Yum is native to the RPM package format. And, says Michael Stenner, “Yum is designed to be simple and reliable, with more emphasis on keeping your machine safe and stable than on client-side customization.”
The Yum download site (see the on-line Resources section) explains which version of Yum to download, depending on which version of Red Hat or Fedora Linux you use. If you're a Fedora user, Yum is part of Fedora Core 1, and the package yum-2.0.4-2.noarch.rpm is on Disk 1 of your Fedora installation CD-ROMs. If you use Mandrake 9.2, the package yum-2.0.1-1mdk.noarch.rpm is included in the distribution's contrib/i586 directory.
Yum is written entirely in Python. Therefore, in order to install any Yum RPM, your system needs the Fedora/Red Hat packages python, gettext, rpm-python and libxml2-python or their Mandrake equivalents. Chances are, all of these packages already are on your system.
From where can Yum pull its RPMs? Usually, this happens from a remote site over the Internet. This being a security column, my emphasis here is using Yum to grab security patches, so network updates are the focus of the rest of this column. In the interest of completeness, however, Yum can read RPMs from local filesystems or virtually local filesystems, such as NFS mounts.
Whether on a remote or local server, the RPM collection must be a Yum repository. It must include a directory called headers that contains the RPM header information with which Yum identifies and satisfies RPM dependencies. Therefore, you can't arbitrarily point Yum at any old Red Hat mirror or Mandrake CD-ROM.
If you use Fedora Core 1 or 1.90, you can use Yum with any Fedora mirror. Because Yum is an officially supported update mechanism for Fedora, Fedora mirrors are set up as Yum repositories. And, did you know about the Fedora Legacy Project? This branch of the Fedora effort provides security updates to legacy Red Hat distributions, currently Red Hat 7.3, 8.0 and 9.0. Thus, many Fedora mirrors also contain Red Hat updates in the form of Yum repositories.
If in doubt, a limited but handy list of Yum repositories for a variety of distributions is available (see Resources). Each of the links on this list yields a block of text you can copy and paste directly into your /etc/yum.conf file, which we explore in depth shortly. If all else fails, Googling for mydistroname Yum repository is another way to find repositories.
Configuring Yum is fairly simple; all you need to do is edit one file, which is named, predictably, /etc/yum.conf. Listing 1 shows the default /etc/yum.conf file that comes with Fedora Core 1's Yum RPM.
Listing 1. Fedora Core 1's /etc/yum.conf File
[main] cachedir=/var/cache/yum debuglevel=2 logfile=/var/log/yum.log pkgpolicy=newest distroverpkg=fedora-release tolerant=1 exactarch=1 [base] name=Fedora Core $releasever - $basearch - Base baseurl=http://fedora.redhat.com/releases/fedora-core-$releasever [updates-released] name=Fedora Core $releasever - $basearch - Released Updates baseurl=http://fedora.redhat.com/updates/released/fedora-core-$releasever #[updates-testing] #name=Fedora Core $releasever - $basearch - Unreleased Updates #baseurl=http://fedora.redhat.com/updates/testing/fedora-core-$releasever
As you can see, this file consists of a list of global variable settings, followed by one or more [server] blocks ([base] and [updates-released] in Listing 1), each of which specifies settings for a different type of RPM group. I'm not going to cover every possible global or server block setting; that's what the yum.conf(5) man page is for. But let's discuss a few key settings.
In the global section, debuglevel determines how verbose Yum's output is. This value may range from 0, for no output, to 10, for maximum debugging output. The default value of 2 is shown in Listing 1. As far as I can tell, this debuglevel affects only standard output, not Yum's log file, whose location is specified by logfile. Still, I like to change this value to 4, which I arrived at by playing with the yum command's -d value. For example, (yum -d 4 yum-commands) is equivalent to and overrides debuglevel.
Also in the global section, pkgpolicy specifies how Yum should decide which version to use if a given package turns up across multiple [server] blocks. distroverpkg specifies the name of your local release file package. Your release file, for example, /etc/fedora-release or /etc/redhat-release, contains the name and version of your Linux distribution.
Each [server] block defines a set of RPMs. Personally, I wish these were called [package-type] blocks instead, because they don't distinguish by server but rather by RPM group. A single block may contain the URLs of many servers. In Listing 1, the [base] block contains a single URL pointing to the main Fedora repository at fedora.redhat.com.
Fedora mirrors that contain the same collection of RPMs can be listed with additional baseurl lines. Any line in a [server] block may use the variables $releasever, which resolves to the version number of your Linux distribution, and $basearch, which expands to the CPU family of your system. CPU families exist here in the most generic sense; Athlons are considered part of i386 in this context.
The /etc/yum.conf file installed by your Yum RPM probably works fine, but you should augment each default URL, http://fedora.redhat.com... in Listing 1, with at least one mirror site URL. Doing so minimizes the chance that your updates fail due to one server being unavailable. Be sure to use your favorite Web browser to test-drive any URL you add to yum.conf to make sure it successfully resolves to a directory containing a directory named headers. Also, make sure your URL ends with a trailing slash.
The other thing worth noting in Listing 1 is that one important [server] option is missing: gpgcheck. Listing 2 shows a corrected [base] block that uses this option.
Listing 2. Customized [base] Section
[base] name=Fedora Core $releasever - $basearch - Base baseurl=http://mirror.eas.muohio.edu/fedora/ ↪linux/core/$releasever/$basearch/os/baseurl= ↪http://fedora.redhat.com/releases/ ↪fedora-core-$releasever gpgcheck=1 failovermethod=priority
Setting gpgcheck=1 causes Yum to check the GnuPG signature in each RPM it downloads. For this to work, you need the appropriate GnuPG keys incorporated into your RPM database. On Fedora Core 1 systems, these keys were installed on your system as part of the fedora-release package. To copy them to your RPM database, execute this command:
rpm --import /usr/share/doc/fedora-release-1/RPM-GPG*
The rpm --import command also can use a URL as its argument, so if the GnuPG key of your Yum source is on-line, you can use the form:
rpm --import http://your.distro.homepage/GPGsignature
where http://your.distro.homepage/GPGsignature should be replaced with a real URL.
This may seem like a hassle, but it's worth it. Several intrusions on Linux distributors' sites over the years have resulted in trojaned or otherwise compromised software packages being downloaded by unsuspecting users. Taking advantage of RPM's support for GnuPG signatures is the best defense against such skulduggery.
The other notable change in Listing 2 is that I've specified failovermethod=priority, which tells Yum to try the URLs on this list in order, starting with the one at the top. The default behavior, failovermethod=roundrobin, is for Yum to choose one of the listed URLs at random. Personally, I prefer the priority method because it lets me prioritize faster, closer mirrors over my distribution's primary site.
Now we come to the easy part, using the yum command. There are two ways to run Yum, manually from a command prompt or automatically by way of the /etc/init.d/yum startup script. If enabled, which you must do manually by issuing a chkconfig --add yum command, this script simply touches a runfile, /var/lock/subsys/yum, which the cron.daily job yum.cron checks for. If the script is enabled, that is, if the runfile exists, this cron job runs the Yum command first to check for and install an updated Yum package and then to check for and install updates for all other system packages. In so doing, Yum automatically and transparently resolves any relevant dependencies. If an updated package depends on another package, even if it didn't previously, Yum retrieves and installs the other package.
For most users, this script is powerful and useful stuff. If your environment demands meticulous change-control procedures, however, and you don't want any new software installed automatically, you should run Yum manually.
To see a list of available updates without installing anything, use yum check-update (Listing 3).
Listing 3. Checking for updates (output slightly reformatted and truncated for readability).
[root@iwazaru-fedora etc]# yum check-update Gathering header information file(s) from server(s) Server: Fedora Core 1 - i386 - Base Server: Fedora Core 1 - i386 - Released Updates Finding updated packages Downloading needed headers getting /var/cache/yum/updates-released/headers/ ↪coreutils-0-5.0-34.1.i386.hdr coreutils-0-5.0-34.1.i386 100% |=================| ↪13 kB 00:01 Name Arch Version Repo ----------------------------------------------------- XFree86 i386 4.3.0-55 updates-released XFree86-100dpi-fonts i386 4.3.0-55 updates-released XFree86-75dpi-fonts i386 4.3.0-55 updates-released XFree86-Mesa-libGL i386 4.3.0-55 updates-released
To install a single update, plus any other updates necessary to resolve dependencies, use yum update packagename, for example: yum update yum.
This example actually updates Yum itself. If indeed an updated version of the package Yum is available, you are prompted to go ahead and install it. If you're invoking Yum from a script and you want all such prompts to be answered y automatically, use the -y option:
yum -y update yum
The check-update command, the Yum command that is, isn't mandatory before installing updates. If you prefer, you can use yum update directly—it performs the same checks as yum check-update.
In the last sample command, we specified a single package to update, yum. To initiate a complete update session for all installed packages on your system, you simply can omit the last argument, the package specification: yum update.
After Yum checks for all available updates and calculates dependencies, it presents you with a list of all updates it intends to download. Unless you used the -y option, it asks you whether to download and install each of them.
For the sake of completeness here's a bonus tip: you also can install new packages with Yum—you probably figured that out already. For any package contained in the sources you've defined in /etc/yum.conf, you can use the command yum install packagename to install the latest version of that package, plus anything it depends on. For example, to install the FTP server package vsftpd, you'd issue this command: yum install vsftpd.
If you have any problems using Yum, ample help, including two excellent FAQs, is available on-line. See the on-line Resources section. If the on-line documentation doesn't help, a Yum mailing list is available too. Before posting a question, however, be sure to try a Google search or two. In the course of writing this article, I found a number of postings to the Yum mailing list addressing various questions and problems I had, all located with Google.
Resources for this article: /article/7501.
Mick Bauer, CISSP, is Linux Journal's security editor and an IS security consultant in Minneapolis, Minnesota. He's the author of Building Secure Servers With Linux (O'Reilly & Associates, 2002).