KBTAG: kben10000077
URL: http://www.securityportal.com/lskb/10000050/kben10000077.html
Date created: 17/07/2000
Date modified: 10/08/2000
Date removed:
Author(s): Kurt Seifried seifried@securityportal.com
Topic: Linux - RPM software management
Keywords: Software/RPM
RPM is a software management tool originally created by Red Hat, and later released as free software under the GPL (http://www.rpm.org/). It forms the core of administration on most systems, since one of the major tasks for any administrator is installing software and keeping it up to date. Various estimates place most of the blame for security break-ins on bad passwords and on old software with known vulnerabilities. This is not exactly surprising, and when you consider that the average server has 200-400 software packages installed, one begins to see why keeping software up to date can be a major task.
The man page for RPM is pretty bad, there is no nice way of putting it. The book "Maximum RPM" (ISBN: 0-672-31105-4), on the other hand, is really wonderful (freely available at http://www.rpm.org/ in PostScript format). I would suggest this book for any Red Hat administrator, and can safely say that it is required reading if you plan to build RPM packages. The basics of RPM are pretty self-explanatory: packages come in the rpm format, with a simple filename convention:
package_name-package_version-rpm_build_version-architecture.rpm
nfs-server-2.2beta29-5.i386.rpm
would be nfs-server, version 2.2beta29 of nfs-server, the fifth build of that rpm (the "release" in RPM terminology: that version has been packaged and built 5 times, with minor modifications, changes in file locations, patches, etc.), for the Intel x86 (i386) architecture, and the .rpm extension says it is an rpm file. Note that the package name itself may contain hyphens, as nfs-server does, so the version and release are the last two hyphen-separated fields, not the second and third.
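The filename convention above, as an added example (not code from the original article or from the RPM project): a small shell function that splits an rpm filename into its four fields. Because package names may contain hyphens, it splits from the right: the last dot separates the architecture, the last hyphen the release, the second-to-last hyphen the version, and whatever is left is the name. The sample filenames are taken from the text or constructed for illustration.

```shell
#!/bin/sh
# Added example: split name-version-release.arch.rpm into its fields.
# Splitting must start from the right, since names like nfs-server or
# rpm-build contain hyphens of their own.

# rpm_field FIELD FILENAME : print one of name|version|release|arch
# FILENAME may include a directory part, which is dropped first.
rpm_field() {
    field="$1"
    f="${2##*/}"                 # strip any leading directory
    f="${f%.rpm}"                # drop the .rpm suffix
    arch="${f##*.}"              # text after the last dot      -> architecture
    nvr="${f%.*}"                # name-version-release
    release="${nvr##*-}"         # text after the last hyphen   -> release
    nv="${nvr%-*}"               # name-version
    version="${nv##*-}"          # text after the last hyphen   -> version
    name="${nv%-*}"              # everything before it         -> name
    case "$field" in
        name)    printf '%s\n' "$name" ;;
        version) printf '%s\n' "$version" ;;
        release) printf '%s\n' "$release" ;;
        arch)    printf '%s\n' "$arch" ;;
        *)       return 1 ;;     # unknown field name
    esac
}

# Example from the text: nfs-server-2.2beta29-5.i386.rpm
for fld in name version release arch; do
    printf '%s: %s\n' "$fld" "$(rpm_field "$fld" nfs-server-2.2beta29-5.i386.rpm)"
done
```

Keep in mind that the filename is only a convention and anyone can rename a file; rpm itself goes by the headers inside the package. To read those instead, query the file directly, e.g. `rpm -qp --queryformat '%{NAME} %{VERSION} %{RELEASE} %{ARCH}\n' nfs-server-2.2beta29-5.i386.rpm`.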
Option   Function
-q       Query packages / the RPM database for information
-i       Install a package
-U       Upgrade a package (or install it if it is not already present)
-e       Erase (remove) a package from the system
-v       Be more verbose
-h       Print hash marks as the package is unpacked, a.k.a. done-o-dial
Command example          Function
rpm -ivh package.rpm     Install 'package.rpm', be verbose, show hash marks
rpm -Uvh package.rpm     Upgrade 'package.rpm' (or install it if not present), be verbose, show hash marks
rpm -qf /some/file       Check which installed package owns a file
rpm -qpi package.rpm     Query the file 'package.rpm' and list its information (name, version, summary, description, etc.)
rpm -qpl package.rpm     Query the file 'package.rpm' and list all the files it contains
rpm -qa                  Query the RPM database and list all installed packages
rpm -e package-name      Remove 'package-name' from the system (the package name as listed by rpm -qa, not the .rpm filename)
rpm -K package.rpm       Check the PGP/GPG signature and digests of the file 'package.rpm' (can also use "--checksig"); this works on package files, not on installed packages
Red Hat Linux 5.1 shipped with 528 packages, and Red Hat Linux 5.2 shipped with 573, which when you think about it is a heck of a lot of software (SuSE 6.0 ships on 5 CDs; I haven't bothered to count how many packages). Typically you will end up with 200-300 packages installed (more on workstations; servers tend to be leaner, but this is not always the case). So which of these should you install, and which should you avoid if possible (like the r services packages: rsh, rlogin and friends)? One thing I will say: the RPMs that ship with Red Hat distributions are usually pretty good, and typically last 6-12 months before a security hole is found in them, so you will be applying updates no matter how carefully you chose the initial set.
There is a list of URL's and mailing lists where distribution specific errata and updates are available later on in this document.
RPM integrity
RPM packages can be (and typically are) PGP signed by the packager. This signature can be checked to ensure the package has not been tampered with and is not a trojaned version. This is described in detail in chapter 7 of Maximum RPM (online at http://www.rpm.org/), but consists of adding the developers' public keys to your PGP key ring, and then using the -K option, which will look up the appropriate key in the key ring and verify the signature. Two things to watch for: get the keys through a channel you trust (compare the fingerprint with one printed in the distribution's documentation or shipped on its CDs, not one served from the same ftp site as the packages), and read the output of rpm -K carefully, since a package with no signature at all still has its size and MD5 digests checked and is reported OK. Only a line in which the gpg or pgp check itself is reported as passed (rpm prints passed checks in lowercase and failed ones in uppercase) tells you the signature was actually verified, and "MISSING KEYS" means you never imported the signer's key. With this in place, to trojan a package and sign it correctly an attacker would have to steal the developer's private PGP key and the passphrase that unlocks it, which is considerably harder than replacing a file on an ftp mirror.
AutoRPM is probably the best tool for keeping rpms up to date; simply put, you point it at an ftp directory and it downloads and installs any packages that are newer than the ones you have. Please keep in mind, however, that if someone poisons your DNS cache you will be easily compromised, so make sure you use the ftp site's IP address and not its name. Using the IP address does not help if the mirror itself has been broken into or the download is tampered with in transit, so packages should also be signature-checked (rpm -K, see RPM integrity above) before anything is installed automatically. Also you should consider pointing it at an internal ftp site with packages you have tested and have tighter control over. AutoRPM requires that you install the libnet package (Net::FTP) for Perl, and is available from: http://www.kaybee.org/~kirk/html/linux.html.
Rhlupdate will also connect to an ftp site and grab any needed updates; the same caveats apply as above, and again it requires that you install the libnet package (Net::FTP) for Perl. It is available at: ftp://missinglink.darkorb.net/pub/rhlupdate/.
RpmWatch is a simple Perl script that will install updates for you; note it will not fetch the packages you need, so you must mirror them locally, or make them accessible locally via something like NFS or Coda. RpmWatch is available from: http://www.iaehv.nl/users/grimaldo/info/scripts/.
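The signature check described under RPM integrity, combined with the locally mirrored staging directory recommended for the auto-update tools above, as an added example (not code from the original article, nor from AutoRPM, Rhlupdate or RpmWatch): a shell gate that reads the output of rpm -K and accepts a package only when the pgp/gpg check itself passed, then installs the packages that pass from a local directory in one transaction. The staging directory path and the sample rpm -K output lines are constructed for illustration; the output formats are those of rpm 3.x and 4.x, so adjust the patterns if your version prints something different.

```shell
#!/bin/sh
# Added example: install packages from a local staging directory only if
# `rpm -K` reports a VERIFIED pgp/gpg signature.
#
# Why parse the output this carefully: an unsigned package prints something
# like "foo.rpm: md5 OK" (digests only), and a package signed with a key you
# never imported prints "... NOT OK (MISSING KEYS ...)". Grepping for "OK"
# alone would accept the first. rpm prints passed checks in lowercase and
# failed ones in uppercase, so we require a lowercase gpg/pgp token.

# sig_line_ok LINE : return 0 if LINE (one line of `rpm -K` output) shows a
# passed pgp/gpg signature check, 1 otherwise.
sig_line_ok() {
    case "$1" in
        *"NOT OK"*|*"MISSING KEYS"*) return 1 ;;   # some check failed
    esac
    case "$1" in
        *" gpg OK"|*" pgp OK") return 0 ;;          # signature verified
    esac
    return 1                                        # digests only, or unsigned
}

# verify_pkg FILE : run rpm -K on FILE and apply the rule above. Fails closed
# when rpm is missing, the file is not an rpm, or rpm -K exits nonzero.
verify_pkg() {
    out=$(rpm -K "$1" 2>/dev/null) || return 1
    sig_line_ok "$out"
}

# install_verified DIR : install every *.rpm in DIR whose signature verifies
# and report the rest. DIR is assumed to be a local mirror or staging
# directory (e.g. /var/local/rpm-staging), never a remote ftp site.
install_verified() {
    dir="$1"
    set --                                   # collect accepted files in $@
    for f in "$dir"/*.rpm; do
        [ -f "$f" ] || continue              # no matches: the glob stays literal
        if verify_pkg "$f"; then
            set -- "$@" "$f"
        else
            echo "REJECTED (no verified signature): $f" >&2
        fi
    done
    if [ "$#" -eq 0 ]; then
        echo "nothing to install" >&2
        return 0
    fi
    rpm -Uvh "$@"     # one transaction, so dependencies between updates resolve
}

# usage: sh rpm-gate.sh /var/local/rpm-staging
if [ "$#" -gt 0 ]; then
    install_verified "$1"
fi
```

Run it from cron against the directory your mirror script fills, and keep the signing keys on the root key ring only; a package that fails the gate stays in the directory for a human to look at rather than being installed.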