Summary: Keeping your machine up to date requires that you update your software. If your distro uses RPM packages, be sure you aren't accidentally installing new software when you upgrade.

Most Linux distributions use the RPM[1] format for their software packages. RPMs are managed by the rpm program, which typically lives at /usr/bin/rpm.[2]

The problem with any system is that your software is out of date the second you install it, and when security problems are found, you need to upgrade your software. Linux is great in that you don't need to reboot, you can upgrade your software on the fly.[3]

Most Linux distributions maintain a web or FTP site that provides updated RPMs for security or other critical bugs. Some even include handy helpful programs to make it easier to identify older software and automatically upgrade to the newest available version, for example Red Hat's up2date. Some of these are subscription based (hey, creating good tools and providing the bandwidth costs money) so often people prefer to simply upgrade their RPMs directly.

It's fairly trivial to mirror the updates section of your distro's website. For example I used to use the following to snag all the Red Hat 6.2 upgrade RPMs:

  $ wget -m --no-parent ftp://ftp.valinux.com/pub/mirrors/redhat/redhat/updates/6.2/en/os/i386

The above command would download all the x86 updates. Run it nightly from cron, and you've always got a repository of updated packages. Now that you have them, it's time to upgrade. Say you are running Apache (who isn't) and there's an upgrade for it, you'd do the following to upgrade:

  # cd /path/to/my/mirrored/upgrade/packages
  # rpm -U apache-1.3.27.rpm

The -U option to rpm tells it to upgrade the package, which is effectively just an install of the new package followed by an uninstall (erase) of the old. Your configuration files are all left alone, and in the case of security upgrades you shouldn't need to make any changes.[4] Life is good.

Now wouldn't it be tempting to just run rpm -U out of cron after the directory is mirrored? Yes, it is tempting, and it's problematic, and here's why:

Calling rpm -U will upgrade a package even if it isn't already installed. So if you weren't running Apache and attempt to 'upgrade' it, rpm -U will install it for you! Now you're running something you weren't expecting, and probably aren't paying attention to. The less software you have installed and running, especially network-accessible daemons, the better.

Instead of using rpm -U, you should use rpm -F. The -F stands for 'freshen', and is the same as 'upgrade' except that it will only install the upgraded package if the old version is already installed. This will prevent you from accidentally installing something that wasn't installed.

If you do want to run upgrades out of cron (which I don't suggest in general), be careful about kernel upgrades. These should only be installed manually, lest you end up rendering your machine unable to boot, have a foobared /etc/lilo.conf or /etc/grub.conf, or install kernel includes that are incompatible with your current running kernel and goof up subsequent software compiles.

NOTES:

[1] RPM stands for "Red Hat Package Manager", created by, unsurprisingly, Red Hat.

[2] Naturally there are many front ends to rpm functionality. I'll admit, I'm an old foggie command line guy, and just can't keep up with the GUI frontend of the week.

[3] In many cases, such as daemon programs, you need to restart your software, and this is likely not built into the post-upgrade functionality of the RPM. See the article Upgrade Process: Restarting vs Rebooting.

[4] Usually, when a package has a security problem, the bug is fixed in the exact same version of the software, rather than upgrading you to a new version of the software. Upgrading Apache-1.3.x to Apache-1.3.y could cause problems (perhaps some of your modules aren't available for the new version) so patches are 'backported' to the currently-available version when necessary. Because of this, you shouldn't need to change any of your configuration or setup in 95% of your upgrades.

Bri Hatch is Chief Hacker at Onsight, Inc and author of Hacking Linux Exposed and Building Linux VPNs. He gets a lot of work done at Starbucks while waiting for his wife's car to get fixed. If only he had a second battery for his laptop... Bri can be reached at bri@hackinglinuxexposed.com.

Copyright Bri Hatch, 2003

This is the September 11, 2003 issue of the Linux Security: Tips, Tricks, and Hackery newsletter. If you wish to subscribe, visit http://lists.onsight.com/ or send email to Linux_Security-request@lists.onsight.com.