Re: Up2date and SysAdmin auth.

Scot L. Harris wrote:

On Mon, 2004-08-09 at 05:32, Stanley Allely wrote:


I noticed that when I run up2date in fc2, that the sys admin auth. doesn't always go away immediately once it moves to package retrieval. Sometimes it takes several minutes before the "keys" disappear (yeah I use dial up). I don't like to expose root online any longer than necessary, so can I safely click "forget authorization" as soon as up2date switches to package retrieval mode? I don't want to mess up the update but then I also don't want to find I got a "surprise" with my upgrade. How secure is the actual upgrade process? BTW thank you list contributors, you've sometimes answered questions I didn't even know I had!
Stan



Good question.

I would think up2date would still need root level permissions until the
install process was completed.

That being said, you may want to switch to using yum instead.  I have
found yum updates to run much quicker than using up2date.  Not sure why
as I believe up2date actually uses yum behind the scenes but maybe it
adds some additional overhead.  You can still use the rhn applet to
notify you of available updates and give you a quick list of what is
available.  Just use yum to actually get the update directly instead of
the up2date application.

Probably the best thing you can do to secure your box is to disable
any/all services you don't really need or use. In addition run iptables
and only open ports that you actually need.


If you were to encounter a problem during an update it would most likely
be due to a hacked mirror server passing out trojan copies of
programs. Unfortunately there is not much you can do to protect
yourself from that except wait a few days/weeks before upgrading
something new (let others act as canaries (why did that make me think of
Red Dwarf?) and try it before you unleash it on your box).


You could also run tools like iptraf or ethereal to monitor the
connections on your system during such operations if you are really
paranoid.




I do already run the full firewall with SPI, I just happened to notice that up2date closes the authorization before package retrieval is done, I'm just not sure how early is ok. I always thought it would require sys admin auth. all the way through, but it evidently does not. I was just worried about somebody outside the update system hacking in a third party packet during the update process (like a rootkit), but I suppose that would qualify as a "new" packet under the iptables and get stopped? The only open port I have in the system is http for internet access. I guess it's the fact that root is open during updates, or as they say "Just because you're paranoid, doesn't mean someone is not out to get you" especially on line with and all the other nasty gotchas being available. And I've had good luck with the default up2date, and having watched the yum update thread I'll go with "if it ain't broke, don't fix it".
Thanks, Stan



