Title: Linux - RPM software management

KBTAG: kben10000077
URL: http://www.securityportal.com/lskb/10000050/kben10000077.html
Date created: 17/07/2000
Date modified: 10/08/2000
Date removed:
Author(s): Kurt Seifried seifried@securityportal.com
Topic: Linux - RPM software management
Keywords: Software/RPM

Summary:

RPM is a software management tool originally created by Red Hat and later released under the GPL (http://www.rpm.org/). It forms the core of administration on most systems, since one of the major tasks for any administrator is installing software and keeping it up to date. Various estimates place most of the blame for security break-ins on bad passwords and on old software with known vulnerabilities. That is not surprising in itself, but when you consider that the average server contains 200-400 software packages, you begin to see why keeping software up to date is a major task.

More information:

The man page for RPM is pretty bad, there is no nice way of putting it. The book "Maximum RPM" (ISBN: 0-672-31105-4), on the other hand, is really wonderful (freely available at http://www.rpm.org/ in PostScript format). I would suggest this book for any Red Hat administrator, and can safely say that it is required reading if you plan to build RPM packages. The basics of RPM are pretty self explanatory: packages come in the rpm format, with a simple filename convention:

package_name-package_version-rpm_build_version.architecture.rpm
nfs-server-2.2beta29-5.i386.rpm

would be package "nfs-server", version "2.2beta29" of nfs-server, the fifth build (the "release") of that rpm (i.e. it has been packaged and built 5 times, with minor modifications, changes in file locations, etc.), for the Intel x86 architecture, and it's an rpm file. Note that the package name may itself contain hyphens (as "nfs-server" does) but the version and release may not, so the version and release are always the last two hyphen-separated fields before the architecture.
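To make the filename convention concrete, here is an added example (not from the original article or from the RPM project) that splits an rpm filename into its four fields from the right, so that hyphenated package names like "nfs-server" survive. It uses only POSIX shell parameter expansion, needs no rpm binary, and the sample filenames in the usage comment and below are constructed for illustration.

```sh
#!/bin/sh
# Added example: split an RPM filename of the form
#   name-version-release.arch.rpm
# into its four fields. RPM does not allow '-' in the version or release
# fields, and the architecture contains no '.', so the split is done from
# the right; that is what keeps a hyphenated name such as "nfs-server" intact.

rpm_split() {
    f=${1##*/}                      # drop any leading directory
    case "$f" in
        *.rpm) f=${f%.rpm} ;;       # drop the .rpm extension
        *)     return 1 ;;          # not an rpm filename: fail
    esac
    case "$f" in
        *-*-*.*) ;;                 # need at least two '-' and one '.'
        *)       return 1 ;;        # too few fields to be name-version-release.arch
    esac
    arch=${f##*.}                   # text after the last '.'  -> i386, noarch, src
    nvr=${f%.*}                     # name-version-release
    release=${nvr##*-}              # text after the last '-'
    nv=${nvr%-*}                    # name-version
    version=${nv##*-}               # text after the (new) last '-'
    name=${nv%-*}                   # everything before it, hyphens and all
    printf '%s %s %s %s\n' "$name" "$version" "$release" "$arch"
}

# Usage: rpm_split nfs-server-2.2beta29-5.i386.rpm
# prints: nfs-server 2.2beta29 5 i386
if [ $# -gt 0 ]; then
    for f in "$@"; do
        rpm_split "$f" || echo "cannot parse: $f" >&2
    done
fi
```

The same split works for source packages ("foo-1.0-1.src.rpm" gives architecture "src"). What it deliberately does not do is compare versions: "2.2beta29" versus "2.2" is an RPM version-comparison question, and the only reliable answer comes from rpm itself (which is what rpm -U does when it decides whether a package is newer).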

Command   Function
-q        Queries packages / the RPM database for info
-i        Installs software
-U        Upgrades or installs the software
-e        Erases (removes) the software from the system
-v        Be more verbose
-h        Hash marks, a.k.a. done-o-dial

Command example           Function
rpm -ivh package.rpm      Install 'package.rpm', be verbose, show hash marks
rpm -Uvh package.rpm      Upgrade (or install) 'package.rpm', be verbose, show hash marks
rpm -qf /some/file        Check which installed package owns a file
rpm -qpi package.rpm      Query the file 'package.rpm', list its info
rpm -qpl package.rpm      Query the file 'package.rpm', list all the files it contains
rpm -qa                   Query the RPM database, list all packages installed
rpm -e package-name       Remove 'package-name' from the system (as listed by rpm -qa)
rpm -K package.rpm        Check the signature on the file 'package.rpm' (can also use "--checksig")


Red Hat Linux 5.1 shipped with 528 packages, and Red Hat Linux 5.2 shipped with 573, which when you think about it is a heck of a lot of software (SuSE 6.0 ships on 5 CDs; I haven't bothered to count how many packages). Typically you will end up with 200-300 packages installed (more apps on workstations; servers tend to be leaner, but this is not always the case). So which of these should you install, and which should you avoid if possible (like the r services packages)? One thing I will say: the RPMs that ship with Red Hat distributions are usually pretty good, and typically last 6-12 months before they are found to be broken.

There is a list of URL's and mailing lists where distribution specific errata and updates are available later on in this document. 

RPM integrity

RPM packages can be (and usually are) PGP signed by whoever built them. Checking this signature tells you that the package is exactly what the signer built, and so has not been corrupted or replaced with a trojaned version in transit or on a mirror. This is described in great detail in chapter 7 of "Maximum RPM" (online at http://www.rpm.org/), but boils down to adding the developer's public key to your PGP key ring and then using the -K option, which looks up the appropriate key in the key ring and verifies the signature. To trojan a package and still have it verify, an attacker would have to steal the developer's private PGP key and the passphrase that unlocks it, which should be near impossible. Two caveats. First, -K also reports a size and MD5 check, and those pass for any intact file, signed or not, so read the signature part of the verdict: you want something like "size pgp md5 OK", not just "size md5 OK" (unsigned package) and not anything containing "NOT OK". Second, the check is only as good as the key you imported, so obtain the developer's public key through a channel you trust rather than from the same site that serves the packages. Note also that -K checks a package file before installation; the -V (--verify) option checks files that are already installed against the RPM database, and is the way to spot modifications after the fact.

Automating updates with RPM

AutoRPM

AutoRPM is probably the best tool for keeping rpms up to date. Simply put, you point it at an ftp directory and it downloads and installs any packages that are newer than the ones you have. Please keep in mind, however, that if someone poisons your DNS cache you will be easily compromised, so use the ftp site's IP address and not its name. Even then, a hardcoded IP address protects you only against DNS tricks, not against a compromised mirror or a man-in-the-middle on the ftp connection, so the packages should still have their signatures checked (rpm -K) before they are installed. You should also consider pointing it at an internal ftp site with packages you have tested and have tighter control over. AutoRPM requires that you install the libnet package (Net::FTP) for Perl, and is available from: http://www.kaybee.org/~kirk/html/linux.html.
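Both the integrity section above and the automated-update caveat come down to the same rule: do not install a package whose signature has not verified, whatever the download path was. The following added example (my own code, not part of the article, AutoRPM or the RPM project) is a small wrapper that parses the verdict rpm -K prints and only calls rpm -U when a signature, not merely the size and MD5 digest, was checked and passed. It assumes the RPM 3.x output format "file.rpm: size pgp md5 OK" (RPM versions that print "gpg" instead of "pgp" are also accepted); the sample verdict lines in the test are constructed, and the function name safe_install is hypothetical.

```sh
#!/bin/sh
# Added example: refuse to install packages that do not carry a verified
# PGP/GnuPG signature. The verdict text from "rpm -K" is parsed rather than
# relying on its exit status, because an unsigned package can still pass the
# size/MD5 checks and look "OK".

# sig_ok VERDICT_LINE
#   returns 0 only when the line says OK *and* a pgp/gpg signature was among
#   the things verified; "size md5 OK" alone means the package is unsigned,
#   and anything containing "NOT OK" means a failed digest or signature.
sig_ok() {
    status=${1##*: }                 # keep only the verdict after "file.rpm: "
    case "$status" in
        *"NOT OK"*)       return 1 ;;   # digest or signature failed (or key missing)
        *pgp*OK|*gpg*OK)  return 0 ;;   # a signature was checked and passed
        *)                return 1 ;;   # unsigned, empty or unexpected output: fail closed
    esac
}

# safe_install FILE.rpm ...
#   verifies each package with "rpm -K" and upgrades/installs it only if
#   sig_ok accepts the verdict; stops at the first package that fails.
safe_install() {
    for pkg in "$@"; do
        out=$(rpm -K "$pkg" 2>&1) || true   # we judge the text, not the exit code
        if sig_ok "$out"; then
            echo "signature OK, installing: $pkg"
            rpm -Uvh "$pkg" || return 1
        else
            echo "REFUSING to install $pkg: $out" >&2
            return 1
        fi
    done
}

# Usage: safe_install /var/spool/updates/*.rpm
if [ $# -gt 0 ]; then
    safe_install "$@"
fi
```

Used as the install step of an update job (whether that job is AutoRPM-style polling of an ftp site or a cron script over a local mirror), this turns a signature failure into a refused install and a log line, which is the behaviour you want when the download path cannot be trusted. The check is still only as strong as the public keys in the key ring that rpm -K consults.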

Rhlupdate

Rhlupdate will also connect to an ftp site and grab any needed updates; the same caveats apply as above. It too requires that you install the libnet package (Net::FTP) for Perl, and is available at: ftp://missinglink.darkorb.net/pub/rhlupdate/

RpmWatch

RpmWatch is a simple Perl script that will install updates for you. Note that it will not download the packages you need, so you must mirror them locally or make them accessible locally via something like NFS or Coda. RpmWatch is available from: http://www.iaehv.nl/users/grimaldo/info/scripts/.