[CentOS] why not have yum-updatesd running by default?

Les Mikesell lesmikesell at gmail.com
Thu Dec 29 17:49:43 UTC 2011 

On Thu, Dec 29, 2011 at 2:01 AM, Bennett Haselton <bennett at peacefire.org> wrote:
>
> (Side note: my friend replied to clarify that the "kernel exploit" he was
> talking about that was found in March of this year, was one that allowed a
> local user to gain root privilege, not one that allowed a remote user to
> get in through the webserver or sshd.

Look back through the changelogs if you  want to see what
vulnerabilities have existed for long intervals before being fixed -
but perhaps not long after being found and published.   If you have a
web service running, I'd say it is a fairly safe bet that there is a
vulnerability somewhere in the server, language(s), libraries, or the
application itself that can be exploited to execute some arbitrary
command.  That turns what is classified as a local root exploit into
something anyone on the internet can do.  And I've seen some very
sophisticated attempts show up in the logs...

> So let's say it really is true
> that running automatic "yum" updates is not the most important thing to
> keep out remote users, and that the majority of webserver hacks do occur
> through out-of-date web apps.

I'm not convinced.  Assume that some people  will know the
vulnerabilities before they are published (otherwise they obviously
would never be published/fixed) and that a lot of other people will
start attempting exploits immediately after publication.   Look
through your logs to see how many hits you are getting that are likely
to be probes for vulnerabilities to get a feeling for how much of this
is going on.

> Would it not be best for the vast majority of those users to have updates
> turned on by default?  If not, why not?  (Power users can always turn them
> off, after all.)

If your service is important, then it is worth testing changes before
making them on your important server.   But no one else can tell you
whether your server is that important or not...   It's fairly trivial
to run a 'yum update' on a lab server daily, and if anything  updates,
make sure that things still work before repeating it on the production
box(es).   The update checks can be scripted, but the "does it still
work" test will be unique to your services.

> What would your proposal be?  (Remembering that you can't change human
> nature, so if it relies on the majority of end users devoting time that you
> think they "should" do, it won't happen :) )

Mine is to assume that there are very good reasons for 'Enterprise'
distributions to go to the trouble of publishing updates.  Install
them.  Always assume that there are still more vulnerabilities that
you don't know about yet - and if you have to ask the question, you
aren't going to do better than the developers and Red Hat at keeping
up with them.

-- 
   Les Mikesell
     lesmikesell at gmail.com

More information about the CentOS mailing list