apache upgrade

Epsas Nova epsas at inflicted.net
Fri Jan 11 11:38:19 PST 2002


Aloha,

Please don't get excited, friend.  I am not spreading FUD - I am just relaying my personal and professional experiences as a Unix hacker.  If it seems that I am a bit draconian in my recommendations it is only because I consider Systems Administration to be a serious craft, practicing and teaching it as such.  

There are several reasons why using default RPMs or Debs on production machines is frowned upon in the sysadmin world.  A packaged application is compiled for the lowest common denominator of systems across the world.  Because of this, there may be features that your application does not require, or there may be some functionality that is missing in the binary - it is a mixed bag.  In any case, applications should be compiled ONLY for their intended tasks.  

Features which are not needed introduce complexity to the system, complexity introduces headaches to the administrator, headaches introduce alcohol, and alcohol introduces dire solutions involving ungrounded circuits and super soakers.  This is the Zen of Systems.

In addition, security conscious shops should be aware that binaries included inside of packages are only as safe as the machines on which they were compiled.  Sysadmins who are not concerned by this should chat with their package maintainers and ask them what their Snort logs look like :) 

As far as Webmin goes, it is a web based system configuration tool aimed towards new sysadmins.  While the features may be helpful, it promotes a certain amount of laziness in the sysadmin, as it doesn't encourage him or her to actually learn just WHAT the program is doing.  The real concern is security, however.  Webmin is only as secure as the web server that it is hosted on.  Allowing a CGI script to execute arbitrary commands with root permissions is INHERENTLY insecure. (extra emphasis)

While there is no formal convention about file structures across Linux machines, it should be noted that /opt is meant to be used as the repository for vendor supplied applications (Solaris, SuSe and maybe others) - locally compiled applications should be placed in /usr/local.  

peas,
Charles

On Fri, Jan 11, 2002 at 08:40:19AM -1000, R Scott Belford wrote:
> So, let's see, despite the fact that their distribution has been 
> successfully sold to "production" customers for years, using their RPM 
> is asking for trouble.  Specifically, what kind of trouble is one asking 
> for by using Redhat's apache RPM?  I'm still wondering what's so 
> insecure about webmin which you insisted was trouble weeks ago.  Sharing 
> knowledge is helpful, spreading FUD without evidence/documentation is 
> not.  With regards to where to install apache should you choose to roll 
> your own, I like Warren's suggestion of /opt/[program name]  There is no 
> rule about where to install packages.
> 
> scott
> 
> On Friday, January 11, 2002, at 12:49  AM, epsas at inflicted.net wrote:
> 
> > A production web server should always use custom compiled versions of 
> > Apache/MySQL.  Using Redhat's (or, for that matter, anyone else's) RPM 
> > is asking for trouble.  As far as installing software goes - 
> > /usr/local/ is the place to dump local packages.  /opt is a 
> > SuSe/Solaris convention, not Redhat iirc.
> >
> >
