apache upgrade
R Scott Belford
scott at belford.net
Fri Jan 11 13:26:22 PST 2002
No excitement here. I too take seriously the craft of system
administration. More importantly, I take very seriously the process of
objectively imparting this knowledge to others.
We're talking about the apache rpm. That's all. Do you really think
that the folks at redhat or debian would support your theory that your
compilation of apache would be more secure? If it is compiled with
modules you don't need, disable them. If it is compiled without modules
you need, get them. I can't comment on the fact that features create
complexity which leads to alcoholism. If it is that bad, get out. This
is the zen of life.
Do you really think that security conscious shops should talk to redhat
or debian to see what their snort logs look like? Seriously. First
off, this would only inform you of suspicious activity. These logs
would afford no evidence of a security breach. Do you know of many
security conscious shops populated with personnel more knowledgeable
than these "package providers" capable of questioning their security
expertise? You can't believe that it is up to local shops to be sure
that debian or redhat are not compiling their packages on hacked
machines. Why don't you contact them and ask to see the snort logs. :)
This person just wanted to upgrade his apache rpm. All he needed to
know was that if he had RPM upgrade apache, then the newer files would
replace the older files. If he had RPM install the new version of
apache, then it would exist beside the old version and possibly make
things bad. I don't see any reason why he should touch a tarball for
his purposes.
While you are clearly full of more knowledge than I expect to attain any
time soon, I don't accept your assertion that webmin promotes
laziness because you don't know what is actually being done. Calling it
a "web based system configuration tool aimed at new sysadmins" is a bit
condescending. You can't use the program to administer your system if
you don't know what you are administering. Any command-line jockey can
make a convincing case that their method is faster and requires more
knowledge. This does not make it better, and certainly does not qualify
webmin as a newbie tool. Obviously webmin is only as secure as the
webserver hosting it. Surely you know that you can accept connections
to webmin only from specific ip addresses or specific interfaces.
Users of webmin don't have to have root access, the modules available to
them can be limited, etc. I fail to see why this is not a great tool
for those of us entering the realm of linux without the time to read
through countless man pages to perform basic sysadmin tasks.
I want to see the world using linux. I want to see those of you with
advanced skills making lots of money administering linux based
enterprises. To get there one must develop greater empathy for those
who are just starting out. Undermining someone's confidence in an rpm
should be accompanied with something other than an opinion. Criticizing
a tool like webmin because it is not complicated enough or because you
don't know about its security measures threatens to scare new users
away from a tool that could save them a lot of time and headaches.
These users you intimidate may one day comprise the market force that
keeps you gainfully employed, or they may turn to the comfort and ease
of micro$oft.
Linux is for everybody if everyone helps
scott
knowledge without humility is just an indulgence in arrogance
On Friday, January 11, 2002, at 09:38 AM, Epsas Nova wrote:
> Aloha,
>
> Please don't get excited friend. I am not spreading FUD - I am just
> relaying my personal and professional experiences as a Unix hacker. If
> it seems that I am a bit draconian in my recommendations it is only
> because I consider Systems Administration to be a serious craft,
> practicing and teaching it as such.
>
> There are several reasons why using default RPMs or Debs on production
> machines is frowned upon in the sysadmin world. A packaged application
> is compiled for the lowest common denominator of systems across the
> world. Because of this, there may be features that your application
> does not require, or there may be some functionality that is missing in
> the binary - it is a mixed bag. In any case, applications should be
> compiled ONLY for their intended tasks.
>
> Features which are not needed introduce complexity to the system,
> complexity introduces headaches to the administrator, headaches
> introduce alcohol, and alcohol introduces dire solutions involving
> unground circuits and super soakers. This is the Zen of Systems.
>
> In addition, security conscious shops should be aware that binaries
> included inside of packages are only as safe as the machines on which
> they were compiled. Sysadmins who are not concerned by this should
> chat with their package maintainers and ask them what their Snort logs
> look like :)
>
> As far as Webmin goes - It is a web based system configuration tool
> aimed towards new sysadmins. While the features may be helpful, it
> promotes a certain amount of laziness in the sysadmin, as it doesn't
> encourage him or her to actually learn just WHAT the program is doing.
> The real concern is security, however. Webmin is only as secure as the
> web server that it is hosted on. Allowing a CGI script to execute
> arbitrary commands with root permissions is INHERENTLY insecure. (extra
> emphasis)
>
> While there is no formal convention about file structures across Linux
> machines, it should be noted that /opt is meant to be used as the
> repository for vendor supplied applications (Solaris, SuSe and maybe
> others) - locally compiled applications should be placed in /usr/local.
>
> peas,
> Charles
>
> On Fri, Jan 11, 2002 at 08:40:19AM -1000, R Scott Belford wrote:
>> So, let's see, despite the fact that their distribution has been
>> successfully sold to "production" customers for years, using their RPM
>> is asking for trouble. Specifically, what kind of trouble is one asking
>> for by using Redhat's apache RPM? I'm still wondering what's so
>> insecure about webmin which you insisted was trouble weeks ago. Sharing
>> knowledge is helpful, spreading FUD without evidence/documentation is
>> not. With regards to where to install apache should you choose to roll
>> your own, I like Warren's suggestion of /opt/[program name]. There is no
>> rule about where to install packages.
>>
>> scott
>>
>> On Friday, January 11, 2002, at 12:49 AM, epsas at inflicted.net wrote:
>>
>>> A production web server should always use custom compiled versions of
>>> Apache/MySQL. Using Redhat's (or, for that matter, anyone else's) RPM
>>> is asking for trouble. As far as installing software goes -
>>> /usr/local/ is the place to dump local packages. /opt is a
>>> SuSe/Solaris convention, not Redhat iirc.
>>>
>
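Both sides of the thread agree on one practical point: a packaged Apache built with modules you do not need should have them disabled, since every loaded module is extra code reachable from the network. The script below is an added example (not code from the thread or from any distribution) showing how a sysadmin can audit the LoadModule lines in an httpd.conf against an allowlist of modules the site actually uses and emit a copy with the rest commented out. The httpd.conf fragment and the NEEDED_MODULES set are constructed for illustration; the needed set is an assumption about a hypothetical static-content site.

```python
import re

# Constructed httpd.conf fragment (not from the thread), in the Apache 1.3
# DSO style that the Red Hat apache RPM of that era shipped with.
SAMPLE_HTTPD_CONF = """\
# Dynamic Shared Object (DSO) Support
LoadModule env_module         modules/mod_env.so
LoadModule config_log_module  modules/mod_log_config.so
LoadModule mime_module        modules/mod_mime.so
LoadModule status_module      modules/mod_status.so
LoadModule info_module        modules/mod_info.so
LoadModule autoindex_module   modules/mod_autoindex.so
LoadModule dir_module         modules/mod_dir.so
LoadModule cgi_module         modules/mod_cgi.so
LoadModule userdir_module     modules/mod_userdir.so
LoadModule alias_module       modules/mod_alias.so
LoadModule access_module      modules/mod_access.so
LoadModule auth_module        modules/mod_auth.so
LoadModule php4_module        modules/libphp4.so
"""

# Modules a hypothetical static-content site actually needs (assumption).
# Anything loaded but not listed here is surplus attack surface.
NEEDED_MODULES = {
    "env_module", "config_log_module", "mime_module", "dir_module",
    "alias_module", "access_module", "auth_module",
}

# Matches an active (uncommented) LoadModule directive: name and .so path.
LOAD_RE = re.compile(r"^\s*LoadModule\s+(\S+)\s+(\S+)\s*$")


def loaded_modules(conf_text):
    """Return [(module_name, path)] for every active LoadModule line."""
    found = []
    for line in conf_text.splitlines():
        m = LOAD_RE.match(line)
        if m:
            found.append((m.group(1), m.group(2)))
    return found


def unneeded_modules(conf_text, needed):
    """Names of loaded modules that are not on the allowlist."""
    return [name for name, _ in loaded_modules(conf_text) if name not in needed]


def prune_config(conf_text, needed):
    """Return a copy of the config with unneeded LoadModule lines commented out.

    Lines are commented rather than deleted so the change is reviewable
    and reversible; the original text of the directive is preserved.
    """
    out = []
    for line in conf_text.splitlines():
        m = LOAD_RE.match(line)
        if m and m.group(1) not in needed:
            out.append("# disabled (not needed): " + line.strip())
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    surplus = unneeded_modules(SAMPLE_HTTPD_CONF, NEEDED_MODULES)
    print("loaded modules not on the allowlist:")
    for name in surplus:
        print("  " + name)
    print()
    print(prune_config(SAMPLE_HTTPD_CONF, NEEDED_MODULES))
```

Run against a real httpd.conf by reading the file into conf_text and keeping the NEEDED_MODULES set under version control next to the config; re-running unneeded_modules() after each package upgrade is a cheap way to notice when an RPM update has quietly re-enabled a module such as mod_status or mod_userdir.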