apache upgrade

R Scott Belford scott at belford.net
Fri Jan 11 13:26:22 PST 2002


No excitement here.  I too take seriously the craft of system 
administration.  More importantly, I take very seriously the process of 
objectively imparting this knowledge to others.

We're talking about the apache rpm.  That's all.  Do you really think 
that the folks at redhat or debian would support your theory that your 
compilation of apache would be more secure?  If it is compiled with 
modules you don't need, disable them.  If it is compiled without modules 
you need, get them.  I can't comment on the fact that features create 
complexity which leads to alcoholism.  If it is that bad, get out.  This 
is the zen of life.

Do you really think that security conscious shops should talk to redhat 
or debian to see what their snort logs look like?  Seriously.  First 
off, this would only inform you of suspicious activity.  These logs 
would afford no evidence of a security breach.  Do you know of many 
security conscious shops populated with personnel more knowledgeable 
than these "package providers" capable of questioning their security 
expertise?  You can't believe that it is up to local shops to be sure 
that debian or redhat are not compiling their packages on hacked 
machines.  Why don't you contact them and ask to see the snort logs. :)

This person just wanted to upgrade his apache rpm.  All he needed to 
know was that if he had RPM upgrade apache, then the newer files would 
replace the older files.  If he had RPM install the new version of 
apache, then it would exist beside the old version and possibly make 
things bad.  I don't see any reason why he should touch a tarball for 
his purposes.

While you are clearly full of more knowledge than I expect to attain any 
time soon, I don't accept your assertion that webmin promotes 
laziness because you don't know what is actually being done.  Calling it 
a "web based system configuration tool aimed at new sysadmins" is a bit 
condescending.  You can't use the program to administer your system if 
you don't know what you are administering.  Any command-line jockey can 
make a convincing case that their method is faster and requires more 
knowledge.  This does not make it better, and certainly does not qualify 
webmin as a newbie tool.  Obviously webmin is only as secure as the 
webserver hosting it.  Surely you know that you can accept connections 
to webmin only from specific ip addresses or specific interfaces.  
Users of webmin don't have to have root access, the modules available to 
them can be limited, etc.  I fail to see why this is not a great tool 
for those of us entering the realm of linux without the time to read 
through countless man pages to perform basic sysadmin tasks.

I want to see the world using linux.  I want to see those of you with 
advanced skills making lots of money administering linux based 
enterprises.  To get there one must develop greater empathy for those 
who are just starting out.  Undermining someone's confidence in an rpm 
should be accompanied with something other than an opinion.  Criticizing 
a tool like webmin because it is not complicated enough or because you 
don't know about its security measures threatens to scare new users 
away from a tool that could save them a lot of time and headaches.  
These users you intimidate may one day comprise the market force that 
keeps you gainfully employed, or they may turn to the comfort and ease 
of micro$oft.

Linux is for everybody if everyone helps

scott

knowledge without humility is just an indulgence in arrogance
On Friday, January 11, 2002, at 09:38  AM, Epsas Nova wrote:

> Aloha,
>
> Please don't get excited friend.  I am not spreading FUD - I am just 
> relaying my personal and professional experiences as a Unix hacker.  If 
> it seems that I am a bit draconian in my recommendations it is only 
> because I consider Systems Administration to be a serious craft, 
> practicing and teaching it as such.
>
> There are several reasons why using default RPMs or Debs on production 
> machines is frowned upon in the sysadmin world.  A packaged application 
> is compiled for the lowest common denominator of systems across the 
> world.  Because of this, there may be features that your application 
> does not require, or there may be some functionality that is missing in 
> the binary - it is a mixed bag.  In any case, applications should be 
> compiled ONLY for their intended tasks.
>
> Features which are not needed introduce complexity to the system, 
> complexity introduces headaches to the administrator, headaches 
> introduce alcohol, and alcohol introduces dire solutions involving 
> ungrounded circuits and super soakers.  This is the Zen of Systems.
>
> In addition, security conscious shops should be aware that binaries 
> included inside of packages are only as safe as the machines on which 
> they were compiled.  Sysadmins who are not concerned by this should 
> chat with their package maintainers and ask them what their Snort logs 
> look like :)
>
> As far as Webmin goes - It is a web based system configuration tool 
> aimed towards new sysadmins.  While the features may be helpful, it 
> promotes a certain amount of laziness in the sysadmin, as it doesn't 
> encourage him or her to actually learn just WHAT the program is doing.  
> The real concern is security, however.  Webmin is only as secure as the 
> web server that it is hosted on.  Allowing a CGI script to execute 
> arbitrary commands with root permissions is INHERENTLY insecure. (extra 
> emphasis)
>
> While there is no formal convention about file structures across Linux 
> machines, it should be noted that /opt is meant to be used as the 
> repository for vendor supplied applications (Solaris, SuSe and maybe 
> others) - locally compiled applications should be placed in /usr/local.
>
> peas,
> Charles
>
> On Fri, Jan 11, 2002 at 08:40:19AM -1000, R Scott Belford wrote:
>> So, let's see, despite the fact that their distribution has been
>> successfully sold to "production" customers for years, using their RPM
>> is asking for trouble.  Specifically, what kind of trouble is one asking
>> for by using Redhat's apache RPM?  I'm still wondering what's so
>> insecure about webmin which you insisted was trouble weeks ago.  Sharing
>> knowledge is helpful, spreading FUD without evidence/documentation is
>> not.  With regards to where to install apache should you choose to roll
>> your own, I like Warren's suggestion of /opt/[program name].  There is no
>> rule about where to install packages.
>>
>> scott
>>
>> On Friday, January 11, 2002, at 12:49  AM, epsas at inflicted.net wrote:
>>
>>> A production web server should always use custom compiled versions of
>>> Apache/MySQL.  Using Redhat's (or, for that matter, anyone else's) RPM
>>> is asking for trouble.  As far as installing software goes -
>>> /usr/local/ is the place to dump local packages.  /opt is a
>>> SuSe/Solaris convention, not Redhat iirc.
>>>
>>>
>
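Scott's point about having RPM upgrade the apache package rather than install it beside the old one, worked through as an added shell example that is not part of the original thread. It assumes an RPM-based host; the package file name, the version strings and the sample `rpm -q apache` output are constructed for illustration. The real `rpm` commands only run when the script is invoked as `sh upgrade.sh upgrade <file.rpm>`; the duplicate-version check detects the condition the post warns about, where a newer version has been added with `-i` while the older one is still installed.

```shell
#!/bin/sh
# Added example, not code from the original thread. Assumes an RPM-based
# host; package names and versions below are constructed for illustration.

# Count how many package entries the rpm database reports for one name.
# Reads "rpm -q <name>" style output on stdin, one package per line.
# After a correct "rpm -U" this is 1.  After "rpm -i" of a newer version
# over an installed older one it is either an install failure (file
# conflicts) or, where no files conflict, 2: both versions stay installed.
installed_versions() {
    grep -c '[^[:space:]]' || true
}

# Succeeds (status 0) when at most one version is installed, fails when
# the side-by-side condition exists.
no_duplicate_versions() {
    n=$(installed_versions)
    [ "$n" -le 1 ]
}

# Upgrade in place.  -U installs the package if absent and otherwise
# replaces the older version's files and database entry; -i on an already
# installed package is what leaves two versions around.
upgrade_rpm() {
    pkgfile=$1    # e.g. apache-1.3.X-Y.i386.rpm (constructed file name)
    name=$(rpm -qp --queryformat '%{NAME}' "$pkgfile") || return 1
    # Check the package's signature/digests before touching the system.
    rpm -K "$pkgfile" || { echo "signature check failed for $pkgfile" >&2; return 1; }
    rpm -Uvh "$pkgfile" || return 1
    # Confirm the old version is gone rather than sitting beside the new one.
    rpm -q "$name" | no_duplicate_versions \
        || { echo "two versions of $name are installed" >&2; return 1; }
    # Verify installed files against the database (size, md5, mode, owner...).
    rpm -V "$name"
}

# Constructed samples of "rpm -q apache" output.
SAMPLE_SINGLE='apache-1.3.X-Y'
SAMPLE_DUPLICATE='apache-1.3.W-Z
apache-1.3.X-Y'

# Only call rpm when explicitly asked: sh upgrade.sh upgrade <file.rpm>
if [ "${1:-}" = "upgrade" ]; then
    upgrade_rpm "$2"
fi
```

The `-U` flag is the one to use for "replace the older files with the newer ones"; `rpm -q apache` afterwards should print a single line, and `rpm -V apache` should print nothing if every installed file matches the package database.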
More information about the LUAU mailing list