YaST2 can remove security updates without permission
Dear All,

I have reported a couple of YaST2 bugs to SuSE, and one of them has security implications that people should be aware of.

I was using yast2 to install extra packages on a running system, and was having great difficulty because yast2 kept on hanging after I had made my package selection. So I used the feature (available on the Extras button) to save my configuration then loaded it on the next run.

After loading the configuration yast2 took it upon itself to reinstall from CD all the packages that were already installed as well as the new ones I had requested. This was irritating, but what makes it much worse is that it *downgraded* packages which had had security updates installed.

So I would warn people: when you run yast2 watch what it does and always be ready to reinstall your security updates if necessary.

Bob

==============================================================
Bob Vickers                                   R.Vickers@cs.rhul.ac.uk
Dept of Computer Science, Royal Holloway, University of London
WWW: http://www.cs.rhul.ac.uk/home/bobv
Phone: +44 1784 443691
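Bob's warning boils down to one check: compare what was installed before the yast2 run with what is installed afterwards, and flag anything that went backwards. The script below is an added example, not part of Bob's post and not SuSE or YaST2 code. It assumes two snapshots taken with `rpm -qa --qf '%{NAME} %{EPOCH} %{VERSION} %{RELEASE}\n'` before and after the run (`%{EPOCH}` prints "(none)" when a package has no epoch), reimplements rpm's own version-comparison rules (rpmvercmp) so that "3.4p1" is correctly ranked above "3.0.2p1", and reports every package whose installed version is older afterwards. The package names and versions in the embedded snapshots are constructed sample data, not real SuSE 8.0 package versions.

```python
"""Detect packages that went backwards between two rpm snapshots.

Added example, not from the original thread.  Assumes snapshots taken with
    rpm -qa --qf '%{NAME} %{EPOCH} %{VERSION} %{RELEASE}\n'
before and after the YaST2 run; %{EPOCH} prints "(none)" if unset.
The BEFORE/AFTER text below is constructed sample data.
"""


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release strings the way rpm's rpmvercmp does.

    Returns -1 if a < b, 0 if equal, 1 if a > b.  Strings are split into runs
    of digits and runs of letters: digit runs compare numerically, letter runs
    as plain strings, a digit run outranks a letter run at the same position,
    and '~' sorts before anything, including end of string (1.0~rc1 < 1.0).
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Separators such as '.' or '-' only delimit segments.
        while i < len(a) and not a[i].isalnum() and a[i] != "~":
            i += 1
        while j < len(b) and not b[j].isalnum() and b[j] != "~":
            j += 1
        ta = i < len(a) and a[i] == "~"
        tb = j < len(b) and b[j] == "~"
        if ta or tb:
            if not ta:
                return 1
            if not tb:
                return -1
            i += 1
            j += 1
            continue
        if i >= len(a) or j >= len(b):
            break
        isnum = a[i].isdigit()
        si, sj = i, j
        if isnum:
            while i < len(a) and a[i].isdigit():
                i += 1
            while j < len(b) and b[j].isdigit():
                j += 1
        else:
            while i < len(a) and a[i].isalpha():
                i += 1
            while j < len(b) and b[j].isalpha():
                j += 1
        seg_a, seg_b = a[si:i], b[sj:j]
        if not seg_b:
            # Segment classes differ here; rpm ranks the numeric side as newer.
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def parse_snapshot(text: str) -> dict:
    """Map package name -> (epoch, version, release) from snapshot lines."""
    pkgs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            name, epoch, version, release = parts
            pkgs[name] = (0 if epoch == "(none)" else int(epoch), version, release)
    return pkgs


def compare_evr(x: tuple, y: tuple) -> int:
    """Order (epoch, version, release) triples: epoch, then version, then release."""
    if x[0] != y[0]:
        return 1 if x[0] > y[0] else -1
    return rpmvercmp(x[1], y[1]) or rpmvercmp(x[2], y[2])


def find_downgrades(before_text: str, after_text: str) -> list:
    """Return (name, old version-release, new version-release) for every
    package that is installed in an older version after the run than before."""
    before, after = parse_snapshot(before_text), parse_snapshot(after_text)
    hits = []
    for name, old in sorted(before.items()):
        new = after.get(name)
        if new is not None and compare_evr(new, old) < 0:
            hits.append((name, f"{old[1]}-{old[2]}", f"{new[1]}-{new[2]}"))
    return hits


# Constructed snapshots: openssh and zlib go backwards (openssh even though its
# release number went up), apache moves forward, vim is unchanged.
BEFORE = """\
apache (none) 1.3.26 0
openssh (none) 3.4p1 1
vim (none) 6.1 10
zlib (none) 1.1.4 2
"""
AFTER = """\
apache (none) 1.3.26 1
openssh (none) 3.0.2p1 3
vim (none) 6.1 10
zlib (none) 1.1.3 12
"""

if __name__ == "__main__":
    for name, old, new in find_downgrades(BEFORE, AFTER):
        print(f"DOWNGRADED {name}: {old} -> {new}")
```

The comparison deliberately follows rpm rather than a plain string or float compare: a package reinstalled from CD can carry a higher release number than the update it replaced, so comparing the version string properly is what makes the downgrade visible. Anything the script prints is a package whose security update needs to be reapplied.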
On Fri, 5 Jul 2002 10:51:58 +0100 (BST) Bob Vickers <bobv@cs.rhul.ac.uk> wrote:
> Dear All,
>
> I have reported a couple of YaST2 bugs to SuSE, and one of them has security implications that people should be aware of.
>
> I was using yast2 to install extra packages on a running system, and was having great difficulty because yast2 kept on hanging after I had made my package selection. So I used the feature (available on the Extras button) to save my configuration then loaded it on the next run.
>
> After loading the configuration yast2 took it upon itself to reinstall from CD all the packages that were already installed as well as the new ones I had requested. This was irritating, but what makes it much worse is that it *downgraded* packages which had had security updates installed.
>
> So I would warn people: when you run yast2 watch what it does and always be ready to reinstall your security updates if necessary.
Yes. I had exactly this problem too, when trying to clone servers. With Yast1 you could save a package selection and then load that on a new machine during install (for instance, I usually do a minimum install, but remove sendmail and add postfix, same for lpd vs cups). When you load this saved package list onto a new machine it will ADD the extra packages, but not remove the ones you had deselected.

It is for this reason that I have not yet rolled out SuSE 8.0 on any production servers :-( Everyone here knows I am a great supporter of SuSE, but this problem is a serious PITA! I hope SuSE can make Yast2 better for 8.1, as I will only be using 8.0 on my workstation and custom built servers :-(

I for one also miss the documentation that used to be in /etc/rc.config and now does not exist in /etc/sysconfig/. For instance, where is the switch to turn off NSCD?? (If someone knows how to do this without firing up the runlevel editor in yast2 please let me know!!)

Please consider this positive criticism, and not a flame at SuSE. 8.0 is certainly the best yet desktop distro from SuSE, but I feel there are a few steps backward from a server point of view. Online Update is also less than ideal, however thanks to Markus we have fou4s to work around that.

--
Have fun
Peter Nixon - nix@susesecurity.com
SuSE Security FAQ Maintainer
http://www.susesecurity.com/faq/
"If you think cryptography will solve the problem, then you don't understand cryptography and you don't understand your problem."
On Monday, 8 July 2002 16:24, Peter Nixon wrote:
> I for one also miss the documentation that used to be in /etc/rc.config and now does not exist in /etc/sysconfig/. For instance, where is the switch to turn off NSCD?? (If someone knows how to do this without firing up the runlevel editor in yast2 please let me know!!)
http://sdb.suse.de/en/sdb/html/start_foo80.html

man chkconfig
man insserv

/sbin/chkconfig nscd off
to turn off nscd.

/sbin/chkconfig
to display which services will be fired up at boot.

--
Eat, sleep and go running, David Huecking.
Encrypted eMail welcome! GnuPG/PGP-Fingerprint: 3DF2 CBE0 DFAA 4164 02C2 4E2A E005 8DF7 5780 9216
> I for one also miss the documentation that used to be in /etc/rc.config and now does not exist in /etc/sysconfig/. For instance, where is the switch to turn off NSCD?? (If someone knows how to do this without firing up the runlevel editor in yast2 please let me know!!)
Use the runlevel editor in yast2 or delete the calls for nscd in the /etc/rc.d/rc3.d/ and /etc/rc.d/rc5.d/ directories (rc3 for network only and rc5 for X)! This doesn't damage anything, because the start script is in /etc/init.d (don't delete this one!) and it can be reactivated any time with yast2 again. This is the fastest solution.

The nscd is normally not needed if this is a normal workstation and you save memory by deactivating it. If you run a server I think, e.g., postfix needs it. If you've got >= 256 MB RAM it doesn't matter.

Philippe
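Both answers to Peter's question rely on the same SysV layout: each rcN.d directory holds S-links (start) and K-links (stop) that point back at the real script in init.d, so removing an S-link disables the service for that runlevel while the script itself survives. The script below is an added example, not part of David's or Philippe's posts and not SuSE code: it inventories which runlevels start a given service, shows what a dry run of "delete the calls" would remove, and verifies that the init.d script is left untouched. It builds a constructed rc tree in a temporary directory so it runs anywhere; the `rc_root` argument, the helper names and the S10/S15/K-link names are my assumptions, and on a real SuSE 8.0 box you would pass `/etc/rc.d` (or `/etc/init.d`, which it links to) instead.

```python
"""Audit which SysV runlevels start a service by reading the S-links in rcN.d.

Added example, not from the thread.  The rc tree is constructed in a temp
directory; on a real SuSE 8.0 system pass "/etc/rc.d" as rc_root.
"""
import os
import tempfile


def start_links(level_dir: str, service: str) -> list:
    """All S-links in one rcN.d directory whose target is init.d/<service>."""
    hits = []
    for link in sorted(os.listdir(level_dir)):
        path = os.path.join(level_dir, link)
        if (link.startswith("S") and os.path.islink(path)
                and os.path.basename(os.readlink(path)) == service):
            hits.append(path)
    return hits


def enabled_runlevels(rc_root: str, service: str) -> list:
    """Return the rcN.d directory names in which an S-link starts <service>.
    K-links are ignored: they only stop the service when leaving a runlevel."""
    levels = []
    for entry in sorted(os.listdir(rc_root)):
        level_dir = os.path.join(rc_root, entry)
        if entry.startswith("rc") and entry.endswith(".d") and os.path.isdir(level_dir):
            if start_links(level_dir, service):
                levels.append(entry)
    return levels


def disable_service(rc_root: str, service: str, dry_run: bool = True) -> list:
    """Remove every S-link that starts <service> and return the affected paths.
    Only the links go; init.d/<service> stays, so the service can be
    re-enabled later with insserv or the yast2 runlevel editor."""
    affected = []
    for level in enabled_runlevels(rc_root, service):
        for path in start_links(os.path.join(rc_root, level), service):
            if not dry_run:
                os.unlink(path)
            affected.append(path)
    return affected


def init_script_present(rc_root: str, service: str) -> bool:
    """True if the real init script still exists under init.d."""
    return os.path.isfile(os.path.join(rc_root, "init.d", service))


def build_sample_tree() -> str:
    """Constructed tree: nscd started in runlevels 3 and 5, postfix in 2 and 5."""
    root = tempfile.mkdtemp(prefix="rc-audit-")
    os.mkdir(os.path.join(root, "init.d"))
    for script in ("nscd", "postfix"):
        with open(os.path.join(root, "init.d", script), "w") as fh:
            fh.write("#!/bin/sh\n# constructed placeholder init script\n")
    layout = {
        "rc2.d": ["S15postfix"],
        "rc3.d": ["S10nscd", "K10nscd"],
        "rc5.d": ["S10nscd", "K10nscd", "S15postfix", "K05postfix"],
    }
    for level, links in layout.items():
        os.mkdir(os.path.join(root, level))
        for link in links:
            service = link[3:]  # strip the S/K letter and the two-digit order
            os.symlink(os.path.join("..", "init.d", service),
                       os.path.join(root, level, link))
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    print("nscd starts in:", enabled_runlevels(root, "nscd"))
    print("dry run would remove:", disable_service(root, "nscd", dry_run=True))
    disable_service(root, "nscd", dry_run=False)
    print("nscd starts in:", enabled_runlevels(root, "nscd"),
          "| init script kept:", init_script_present(root, "nscd"))
```

Run with a real `rc_root` the dry run is the useful part: it lists exactly which links `chkconfig nscd off` or a manual delete would touch, and a later inventory of S-links is how you confirm that nothing a reinstall or a package post-install script re-enabled has crept back into the boot sequence.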
participants (4)
- Bob Vickers
- David Huecking
- Peter Nixon
- Philippe Vogel