Bits & Bolts
Thanks to YUM, Linux updates are as reliable as Old Yeller.
YUM is more scalable and tolerant than other Linux updating programs, such as Red Hat-based up2date and Debian-based APT-RPM (now managed by Conectiva), which makes it more suitable for enterprise environments.
YUM handles dependencies more gracefully than the others, supports multiple repositories, groups and failover, and simplifies the management of multiple centralized and decentralized machines.
YUM, like up2date, is written in Python, while APT-RPM is written in C++; the difference is 33,000 lines of code, meaning YUM and up2date are faster and less complex. On the other hand, up2date and APT-RPM have native GUIs, while YUM is command-line only (third-party GUIs are available). Also, up2date has a rollback feature absent in YUM, which is important in case of incorrect or incomplete updates.
YUM can also be used on other popular distributions such as Novell's SuSE Linux or Mandrake, but problems are less likely with Red Hat and Fedora. SuSE and Mandrake users may want to consider their native updaters, YaST and urpmi.
Linux is here to stay. Its appeal as an open-source OS and the perception that it's more secure than Windows have given it a strong foothold in businesses, government agencies and universities. Gartner reported that the revenue from sales of Linux-based servers grew by 55.7 percent in third quarter 2004 over the previous year, and IDC said that Linux accounted for 9 percent of worldwide server sales in the same quarter.
But updating and patching Linux can be a tedious and error-prone process, even if you have resident Linux gurus. That's where Yellowdog Updater, Modified (YUM) can help.
YUM (derived from a similar tool originally crafted for the Yellowdog OS, a Linux distro for Macs, and maintained by Duke University) is the most flexible and arguably the best of several automated tools available to manage Linux software updates easily and consistently.
The cost of supporting Linux servers and workstations can surpass that of your Windows boxes in a hurry; vulnerabilities remain unpatched, and ad hoc configurations spring up across the enterprise. Commercial patching/updating products are expensive and focus mostly on Windows.
YUM saves time, money and security headaches by centralizing administration and version control.
Updating the Hard Way
Red Hat Package Manager (RPM), originally developed by Red Hat, is a command-line tool that can be used to install, uninstall and update a package for almost any Linux OS or application. (RPM is also referred to as RPM Package Manager because of its ubiquity across Linux platforms.)
Each RPM package consists of a header, signature and compressed archive. The utility installs or uninstalls a package based on the header information the package contains.
This is a purely manual process; you have to update each package on each server at the console or by remote access. Most packages require not only the particular files you're updating, but numerous contingent tools and libraries, called dependencies, and each of these, in turn, may require additional tools and libraries.
Resolving all these dependencies and getting the install right is time-consuming and prone to error. It's all too easy to get it wrong and break an app or crash a box.
Imagine patching and updating a handful of servers and workstations this way. For large, distributed environments, this would be unthinkable. The cost would be prohibitive, and you'd need a number of Linux experts to install and troubleshoot across the enterprise.
Updating the YUM Way
YUM solves most of these problems by enabling automatic updates to servers and workstations across an enterprise. While it lacks some of the features of high-end commercial tools, it's a viable option and a dramatic improvement over pure RPM updates.
The tool works with any Linux OS (though it's most tightly integrated with Red Hat and Fedora Core) or application that relies on the RPM format. YUM runs on top of RPM as a shell, automating its processes. There are two primary components: yum-arch, which is used to create the server-based RPM package repository, and the YUM client, which pulls in and installs the updates.
The cornerstone of the tool is yum-arch. It creates a header file for each RPM package on the repository (an FTP, NFS or HTTP server). YUM's key trick is keeping these headers separate from the packages on the repository, so clients can fetch the headers on their own; yum-arch has a variety of debugging, informational and security switches that are primarily of use to admins setting up a repository.
The YUM client polls the target repository for pertinent OS or application (say, Mozilla or Snort) updates. It downloads the header file and compares that information to the client's cached header information, determining which updates are needed, and automatically resolving all the dependencies and completing the installs.
By downloading only the headers first, YUM minimizes network traffic. It downloads packages only after it determines what is required, which is particularly important over slower connections like a fractional T1. The locally cached headers are updated and/or incremented to reflect the current status for the next update check.
If YUM encounters a problem—like a package conflict, wrong version or dependency loop (a circular dependency where A requires B, and B requires A)—it stops the install and sends an error message. YUM has failover capabilities, so you can designate URLs for both primary and mirror repositories. YUM generates logs that can easily be viewed to verify installations and updates.
The YUM client can easily be installed via Telnet or SSH. Once installed, it doesn't require root access, so updating packages requires no additional overhead or special privileges. In addition, it can be configured to perform GPG signature checking.
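As an added example (not from the article or the YUM project), here is a small Python audit of a yum configuration that parses the repository sections and flags any repository with GPG signature checking turned off or with only a single URL (no mirror for failover). The section keys used (baseurl, gpgcheck) are real yum.conf syntax; the repository names and hostnames are constructed.

```python
"""Audit a yum.conf for GPG signature checking and mirror failover.
Example code, not part of the article; hostnames are constructed."""
import configparser

# Constructed sample config: one weakly configured repository and one
# that is signed and has a primary plus a mirror URL.
SAMPLE_YUM_CONF = """\
[main]
cachedir=/var/cache/yum
logfile=/var/log/yum.log

[internal-tools]
name=Internal tools (weak: no GPG check, no mirror)
baseurl=http://repo1.example.internal/tools/
gpgcheck=0

[base]
name=Base OS (corrected: signed packages, primary plus mirror)
baseurl=http://repo1.example.internal/base/
        http://repo2.example.internal/base/
gpgcheck=1
"""


def parse_repos(text):
    """Return {repo_id: {"baseurls": [...], "gpgcheck": bool}} for each
    repository section; [main] holds global options and is skipped."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    repos = {}
    for section in cp.sections():
        if section == "main":
            continue
        # yum lists failover URLs as indented continuation lines of baseurl
        raw = cp.get(section, "baseurl", fallback="")
        urls = [u.strip() for u in raw.splitlines() if u.strip()]
        gpg = cp.get(section, "gpgcheck", fallback="0").strip() == "1"
        repos[section] = {"baseurls": urls, "gpgcheck": gpg}
    return repos


def audit(text):
    """Return (repo_id, finding) tuples for every weak setting found."""
    findings = []
    for repo_id, info in parse_repos(text).items():
        if not info["gpgcheck"]:
            findings.append((repo_id, "gpgcheck=0: unsigned packages would install"))
        if len(info["baseurls"]) < 2:
            findings.append((repo_id, "single baseurl: no mirror failover"))
    return findings


if __name__ == "__main__":
    for repo_id, finding in audit(SAMPLE_YUM_CONF):
        print(f"{repo_id}: {finding}")
```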
This was first published in June 2005