Cvsup on FreeBSD 4.10

Hi Experts,

Please kindly guide me on the command to update a specific port (squid) and to update the whole ports collection.

Do we update any kernels or libraries needed in FreeBSD to secure the box? FreeBSD v4.10, fresh install.

Thanks.
lynnton asked:
m0nk3yza commented:
Hi Lynnton,

First make sure you installed:
/usr/ports/net/cvsup-without-gui
and
/usr/ports/sysutils/portupgrade
and
/usr/ports/security/portaudit

Now, from within /usr/ports run
#portaudit -F
This will update the database (will take a few minutes)
Make sure all errors are addressed before continuing to next step.

Then run:
#portaudit
This will indicate any issues with your installed ports.
It's a good idea to sort these out for obvious reasons.

Then run:
#portupgrade squid
Depending on the severity of problems, you may or may not receive a long list of errors or inconsistencies.
Go through them and fix as required.
(post here for help on those errors).

Now, onto the cvsup:

You may want to look at this link first:

 http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/cvsup.html

It includes a full list of cvsup mirrors.

My cvsup file (ports-supfile) for the ports collection looks like this:

*default host=cvsup.FreeBSD.org
#choose the mirror closest to you
*default base=/usr
*default prefix=/usr
*default release=cvs tag=.
*default delete use-rel-suffix
*default compress
ports-all

From the root prompt run:
#cvsup ports-supfile
or, for a more verbose output:
#cvsup -g -L 2 ports-supfile

My source file (stable-supfile), will update the source:

*default host=cvsup.FreeBSD.org
*default base=/usr
*default prefix=/usr
*default release=cvs tag=RELENG_4_11
*default delete use-rel-suffix
*default compress
src-all
src-crypto
src-eBones
src-secure

This file will update to the latest 4.11 release.

Run:
# cvsup stable-supfile

This may take a while depending on your connection speed.

After source is done:

#cd /usr/src/sys/i386/conf
#ls
Find your kernel (e.g. MYKERNEL).
Then:
#config MYKERNEL
If your kernel is OK, you should get this message:
     Don't forget to do a ``make depend''
     Kernel build directory is ../../compile/MYKERNEL
Then:
#cd ../../compile/MYKERNEL
#make depend ; make ; make install
This will take some time depending on your machine, but is automated and will only fail in exceptional cases. (only happened to me once due to hardware failure).
Reboot and you should have a nice 4.11 release!

Making your box more secure involves many aspects: updated software is one of them, but a properly configured firewall (ipfw), correct user permissions and groups, and regular log file inspection are a few more requirements, to name but a few.

Good luck.

Jo
lynnton (Author) commented:
m0nk3yza,

OK, I can see a Makefile under /usr/ports/net/cvsup-without-gui.

Is it "make clean install", or something else?

Please kindly guide me to use the proper command.

Thanks.
lynnton (Author) commented:
m0nk3yza,

You're really an amazing person. Yes, you are correct; I've read it in the handbook.

Updating one port isn't enough, updating the tree will almost always solve the problem.

Just wanted to share..

Thanks.
lynnton (Author) commented:
m0nk3yza,

Please don't forget the question I've asked: I'm not sure how to install the Makefile :-)

Thanks.
lynnton (Author) commented:
m0nk3yza,

Sad to say when using pkg_add, the following error message appears.

Thanks.

bsdhost# pkg_add -r /usr/ports/net/cvsup-without-gui/makefile
Error: FTP Unable to get ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-4.10-release/Latest//usr/ports/net/cvsup-without-gui/makefile.tgz: Service not available, closing control connection
pkg_add: unable to fetch 'ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-4.10-release/Latest//usr/ports/net/cvsup-without-gui/makefile.tgz' by URL

bsdhost# pkg_add -r /usr/ports/net/cvsup-without-gui
Error: FTP Unable to get ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-4.10-release/Latest//usr/ports/net/cvsup-without-gui.tgz: Service not available, closing control connection
pkg_add: unable to fetch 'ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-4.10-release/Latest//usr/ports/net/cvsup-without-gui.tgz' by URL
lynnton (Author) commented:
m0nk3yza,

After running "portaudit", the following showed up.

Thanks.


bsdhost# portaudit
Affected package: perl-5.6.1_15
Type of problem: perl -- File::Path insecure file/directory permissions.
Reference: <http://www.FreeBSD.org/ports/portaudit/c418d472-6bd1-11d9-93ca-000a95bc6fae.html>

Affected package: ruby-1.8.2.p2_1
Type of problem: ruby -- CGI DoS.
Reference: <http://www.FreeBSD.org/ports/portaudit/d656296b-33ff-11d9-a9e7-0001020eed82.html>

Affected package: apache-1.3.31_4
Type of problem: apache mod_include buffer overflow vulnerability.
Reference: <http://www.FreeBSD.org/ports/portaudit/6e6a6b8a-2fde-11d9-b3a2-0050fc56d258.html>

Affected package: gd-2.0.25,1
Type of problem: gd -- integer overflow.
Reference: <http://www.FreeBSD.org/ports/portaudit/62239968-2f2a-11d9-a9e7-0001020eed82.html>

Affected package: linux_base-7.1_7
Type of problem: xpm -- image decoding vulnerabilities.
Reference: <http://www.FreeBSD.org/ports/portaudit/ef253f8b-0727-11d9-b45d-000c41e2cdad.html>

Affected package: XFree86-libraries-4.4.0
Type of problem: xpm -- image decoding vulnerabilities.
Reference: <http://www.FreeBSD.org/ports/portaudit/ef253f8b-0727-11d9-b45d-000c41e2cdad.html>

6 problem(s) in your installed packages found.

You are advised to update or deinstall the affected package(s) immediately.
m0nk3yza commented:
Hi  Lynnton,

To install the port:

#cd  /usr/ports/net/cvsup-without-gui
# make install
This should do it.
You could also do:
#make clean
afterwards.
Just make sure you are in the  /usr/ports/net/cvsup-without-gui  directory.
If, for example, you are in  /usr/ports/net/  the "make clean" command will clean all ports under the /net subdirectory, even if nothing else is installed under that dir. (This will take a very long time).

---------------------------------------------

You don't need to use the pkg_add command; the Makefile is automatically created / updated with cvsup.
Just make sure your ports tree has been updated first (use cvsup).

If you continue to receive "Service not available" errors, check your make file (/etc/make.conf)

Mine looks like this:

#--------------------------------------------------------------------

NO_SENDMAIL=    true    # do not build sendmail and related programs
NO_X=           true    # do not compile in XWindows support (e.g. doscmd)
NOGAMES=        true    # do not build games (games/ subdir)

#BOOTWAIT=500
USA_RESIDENT=NO

HTTP_PROXY=     cache.yourserver.com:8080

MASTER_SITE_BACKUP?=    \
        ftp://ftp.freebsd.org/pub/FreeBSD/distfiles/${DIST_SUBDIR}/

MASTER_SITE_OVERRIDE?=  ${MASTER_SITE_BACKUP}
#--------------------------------------------------------------------

You want to have a look at the "MASTER_SITE_BACKUP" line and try an alternative location.
Also change "HTTP_PROXY= " to the hostname of the proxy server you use (if you use one).

----------------------------------------------

Regarding your portaudit results:

They all refer to vulnerabilities in your installed ports.
This means that there are potential or existing exploits for these issues.
Depending on your bandwidth (DSL, T1 etc.) the answer is to update your ports daily (my cvsup runs every 12 hours). Once you've updated your ports, start with the first problem:

(1) perl-5.6.1_15.
Perhaps upgrade to perl-5.8.4 (/usr/ports/lang/perl5.8) unless you need to use ver 5.6?
I think the new version of perl doesn't need the following, but the last time I upgraded perl (about a year ago) I had to run this command:
#use.perl port
which will force BSD to use the perl version installed from ports.

(2) ruby-1.8.2.p2_1
Type of problem: ruby -- CGI DoS
Denial of Service attacks could cripple your system or just be an annoyance - you need to run cvsup until a new version is available.

(3)  apache-1.3.31_4
apache mod_include buffer overflow vulnerability
Another exploit.
If you use this box as your webserver for public access, address this asap.
If it's on your LAN and used for http access to your intranet, it's not that big an issue.

(4) gd-2.0.25,1
gd -- integer overflow.
Wasn't sure what this does, but followed the link in the output you received:
 http://www.FreeBSD.org/ports/portaudit/62239968-2f2a-11d9-a9e7-0001020eed82.html
Has a nice explanation.
Doesn't seem too serious.

(5)  linux_base-7.1_7
xpm -- image decoding vulnerabilities
You might want to upgrade to: /usr/ports/emulators/linux_base-8

(6)  XFree86-libraries-4.4.0
xpm -- image decoding vulnerabilities.
This is only used when you run an X server on the box (not a good idea for a production server).

---------------------------------------------------------

The portaudit error messages are very helpful, take time to follow the links in the output.
(I know, time is an issue for all sys admins, but it's worth it).
Usually you'll be able to determine whether this requires your immediate attention or not.
6 errors aren't bad; I've seen 40+ issues on some neglected servers!

You seem to regard security as an important issue, therefore consider upgrading to 4.11.
If you have extra hardware and some time to experiment, have a look at 5.3 (pf is excellent!).

Hope this helps,
Jo
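The portaudit report posted above, together with Jo's advice to refresh the tree and then upgrade the affected ports, can be scripted. This is an added example, not code from the thread: it parses that report format (the sample is constructed from the output above), cross-checks the parsed entries against portaudit's own total, and produces the argument list for one portupgrade call.

```shell
# Added example (not code from the thread): turn a portaudit report into a
# de-duplicated package list for a single portupgrade run, once the ports
# tree has been refreshed with cvsup. Needs only /bin/sh, awk, sed and sort.

# Constructed sample, shortened from the portaudit run posted in the thread.
SAMPLE_REPORT='Affected package: perl-5.6.1_15
Type of problem: perl -- File::Path insecure file/directory permissions.
Reference: <http://www.FreeBSD.org/ports/portaudit/c418d472-6bd1-11d9-93ca-000a95bc6fae.html>

Affected package: gd-2.0.25,1
Type of problem: gd -- integer overflow.
Reference: <http://www.FreeBSD.org/ports/portaudit/62239968-2f2a-11d9-a9e7-0001020eed82.html>

Affected package: XFree86-libraries-4.4.0
Type of problem: xpm -- image decoding vulnerabilities.
Reference: <http://www.FreeBSD.org/ports/portaudit/ef253f8b-0727-11d9-b45d-000c41e2cdad.html>

3 problem(s) in your installed packages found.'

# Versioned package names from the "Affected package:" lines on stdin.
affected_packages() {
    awk '/^Affected package: /{sub(/^Affected package: /, ""); print}'
}

# Strip the version suffix so portupgrade gets a name it can glob:
# "gd-2.0.25,1" -> "gd", "XFree86-libraries-4.4.0" -> "XFree86-libraries".
package_name() {
    printf '%s\n' "$1" | sed 's/-[0-9][^-]*$//'
}

# Total from portaudit's own summary line (0 if that line is missing).
problem_count() {
    awk '/problem\(s\) in your installed packages found/ {n = $1} END {print n + 0}'
}

# Sorted, de-duplicated names, space separated, for one portupgrade call.
upgrade_targets() {
    printf '%s\n' "$SAMPLE_REPORT" | affected_packages | while read -r pkg; do
        package_name "$pkg"
    done | LC_ALL=C sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Sanity check: entries parsed must equal portaudit's total, otherwise the
# report is truncated and nothing should be upgraded on the strength of it.
report_consistent() {
    parsed=$(printf '%s\n' "$SAMPLE_REPORT" | affected_packages | wc -l | tr -d ' ')
    total=$(printf '%s\n' "$SAMPLE_REPORT" | problem_count)
    [ "$parsed" -eq "$total" ]
}
report_consistent && echo "portupgrade $(upgrade_targets)"
```

On a real box, replace SAMPLE_REPORT with the output of `portaudit` run after `portaudit -F`, and run the printed portupgrade line only after the tree has been refreshed with cvsup.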
lynnton (Author) commented:
m0nk3yza,

Sad, I can't add any feedback since I've already closed the question.

I'll still get a chance though; I was going to add "Jo is Simply the Best" in your feedback.

Please see below for the error message. It seems there's another one running? How do we proceed?

Thanks.


--- building in FreeBSD4 ---
new source -> compiling ../src/Upass.i3
new source -> compiling ../src/Secret.i3
new source -> compiling ../src/Secret.m3
new source -> compiling ../src/Main.m3
 -> linking cvpasswd
===>  Installing for cvsup-without-gui-16.1h
===>   Generating temporary packing list
===>  Checking if net/cvsup-without-gui already installed
===>   cvsup-without-gui-16.1h is already installed
      You may wish to ``make deinstall'' and install this port again
      by ``make reinstall'' to upgrade it properly.
      If you really wish to overwrite the old port of net/cvsup-without-gui
      without deleting it first, set the variable "FORCE_PKG_REGISTER"
      in your environment or the "make install" command line.
*** Error code 1

Stop in /usr/ports/net/cvsup-without-gui.
m0nk3yza commented:
Hi  Lynnton,

This error is fairly common and was probably caused by your previous attempt to install cvsup-without-gui.
All you do is:
#cd /usr/ports/net/cvsup-without-gui
#make deinstall
This might take a minute or two.
Then do:
#make reinstall
That's it.
If the port was already successfully installed, and you do:
#make install
Then you will get no output, just a root prompt, like this:
#

Good luck,
Jo