
Cvsup on FreeBSD 4.10

Posted on 2005-03-14
Last Modified: 2013-11-22
Hi Experts,

Please kindly guide me on the command to update a specific port (squid) and to update the whole port collection.

Do we update any kernels or libraries needed in FreeBSD to secure the box? FreeBSD v4.10 fresh install.

Thanks.
Question by:lynnton
9 Comments
 
LVL 1

Accepted Solution

by:
m0nk3yza earned 2000 total points
ID: 13536577
Hi Lynnton,

First make sure you installed:
/usr/ports/net/cvsup-without-gui
and
/usr/ports/sysutils/portupgrade
and
/usr/ports/security/portaudit

Now, from within /usr/ports run
#portaudit -F
This will update the database (will take a few minutes)
Make sure all errors are addressed before continuing to next step.

Then run:
#portaudit
This will indicate any issues with your installed ports.
It's a good idea to sort these out for obvious reasons.

Then run:
#portupgrade squid
Depending on the severity of problems, you may or may not receive a long list of errors or inconsistencies.
Go through them and fix as required.
(post here for help on those errors).

Now, onto the cvsup:

You may want to look at this link first:

 http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/cvsup.html

It includes a full list of cvsup mirrors.

My cvsup file (ports-supfile) for the ports collection looks like this:

*default host=cvsup.FreeBSD.org
#choose the mirror closest to you
*default base=/usr
*default prefix=/usr
*default release=cvs tag=.
*default delete use-rel-suffix
*default compress
ports-all

From the root prompt run:
#cvsup ports-supfile
or, for a more verbose output:
#cvsup -g -L 2 ports-supfile

My source file (stable-supfile), will update the source:

*default host=cvsup.FreeBSD.org
*default base=/usr
*default prefix=/usr
*default release=cvs tag=RELENG_4_11
*default delete use-rel-suffix
*default compress
src-all
src-crypto
src-eBones
src-secure

This file will update to the latest 4.11 release.

Run:
# cvsup stable-supfile

This may take a while depending on your connection speed.

After source is done:

#cd /usr/src/sys/i386/conf
#ls
find your kernel. (eg. MYKERNEL)
Then:
#config MYKERNEL
If your kernel is OK, you should get this message:
     Don't forget to do a ``make depend''
     Kernel build directory is ../../compile/MYKERNEL
Then:
#cd ../../compile/MYKERNEL
#make depend ; make ; make install
This will take some time depending on your machine, but is automated and will only fail in exceptional cases. (only happened to me once due to hardware failure).
Reboot and you should have a nice 4.11 release!

Making your box more secure includes many aspects, one of which would be updated software, but also a properly configured firewall (ipfw), correct user permissions and groups, and regular log file inspections, to name but a few requirements.

Good luck.

Jo
0
 
LVL 1

Author Comment

by:lynnton
ID: 13536655
m0nk3yza,

OK, I can see makefile under /usr/ports/net/cvsup-without-gui

is it "make clean install" or ?

Please kindly guide me to use the proper command.

Thanks.
0
 
LVL 1

Author Comment

by:lynnton
ID: 13536688
m0nk3yza,

You're really an amazing person, yes you are correct, I've read on the handbook..

Updating one port isn't enough, updating the tree will almost always solve the problem.

Just wanted to share..

Thanks.
0
 
LVL 1

Author Comment

by:lynnton
ID: 13536730
m0nk3yza,

Please don't forget the question I've asked.. I'm not sure how to install the makefile :-)

Thanks.
0
 
LVL 1

Author Comment

by:lynnton
ID: 13536965
m0nk3yza,

Sad to say when using pkg_add, the following error message appears.

Thanks.

bsdhost# pkg_add -r /usr/ports/net/cvsup-without-gui/makefile
Error: FTP Unable to get ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-4.10-release/Latest//usr/ports/net/cvsup-without-gui/makefile.tgz: Service not available, closing control connection
pkg_add: unable to fetch 'ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-4.10-release/Latest//usr/ports/net/cvsup-without-gui/makefile.tgz' by URL

bsdhost# pkg_add -r /usr/ports/net/cvsup-without-gui
Error: FTP Unable to get ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-4.10-release/Latest//usr/ports/net/cvsup-without-gui.tgz: Service not available, closing control connection
pkg_add: unable to fetch 'ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-4.10-release/Latest//usr/ports/net/cvsup-without-gui.tgz' by URL
0
 
LVL 1

Author Comment

by:lynnton
ID: 13537102
m0nk3yza,

After running "portaudit" the following below showed up.

Thanks.


bsdhost# portaudit
Affected package: perl-5.6.1_15
Type of problem: perl -- File::Path insecure file/directory permissions.
Reference: <http://www.FreeBSD.org/ports/portaudit/c418d472-6bd1-11d9-93ca-000a95bc6fae.html>

Affected package: ruby-1.8.2.p2_1
Type of problem: ruby -- CGI DoS.
Reference: <http://www.FreeBSD.org/ports/portaudit/d656296b-33ff-11d9-a9e7-0001020eed82.html>

Affected package: apache-1.3.31_4
Type of problem: apache mod_include buffer overflow vulnerability.
Reference: <http://www.FreeBSD.org/ports/portaudit/6e6a6b8a-2fde-11d9-b3a2-0050fc56d258.html>

Affected package: gd-2.0.25,1
Type of problem: gd -- integer overflow.
Reference: <http://www.FreeBSD.org/ports/portaudit/62239968-2f2a-11d9-a9e7-0001020eed82.html>

Affected package: linux_base-7.1_7
Type of problem: xpm -- image decoding vulnerabilities.
Reference: <http://www.FreeBSD.org/ports/portaudit/ef253f8b-0727-11d9-b45d-000c41e2cdad.html>

Affected package: XFree86-libraries-4.4.0
Type of problem: xpm -- image decoding vulnerabilities.
Reference: <http://www.FreeBSD.org/ports/portaudit/ef253f8b-0727-11d9-b45d-000c41e2cdad.html>

6 problem(s) in your installed packages found.

You are advised to update or deinstall the affected package(s) immediately.
0
 
LVL 1

Expert Comment

by:m0nk3yza
ID: 13538860
Hi  Lynnton,

To install the port:

#cd  /usr/ports/net/cvsup-without-gui
# make install
This should do it
you could also do:
#make clean
afterwards.
Just make sure you are in the  /usr/ports/net/cvsup-without-gui  directory.
If, for example, you are in  /usr/ports/net/  the "make clean" command will clean all ports under the /net subdirectory, even if nothing else is installed under that dir. (This will take a very long time).

---------------------------------------------

You don't need to use the pkg_add command, the Makefile is automatically created / updated with cvsup.
Just make sure your ports tree has been updated first (use cvsup).

If you continue to receive "Service not available" errors, check your make file (/etc/make.conf)

Mine looks like this:

#--------------------------------------------------------------------

NO_SENDMAIL=    true    # do not build sendmail and related programs
NO_X=           true    # do not compile in XWindows support (e.g. doscmd)
NOGAMES=        true    # do not build games (games/ subdir)

#BOOTWAIT=500
USA_RESIDENT=NO

HTTP_PROXY=     cache.yourserver.com:8080

MASTER_SITE_BACKUP?=    \
        ftp://ftp.freebsd.org/pub/FreeBSD/distfiles/${DIST_SUBDIR}/

MASTER_SITE_OVERRIDE?=  ${MASTER_SITE_BACKUP}
#--------------------------------------------------------------------

You want to have a look at the "MASTER_SITE_BACKUP" line, try an alternative location
Also change "HTTP_PROXY= "  to the hostname of the proxy server you use (if you use one)

----------------------------------------------

Regarding your portaudit results:

They all refer to vulnerabilities in your installed ports.
This means that there are potential or existing exploits for these issues.
Depending on your bandwidth (DSL, T1 etc) the answer is to update your ports daily (my cvsup runs every 12 hours), once you've updated your ports start with the first problem:

(1) perl-5.6.1_15.
Perhaps upgrade to perl-5.8.4 (/usr/ports/lang/perl5.8) unless you need to use ver 5.6?
I think the new version of perl doesn't need the following: but the last time I upgraded perl (about a year ago), I had to run this command:
#use.perl port
Which will force bsd to use the perl version installed from ports.

(2) ruby-1.8.2.p2_1
Type of problem: ruby -- CGI DoS
Denial of Service attacks could cripple your system or just be an annoyance - you need to run cvsup until a new version is available.

(3)  apache-1.3.31_4
apache mod_include buffer overflow vulnerability
Another exploit.
If you use this box as your webserver for public access, address this asap.
If it's on your LAN and used for http access to your intranet, it's not that big an issue.

(4) gd-2.0.25,1
gd -- integer overflow.
Wasn't sure what this does, but followed the link in the output you received:
 http://www.FreeBSD.org/ports/portaudit/62239968-2f2a-11d9-a9e7-0001020eed82.html
Has a nice explanation.
Doesn't seem too serious.

(5)  linux_base-7.1_7
xpm -- image decoding vulnerabilities
You might want to upgrade to: /usr/ports/emulators/linux_base-8

(6)  XFree86-libraries-4.4.0
xpm -- image decoding vulnerabilities.
This is only used when you run a X-server on the box (not a good idea for a production server).

---------------------------------------------------------

The portaudit error messages are very helpful, take time to follow the links in the output.
(I know, time is an issue for all sys admins, but it's worth it).
Usually you'll be able to determine whether this requires your immediate attention or not.
6 errors aren't bad, I've seen 40+ issues on some neglected servers!

You seem to regard security as an important issue, therefore consider upgrading to 4.11.
If you have extra hardware and some time to experiment, have a look at 5.3 (pf is excellent!).

Hope this helps,
Jo
0
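The report format quoted in this thread is regular enough to parse, which makes the daily check described above easy to script. The following is an added example, not code from any poster: the function names are hypothetical, and the sample input is three records copied from the report posted earlier with the footer count adjusted to match.

```shell
#!/bin/sh
# Added example: one line per portaudit finding, for cron mail or daily diffs.
# SAMPLE: three records copied from the report posted in this thread; the
# footer count is adjusted to match (constructed for this example).
SAMPLE='Affected package: gd-2.0.25,1
Type of problem: gd -- integer overflow.
Reference: <http://www.FreeBSD.org/ports/portaudit/62239968-2f2a-11d9-a9e7-0001020eed82.html>

Affected package: linux_base-7.1_7
Type of problem: xpm -- image decoding vulnerabilities.
Reference: <http://www.FreeBSD.org/ports/portaudit/ef253f8b-0727-11d9-b45d-000c41e2cdad.html>

Affected package: XFree86-libraries-4.4.0
Type of problem: xpm -- image decoding vulnerabilities.
Reference: <http://www.FreeBSD.org/ports/portaudit/ef253f8b-0727-11d9-b45d-000c41e2cdad.html>

3 problem(s) in your installed packages found.'

# stdin: portaudit text; stdout: package<TAB>problem<TAB>advisory URL
parse_portaudit() {
    awk '
        /^Affected package: / { pkg  = substr($0, 19) }
        /^Type of problem: /  { prob = substr($0, 18); sub(/\.$/, "", prob) }
        /^Reference: / {
            ref = substr($0, 12); gsub(/[<>]/, "", ref)
            if (pkg != "") printf "%s\t%s\t%s\n", pkg, prob, ref
            pkg = ""; prob = ""
        }'
}

# Port names without versions (the version follows the last hyphen).
affected_ports() {
    parse_portaudit | cut -f1 | sed 's/-[^-]*$//' | sort -u
}

# Advisories hitting more than one installed package: count<TAB>URL
shared_advisories() {
    parse_portaudit | cut -f3 | sort | uniq -c |
        awk '{ if ($1 > 1) printf "%d\t%s\n", $1, $2 }'
}

# True only if the footer count equals the records seen (catches truncation).
report_is_complete() {
    awk '/^Affected package: / { n++ }
         /^[0-9]+ problem\(s\) / { claimed = $1; seen = 1 }
         END { exit !(seen && claimed == n) }'
}

printf '%s\n' "$SAMPLE" | parse_portaudit
```

On a live system the same functions read from `portaudit` directly, for example `portaudit | affected_ports`; `shared_advisories` shows where one advisory (here the xpm one) accounts for several flagged packages.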
 
LVL 1

Author Comment

by:lynnton
ID: 13539718
m0nk3yza,

Sad, I can't add any feedback since I've already closed the question.

I'll still get a chance though, I was going to add "Jo is Simply the Best" in your feedback.

Please see below for error message, seems there's another one running? how do we proceed?

Thanks.


--- building in FreeBSD4 ---
new source -> compiling ../src/Upass.i3
new source -> compiling ../src/Secret.i3
new source -> compiling ../src/Secret.m3
new source -> compiling ../src/Main.m3
 -> linking cvpasswd
===>  Installing for cvsup-without-gui-16.1h
===>   Generating temporary packing list
===>  Checking if net/cvsup-without-gui already installed
===>   cvsup-without-gui-16.1h is already installed
      You may wish to ``make deinstall'' and install this port again
      by ``make reinstall'' to upgrade it properly.
      If you really wish to overwrite the old port of net/cvsup-without-gui
      without deleting it first, set the variable "FORCE_PKG_REGISTER"
      in your environment or the "make install" command line.
*** Error code 1

Stop in /usr/ports/net/cvsup-without-gui.
0
 
LVL 1

Expert Comment

by:m0nk3yza
ID: 13547225
Hi  Lynnton,

This error is fairly common and was probably caused by your previous attempt to install cvsup-without-gui..
All you do is:
#cd /usr/ports/net/cvsup-without-gui
#make deinstall
This might take a minute or two.
Then do:
#make reinstall
That's it.
If the port was already successfully installed, and you do:
#make install
Then you will get no output, just a root prompt, like this:
#

Good luck,
Jo
0
