Slashdot Mirror


Ximian Testing Red Carpet Daemon

rainmanjag writes "GNOMEdesktop.org noted a new page on Ximian's site announcing the testing release of Red Carpet Daemon which would allow administrators to do automatic software updates on workstations within the enterprise. You can also get a command line copy of Red Carpet." Hopefully this works out better than the time I cronned apt-get upgrade under Debian's unstable tree. Whoops.

4 of 80 comments

  1. autoupdate by guacamole · Score: 3, Informative

    For the last eight months, we have been using autoupdate at our site to keep about 50 RedHat Linux boxes up-to-date. It seems to work pretty well. Though, this red carpet stuff looks pretty interesting too.

  2. Not sure I'd trust this... by wowbagger · Score: 4, Insightful

    I'm not sure I'd trust Ximian to auto-update my system - while they try pretty hard, I've had just too many dependency conflicts updating RPMs from them to feel really warm and fuzzy about having it happen automatically.

    Also, one thing I like about RedHat's up2date vs. RedCarpet is that I can tell up2date to leave my damn X server alone! Neither RedHat 7.2 nor Ximian have XFree 4.2, but at least I can tell up2date "hands off any package with XFree in the title" and not worry about it downgrading me to 4.1. Every time I run RedCarpet I have to tell it "No, I DON'T want you updating my X server, yes I know this is a "security release", but I don't need it!"

    Unless redcarpetd has the ability to prevent upgrades on selected packages I wouldn't trust it.

    And until the packages get vetted better for conflicts I would be careful. That's what ALL RPM based distros need - a standard base of packages and libraries that released packages are not allowed to deviate from. Any RPM that calls for "foo-1.4.2-unreleased-unstable-pl1.4-thursday.rpm" should be unceremoniously bounced from any stable release. That's one area I will give the Debian folks credit - they maintain their packages.

  3. No, I agree - what are Ximian smoking? by marm · Score: 5, Interesting

    Sounds like a clueless poster.

    No, not at all. This is a very genuine concern. Personally, I think having a separate daemon to do this job is a very dumb idea. Existing, well tested tools like ssh and cron could do this, and the less new, untested code that runs on the network, the better for security.

    For a start, it's going to have a port open on the network in order for a master computer to contact it and tell it to update. This in itself is a major security risk - any open port is. Now also remember that, because it will be updating packages system-wide, part of the update process is going to have to run as root - I hope at least the network-facing daemon doesn't. If it does - instant remote root when the first stack-smashing or format string exploit comes along - and it will, have no doubt about that. Even if the daemon itself has limited privileges, it is going to have to talk to something setuid root in order to perform the package upgrades, so a remote root shell is only two exploits away, one for the daemon and then another for the setuid program that does the updating.

    Remember, this is new code, untested in the wild for any length of time, unexamined yet by anyone external. ssh would do the job fine instead, and, although ssh has had security problems, it has had a lot of pounding on it for a long time now. The Red Carpet daemon - hasn't.

    In short, wtf aren't Ximian using ssh instead of their own potentially hokey code?

    Second, there is a big problem with automatic updating generally. If I can get root on a machine within a network - or in fact, just plug my laptop into this network - then with a bit of spoofing trickery I can convince any other machine within that network that I am the update server, and next time they update, they will download packages from me, which I could easily trojan - and then I've got control of every single box on the network, and almost all the work was done for me. Signed packages are supposed to alleviate this problem, but past incidents with both OpenSSL and ssh suggest that certificate checking is not always up to scratch, and there may still be other ways to convince the Red Carpet daemon to install unsigned packages. If you have an insecure wireless network attached, then you're going to have even larger problems as an attacker who wants to get in this way doesn't even have to be physically connected to your network.

    This sounds like a very convenient way to automatically update software - although nothing that ssh/apt doesn't already offer - but it also sounds like a potentially gaping security hole that will bite people hard in the future.
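    The two concerns raised in this thread, marm's point that a client must not install whatever a host claiming to be the update server sends it, and wowbagger's wish to tell the updater "hands off XFree", both come down to checks the client applies locally before touching a package. The following is an added example in Go (chosen because its standard library carries Ed25519 and SHA-256), not code from Ximian, Red Carpet, up2date or autoupdate. It assumes a publisher-signed manifest format of its own design (package name, version and SHA-256 digest per entry, Ed25519 signature over the canonical text), a publisher key pinned on the client, and constructed package names and contents; the `Policy`, `Plan` and `SignManifest` names are the example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Entry is one package in the published manifest; SHA256 is the hex digest of the
// package file, so the manifest signature covers file contents as well as versions.
type Entry struct{ Name, Version, SHA256 string }

// Manifest is the package list plus an Ed25519 signature over its canonical form.
type Manifest struct {
	Entries   []Entry
	Signature []byte
}

// canonical renders entries deterministically so signer and verifier hash identical bytes.
func canonical(entries []Entry) []byte {
	var b strings.Builder
	for _, e := range entries {
		fmt.Fprintf(&b, "%s\t%s\t%s\n", e.Name, e.Version, e.SHA256)
	}
	return []byte(b.String())
}

// SignManifest is the publisher side; the private key stays on the real update server.
func SignManifest(priv ed25519.PrivateKey, entries []Entry) Manifest {
	return Manifest{Entries: entries, Signature: ed25519.Sign(priv, canonical(entries))}
}

// Policy is the client's local configuration; none of it is fetched from the network.
type Policy struct {
	PublisherKey ed25519.PublicKey // pinned when the client was installed
	Installed    map[string]string // package name -> installed version
	Hold         string            // substring of package names never to touch, e.g. "XFree"
}

// Plan verifies the manifest signature before trusting anything in it, then decides per
// package: leave held packages alone, skip versions already installed, and reject any
// download whose digest differs from the signed one. fetched maps package name to the
// bytes received from whichever host answered the download request.
func Plan(p Policy, m Manifest, fetched map[string][]byte) (map[string]string, error) {
	if !ed25519.Verify(p.PublisherKey, canonical(m.Entries), m.Signature) {
		return nil, fmt.Errorf("manifest signature does not verify against pinned publisher key")
	}
	out := map[string]string{}
	for _, e := range m.Entries {
		switch sum := sha256.Sum256(fetched[e.Name]); {
		case p.Hold != "" && strings.Contains(e.Name, p.Hold):
			out[e.Name] = "hold"
		case p.Installed[e.Name] == e.Version:
			out[e.Name] = "up-to-date"
		case hex.EncodeToString(sum[:]) != e.SHA256:
			out[e.Name] = "bad-digest" // tampered, substituted or missing download
		default:
			out[e.Name] = "upgrade"
		}
	}
	return out, nil
}

// main runs a constructed scenario: a genuine signed manifest with one upgrade, one held
// X server package, one already current package and one tampered download, then the same
// entries signed by an impostor key, e.g. a host on the LAN posing as the update server.
func main() {
	digest := func(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	good := []byte("constructed contents of openssl-0.9.7.rpm")
	entries := []Entry{
		{"openssl", "0.9.7", digest(good)},
		{"XFree86", "4.1.0", digest([]byte("constructed XFree86 rpm"))},
		{"glibc", "2.2.5", digest([]byte("constructed glibc rpm"))},
		{"gnome-libs", "1.4.2", digest([]byte("constructed gnome-libs rpm"))},
	}
	policy := Policy{PublisherKey: pub, Hold: "XFree",
		Installed: map[string]string{"openssl": "0.9.6", "XFree86": "4.2.0", "glibc": "2.2.5"}}
	fetched := map[string][]byte{"openssl": good, "gnome-libs": []byte("trojaned gnome-libs rpm")}
	decisions, err := Plan(policy, SignManifest(priv, entries), fetched)
	fmt.Println(decisions, err)
	_, impostor, _ := ed25519.GenerateKey(rand.Reader)
	_, err = Plan(policy, SignManifest(impostor, entries), fetched)
	fmt.Println("impostor manifest:", err)
}
```

    The order of the checks is the point: the signature is verified over the whole manifest before any entry is read, so a spoofed server that cannot sign with the pinned key gets nothing installed at all, and a package whose bytes do not match the signed digest is rejected even when the manifest itself is genuine. Because the publisher key is pinned locally rather than fetched, the client never asks the network who to trust. A hold rule of the kind wowbagger describes is then a one-line local policy rather than something the server has to support.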

  4. Unfair: Ximian are now a lot better by anonymous+cupboard · Score: 3, Informative

    I have one machine still on up2date and one on Red Carpet. The Red Carpet updater has been going for all of this year and in the beginning, it was dependency hell (reminded me of DLLs under Win). However since about Easter, it has been very stable. The only issue is if I trigger so many dependencies that /var is filled up with incoming rpms.

    If you don't want beta, just don't subscribe to the beta releases. The other stuff seems fine. This particular system is an RH7.1ish 2.4.19 kernel with Ximian Gnome.