Extra security
Gentoo Linux Security Advisories are now distributed as part of the portage tree, so each time you update your portage tree you also receive information about security vulnerabilities. This section describes how you can utilise this information to automatically download, compile, and install fixed versions of any insecure packages you might have on your system.
- Make sure that you have gentoolkit installed:
emerge gentoolkit
- Now list all the installed packages that have potential security issues. For this we use the
glsa-check script from gentoolkit. In its listing, [N] marks advisories that may affect this system
(as opposed to [A], already applied, and [U], not affected). Run
glsa-check -l | grep "\[N\]"
- Do a pretend emerge (emerge -p) on each of the packages that glsa-check lists. Remove from the list
any package that does not need to be compiled (either because it is already up to date or because it
is not installed at all), then redo the pretend emerge on what remains.
- Once you are happy with what is to be updated, carry out the emerge.
- The system is up to date for now. To keep it updating itself we need a cron job, and for that a
cron daemon, so
emerge vixie-cron
- Now make it start on boot with
rc-update add vixie-cron default
and start it now with
/etc/init.d/vixie-cron start
- Create a file called
/root/getglsas.sh and add the following to it:
#!/bin/sh
# List the packages named in unapplied ([N]) advisories, then keep only
# those for which a pretend emerge reports an upgrade ([ebuild U ]).
for i in `glsa-check -l | grep " \[N\] " | sed s/".*(\(.*\) )"/"\1"/ | sed s/" \.\.\."/""/ | sed s/" "/"\n"/g | grep "/" | sed s/".*\/\(.*\)"/"\1"/ | xargs` ; do
    emerge -p --columns $i | grep "\[ebuild U " | sed s/"\[ebuild U \] \(.*\)\/\(.*\) \(.*\)\[\(.*\)\[\(.*\)"/"\2"/
done
This script takes the package names from every advisory flagged [N], runs a pretend emerge on each one
to check that it is installed and has an upgrade available, and prints the names of those that do.
Note that the category is stripped from each name before the pretend emerge, so a package name that
exists in more than one category makes emerge refuse that entry as ambiguous; handle such packages by
hand with their full category/package name.
- Create a file called
/root/getupdates.sh and add the following to it:
#!/bin/sh
# Print the world-set packages that a pretend emerge would upgrade
# ([ebuild U ]); rebuilds and new installs are ignored.
emerge -p --columns world | grep "\[ebuild U " | sed s/"\[ebuild U \] \(.*\)\/\(.*\) \(.*\)\[\(.*\)\[\(.*\)"/"\2"/
This script prints the names of the packages in the world set that need updating, ignoring package rebuilds and new installs.
- Create a file called
/root/doupdate.sh and add the following to it:
#!/bin/sh
# Sync the portage tree, then emerge the pending world upgrades and the
# GLSA-flagged upgrades found by the two helper scripts.
emerge sync ; emerge `/root/getupdates.sh | xargs` ; emerge `/root/getglsas.sh | xargs`
This script pulls the previous two scripts together into one command that updates the system. If a
helper prints nothing, the corresponding emerge is called without package arguments and has nothing
to do. Keep in mind that it runs unattended as root and installs whatever the freshly synced tree
offers, so its output deserves a regular look.
- Now apply
chmod 755 <script_name.sh> to all three scripts to make them runnable.
- Now we need to make the cron daemon call the update script. Type
crontab -e
This starts an editor in which you can add cron entries for the current user (root).
- The fields of a crontab line are: minute, hour, day of month, month, day of week, command (all space separated).
We want to update every week, so add the following:
0 1 * * mon /root/doupdate.sh
This runs the update every Monday at 1:00am.
- Now edit the file
/var/lib/portage/world . Remove all kernel source (*-sources) entries apart from
gentoo-dev-sources, and add any packages that you want kept up to date. This is not strictly essential
for security, since glsa-check picks up vulnerable packages whether or not they appear in the world
file.
- This whole process saves a lot of time, but one step still has to be carried out manually every
week: running
etc-update
to merge the configuration file changes shipped by the updated packages. Cron mails the job's output
to the crontab owner (root), so read that mail as well to spot an emerge that failed or pulled in
something unexpected.
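The sed chains in getglsas.sh and getupdates.sh are hard to read and throw away the package category. As an added example that is not part of the original page, here is the same extraction written as two POSIX awk filters, exercised on constructed sample output. The input line layouts are assumptions that mirror what the page's regular expressions expect, not captured output, and the advisory ids and package names in the samples are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original page: the extraction that
# getglsas.sh and getupdates.sh do with chained sed calls, rewritten as two
# reusable filters that keep the full category/package atom.
#
# ASSUMPTION: the input layouts mirror what the page's sed pipelines expect,
# i.e. "<id> [N] <title> ( cat/pkg cat/pkg ... )" lines from glsa-check -l
# and "[ebuild U ] cat/pkg [old] [new]" lines from emerge -p --columns.
# Check them against the real output of your gentoolkit/portage first.

# glsa-check -l output on stdin -> one cat/pkg atom per line for every
# advisory flagged [N]. The atom list is the LAST parenthesised group, so a
# title containing its own "(" is handled; the "..." marking a truncated list
# contains no "/" and is dropped.
glsa_affected() {
    awk '
        index($0, " [N] ") > 0 {
            n = split($0, parts, "(")
            if (n < 2) next                  # no atom list on this line
            inner = parts[n]                 # text after the last "("
            sub(/\).*$/, "", inner)          # cut at the closing ")"
            m = split(inner, words, " ")
            for (i = 1; i <= m; i++)
                if (index(words[i], "/") > 0) print words[i]
        }
    '
}

# emerge -p output on stdin -> one cat/pkg atom per line for every plain
# upgrade. The flags between "[ebuild" and "]" are collected whatever the
# column padding; only U without D (a downgrade) passes, which is what the
# page's grep "\[ebuild U " selects.
emerge_upgrades() {
    awk '
        $1 == "[ebuild" {
            flags = ""
            for (i = 2; i <= NF; i++) {
                tok = $i
                p = index(tok, "]")
                if (p > 0) tok = substr(tok, 1, p - 1)
                flags = flags tok
                if (p > 0) break
            }
            if (i > NF) next                 # no closing "]": malformed line
            if (index(flags, "U") == 0 || index(flags, "D") > 0) next
            atom = $(i + 1)
            sub(/-[0-9].*$/, "", atom)       # drop the version if not --columns
            print atom
        }
    '
}

# Constructed sample output (not captured from a real system) in the assumed
# layouts; the advisory ids and packages are placeholders.
sample_affected() {
    glsa_affected <<'EOF'
000000-01 [A] foo: already applied advisory ( app-misc/foo )
000000-02 [U] bar: system not affected ( app-misc/bar )
000000-03 [N] baz and qux: sample advisory ( app-misc/baz app-misc/qux ... )
000000-04 [N] quux (1.x): sample advisory ( net-misc/quux )
EOF
}

sample_upgrades() {
    emerge_upgrades <<'EOF'
These are the packages that I would merge, in order:

Calculating dependencies ...done!
[ebuild     U ] app-misc/baz            [1.0] [1.1]
[ebuild  N    ] app-misc/newdep         [0.1]
[ebuild   R   ] app-misc/qux            [2.0]
[ebuild     UD] app-misc/down           [3.1] [3.0]
[ebuild     U ] net-misc/quux           [1.2] [1.3]
EOF
}

# Real use: feed the live commands through the filters, one atom per emerge
# call so that a single unknown atom does not abort the whole run:
#   glsa-check -l | glsa_affected | while read -r atom; do
#       emerge -p --columns "$atom" | emerge_upgrades
#   done
sample_affected
sample_upgrades
```

The filters are plain POSIX awk, so they run under the /bin/sh that cron uses. Printing full category/package atoms instead of bare names also avoids the ambiguity error emerge raises when the same package name exists in two categories, which the page's name-only pipeline cannot handle.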