Thursday, January 26, 2006

FreeBSD - Updating Ports

The FreeBSD ports collection offers a simple way for users and administrators to install applications. The ports made FreeBSD quite popular. Keeping ports up to date is an essential task.

(1) Install cvsup
If you have never updated the FreeBSD ports collection, this first step is required; otherwise skip it and go to step 2.

# pkg_add -r cvsup-without-gui
# mkdir /usr/ports

CVSup is a software package for distributing and updating collections of files (ports) across a network.

(2) Update ports collection/tree

# cvsup -L 2 -h cvsup9.FreeBSD.org /usr/share/examples/cvsup/ports-supfile

This step will take some time to fetch the files, and it will update your ports collection.

Note: if you get an error like the following:

"Rejected by server: Access limit exceeded; try again later
Will retry at 01:36:41"

Then replace cvsup9.FreeBSD.org with cvs8.freebsd.org, cvs7.freebsd.org etc. You are done.

Running the cvsup command again later will download and apply all the recent changes to your Ports Collection, but it will not rebuild the ports installed on your own system. Next time you will see how to use the portupgrade utility to upgrade installed ports.

Update: You can also use the portsnap command. It is an alternative system for distributing the Ports Collection. It was first included in FreeBSD 6.0. Install portsnap as follows:

# mkdir /usr/ports
# pkg_add -r portsnap
# portsnap fetch
# portsnap extract
# portsnap update

Please note: before installing ports, enable security port auditing to avoid installing ports with known vulnerabilities:

A port called portaudit provides a system to check whether installed ports are listed in a database of published security vulnerabilities. After installation it will update this security database automatically and include its reports in the output of the daily security run. If you get a message like the following:

Vulnerability check disabled, database not found

Then you need to enable this small port:

1) Install port auditing (log in as root):
# cd /usr/ports/security/portaudit

2) Install portaudit:
# make install

3) Fetch the database so that port auditing is activated immediately. By default the port installs a shell script 'portaudit' in /usr/local/etc/periodic/security/:
# /usr/local/etc/periodic/security/*portaudit

4) The portaudit script is called automatically via FreeBSD's periodic (cron job) facility, so your database is updated automatically every day.

5) Portaudit in action. Let us assume you would like to install a port called sudo. If it has known vulnerabilities, it will not be installed:
# cd /usr/ports/security/sudo
# make install


Example

===>  sudo-1.6.8.7 has known vulnerabilities:
=> sudo -- local race condition vulnerability.
Reference: <http://www.FreeBSD.org/ports/portaudit/3bf157fa-e1c6-11d9-b875-0001020eed82.html>
=> Please update your ports tree and try again.
*** Error code 1

Stop in /usr/ports/security/sudo.

# /usr/local/sbin/portaudit -Fda

This will list any installed packages that are affected.
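
An added example, not part of the original post: a small sh/awk function that reads a ports build log and prints one tab-separated line (package, problem, reference) for each vulnerability report in the format shown in the Example above. The function names and the first line of the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise ports builds that portaudit refused.
# Reads a build log on stdin and prints "package<TAB>problem<TAB>reference"
# for every vulnerability reported in the log.
portaudit_blocked() {
    awk '
        # "===>  sudo-1.6.8.7 has known vulnerabilities:" opens a report
        /^===>[ \t]+[^ \t]+ has known vulnerabilities:/ {
            pkg = $2; problem = ""; next
        }
        # "=> Please update your ports tree ..." closes the report
        pkg != "" && /^=> Please update your ports tree/ { pkg = ""; next }
        # "=> <description>" names one problem of the current package
        pkg != "" && /^=> / { problem = substr($0, 4); next }
        # "Reference: <url>" completes the record for that problem
        pkg != "" && problem != "" && /^Reference: </ {
            url = $0
            sub(/^Reference: </, "", url)
            sub(/>[ \t]*$/, "", url)
            printf "%s\t%s\t%s\n", pkg, problem, url
            problem = ""
        }
    '
}

# Constructed sample: the make output shown above, preceded by an
# unrelated build line that the parser has to ignore.
sample_log() {
    cat <<'EOF'
===>  Building for example-port-1.0
===>  sudo-1.6.8.7 has known vulnerabilities:
=> sudo -- local race condition vulnerability.
Reference: <http://www.FreeBSD.org/ports/portaudit/3bf157fa-e1c6-11d9-b875-0001020eed82.html>
=> Please update your ports tree and try again.
*** Error code 1

Stop in /usr/ports/security/sudo.
EOF
}

sample_log | portaudit_blocked
```

To use it on a real build, pipe the saved output of make install into portaudit_blocked; an empty result means the log contains no portaudit refusal.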