Is the Connection between Update Server and Me Secure When I Update System with YUM?

Support for security such as Firewalls and securing linux
yok36092
Posts: 3
Joined: 2018/11/03 12:44:04

Is the Connection between Update Server and Me Secure When I Update System with YUM?

Post by yok36092 » 2018/11/03 12:55:51

Hi everyone,

I'm a beginner with CentOS, and I have a question about the security of updating.

When I use 'yum update' to update my system, is there a risk of me receiving fake packages? I ask because I guess something like the following might happen:

1. My computer sends some commands to the CentOS server to request some update packages over the Internet.
2. But my requests are kidnapped by a bad guy, who replies to me with fake packages.
3. My system installs the fake update packages.
4. Then I get hacked...

Does CentOS have any protection methods to avoid this kind of risk? Would you please let me know?

Thanks in advance!

Best regards,

User yok36092

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Is the Connection between Update Server and Me Secure When I Update System with YUM?

Post by TrevorH » 2018/11/03 14:30:43

All CentOS Packages are GPG signed and yum will check the gpg signature matches before it installs them. If they don't then it won't. This can be turned off in the files in /etc/yum.repos.d/ but is on by default (and shouldn't be turned off).
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
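
One way to check the setting mentioned in the reply above, as an added example that is not part of the original thread: a small Python audit that reads the repo definitions under /etc/yum.repos.d/ and reports, for each enabled repository, whether gpgcheck is on, off, or not set in that file (in which case the value comes from [main] in /etc/yum.conf). The function name, the state labels and the sample repo text are constructed for illustration.

```python
import configparser
import glob
import sys

TRUE = {"1", "yes", "true"}    # boolean spellings accepted in yum config
FALSE = {"0", "no", "false"}

def gpgcheck_state(text):
    """Map each enabled repo section in .repo text to a gpgcheck state."""
    parser = configparser.RawConfigParser(strict=False)  # no % interpolation
    parser.read_string(text)
    states = {}
    for repo in parser.sections():
        if parser.get(repo, "enabled", fallback="1").strip().lower() in FALSE:
            continue  # a disabled repo is not consulted by 'yum update'
        raw = parser.get(repo, "gpgcheck", fallback=None)
        if raw is None:
            states[repo] = "inherited"  # falls back to [main] in /etc/yum.conf
        elif raw.strip().lower() in TRUE:
            states[repo] = "on"
        elif raw.strip().lower() in FALSE:
            states[repo] = "off"
        else:
            states[repo] = "unparsed"   # unexpected value, review by hand
    return states

# Constructed sample input; the hosts are placeholders, not real mirrors.
SAMPLE = """\
[base]
name=Example base repo
baseurl=http://mirror.example.invalid/$releasever/os/$basearch/
gpgcheck=1

[thirdparty]
baseurl=http://repo.example.invalid/el7/
gpgcheck=0

[nosetting]
baseurl=http://repo2.example.invalid/el7/

[parked]
baseurl=http://repo3.example.invalid/el7/
enabled=0
gpgcheck=0
"""

if __name__ == "__main__":
    bad = False
    for path in sorted(glob.glob("/etc/yum.repos.d/*.repo")):
        with open(path) as fh:
            for repo, state in gpgcheck_state(fh.read()).items():
                print(f"{path}: [{repo}] gpgcheck {state}")
                bad = bad or state in ("off", "unparsed")
    sys.exit(1 if bad else 0)
```

Run it on the machine being checked; a non-zero exit status means at least one enabled repository has signature checking switched off or set to a value the script could not interpret.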

yok36092
Posts: 3
Joined: 2018/11/03 12:44:04

Re: Is the Connection between Update Server and Me Secure When I Update System with YUM?

Post by yok36092 » 2018/11/04 12:08:56

Hi TrevorH,

Thanks for your reply.

According to my understanding, when I do "yum -update", the computer will automatically verify all of the packages and then install them, is that correct?

And "yum install XXX" also does security checking, correct?

Best regards,

User yok36092

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: Is the Connection between Update Server and Me Secure When I Update System with YUM?

Post by hunter86_bg » 2018/11/05 05:06:10

Yes, that's right.
The following is an example of NO gpg check:

yum localinstall /home/user/some_downloaded_pkg.rpm

When localinstall is used, yum doesn't check gpg signatures.

yok36092
Posts: 3
Joined: 2018/11/03 12:44:04

Re: Is the Connection between Update Server and Me Secure When I Update System with YUM?

Post by yok36092 » 2018/11/12 13:16:55

hunter86_bg wrote:
2018/11/05 05:06:10
Yes, that's right.
The following is an example of NO gpg check:

yum localinstall /home/user/some_downloaded_pkg.rpm

When localinstall is used, yum doesn't check gpg signatures.

Hi hunter86_bg,

Thanks for your extended information!

Kind regards,

User yok36092
