# Security patching of ports without the ports tree



## davo (Aug 24, 2010)

Hi folks,

I've got some machines in a DMZ and I really don't want to install the whole ports tree so I can do security patching.

Maybe I've got something wrong but the process I use is:
Run portaudit from cron and monitor the daily security output
When necessary (patching is required) log onto the server and do:

```
portsnap update
portupgrade -a
```

This works fine but it means that I have to keep the whole ports tree on the server and I'm not keen on that.

If I had some more servers to worry about (like say 4 or 5) I'd set up a patch distribution server and do this in a centralised way (I'm sure this is possible) but just for a couple of machines, I can't justify it.

Is there a way to limit the ports tree to only the installed ports so that I can do the patching but don't have to have the whole tree on the server?

ciao
dave


----------



## anomie (Aug 24, 2010)

davo said:

> If I had some more servers to worry about (like say 4 or 5) I'd set up a patch distribution server and do this in a centralised way (I'm sure this is possible) but just for a couple of machines, I can't justify it.
> 
> Is there a way to limit the ports tree to only the installed ports so that I can do the patching but don't have to have the whole tree on the server?



Probably - depending on the packages you need, but it's going to be a headache and will require lots of trial and error on your part. 

FWIW, I have a patch distribution server (i.e. tinderbox) that I use for only three FreeBSD jails. Well worth the trouble.


----------



## davo (Aug 27, 2010)

Thanks for that.

I'll have a think about building a server to do the patching, as to maintain security on a standalone machine it seems you need to install /usr/ports (the whole lot), /usr/src/sys (lsof needs it, for instance) and a complete build environment. This makes me a bit uncomfortable, to be honest.

I've noticed that the pkg_add tool retrieves the binary packages from a directory called "Latest". Is this possibly a precursor to a patch procedure like:

```
pkg_delete somepackage
pkg_add somepackage
```

or even

```
pkg_upgrade somepackage
```

...

For your patch distribution server, do you build packages to distribute to the production servers or do you mount the ports tree on the production servers?

ciao
dave


----------



## anomie (Aug 27, 2010)

davo said:

> For your patch distribution server, do you build packages to distribute to the production servers or do you mount the ports tree on the production servers?



If I weren't so %#$& lazy, I would get around to sharing a directory containing the packages for the production hosts. Given enough of a nudge (e.g. about a dozen FreeBSD hosts to manage) I would probably become motivated quickly. 

I currently just copy updated packages and their (sometimes considerable) dependencies to each jailed host, and do the pkg_delete / pkg_add dance. It's not such an ordeal once you get comfortable with the steps, and learn to stomach the philosophy of _only_ upgrading to patch security holes (or when a new feature is absolutely required).


----------



## SirDice (Aug 28, 2010)

anomie said:

> I currently just copy updated packages and their (sometimes considerable) dependencies to each jailed host, and do the pkg_delete / pkg_add dance.


No real need to copy anything.

```
# mount -t nullfs /usr/ports /jail/j1/usr/ports
# mount -t nullfs /usr/ports /jail/j2/usr/ports
```
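The nullfs approach above, as an added example that is not part of the thread: a small POSIX sh helper that shares one host ports tree into several jails, mounts it read-only so a jail cannot alter the host's tree, and skips jails that already have it mounted. The jail root layout `/jail/<name>`, the `mount` listing format `src on dst (nullfs, ...)`, and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the forum thread): share the host's /usr/ports into
# jails with nullfs. Assumptions: jails live under /jail/<name>, and the
# current mount table is supplied as the output of "mount", one line per
# filesystem in the form "src on dst (type, options)".

PORTS_SRC=/usr/ports
JAIL_BASE=/jail

# fstab line so the mount survives a reboot. "ro" is the defensive part:
# the jail only needs to read the tree for pkg_add/portupgrade, so it gets
# no way to modify Makefiles or distinfo on the host.
ports_fstab_line() {
    jail=$1
    printf '%s\t%s/%s/usr/ports\tnullfs\tro\t0\t0\n' \
        "$PORTS_SRC" "$JAIL_BASE" "$jail"
}

# Exit status 0 when the "mount" listing on stdin already shows the ports
# tree mounted for this jail (keeps the helper idempotent).
ports_mounted() {
    jail=$1
    grep -q "^$PORTS_SRC on $JAIL_BASE/$jail/usr/ports (nullfs"
}

# Print one mount command per jail that still lacks the tree.
# $1 = space-separated jail names, stdin = current "mount" listing.
pending_mounts() {
    listing=$(cat)
    for jail in $1; do
        if printf '%s\n' "$listing" | ports_mounted "$jail"; then
            continue
        fi
        printf 'mount -t nullfs -o ro %s %s/%s/usr/ports\n' \
            "$PORTS_SRC" "$JAIL_BASE" "$jail"
    done
}
```

On a real host, run it as `mount | pending_mounts 'j1 j2' | sh` once the output looks right.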


----------



## anomie (Aug 30, 2010)

Right, for jails, nullfs mounts are a more elegant approach. (I just need to take a few minutes to experiment.)


----------

