Re: [squid-users] compiling squid on dev machine, then moving to production machine

From: Henrik Nordstrom <hno@dont-contact.us>
Date: 09 Jan 2003 15:24:40 +0100

I would recommend using a packaging system of some kind to keep control
of which software versions you have installed.

Note: For easier packaging Squid-2.5 supports the DESTDIR variable when
running install.

make DESTDIR=/packages/squid-2.5.STABLE1 install

will install Squid-2.5 using "/packages/squid-2.5.STABLE1" as "root"
path, giving you a tree with only Squid files at their correct
locations.

Regards
Henrik

On Thu 2003-01-09 at 13.37, Mike Cudmore wrote:
> Hi,
>
> as a 1 off on the production system ( which is the same build/OS/arch
> as the dev machine just less features/packages installed)
> I have
>
> Installed squid start up scripts
>
> Raised the file descriptors in the start up scripts using ulimit
> command, to match the build environment.
>
> On the build system/dev create a tar of
>
> /usr/sbin/squid
> /usr/lib/squid/*
> /usr/share/errors/*
> /usr/share/icons/*
> /etc/squid/squid.conf
>
> and ship it to the destination.
>
> stop squid if running
> unpack tar
> run squid -z if needed to create directories
> squid
>
> anything else springs to mind?
>
>
>
> Regards
> Mike Cudmore
> GSI & Intranet Connectivity Team
>
> >>> Henrik Nordstrom <hno@marasystems.com> 01/08/03 04:37pm >>>
> On Wed 2003-01-08 at 14.36, Mike Cudmore wrote:
>
> > I understand the need for same os'es and accept that this is necessary
> > for the binary that is moved to work properly.
> >
> > The os'es, architecture are and will be the same.
> >
> > I also intend to build multiple squids. I don't want to build multiple
> > dev boxes then harden them prior to going into production.
> >
> > Anyone else done this ?
>
> All the time. Our production boxes have a tiny read-only root/system
> filesystem (ca 8MB including kernel). No way a compiling environment
> fits in there..
>
> It is not at all difficult as long as you ensure that the needed shared
> libraries are compatible.
>
> If you need to support multiple different OS revisions then virtual
> minimal OS installations can be used via chroot or similar measurements.
> Most package managers allow for manual installation into a virtual root
> directory.
>
> But I see no real security issue why not have compilers on production
> boxes.. If you are worried about security (I am) then mostly other
> measurements are needed. The only major reason why not have compilers on
> production boxes is to stop your sysadmin friend from trying to compile
> stuff on production boxes which do not belong there, only because it is
> easier to try it out on the production system instead of the development
> system.. The other major reason (which is my case) is if you have a need
> to keep the root/system filesystem small.
>
> If you run on any common platform then hackers (including most
> script-kiddies) won't care much if there is a compiler or not once they
> hack the box as they most likely already have the needed binaries
> compiled for their needs..
>
> If you run an odd platform or variant where "normal" binaries won't run
> then not having compilers available may be a reasonable security measure
> if hackers is what you worry about.
>
> Regards
> Henrik
Received on Thu Jan 09 2003 - 07:24:53 MST
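
An added example, not part of the original thread: one way to ship the tree produced by `make DESTDIR=... install` to a production box without a compiler, with a per-file SHA-256 manifest that is checked before anything is copied into place. The function names and the manifest file name are hypothetical; it assumes `tar`, `find`, `sort` and coreutils `sha256sum` on both machines.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and the manifest file
# name are hypothetical; assumes tar, find, sort and coreutils sha256sum.
MANIFEST=SHA256SUMS

# package_stage STAGE_DIR OUT_TAR
# STAGE_DIR is the tree written by: make DESTDIR=STAGE_DIR install
package_stage() {
    stage=$1; out=$2
    [ -d "$stage" ] || { echo "no staging tree: $stage" >&2; return 1; }
    (
        cd "$stage" || exit 1
        # Hash every staged file (not the manifest itself) in a stable order.
        find . -type f ! -path "./$MANIFEST" | LC_ALL=C sort |
            while IFS= read -r f; do sha256sum "$f"; done > "$MANIFEST"
    ) || return 1
    tar -cf "$out" -C "$stage" .
}

# verify_and_install TARBALL DEST_ROOT
# Unpack to a scratch directory, check every hash, reject files missing from
# the manifest, and only then copy the tree into DEST_ROOT.
verify_and_install() {
    tarball=$1; dest=$2; rc=0
    scratch=$(mktemp -d) || return 1
    tar -xf "$tarball" -C "$scratch" || rc=1
    if [ "$rc" -eq 0 ]; then
        ( cd "$scratch" && sha256sum -c "$MANIFEST" >/dev/null 2>&1 ) || rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        listed=$(wc -l < "$scratch/$MANIFEST")
        present=$(find "$scratch" -type f ! -path "$scratch/$MANIFEST" | wc -l)
        [ "$listed" -eq "$present" ] || rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        rm -f "$scratch/$MANIFEST"
        mkdir -p "$dest" && cp -R "$scratch/." "$dest/" || rc=1
    fi
    rm -rf "$scratch"
    return "$rc"
}
```

A manifest carried inside the tarball catches corruption and incomplete transfers; to detect tampering in transit, also compare the tarball's own digest over a separate channel or sign it.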
