Removing dependencies when using yum

Fri 01 March 2013

yellowdog updater modifiedA forthcoming article on the Red Hat Security Blog got me to ask the question: is it possible to have yum remove dependencies when uninstalling packages?  The answer is a somewhat surprising "yes"!  The functionality is turned off by default for a good reason but that's no reason why everyone should have it off.  A little perspective here is probably due...

If a piece of software isn't installed on your system then it can't be used as a vector of attack.  That's a simple thought, really.  If I don't have Apache, for instance, installed then it cannot be used as a means of gaining unauthorized access to my system.  So when removing a package it would be nice to be able to remove the package's dependencies as well so that no extra software is left on the system.  In the past I've had to go back through logs to see what was actually pulled in to know what I could remove.  Now that I know the switch things will be much easier.

Well, it might not actually be that simple.  Giving software a set of logical rules to use to determine whether or not a piece of software can be removed isn't that simple.  Yum's implementation isn't bullet-proof either.  I give the following example:

$ sudo yum remove cqrlog
Resolving Dependencies
--> Running transaction check
---> Package cqrlog.x86_64 0:1.5.2-2.fc18 will be erased
--> Finished Dependency Resolution
--> Finding unneeded leftover dependencies
---> Marking mysql-server to be removed - no longer needed by cqrlog
---> Marking trustedqsl to be removed - no longer needed by cqrlog
---> Marking mysql to be removed - no longer needed by cqrlog
---> Marking hamlib to be removed - no longer needed by cqrlog
---> Marking perl-DBD-MySQL to be removed - no longer needed by mysql-server
---> Marking wxBase to be removed - no longer needed by trustedqsl
---> Marking tqsllib to be removed - no longer needed by trustedqsl
---> Marking wxGTK to be removed - no longer needed by trustedqsl
Found and removing 8 unneeded dependencies

CQRLog has several dependencies including mysql-server and openssl-devel.  You don't see openssl-devel being targeted for removal because it's in use by another package.  But what about mysql-server? That is a package that could be needed all on it's own.  Had I actually needed mysql-server and hadn't been paying attention that package would have been removed and things could have broken on my system.

So using this functionality in yum should come with some caution.  You must be a diligent systems administrator and watch what you are doing instead of just hitting that 'y' key when asked if this is what you really want to do.

I actually looked for this functionality a while back and now it is found, surprisingly, right under my nose for a while.  A quick read of the man page for yum.conf shows:

clean_requirements_on_remove When removing packages (by removal,
update or obsoletion) go through each package's dependencies. If
any of them are no longer required by any other package then also
mark them to be removed.  Boolean (1, 0, True, False, yes, no)
Defaults to False

Adding this switch to the yum.conf file added the functionality immediately.  Testing has proved positive that the functionality works as advertised as well.  I, for one, will be using this feature on all of my systems that I administer as I dislike having packages just laying around needing updates and not doing anything.  Having packages just laying about is a potential security hazard and this should help reduce the amount of "stuff" one has on their system.

By Sparks, Category: Information Security

Tags: yum / Linux /