Index: openacs-4/packages/acs-core-docs/www/xml/install-guide/red-hat.xml
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-core-docs/www/xml/install-guide/red-hat.xml,v
diff -u -r1.4 -r1.5
--- openacs-4/packages/acs-core-docs/www/xml/install-guide/red-hat.xml	28 Oct 2003 22:07:41 -0000	1.4
+++ openacs-4/packages/acs-core-docs/www/xml/install-guide/red-hat.xml	5 Nov 2003 11:48:12 -0000	1.5
@@ -5,7 +5,7 @@
 %myvars;
 ]>
   <appendix id="install-redhat">
-    <title>Install Red Hat 8.0</title>
+    <title>Install Red Hat 8/9</title>
 
     <authorblurb>
       by <ulink url="mailto:joel@aufrecht.org">Joel Aufrecht</ulink>
@@ -19,7 +19,19 @@
     to install a new machine from scratch compared to installing each
     of these packages installed independently.)</para>
 
-    <para>The installation guide assumes you can do the following on
+    <para>The installation guide assumes you have:</para>
+    <itemizedlist>
+      <listitem><para>A PC with hard drive you can reinstall</para>
+      </listitem>
+      <listitem><para>Red Hat 8.0 or 9.0 install discs</para>
+      </listitem>
+      <listitem><para>A CD with the current <ulink
+      url="http://www.redhat.com/apps/support/errata/">Security
+      Patches</ulink> for your version of Red Hat.</para>
+      </listitem>
+    </itemizedlist>
+
+<para>The installation guide assumes that you can do the following on
     your platform:
 	</para>
     
@@ -62,7 +74,7 @@
           consequences.")</para>
       </listitem>
       <listitem>
-        <para>Insert Red Hat 8.0 Disk 1 into the  
+        <para>Insert Red Hat 8.0 or 9.0 Disk 1 into the  
 	  CD-ROM and reboot the computer</para></listitem>
       <listitem><para>At the
           <computeroutput><guilabel>boot:</guilabel></computeroutput>
@@ -148,18 +160,9 @@
 	  computer to support and then click
 	  <computeroutput><guibutton><accel>N</accel>ext</guibutton></computeroutput></para></listitem>
       <listitem><para>Choose your time zone and click <computeroutput><guibutton><accel>N</accel>ext</guibutton></computeroutput>.</para></listitem>.
-	<listitem><para>Type in a root
-password, twice.  To
-            improve security, we're going to prevent anyone from
-            connecting to the computer directly as root.  Instead,
-            we'll create a different user, called
-            <computeroutput>remadmin</computeroutput>, used solely to
-            connect to the computer for administration.  Click
-<computeroutput><guibutton><accel>A</accel>dd</guibutton></computeroutput>
-and enter username <userinput>remadmin</userinput> and a password,
-twice, then click <computeroutput><guibutton><accel>O</accel>K</guibutton></computeroutput>.  Then click
-<computeroutput><guibutton><accel>N</accel>ext</guibutton></computeroutput>.</para>
-</listitem>
+      <listitem><para>Type in a root
+password, twice.</para>
+      </listitem>
 	<listitem><para>On the Package selection page, we're going to
 uncheck a lot of packages that install software we don't need, and add
 packages that have stuff we do need.  You should install everything
@@ -175,6 +178,8 @@
 uncheck <computeroutput><guilabel>Server Configuration Tools</guilabel></computeroutput>,
 uncheck <computeroutput><guilabel>Web Server</guilabel></computeroutput>,
 uncheck <computeroutput><guilabel>Windows File Server</guilabel></computeroutput>,
+check <computeroutput><guilabel>SQL Database
+Server</guilabel></computeroutput> (this installs PostGreSQL,
 check <computeroutput><guilabel>Development Tools</guilabel></computeroutput> (this installs gmake and other build tools),
 uncheck <computeroutput><guilabel>Administration Tools</guilabel></computeroutput>, and
 uncheck <computeroutput><guilabel>Printing Support</guilabel></computeroutput>. </literallayout></para>
@@ -196,6 +201,8 @@
 uncheck <computeroutput><guilabel>pam-devel</guilabel></computeroutput> (I don't remember why, but we don't want this), 
 uncheck <computeroutput><guilabel>portmap</guilabel></computeroutput>, 
 uncheck <computeroutput><guilabel>postfix</guilabel></computeroutput> (this is an MTA, but we're going to install qmail later), 
+check
+<computeroutput><guilabel>postgresql-devel</guilabel></computeroutput>,
 uncheck <computeroutput><guilabel>rsh</guilabel></computeroutput> (rsh is a security hole), 
 uncheck <computeroutput><guilabel>sendmail</guilabel></computeroutput> (sendmail is an insecure MTA; we're going to install qmail instead later),
 check <computeroutput><guilabel>tcl</guilabel></computeroutput> (we need tcl), and 
@@ -232,6 +239,17 @@
 [root@yourserver root]#</screen>
       </listitem>
       <listitem>
+        <para>Install any security patches.  For example, insert your CD with
+        patches, mount it with <computeroutput>mount
+        /dev/cdrom</computeroutput>, then <computeroutput>cd
+        /mnt/cdrom</computeroutput>, then <computeroutput>rpm -UVH
+        *rpm</computeroutput>.  Both Red Hat 8.0 and 9.0 have had both
+        kernel and openssl/openssh root exploits, so you should be
+        upgrading all of that.  Since you are upgrading the kernel,
+        reboot after this step.
+</para>
+      </listitem>
+      <listitem>
         <para>Lock down SSH</para>
         <orderedlist>
           <listitem><para><indexterm>
@@ -246,8 +264,15 @@
     <screen><userinput>emacs /etc/ssh/sshd_config</userinput></screen></para></listitem>
           <listitem><literallayout>Search for the word "root" by typing C-s (that's emacs-speak for control-s) and then <userinput>root</userinput>.   
 Make the following changes:
-<programlisting>#Protocol 2,1</programlisting> to <programlisting>Protocol 2</programlisting> (this prevents any connections via SSH 1, which is insecure)
-<programlisting>#PermitRootLogin yes</programlisting> to <programlisting>PermitRootLogin no</programlisting> (this prevents the root use from logging in via ssh)
+<programlisting>#Protocol 2,1</programlisting> to
+            <programlisting>Protocol 2</programlisting> 
+            (this prevents any connections via SSH 1, which is insecure)
+<programlisting>#PermitRootLogin yes</programlisting> to
+            <programlisting>PermitRootLogin no</programlisting> 
+            (this prevents the root user from logging in remotely via
+            ssh.  If you do this, be sure to create a remote access
+            account, such as "remadmin", which you can use to get ssh
+            before using "su" to become root.)
 <programlisting>#PermitEmptyPasswords no</programlisting> to <programlisting>PermitEmptyPasswords no</programlisting> (this blocks passwordless accounts)
 
  and save and exit by typing C-x C-s C-x C-c</literallayout></listitem>
@@ -266,6 +291,8 @@
 service netfs stop
 chkconfig --del pcmcia
 chkconfig --del netfs</action></screen>
+        <para>If you installed PostGreSQL, do also
+<computeroutput>service postgresql start</computeroutput> and <computeroutput>chkconfig --add postgresql</computeroutput>.</para>
       </listitem>
       <listitem>
         <para>Plug in the network cable.</para>
@@ -287,6 +314,10 @@
 [root@yourserver root]#</screen>
       </listitem>
       <listitem>
+        <para>If you didn't burn a CD of patches and use it, can still
+          download and install the necessary patches.  Here's how to
+          do it for the kernel; you should also check for other
+          critical packages.</para>
         <para>Upgrade the kernel to fix a security hole.  The default
           Red Hat 8.0 system kernel (2.4.18-14, which you can check
           with <userinput>uname -a</userinput>) has several <ulink