Re: [suse-security] Updating packages
Hi. On Sat, 14 Oct 2000, Jurjen Oskam wrote: [snip]
> I suppose it's different for each kind of program. Something that's spawned by inetd and only runs for a short time gets updated rapidly: the executable is replaced by the package update and the next time it's spawned by inetd the new executable gets run.
That's a clear case at first sight, but what about the already connected clients? Will they get disconnected to be forced to use the new package? I think not.
> On the other end of the spectrum you have the kernel update: after installing the RPM from YaST (and SuSEconfig), you need to reboot, of course.
That's also a clear case, but AFAICS it's not possible to do this automatically.
> But what about the packages in between? For example, the recent libc update? When does that update take effect? I didn't take any chances and rebooted the machine, but was this necessary?
Yes, running daemons still use the old library. (Please correct me if I'm wrong!)
> And suppose a proftpd running in daemon mode? After installing a patch, is the running daemon automatically restarted by YaST or SuSEconfig, or is that the admin's work?
It should be in the respective RPM package, since then it works in all cases. I think I've seen such things in some packages (e.g. inetd, apache). Simply call /etc/rc.d/inetd restart (which is at /sbin/init.d in SuSE, don't ask).
> I'd really like some info on this. I always stayed on the safe side and restarted things (or even rebooted with a kernel or libc update) manually. But there's nothing in YaST or SuSEconfig that says to reboot or restart a package! So even though you installed that (for example) proftpd patch, an old, vulnerable proftpd is still running, even though YaST and SuSEconfig say the package is successfully updated. In other words: you're still vulnerable, perhaps without realizing it.
To be on the safe side, this should be done whenever possible. But you can't always reboot. So except for the kernel or important system libraries it should suffice to restart the service (via init scripts, e.g. rcinetd, or killall -9 inetd; /usr/sbin/inetd).
> Could anybody provide some input on this? When is it necessary to restart a package, or drop to single user mode, or even reboot? Of course, on production servers you'd like to keep downtime to a minimum, so a simple restart of (e.g.) proftpd is far preferable to a complete reboot.
See above.
greetings
olli
--
--------------------------------------
Oliver Hensel
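The question raised above, which running daemons still execute a pre-update binary or library after rpm has replaced the files, can be answered from /proc instead of guessed. The script below is an added example and not from this thread; it assumes the Linux /proc/<pid>/maps format and runs against a constructed sample maps file for a hypothetical PID 4242, while stale_processes scans the real host.

```shell
#!/bin/sh
# Find processes that still map a binary or library that rpm has since
# replaced. Replacing a file unlinks the old inode, and the kernel marks
# such mappings "(deleted)" in /proc/<pid>/maps; those processes keep
# running the pre-update code until they are restarted.

# stale_maps_in MAPSFILE PID: print "PID PATH" once per distinct deleted,
# file-backed mapping. memfd:, /dev/* and SysV shm segments also show up as
# "(deleted)" but are not files on disk, so they are skipped.
# (Paths containing spaces are not handled.)
stale_maps_in() {
    awk -v pid="$2" '
        $NF == "(deleted)" && $6 ~ /^\// && $6 !~ /^\/(dev\/|SYSV|memfd:)/ {
            if (!seen[$6]++) print pid, $6
        }' "$1"
}

# stale_processes: scan every process on this host (root is needed to read
# the maps files of other users). Output: sorted "PID PATH" lines.
stale_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        stale_maps_in "$maps" "${pid%/maps}" 2>/dev/null
    done | sort -u
}

# Constructed sample (not taken from a real system): what a proftpd started
# before a libc update looks like once rpm has replaced ld.so and libc.
SAMPLE_MAPS=$(mktemp)
trap 'rm -f "$SAMPLE_MAPS"' EXIT
cat >"$SAMPLE_MAPS" <<'EOF'
08048000-08083000 r-xp 00000000 03:01 12345  /usr/sbin/proftpd
40000000-40013000 r-xp 00000000 03:01 23456  /lib/ld-2.1.3.so (deleted)
40021000-400f5000 r-xp 00000000 03:01 23457  /lib/libc-2.1.3.so (deleted)
400f5000-400fb000 rw-p 000d3000 03:01 23457  /lib/libc-2.1.3.so (deleted)
40100000-40102000 rw-p 00000000 00:00 0
40103000-40105000 rw-s 00000000 00:04 3      /SYSV00000000 (deleted)
bfffe000-c0000000 rwxp fffff000 00:00 0      [stack]
EOF

echo "Sample pid 4242 still uses:"
stale_maps_in "$SAMPLE_MAPS" 4242
```

Anything stale_processes lists has to be restarted (or, for the kernel and the libraries used by init itself, the machine rebooted); an empty listing after the restart confirms the new code is the one in use.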
On Sat, 14 Oct 2000 14:07:29 +0200 (CEST), Oliver Hensel
> > I suppose it's different for each kind of program. Something that's spawned by inetd and only runs for a short time gets updated rapidly: the executable is replaced by the package update and the next time it's spawned by inetd the new executable gets run.
> That's a clear case at first sight, but what about the already connected clients? Will they get disconnected to be forced to use the new package? I think not.
So do I, but this was just an example (think daytime or something like that). It wouldn't make much sense to try to disconnect all currently connected clients because the use of the service is very short. Of course this maybe isn't a real world example, it was just to demonstrate the complete range of possible actions after installing a patch: from doing nothing to a complete reboot of the machine.
> > On the other end of the spectrum you have the kernel update: after installing the RPM from YaST (and SuSEconfig), you need to reboot, of course.
> That's also a clear case, but AFAICS it's not possible to do this automatically.
But that wasn't the point of my message: with the current situation it's relatively unclear what the admin should do after installing a patch. It doesn't have to be automated as far as I'm concerned; a requester that tells you what to do after installing the patch would be enough.
--
Jurjen Oskam * http://www.stupendous.org/ for PGP key