Hi.

On Sat, 14 Oct 2000, Jurjen Oskam wrote:

[snip]
> I suppose it's different for each kind of program. Something that's spawned by inetd and only runs for a short time gets updated rapidly: the executable is replaced by the package update and the next time it's spawned by inetd the new executable gets run.
That's a clear case at first sight, but what about the already connected clients? Will they get disconnected to be forced to use the new package? I think not.
> On the other end of the spectrum you have the kernel update: after installing the RPM from YaST (and SuSEconfig), you need to reboot, of course.
That's also a clear case, but AFAICS it's not possible to do this automatically.
> But how is it with the packages in between? For example, the recent libc update? When does that update take effect? I didn't take any chances and rebooted the machine, but was this necessary?
Yes, running daemons still use the old library. (Please correct me if I'm wrong!)
> And suppose a proftpd running in daemon mode? After installing a patch, is the running daemon automatically restarted by YaST or SuSEconfig, or is that the admin's work?
It should be in the respective RPM package, since then it works in all cases. I think I've seen such things in some packages (e.g. inetd, apache). Simply call /etc/rc.d/inetd restart (which is at /sbin/init.d in SuSE, don't ask).
> I'd really like some info on this. I always stayed on the safe side and restarted things (or even rebooted with a kernel or libc update) manually. But there's nothing in YaST or SuSEconfig that says to reboot or restart a package! So even though you installed that (for example) proftpd patch, an old, vulnerable proftpd is still running, even though YaST and SuSEconfig say the package is successfully updated. In other words: you're still vulnerable, perhaps without realizing it.
To be on the safe side, this should be done whenever possible. But you can't always reboot. So except for kernel or important system libraries, it should suffice to restart the service (via init scripts, e.g. rcinetd, or killall -9 inetd; /usr/sbin/inetd).
> Could anybody provide some input on this? When is it necessary to restart a package, or drop to single user mode, or even reboot? Of course, on production servers you'd like to keep downtime to a minimum, so a simple restart of (e.g.) proftpd is far more preferable to a complete reboot.
See above.
greetings
olli
--
--------------------------------------
Oliver Hensel
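The thread asks whether a running daemon still uses the old libc or the old proftpd binary after the RPM was replaced on disk. On Linux this can be checked directly: when a file that a process has mapped is unlinked or replaced (which is what a package update does), the kernel tags that entry in /proc/PID/maps with "(deleted)". The script below is an added example written for this reply, not code from the thread or from SuSE; it assumes a Linux /proc layout and that it is run as root to see every process.

```shell
#!/bin/sh
# Added example: find processes that still map a library or executable
# whose on-disk file has been replaced (e.g. by a package update), so the
# admin knows which daemons need a restart rather than guessing.
# Assumption: Linux /proc/PID/maps format, e.g.
#   7f1a0000-7f1b0000 r-xp 00000000 08:01 131 /lib/libc.so.6 (deleted)

# stale_from_maps: read one process's maps file on stdin and print the
# unique paths of file-backed mappings that the kernel marked "(deleted)".
# Both shared libraries (the libc case) and the daemon's own executable
# (the proftpd case) show up here.
stale_from_maps() {
    awk '$6 ~ /^\// && $NF == "(deleted)" { print $6 }' | sort -u
}

# report_stale: walk every process in /proc and print "PID COMM PATH" for
# each stale mapping. Processes that exit mid-scan are skipped silently.
report_stale() {
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps#/proc/}
        pid=${pid%/maps}
        comm=$(cat "/proc/$pid/comm" 2>/dev/null) || continue
        stale_from_maps < "$maps" 2>/dev/null | while read -r path; do
            printf '%s %s %s\n' "$pid" "$comm" "$path"
        done
    done
}

# Constructed sample (not a real capture): one process that has the old
# libc and the old proftpd binary mapped, plus mappings that are fine.
SAMPLE_MAPS='7f1a0000-7f1b0000 r-xp 00000000 08:01 131 /lib/libc.so.6 (deleted)
7f1b0000-7f1c0000 r--p 00000000 08:01 131 /lib/libc.so.6 (deleted)
7f2a0000-7f2b0000 r-xp 00000000 08:01 200 /lib/libm.so.6
08048000-08060000 r-xp 00000000 08:01 300 /usr/sbin/proftpd (deleted)
7f4a0000-7f4b0000 rw-p 00000000 00:00 0 [heap]'

# Run the live scan when executed directly; pass --sample to see the
# constructed case instead of the real /proc.
case "${1:-}" in
    --sample) printf '%s\n' "$SAMPLE_MAPS" | stale_from_maps ;;
    *) report_stale ;;
esac
```

An empty report only says that nothing stale is mapped; a daemon that was restarted with the new library but still runs an old configuration, or a statically linked binary that never maps libc, is out of scope for this check.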