Mailinglist Archive: opensuse-security (471 mails)

Re: [suse-security] Updating packages
  • From: Oliver Hensel <oliver.hensel@xxxxxxx>
  • Date: Sat, 14 Oct 2000 14:07:29 +0200 (CEST)
  • Message-id: <20001014122120.56FAC13007@xxxxxxxxxxxxxxxxxxxxxxxxx>
Hi.

On Sat, 14 Oct 2000, Jurjen Oskam wrote:
[snip]
> I suppose it's different for each kind of program. Something that's
> spawned by inetd and only runs for a short time gets updated rapidly:
> the executable is replaced by the package update and the next time
> it's spawned by inetd the new executable gets run.

That's a clear case at first sight, but what about the already connected
clients? Will they get disconnected to force them to use the new package?
I think not.

>
> On the other end of the spectrum you have the kernel update: after
> installing the RPM from YaST (and SuSEconfig), you need to reboot, of
> course.

That's also a clear case, but AFAICS not possible to automatically do
this.

>
>
> But how is it with the packages in between? For example, the recent
> libc update? When does that update take effect? I didn't take any
> chances and rebooted the machine, but was this necessary?

Yes, running daemons still use the old library. (Please correct me if I'm
wrong!)

>
> And suppose a proftpd running in daemon mode? After installing a
> patch, is the running daemon automatically restarted by YaST or
> SuSEconfig, or is that the admin's work?

It should be in the respective RPM package, since then it works in all
cases. I think I've seen such things in some packages (e.g. inetd, apache).
Simply call /etc/rc.d/inetd restart (which is at /sbin/init.d in SuSE,
don't ask).

> I'd really like some info on this. I always stayed on the safe side
> and restarted things (or even rebooted with a kernel- or libc-update)
> manually. But there's nothing in YaST or SuSEconfig that says to
> reboot or restart a package! So even though you installed that (for
> example) proftpd patch, an old, vulnerable proftpd is still running,
> even though YaST and SuSEconfig say the package is successfully
> updated. In other words: you're still vulnerable, perhaps without
> realizing it.

To be on the safe side, this should be done whenever possible. But you
can't always reboot. So except for kernel or important system libraries
it should suffice to restart the service (via init scripts, e.g. rcinetd
or killall -9 inetd; /usr/sbin/inetd ).

> Could anybody provide some input on this? When is it necessary to
> restart a package, or drop to single user mode, or even reboot? Of
> course, on production servers you'd like to keep downtime to a
> minimum, so a simple restart of (e.g) proftpd is far more preferable
> to a complete reboot.

See above.

greetings
olli


--
--------------------------------------
Oliver Hensel <oliver.hensel@xxxxxxx>
<ohensel@xxxxxxxxxxxxxxxxxxx>
http://www.ohensel.de/

Training + Consulting
Unix - Linux - Firewalls - Security
--------------------------------------
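
An added example, not part of the original message: one way to answer "which running daemons still use the old library or executable" on a Linux system with /proc mounted. It relies on the kernel marking a mapped file that was removed or replaced on disk with " (deleted)" in /proc/<pid>/maps; the function names and the sample maps text are constructed for illustration.

```shell
#!/bin/sh
# Reads the text of /proc/<pid>/maps on stdin and prints every file that is
# still mapped executable although it was deleted or replaced on disk.
stale_mappings() {
    # maps columns: address perms offset dev inode pathname
    # Executable mappings of real files only (inode != 0); this skips
    # deleted shared-memory segments, which are mapped rw-s.
    awk '$2 ~ /x/ && $5 != 0 && /\(deleted\)$/ {
             p = index($0, "/")            # pathname starts at the first slash
             if (p == 0) next
             path = substr($0, p)
             sub(/ \(deleted\)$/, "", path) # drop the kernel marker
             if (!seen[path]++) print path
         }'
}

# Walks every process the caller may inspect (run as root to see all of them)
# and prints "pid<TAB>command<TAB>stale file" for each hit.
# Assumes a kernel that provides /proc/<pid>/comm.
scan_running() {
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps#/proc/}; pid=${pid%/maps}
        name=$(cat "/proc/$pid/comm" 2>/dev/null) || continue
        stale_mappings < "$maps" 2>/dev/null |
            while IFS= read -r f; do
                printf '%s\t%s\t%s\n' "$pid" "$name" "$f"
            done
    done
}

# Constructed sample: a daemon started before both its own package and libc
# were updated. The dynamic loader was not replaced, so it is not reported.
sample_maps() {
    cat <<'EOF'
08048000-080a1000 r-xp 00000000 03:02 45123      /usr/sbin/proftpd (deleted)
080a1000-080a6000 rw-p 00058000 03:02 45123      /usr/sbin/proftpd (deleted)
40000000-40013000 r-xp 00000000 03:02 12011      /lib/ld-2.1.3.so
40018000-40105000 r-xp 00000000 03:02 12020      /lib/libc-2.1.3.so (deleted)
40105000-40109000 rw-p 000ec000 03:02 12020      /lib/libc-2.1.3.so (deleted)
40200000-40300000 rw-s 00000000 00:04 98304      /SYSV00000000 (deleted)
bfffe000-c0000000 rwxp fffff000 00:00 0
EOF
}

# Pass --scan to check the live system; without it only the functions are defined.
if [ "${1:-}" = "--scan" ]; then scan_running; fi
```

Any process listed by `scan_running` after an update is still executing the pre-update code and needs a restart (or, for something like init, a reboot).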
