[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: libc6 (security) update does not restart system-services?



Bernd Eckenfels wrote:
> GOTO Masanori wrote:
> > So everytime we have to restart all binaries which use a library
> > involving security-problem.  In additionm this problem affects not
> > only debian packages, but user-built binaries.
> 
> Well, this is why it is most often described in the security advisory.

It seems to me that while there is the reputation "Rebooting is for
adding new hardware" that sometimes rebooting is also for security and
other updates.  I have been training people that Debian does not
*force* a reboot at the time that the update is made but allows the
admin to schedule a reboot at their convenience for critical library
updates such as glibc, use your judgement.  Coming from other system
which force a reboot for almost any update this is seen as a breath of
fresh air.  (No, amazingly I am not talking about MS here, but rather
HPUX which has many gratuitous reboots when swinstall'ing updates.)

> To be shure one can eighter use "init 1" and get back to multi user
> mode,

Basically moving through 'init 1' is almost the same as a reboot.  It
just preserves your uptime stats.  :-)  I would not move through
'init 1' programatically.

> or use tools like "lsof" or my package of "memstat" to find loaded
> and deleeted libraries.

I believe this process to be much to complicated to be used
successfully in the general case.  You would need to match each
running process back to a /etc/init.d restart methodology.  These
frequently do not have a one to one mapping.  You could design a new
methodology to be added to policy which packages with running daemons
would need to register themselves to ensure a proper restart.  So much
work would be needed to make this happen smoothly.

> This is also good to do on a regular interval if you update your systems for
> no security reasons:
> 
> - it will free memory and will make the filesystem get rid of open/deleted
> files, which can cause problems like the inability to remount ro or messages
> like "setting dtime of deleted inode" on fsck.

Except for the uptime wars (2 years 2 weeks!, between power outs here)
I generally reboot servers monthly.  This has the added benefit that
it also ensures that the servers will boot cleanly and an admin has
not broken something with a manual tweak.

Bob

Attachment: pgpXzW2tpHGcf.pgp
Description: PGP signature


Reply to: