[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

How do people remount /usr read-only after apt-get?

On a couple of Woody systems I put together recently I followed advice I'd seen that recommended mounting /usr as read-only. I haven't seen a security patch yet that has left me able to remount /usr read-only, which is quite annoying. I've configured a Dpkg Post-Invoke step to remount /usr ro. It never works. Today I found that using lsof to identify the processes, I could restart them and release their hold on the /usr partition.

1) How do people normally deal with this situation? Is it a manual process or can it be automated?

2) This makes me wonder why we don't restart affected processes after applying security patches. For instance, today's OpenSSL patch seemed to affect ssh and bind. Well, I had to restart them as part of remount /usr ro. Presumably those processes were still using a vulnerable version of the library. Ssh was doubly annoying as I had to log out and log back in ;)

Reply to: