How do people remount /usr read-only after apt-get?

To: debian-user <debian-user@lists.debian.org>
Subject: How do people remount /usr read-only after apt-get?
From: Malcolm Ferguson <Malcolm_Ferguson@yahoo.com>
Date: Wed, 01 Oct 2003 11:38:35 -0400
Message-id: <[🔎] 3F7AF4FB.20907@yahoo.com>

On a couple of Woody systems I put together recently I followed adviceI'd seen that recommended mounting /usr as read-only. I haven't seen asecurity patch yet that has left me able to remount /usr read-only,which is quite annoying. I've configured a Dpkg Post-Invoke step toremount /usr ro. It never works. Today I found that using lsof toidentify the processes, I could restart them and release their hold onthe /usr partition.

1) How do people normally deal with this situation? Is it a manualprocess or can it be automated?

2) This makes me wonder why we don't restart affected processes afterapplying security patches. For instance, today's OpenSSL patch seemedto affect ssh and bind. Well, I had to restart them as part of remount/usr ro. Presumably those processes were still using a vulnerableversion of the library. Ssh was doubly annoying as I had to log out andlog back in ;)

Reply to:

Prev by Date: Re: Debian for Joe Average
Next by Date: spell checking with emacs-wiki
Previous by thread: Re: Diff btw GeForce4 and RIVA TNT2?
Next by thread: Re: How do people remount /usr read-only after apt-get?
Index(es):
- Date
- Thread