Re: How do people remount /usr read-only after apt-get?

2003-10-04 Thread Jacob Anawalt
Malcolm Ferguson wrote:
[snip]
> 2) This makes me wonder why we don't restart affected processes after 
> applying security patches.  For instance, today's OpenSSL patch seemed 
> to affect ssh and bind.  Well, I had to restart them as part of remount 
> /usr ro.  Presumably those processes were still using a vulnerable 
> version of the library.  Ssh was doubly annoying as I had to log out and 
> log back in ;)


Every Debian update I've installed like this has had text saying "You 
will need to restart all services that depend on this library."

I've never had to log out and in to restart sshd. I don't know if my 
connection is passed from one process to the next, or if the old process 
hangs on until I log out, but I've restarted it (and cycled my 
interfaces down and up) while connected many times (which I think is 
very nice!)

--
Jacob



How do people remount /usr read-only after apt-get?

2003-10-01 Thread Malcolm Ferguson
On a couple of Woody systems I put together recently I followed advice 
I'd seen that recommended mounting /usr as read-only.  I haven't seen a 
security patch yet that has left me able to remount /usr read-only, 
which is quite annoying.  I've configured a Dpkg Post-Invoke step to 
remount  /usr ro.  It never works.  Today I found that using lsof to 
identify the processes, I could restart them and release their hold on 
the /usr partition.

1) How do people normally deal with this situation?  Is it a manual 
process or can it be automated?

2) This makes me wonder why we don't restart affected processes after 
applying security patches.  For instance, today's OpenSSL patch seemed 
to affect ssh and bind.  Well, I had to restart them as part of remount 
/usr ro.  Presumably those processes were still using a vulnerable 
version of the library.  Ssh was doubly annoying as I had to log out and 
log back in ;)
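
The lsof step described in the post above can be scripted. The following is an added example, not part of the original thread: it lists processes that still map a file under /usr that a package upgrade has replaced, so they are the ones to restart before remounting /usr read-only. It assumes Linux, where /proc/PID/maps marks such a file with a trailing "(deleted)"; the function names and the sample maps data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes Linux, where /proc/PID/maps
# marks a mapped file that was replaced on disk with a trailing "(deleted)".

# parse_maps PID NAME < maps
# Prints "PID<TAB>NAME<TAB>path" once per replaced file mapped from /usr.
parse_maps() {
    awk -v pid="$1" -v name="$2" '
        $NF == "(deleted)" && $6 ~ /^\/usr\// {
            path = $6                       # rejoin paths containing spaces
            for (i = 7; i < NF; i++) path = path " " $i
            if (!seen[path]++) printf "%s\t%s\t%s\n", pid, name, path
        }'
}

# scan_proc [ROOT]: check every process under ROOT (default /proc; run as root
# to be able to read the maps of processes owned by other users).
scan_proc() {
    root="${1:-/proc}"
    for d in "$root"/[0-9]*; do
        [ -r "$d/maps" ] || continue
        name=$(sed -n 's/^Name:[[:space:]]*//p' "$d/status" 2>/dev/null) || name=
        parse_maps "${d##*/}" "${name:-?}" < "$d/maps"
    done
}

# Constructed sample: maps of one sshd process after libssl was upgraded.
sample_maps() {
    cat <<'EOF'
08048000-0807e000 r-xp 00000000 03:05 48211      /usr/sbin/sshd
40016000-40045000 r-xp 00000000 03:05 16102      /usr/lib/libssl.so.0.9.6 (deleted)
40045000-40048000 rw-p 0002e000 03:05 16102      /usr/lib/libssl.so.0.9.6 (deleted)
40048000-4011c000 r-xp 00000000 03:05 16101      /usr/lib/libcrypto.so.0.9.6 (deleted)
4011c000-4012a000 rw-p 00000000 00:00 0
40200000-40210000 rw-s 00000000 00:04 0          /SYSV00000000 (deleted)
EOF
}

# Demo on the constructed sample; on a live system call scan_proc instead.
sample_maps | parse_maps 412 sshd
```

An empty result from `scan_proc` means no running process is still mapping a replaced file from /usr.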
