Hi Javier,
sorry for not replying to your mail before. I would have created a patch if
I felt qualified, but I don't.
On Wed, May 04, 2005 at 11:56:45AM +0200, Javier Fernández-Sanguino Peña wrote:
> > with respect to security updates, please document that running programs
> > linked to security-fixed libraries need be restarted.
>
> Yes, I had this in my TODO. As this is a common FAQ I have bumped it up in
> the list of TODOs.
That's cool, thanks!
[ snipped links to updated manual ]
> Hope you like it.
Thanks for providing the links.
First one minor thing. You give this command line to check for such
libraries:
# lsof | grep dpkg- | awk '{print $1, $8}' | sort +0
According to the info manual, "sort +0" is an obsolete,
non-POSIX-compliant syntax; it is not even mentioned in the man page.
Please use -k instead.
BTW, you didn't copy it from Andreas Barth in the "Reboot in postinst"
thread, did you? :-)
> > In section 4.9.2 ("Setting /usr read-only"), there is already a
> > short note about processes still accessing upgraded/unlinked binaries.
> > Perhaps this could be merged.
>
> I have not merged that as I believe it's a different thing altogether.
Quoting your previous mail:
> Actually, the /usr read-only setup has issues which are not related to
> binaries upgrade so the review needs to be done with fuser ('fuser -muv
> /usr' in sarge/sid)
Could you please elaborate? AFAICS it's pretty much the same problem:
files get upgraded and thus unlinked. In the case of read-only /usr, the
pending deletion prevents remounting the filesystem ro again. The
situation (at the low level) and the cure are identical, only the point
of view -- security vs. DPkg::Post-Invoke breakage -- is different.
Wrong?
This leads me to another question. The section regarding the ro /usr
in the Securing Debian manual recommends "lsof +L1" to detect unlinked
files. Now Henrique de Moraes Holschuh noted in [1] that this is not
reliable:
> On Fri, 21 Jan 2005, David Schmitt wrote:
> > I always use "lsof +L1" to view all open, unlinked files. This should
> > include
> > old versions of libraries.
>
> Not always. Try also a lsof -n | grep dpkg-new.
This is remarkable, especially since checkrestart uses "lsof +L1" as
well. How could this method fail?
Finally, do you plan to push the updated manual for sarge?
Regards,
Nikolaus
[1] http://lists.debian.org/debian-devel/2005/01/msg01226.html
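The two detection methods argued over in this thread ("lsof +L1" on link counts, and grepping lsof output for "dpkg-" names) can be cross-checked directly against the kernel's own view of what each process has mapped. The script below is an added example and is not part of this thread, of checkrestart, or of the Securing Debian manual; it reads /proc/PID/maps, where the kernel appends " (deleted)" to the path of any file that was unlinked while still mapped (the situation that both the security-update and the read-only /usr remount problems share), and it separately flags paths containing ".dpkg-", matching the grep in Javier's command. The SAMPLE_MAPS dump and the function names are constructed for illustration.

```python
import os
import re

# One /proc/PID/maps line: address range, perms, offset, dev, inode, optional path.
_MAPS_LINE = re.compile(
    r"^(?P<range>[0-9a-f]+-[0-9a-f]+)\s+(?P<perms>\S+)\s+(?P<offset>\S+)\s+"
    r"(?P<dev>\S+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)

# Constructed sample of a /proc/PID/maps dump (not captured from a real system):
# a process whose libfoo was replaced by an upgrade and whose old libbar was
# renamed to a .dpkg-tmp name and then unlinked while still mapped.
SAMPLE_MAPS = """\
08048000-08049000 r-xp 00000000 03:01 12345      /usr/bin/example
b7e2c000-b7f5c000 r-xp 00000000 03:01 67890      /usr/lib/libfoo.so.1.2.3 (deleted)
b7f5c000-b7f5e000 rw-p 00130000 03:01 67890      /usr/lib/libfoo.so.1.2.3 (deleted)
b7f60000-b7f7a000 r-xp 00000000 03:01 11111      /lib/ld-2.3.2.so
b7f7a000-b7f7c000 r-xp 00000000 03:01 22222      /usr/lib/libbar.so.2.dpkg-tmp (deleted)
b7f9e000-b7fb0000 rw-p 00000000 00:00 0          [heap]
bffeb000-c0000000 rw-p bffeb000 00:00 0          [stack]
"""

_DELETED_SUFFIX = " (deleted)"


def _mapped_files(maps_text):
    """Yield (path, was_deleted) for every file-backed mapping in a maps dump.
    Anonymous mappings and pseudo-paths such as [heap] are skipped."""
    for line in maps_text.splitlines():
        m = _MAPS_LINE.match(line)
        if not m:
            continue
        path = m.group("path").strip()
        if not path.startswith("/"):
            continue
        deleted = path.endswith(_DELETED_SUFFIX)
        if deleted:
            path = path[: -len(_DELETED_SUFFIX)]
        yield path, deleted


def deleted_mappings(maps_text):
    """Sorted list of mapped files the kernel marks '(deleted)': the file was
    unlinked (typically replaced by an upgrade) but the old inode stays alive
    as long as this process maps it, which is also what keeps /usr busy when
    remounting it read-only."""
    return sorted({p for p, gone in _mapped_files(maps_text) if gone})


def staged_dpkg_paths(maps_text):
    """Sorted list of mapped files whose name contains '.dpkg-' (dpkg's
    staging names), the same condition as 'lsof | grep dpkg-'."""
    return sorted({p for p, _ in _mapped_files(maps_text) if ".dpkg-" in p})


def scan_proc(proc_root="/proc"):
    """Walk proc_root and return {pid: [paths]} for processes that still map a
    deleted or dpkg-staged file. Reading other users' maps needs root; on a
    system without /proc the result is simply empty."""
    report = {}
    if not os.path.isdir(proc_root):
        return report
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "maps")) as f:
                text = f.read()
        except OSError:  # process exited, or permission denied
            continue
        paths = sorted(set(deleted_mappings(text)) | set(staged_dpkg_paths(text)))
        if paths:
            report[int(entry)] = paths
    return report


if __name__ == "__main__":
    # Self-check on the constructed sample, then a live scan of this host.
    print("sample, deleted:", deleted_mappings(SAMPLE_MAPS))
    print("sample, dpkg-staged:", staged_dpkg_paths(SAMPLE_MAPS))
    for pid, paths in sorted(scan_proc().items()):
        print(pid, " ".join(paths))
```

Because it reads the mapping table rather than relying on a link count reported through lsof, the script shows the same unlinked inodes that keep a read-only /usr from being remounted and that keep an old library version running after a security update; a process listed here needs to be restarted (or the system rebooted) before the fix takes effect.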