Re: libc6 (security) update does not restart system-services?
On Mon, 21 Apr 2003 13:41:33 +0900 GOTO Masanori [EMAIL PROTECTED] wrote:

> > > > So every time we have to restart all binaries which use a library involving a security problem. In addition, this problem affects not only debian packages, but user-built binaries.
>
> I also think it's a nice idea that the DSA describes the need to restart services.

Whom should I contact for this to happen with upcoming DSA's?

Thanks,
Max

-- 
The first time any man's freedom is trodden on, we're all damaged.
Cpt. Picard, The Drumhead, StarTrek TNG
http://homex.subnet.at/~max/
Re: libc6 (security) update does not restart system-services?
At Sun, 20 Apr 2003 08:55:11 +0200, Markus Amersdorfer wrote:
> On Sat, 19 Apr 2003 18:04:01 +0200 Bernd Eckenfels [EMAIL PROTECTED] wrote:
> > On Sun, Apr 20, 2003 at 12:05:49AM +0900, GOTO Masanori wrote:
> > > So every time we have to restart all binaries which use a library involving a security problem. In addition, this problem affects not only debian packages, but user-built binaries.
> >
> > Well, this is why it is most often described in the security advisory. To be sure one can either use init 1 and get back to multi user mode, or use tools like lsof or my package of memstat to find loaded and deleted libraries.
>
> I couldn't find any information about restarting programs and services (no matter what way) in DSA-282 (the corresponding DSA for the libc-update). Though I think it's a good idea to place such information in the DSA,

I also think it's a nice idea that the DSA describes the need to restart services.

> I'd suppose a small notice this message in the postinst script (as described in my other mail) would be good as this information will reach those not reading the DSAs too.

Hmm. This problem applies not only to glibc, but to all libraries. So I would like to take a generic approach if such a notice should appear.

Regards,
-- gotom
Re: libc6 (security) update does not restart system-services?
At Sat, 19 Apr 2003 10:52:51 -0600, Bob Proulx wrote:
> Bernd Eckenfels wrote:
> > or use tools like lsof or my package of memstat to find loaded and deleted libraries.
>
> I believe this process to be much too complicated to be used successfully in the general case. You would need to match each running process back to a /etc/init.d restart methodology. These frequently do not have a one to one mapping. You could design a new methodology to be added to policy which packages with running daemons would need to register themselves to ensure a proper restart. So much work would be needed to make this happen smoothly.

Well, it's hard to display the package name. However

  lsof | grep dpkg-new | awk '{print $1, $8}' | sort +0

makes a list which describes what binary uses old libraries replaced by dpkg. To show it more user friendly, it needs to remember what library files were replaced, though.

> > This is also good to do on a regular interval if you update your systems for no security reasons:
> > - it will free memory and will make the filesystem get rid of open/deleted files, which can cause problems like the inability to remount ro or messages like setting dtime of deleted inode on fsck.
>
> Except for the uptime wars (2 years 2 weeks!, between power outs here) I generally reboot servers monthly. This has the added benefit that it also ensures that the servers will boot cleanly and an admin has not broken something with a manual tweak.

Well, this kind of precaution is better than leaving machines alone...

Regards,
-- gotom
Re: libc6 (security) update does not restart system-services?
GOTO Masanori wrote:
> Well, it's hard to display the package name. However
>
>   lsof | grep dpkg-new | awk '{print $1, $8}' | sort +0
>
> makes a list which describes what binary uses old libraries replaced by dpkg. To show it more user friendly, it needs to remember what library files were replaced, though.

I think I see where you are going. Something like this for libc?

  lsof | awk '$9 ~ /^\/lib\/libc-.*.so/{print$1, $9}'

And then warn the admin with a notice about those running programs? But there are usually quite a few of them bound to libc. Of the difficult ones to restart automatically almost certainly every user shell and every ssh session would be attached. Those would need to be killed which cannot be done automatically.

Bob
Re: libc6 (security) update does not restart system-services?
On Sun, Apr 20, 2003 at 11:14:41PM -0600, Bob Proulx wrote:
> GOTO Masanori wrote:
> > Well, it's hard to display the package name. However
> >
> >   lsof | grep dpkg-new | awk '{print $1, $8}' | sort +0
> >
> > makes a list which describes what binary uses old libraries replaced by dpkg. To show it more user friendly, it needs to remember what library files were replaced, though.
>
> I think I see where you are going. Something like this for libc?
>
>   lsof | awk '$9 ~ /^\/lib\/libc-.*.so/{print$1, $9}'
>
> And then warn the admin with a notice about those running programs?

Funny, while I was on vacation I coded a check for the Tiger security tool to do just this; it's called 'check_finddeleted' [1] and will point you to processes (normal ones and daemons) that are using deleted files. It is based on an excellent article by Brian Hatch at http://www.hackinglinuxexposed.com/articles/20020507.html. Definitely, a must read :-)

Regards

Javi

[1] http://savannah.nongnu.org/cgi-bin/viewcvs/tiger/tiger/scripts/check_finddeleted?rev=1.1&content-type=text/vnd.viewcvs-markup
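As an added illustration of the detection approach discussed in the messages above (this is my own example, not code from this thread, from Tiger's check_finddeleted, or from the memstat package): a POSIX sh script that does what the lsof one-liners do, but reads /proc/PID/maps directly. When dpkg replaces a library, the old inode stays mapped by running processes and the kernel marks that mapping "(deleted)" in the maps file, so the script reports each process, the stale library, and (via dpkg -S) the package owning the path, printing "(unpackaged)" for user-built libraries. The sample maps excerpt is constructed, not captured from a real host, and the function and option names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not code from this thread, from Tiger, or from memstat).
# Lists running processes that still map a shared library which has been
# replaced on disk, e.g. by a dpkg library upgrade.  The kernel appends
# "(deleted)" to such mappings in /proc/PID/maps, so no lsof is needed.
# Function and option names below are my own.

# deleted_libs_in_maps MAPSFILE
#   Print each distinct shared-object path the file marks "(deleted)".
#   maps columns: address perms offset dev inode pathname [(deleted)]
deleted_libs_in_maps() {
    awk '$6 ~ /\.so/ && $7 == "(deleted)" { if (!seen[$6]++) print $6 }' "$1"
}

# owner_package LIBPATH
#   Map a library path back to the Debian package that ships it; prints
#   "(unpackaged)" for user-built libraries (which the thread notes are
#   affected just the same) or when dpkg is not available.
owner_package() {
    dpkg -S "$1" 2>/dev/null | sed 's/:.*//' | head -n 1 | grep . || echo "(unpackaged)"
}

# scan_running_processes
#   Walk /proc and print "PID COMMAND LIBRARY PACKAGE" for every stale
#   mapping.  Run as root to see other users' processes.
scan_running_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        comm=$(ps -o comm= -p "$pid" 2>/dev/null || echo '?')
        deleted_libs_in_maps "$maps" 2>/dev/null | while read -r lib; do
            printf '%s %s %s %s\n' "$pid" "$comm" "$lib" "$(owner_package "$lib")"
        done
    done
}

# constructed_sample
#   Write a constructed /proc/PID/maps excerpt (made up for this example,
#   not captured from a real host; the library versions are the ones quoted
#   in the thread) to a temp file and print its path.
constructed_sample() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
08048000-08060000 r-xp 00000000 03:01 12345 /usr/sbin/sshd
40000000-40015000 r-xp 00000000 03:01 23456 /lib/ld-2.2.5.so (deleted)
40015000-40016000 rw-p 00014000 03:01 23456 /lib/ld-2.2.5.so (deleted)
40030000-40150000 r-xp 00000000 03:01 34567 /lib/libc-2.2.5.so (deleted)
40150000-40158000 rw-p 0011f000 03:01 34567 /lib/libc-2.2.5.so (deleted)
40160000-40170000 r-xp 00000000 03:01 45678 /usr/lib/libz.so.1.1.4
40170000-40180000 rw-p 00000000 00:00 0
bfffe000-c0000000 rwxp fffff000 00:00 0
EOF
    echo "$f"
}

# --demo parses the constructed sample; --scan walks the live /proc.
case "${1:-}" in
    --demo) f=$(constructed_sample); deleted_libs_in_maps "$f"; rm -f "$f" ;;
    --scan) scan_running_processes ;;
esac
```

Running it with --demo on the constructed excerpt lists /lib/ld-2.2.5.so and /lib/libc-2.2.5.so once each (the rw-p data mappings are deduplicated) and skips libz, which is still the on-disk file. With --scan as root it gives the per-process view that the thread wants before deciding what to restart; as Bob notes, user shells and ssh sessions will show up too, and the script only reports, it never kills or restarts anything.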
Re: libc6 (security) update does not restart system-services?
On Sun, 20 Apr 2003 00:05:49 +0900 GOTO Masanori [EMAIL PROTECTED] wrote:

> > > > Woody comes with libc6 2.2.5-11.5, so the section about restarting services is never reached. This leaves the machine vulnerable as all services use the old library until restarted.
> > > > Shouldn't the services be restarted when installing a new libc-version? What reasons would there be not to restart services?
> >
> > But my concern is that running programs such as system services use the old libraries instead of the new one as long as they continue running, don't they? If they do the security bug is still exploitable though the new libraries are already installed on the system.
>
> Yes, right, good point. This is not only a glibc issue; this problem affects all library packages.

Yupp...

> I have to warn all users who believe that "we need only apt-get upgrade, yeah, that's all folks!" concept. It's not true for this library upgrade issue. From our glibc upgrade experience, it's difficult to restart packages which have a specific problem automatically... The simple method to detect old libraries is to use lsof, so the debian package system can warn users that there are old libraries which have a security problem, so you should restart these binaries. I don't know if there is a good way to fix this problem.

As Bob pointed out in his message, searching for running programs using the old libraries using lsof and restarting the corresponding services _automatically_ is currently hardly possible.

IMHO the best practice would be to check if any version of glibc (or more generally the library-package just being installed) is installed already and is to be replaced by the new one. If any running programs are found, prompt the user an info-message to make sure to restart programs/services in order to benefit from the changes. This would actually only be necessary with either a security update or with major version changes (such as libc 2.1 -> 2.2).

While the latter is already dealt with by the postinst script, it would be necessary to know if the update is a simple "new version's here" update or if it's a security-related one... That's probably hard to decide for Testing and Unstable, I assume, but it is not for the Stable-tree where generally no updated versions (other than security-related) are to be installed. So at least for Woody, the warning message would be appropriate, I think.

> > > > If everything _is_ designed not to restart the services, I suppose telling the users to take care of that themselves would be a good idea for example using a simple echo in the post-install script (or similar).
> > >
> > > The restarting message is not sufficient for you?
> >
> > Of course, but the message is only shown if the services _are_ to be restarted (which is only when doing a major version update). Services are not restarted by the security update though I think they should be (as stated above).
>
> I think you confuse two issues. One is the generic problem as I write above (memory resident libraries issue). Another is the glibc NSS start problem as I write below. Or did you point at the messages which are not shown in libc6.postinst when you upgraded from 2.2 to 2.3?

I was writing 'bout the echo-messages in Woody's glibc-version which inform the user about restarting services in case of upgrading from 2.1 to 2.2, so I suppose this is a similar case as 2.2 -> 2.3. Anyway, I did not think of glibc NSS start problems... As I've already mentioned, I actually don't know enough about the inside-workings of glibc and the corresponding techniques. I actually just thought about the memory resident libraries issue, yes.

> OK, now start to say about the glibc NSS start problem. The reason why glibc needs to restart all NSS authentication services was written in my (a bit long) mail:
> http://lists.debian.org/debian-glibc/2003/debian-glibc-200303/msg00276.html
> The problem is dlopen().

Thanks for your explanation and the link. I'll check it out as soon as some spare time drops by... but this might take a while. :)

Thanks too for clearing things up for me (still) definitely being more of a user than a developer.

Cheers,
Max

-- 
The first time any man's freedom is trodden on, we're all damaged.
Cpt. Picard, The Drumhead, StarTrek TNG
http://homex.subnet.at/~max/
Re: libc6 (security) update does not restart system-services?
On Sat, 19 Apr 2003 18:04:01 +0200 Bernd Eckenfels [EMAIL PROTECTED] wrote:
> On Sun, Apr 20, 2003 at 12:05:49AM +0900, GOTO Masanori wrote:
> > So every time we have to restart all binaries which use a library involving a security problem. In addition, this problem affects not only debian packages, but user-built binaries.
>
> Well, this is why it is most often described in the security advisory. To be sure one can either use init 1 and get back to multi user mode, or use tools like lsof or my package of memstat to find loaded and deleted libraries.

I couldn't find any information about restarting programs and services (no matter what way) in DSA-282 (the corresponding DSA for the libc-update). Though I think it's a good idea to place such information in the DSA, I'd suppose a small notice this message in the postinst script (as described in my other mail) would be good as this information will reach those not reading the DSAs too.

Cheers
Max

-- 
The first time any man's freedom is trodden on, we're all damaged.
Cpt. Picard, The Drumhead, StarTrek TNG
http://homex.subnet.at/~max/
Re: libc6 (security) update does not restart system-services?
At Fri, 18 Apr 2003 17:24:17 +0200, Markus Amersdorfer wrote:
> On Fri, 18 Apr 2003 13:06:07 +0900 GOTO Masanori [EMAIL PROTECTED] wrote:
> > > - /var/lib/dpkg/info/libc6.postinst checks for $1 == configure (which is the case when updating, isn't it?). If true it afterwards checks if $2 is lower than 2.1.95-1 (I assume this corresponds to the previously installed version) and _only if this is the case_ it restarts most of the services.
> > > Woody comes with libc6 2.2.5-11.5, so the section about restarting services is never reached. This leaves the machine vulnerable as all services use the old library until restarted.
> > > Shouldn't the services be restarted when installing a new libc-version? What reasons would there be not to restart services?
> >
> > Restarting services is needed only once: upgrading from 2.2.x to 2.3.x. The reason is simple. NSS (Name Service Switch) is much changed, and it becomes incompatible between 2.2 and 2.3. So if you use a woody server, not sarge, then you have no need to restart services. If you use libc6 2.2.x, it's not related.
>
> So restarting services is necessary when upgrading from 2.2.x to 2.3.x to make sure everything works fine (as e.g. the example of xdm you mention below). When staying with basically the same version and simply doing a security-update, there are no compatibility-problems, of course, so everything keeps running smoothly.
>
> But my concern is that running programs such as system services use the old libraries instead of the new one as long as they continue running, don't they? If they do the security bug is still exploitable though the new libraries are already installed on the system.

Yes, right, good point. This is not only a glibc issue; this problem affects all library packages. The old libraries are in remove-pending state on the file system, and reside in applications. So every time we have to restart all binaries which use a library involving a security problem. In addition, this problem affects not only debian packages, but user-built binaries.

I have to warn all users who believe that "we need only apt-get upgrade, yeah, that's all folks!" concept. It's not true for this library upgrade issue. From our glibc upgrade experience, it's difficult to restart packages which have a specific problem automatically... The simple method to detect old libraries is to use lsof, so the debian package system can warn users that there are old libraries which have a security problem, so you should restart these binaries. I don't know if there is a good way to fix this problem.

> > > If everything _is_ designed not to restart the services, I suppose telling the users to take care of that themselves would be a good idea for example using a simple echo in the post-install script (or similar).
> >
> > The restarting message is not sufficient for you?
>
> Of course, but the message is only shown if the services _are_ to be restarted (which is only when doing a major version update). Services are not restarted by the security update though I think they should be (as stated above). If I'm wrong, please correct me. :)

I think you confuse two issues. One is the generic problem as I write above (memory resident libraries issue). Another is the glibc NSS start problem as I write below. Or did you point at the messages which are not shown in libc6.postinst when you upgraded from 2.2 to 2.3?

> > BTW, I plan to dupload 2.3.1-17 that has a preinst message to choose libc6 upgrade or not. It's needed because for example xdm cannot authenticate after installing libc6, but we cannot restart xdm with postinst automatically (user's X11 session is destroyed). I add messages in next 2.3.1-17 as they have to restart xdm by hand. If you have requests about restarting messages, please tell me.
>
> Though I don't know enough about the detailed processes running inside the library packages: Sounds great. :) Perhaps it's possible to delay installation of the libraries until the next reboot? The user would have the chance to have the libraries installed instantly (which would break xdm), automatically at the next reboot (is that what you meant above?) or not at all at the moment (though I currently can't think of a good reason why to do that).

You said about the generic problem (memory resident libraries issue), and I don't think it should be. Delaying installation every time requires a system reboot. But some users know it needs only an application restart. In addition, it's only applicable in upgrades between the same library version. If this delayed installation is introduced for glibc, then upgrade from woody to sarge breaks all binaries. Sarge packages depend on glibc 2.3.x, and it can't run under woody's glibc 2.2.5 environment. If you run sarge/sid /bin/ls under woody glibc 2.2.5, then you get this error:

  /bin/ls: /lib/libc.so.6: version `GLIBC_2.3' not found (required by /bin/ls)

OK, now start to say about glibc NSS
Re: libc6 (security) update does not restart system-services?
On Sun, Apr 20, 2003 at 12:05:49AM +0900, GOTO Masanori wrote:
> So every time we have to restart all binaries which use a library involving a security problem. In addition, this problem affects not only debian packages, but user-built binaries.

Well, this is why it is most often described in the security advisory. To be sure one can either use init 1 and get back to multi user mode, or use tools like lsof or my package of memstat to find loaded and deleted libraries.

This is also good to do on a regular interval if you update your systems for no security reasons:
- it will free memory and will make the filesystem get rid of open/deleted files, which can cause problems like the inability to remount ro or messages like setting dtime of deleted inode on fsck.

Greetings
Bernd

-- 
(OO) -- [EMAIL PROTECTED] --
( .. ) [EMAIL PROTECTED],linux.de,debian.org} http://home.pages.de/~eckes/
o--o *plush* 2048/93600EFD [EMAIL PROTECTED] +497257930613 BE5-RIPE
(OO) When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!
Re: libc6 (security) update does not restart system-services?
Bernd Eckenfels wrote:
> GOTO Masanori wrote:
> > So every time we have to restart all binaries which use a library involving a security problem. In addition, this problem affects not only debian packages, but user-built binaries.
>
> Well, this is why it is most often described in the security advisory.

It seems to me that while there is the reputation "Rebooting is for adding new hardware" that sometimes rebooting is also for security and other updates. I have been training people that Debian does not *force* a reboot at the time that the update is made but allows the admin to schedule a reboot at their convenience for critical library updates such as glibc, use your judgement. Coming from other systems which force a reboot for almost any update this is seen as a breath of fresh air. (No, amazingly I am not talking about MS here, but rather HPUX which has many gratuitous reboots when swinstall'ing updates.)

> To be sure one can either use init 1 and get back to multi user mode,

Basically moving through 'init 1' is almost the same as a reboot. It just preserves your uptime stats. :-) I would not move through 'init 1' programmatically.

> or use tools like lsof or my package of memstat to find loaded and deleted libraries.

I believe this process to be much too complicated to be used successfully in the general case. You would need to match each running process back to a /etc/init.d restart methodology. These frequently do not have a one to one mapping. You could design a new methodology to be added to policy which packages with running daemons would need to register themselves to ensure a proper restart. So much work would be needed to make this happen smoothly.

> This is also good to do on a regular interval if you update your systems for no security reasons:
> - it will free memory and will make the filesystem get rid of open/deleted files, which can cause problems like the inability to remount ro or messages like setting dtime of deleted inode on fsck.

Except for the uptime wars (2 years 2 weeks!, between power outs here) I generally reboot servers monthly. This has the added benefit that it also ensures that the servers will boot cleanly and an admin has not broken something with a manual tweak.

Bob
Re: libc6 (security) update does not restart system-services?
At Thu, 17 Apr 2003 23:28:02 +0200, Markus Amersdorfer wrote:
> I've recently upgraded my Woody-Servers according to the latest libc6 security update (DSA-282), and it seems that services were _not_ reloaded by the post-install-script!?
>
> More detailed information:
> When investigating the situation, I found out the following (if I read everything right, please correct me if I'm wrong):
> - dselect [U]pdate calls dpkg --install new-package.
> - Debian-Policy chapter 6 says that thus the new package's postinst script is run with configure as the first command-line-argument.
> - /var/lib/dpkg/info/libc6.postinst checks for $1 == configure (which is the case when updating, isn't it?). If true it afterwards checks if $2 is lower than 2.1.95-1 (I assume this corresponds to the previously installed version) and _only if this is the case_ it restarts most of the services.
>
> Woody comes with libc6 2.2.5-11.5, so the section about restarting services is never reached. This leaves the machine vulnerable as all services use the old library until restarted.
>
> Shouldn't the services be restarted when installing a new libc-version? What reasons would there be not to restart services?

Restarting services is needed only once: upgrading from 2.2.x to 2.3.x. The reason is simple. NSS (Name Service Switch) is much changed, and it becomes incompatible between 2.2 and 2.3. So if you use a woody server, not sarge, then you have no need to restart services. If you use libc6 2.2.x, it's not related.

> If everything _is_ designed not to restart the services, I suppose telling the users to take care of that themselves would be a good idea for example using a simple echo in the post-install script (or similar).

The restarting message is not sufficient for you?

BTW, I plan to dupload 2.3.1-17 that has a preinst message to choose libc6 upgrade or not. It's needed because for example xdm cannot authenticate after installing libc6, but we cannot restart xdm with postinst automatically (user's X11 session is destroyed). I add messages in next 2.3.1-17 as they have to restart xdm by hand. If you have requests about restarting messages, please tell me.

Regards,
-- gotom
Re: libc6 (security) update does not restart system-services?
On Fri, 18 Apr 2003 13:06:07 +0900 GOTO Masanori [EMAIL PROTECTED] wrote:
> > Hi! I've recently upgraded my Woody-Servers according to the latest libc6 security update (DSA-282), and it seems that services were _not_ reloaded by the post-install-script!?
> > [...]
> > - /var/lib/dpkg/info/libc6.postinst checks for $1 == configure (which is the case when updating, isn't it?). If true it afterwards checks if $2 is lower than 2.1.95-1 (I assume this corresponds to the previously installed version) and _only if this is the case_ it restarts most of the services.
> >
> > Woody comes with libc6 2.2.5-11.5, so the section about restarting services is never reached. This leaves the machine vulnerable as all services use the old library until restarted.
> >
> > Shouldn't the services be restarted when installing a new libc-version? What reasons would there be not to restart services?
>
> Restarting services is needed only once: upgrading from 2.2.x to 2.3.x. The reason is simple. NSS (Name Service Switch) is much changed, and it becomes incompatible between 2.2 and 2.3. So if you use a woody server, not sarge, then you have no need to restart services. If you use libc6 2.2.x, it's not related.

So restarting services is necessary when upgrading from 2.2.x to 2.3.x to make sure everything works fine (as e.g. the example of xdm you mention below). When staying with basically the same version and simply doing a security-update, there are no compatibility-problems, of course, so everything keeps running smoothly.

But my concern is that running programs such as system services use the old libraries instead of the new one as long as they continue running, don't they? If they do the security bug is still exploitable though the new libraries are already installed on the system.

> > If everything _is_ designed not to restart the services, I suppose telling the users to take care of that themselves would be a good idea for example using a simple echo in the post-install script (or similar).
>
> The restarting message is not sufficient for you?

Of course, but the message is only shown if the services _are_ to be restarted (which is only when doing a major version update). Services are not restarted by the security update though I think they should be (as stated above). If I'm wrong, please correct me. :)

> BTW, I plan to dupload 2.3.1-17 that has a preinst message to choose libc6 upgrade or not. It's needed because for example xdm cannot authenticate after installing libc6, but we cannot restart xdm with postinst automatically (user's X11 session is destroyed). I add messages in next 2.3.1-17 as they have to restart xdm by hand. If you have requests about restarting messages, please tell me.

Though I don't know enough about the detailed processes running inside the library packages: Sounds great. :) Perhaps it's possible to delay installation of the libraries until the next reboot? The user would have the chance to have the libraries installed instantly (which would break xdm), automatically at the next reboot (is that what you meant above?) or not at all at the moment (though I currently can't think of a good reason why to do that).

Cheers,
Max

-- 
The first time any man's freedom is trodden on, we're all damaged.
Cpt. Picard, The Drumhead, StarTrek TNG
http://homex.subnet.at/~max/
libc6 (security) update does not restart system-services?
Hi!

I've recently upgraded my Woody-Servers according to the latest libc6 security update (DSA-282), and it seems that services were _not_ reloaded by the post-install-script!?

More detailed information:
When investigating the situation, I found out the following (if I read everything right, please correct me if I'm wrong):
- dselect [U]pdate calls dpkg --install new-package.
- Debian-Policy chapter 6 says that thus the new package's postinst script is run with configure as the first command-line-argument.
- /var/lib/dpkg/info/libc6.postinst checks for $1 == configure (which is the case when updating, isn't it?). If true it afterwards checks if $2 is lower than 2.1.95-1 (I assume this corresponds to the previously installed version) and _only if this is the case_ it restarts most of the services.

Woody comes with libc6 2.2.5-11.5, so the section about restarting services is never reached. This leaves the machine vulnerable as all services use the old library until restarted.

Shouldn't the services be restarted when installing a new libc-version? What reasons would there be not to restart services?

If everything _is_ designed not to restart the services, I suppose telling the users to take care of that themselves would be a good idea for example using a simple echo in the post-install script (or similar).

Thx in advance,
Max

-- 
The first time any man's freedom is trodden on, we're all damaged.
Cpt. Picard, The Drumhead, StarTrek TNG
http://homex.subnet.at/~max/
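To make the two cases the thread separates concrete, here is an added example of how a maintainer script can tell them apart from the arguments dpkg passes to postinst (the "configure" action plus the previously installed version, as the message above describes; the second argument is empty on a fresh install). It is my own sketch, not Debian's libc6.postinst and not code posted by anyone in this thread: a change of upstream series such as 2.2.x to 2.3.x is the case where, per gotom, NSS becomes incompatible and services must be restarted, while a same-series update such as a security fix is the case where nothing is incompatible but every running process keeps the replaced library mapped until it is restarted. The helper names, the version parsing and the notice wording are assumptions of this example; the version numbers are the ones quoted in the thread, except 2.2.5-11.9, which is made up for the demo.

```shell
#!/bin/sh
# Added example: decide, from the arguments dpkg hands to a postinst
# ("configure" plus the previously installed version, empty on a fresh
# install), whether a libc6 upgrade crosses an upstream series boundary.
# This is my own sketch, not Debian's libc6.postinst; helper names and the
# notice wording are hypothetical, version numbers are those from the thread.

# upstream_series VERSION -> "MAJOR.MINOR" of the upstream part
#   Strips a Debian epoch ("1:") and revision ("-11.5"), then keeps the
#   first two numeric components: "2.2.5-11.5" -> "2.2", "1:2.3.1-17" -> "2.3".
upstream_series() {
    printf '%s\n' "$1" | sed -e 's/^[0-9]*://' -e 's/-[^-]*$//' | awk -F. '{ print $1 "." $2 }'
}

# upgrade_kind PREVIOUS NEW -> fresh-install | series-change | same-series
upgrade_kind() {
    if [ -z "$1" ]; then
        echo fresh-install
    elif [ "$(upstream_series "$1")" != "$(upstream_series "$2")" ]; then
        echo series-change
    else
        echo same-series
    fi
}

# postinst_notice ACTION PREVIOUS NEW
#   What a postinst could print for each case.  A real script would restart
#   services in the series-change branch; this sketch only notifies, since
#   the thread shows that restarting (e.g. xdm) cannot be done blindly.
postinst_notice() {
    [ "$1" = configure ] || return 0
    case $(upgrade_kind "$2" "$3") in
        fresh-install)
            ;;  # nothing can be holding the old library yet
        series-change)
            echo "libc6: $2 -> $3 changes NSS; services that authenticate (e.g. xdm) must be restarted."
            ;;
        same-series)
            echo "libc6: $2 -> $3 replaced the library on disk; running processes keep the old copy mapped."
            echo "libc6: check lsof or /proc/*/maps for mappings marked (deleted) and restart those programs."
            ;;
    esac
}

# Stand-alone demo with constructed version strings (2.2.5-11.9 is made up).
if [ "${1:-}" = "--demo" ]; then
    postinst_notice configure 2.2.5-11.5 2.2.5-11.9
    postinst_notice configure 2.2.5-11.5 2.3.1-17
    postinst_notice configure "" 2.3.1-17
fi
```

The point of splitting the decision this way is the one Max raises for Woody: in the stable tree almost every same-series libc6 upgrade is a security update, so the same-series branch is exactly where a notice about memory-resident old libraries is warranted, independent of the NSS-driven restart that the existing postinst already handles for the series change.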