Re: Checking for services to be restarted on a default Debian installation
On Tue, Sep 2, 2014 at 2:48 AM, Thijs Kinkhorst wrote:

> I think it would help the security of the average Debian system if some
> tool to restart services after package upgrades was installed by default.
>
> There's checkrestart from debian-goodies, but since Jessie there is also
> the somewhat more modern needrestart in its own package. I've been running
> the latter on a few systems for a while now and am satisfied with how it
> works.

In jessie there is also whatmaps.

> The results from checkrestart seem to be different to needrestart in many
> cases, since the latter ignores some services that are
> problematic/impossible to restart (like gdm/dbus or any programs running
> in user sessions).
>
> My questions to this list:
> - Do people agree that this would be something that's good to have in a
>   default installation? Are there drawbacks?

Yes please.

--
bye,
pabs

https://wiki.debian.org/PaulWise

--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/CAKTje6GRzn2_a3+8TQiKjdby6UHCepjW1L-=mptnstzcu7t...@mail.gmail.com
Re: Checking for services to be restarted on a default Debian installation
On 07/09/2014 02:07, Paul Wise wrote:
> On Tue, Sep 2, 2014 at 2:48 AM, Thijs Kinkhorst wrote:
>
> In jessie there is also whatmaps.
>
>> The results from checkrestart seem to be different to needrestart in many
>> cases, since the latter ignores some services that are
>> problematic/impossible to restart (like gdm/dbus or any programs running
>> in user sessions).

It doesn’t seem to work as expected: it defaults to restarting gdm3 where I stand.

>> My questions to this list:
>> - Do people agree that this would be something that's good to have in a
>>   default installation? Are there drawbacks?

Not restarting by default the DM seems to be a nice thing to have.

How does it work if the upgrade runs in the background? Will all needed services be restarted without asking? (If so, the gdm3 restart issue may be a blocker).

Regards

David
Re: Checking for services to be restarted on a default Debian installation
On Sun, Sep 7, 2014 at 9:30 PM, David Prévot wrote:

> It doesn’t seem to work as expected: it defaults to restarting gdm3 where
> I stand.

Could you file a bug about that? The default needrestart blacklist contains /usr/sbin/gdm3 so that shouldn't happen.

> Not restarting by default the DM seems to be a nice thing to have.

Seems like a bug in the DMs to me, OpenSSH manages to be able to be restarted without killing user sessions.

> How does it work if the upgrade runs in the background? Will all needed
> services be restarted without asking? (If so, the gdm3 restart issue may
> be a blocker).

Not sure what you mean by 'in the background' but there is an option to automatically restart services, the default is to ask (via debconf) for each service, defaulting each package to restart.

--
bye,
pabs

https://wiki.debian.org/PaulWise
Re: Checking for services to be restarted on a default Debian installation
On 7 September 2014 15:30:22 CEST, David Prévot taf...@debian.org wrote:
> On 07/09/2014 02:07, Paul Wise wrote:
>> On Tue, Sep 2, 2014 at 2:48 AM, Thijs Kinkhorst wrote:
>>> My questions to this list:
>>> - Do people agree that this would be something that's good to have in a
>>>   default installation? Are there drawbacks?
>
> Not restarting by default the DM seems to be a nice thing to have.
>
> How does it work if the upgrade runs in the background? Will all needed
> services be restarted without asking? (If so, the gdm3 restart issue may
> be a blocker).

As a long time user and system administrator I agree that notification and *optional* automatic restarts have a place in the default install (with appropriate notes in the changelog for Jessie, obviously!).

For a server, there should be some easy to adjust setting, choosing between automatic restarts and simply notifying of restart of x, y, z needed due to upgrade b and c (with comment from changelog: is this a security issue?).

Do we have a framework for persistent gui notifications on the desktop? Eg: next time someone in the sudo group logs in; show request for system restart/kexec and/or subsystem restarts? I know Ubuntu has a default software center thing for that -- is there something like it in tasksel-desktop? (I generally run a lean xmonad-only setup - a notification in my xmobar would be nice, though)

On a server I'm generally happy with an email to root - but do we have somewhere we could put notifications? Eg: service names in /var/run/restart-pending or something along those lines? The idea being that apt/dpkg/checkrestart could append package names here, and a do-pending-restarts-script could remove them (probably better just to run checkrestarts again and verify start time/loaded libraries vs latest installed version and update the needs-restart queue as appropriate?).

The more I think about it, the better I like the idea of having a text-file as a job queue of pending restarts, and a script that checks running processes for open dlls that updates such a file (can be put in cron for generating gui alerts w fallback to console alerts on systems w/o xorg). Alerting for restarts amounts to checking for the presence of such a file and re-running the checkrestart script to regenerate it, or remove it if all needed restarts are done (separate file for kernel, or use service name kexec? For servers it might be nice to notify on updated initrd/grub.cfg as there is no *guarantee* the system will boot after such changes -- until they've been verified by a successful reboot).

Thoughts? Is this overboard for getting into Jessie?

Best regards,

Eirik

--
Via phone - please excuse quoting and spelling
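An added example, not part of the thread and not code from checkrestart or needrestart, of the idea in the message above: scan each process's memory maps for executable mappings of files that have since been replaced on disk, and keep a text file of pending restarts that disappears once nothing is pending. The function names, the path-prefix filter and the tab-separated queue format are assumptions made for this example.

```python
import os
import re

# /proc/<pid>/maps fields: address perms offset dev inode pathname
MAPS_RE = re.compile(r"^\S+\s+(\S{4})\s+\S+\s+\S+\s+\d+\s+(/.*)$")
DELETED = " (deleted)"  # kernel suffix once the mapped file is unlinked
# Assumption: only files under these prefixes are package-managed.
SYSTEM_PREFIXES = ("/lib", "/usr/", "/bin/", "/sbin/", "/opt/")
# Constructed sample: one process's maps after a libssl upgrade.
SAMPLE_MAPS = """\
7f1c2a000000-7f1c2a1b5000 r-xp 00000000 08:01 393231 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f1c2b000000-7f1c2b1a0000 r-xp 00000000 08:01 393300 /lib/x86_64-linux-gnu/libc-2.19.so
7f1c2c000000-7f1c2c001000 r-xp 00000000 08:01 524301 /tmp/jit-cache.bin (deleted)
"""

def stale_files(maps_text):
    """Files still mapped executable whose on-disk copy was replaced."""
    stale = set()
    for line in maps_text.splitlines():
        m = MAPS_RE.match(line)
        if m and "x" in m.group(1) and m.group(2).endswith(DELETED):
            path = m.group(2)[:-len(DELETED)]
            if path.startswith(SYSTEM_PREFIXES):  # skip scratch/JIT files
                stale.add(path)
    return stale

def scan_proc(proc="/proc"):
    """Return {process name: stale files} for every readable process."""
    pending = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(f"{proc}/{pid}/maps") as maps, open(f"{proc}/{pid}/comm") as comm:
                stale, name = stale_files(maps.read()), comm.read().strip()
        except OSError:  # process exited, or we lack permission
            continue
        if stale:
            pending.setdefault(name, set()).update(stale)
    return pending

def update_queue(pending, queue_path):
    """Regenerate the queue file; delete it once nothing is pending."""
    if pending:
        with open(queue_path + ".tmp", "w") as fh:
            for name in sorted(pending):
                fh.write(name + "\t" + ",".join(sorted(pending[name])) + "\n")
        os.replace(queue_path + ".tmp", queue_path)  # atomic swap
    elif os.path.exists(queue_path):
        os.remove(queue_path)
    return bool(pending)
```

Run from cron as root, `update_queue(scan_proc(), "/var/run/restart-pending")` regenerates the file on every pass, so an alerting job only has to test whether the file exists.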
Re: Checking for services to be restarted on a default Debian installation
On 07/09/2014 10:54, Paul Wise wrote:
> On Sun, Sep 7, 2014 at 9:30 PM, David Prévot wrote:
>
>> How does it work if the upgrade runs in the background? Will all needed
>> services be restarted without asking? (If so, the gdm3 restart issue may
>> be a blocker).
>
> Not sure what you mean by 'in the background'

I meant if a tool that takes care of automatically upgrading packages in the background (e.g., unattended-upgrades) is installed and running.

> but there is an option to automatically restart services, the default is
> to ask (via debconf) for each service, defaulting each package to restart.

That’s another annoying thing: even if it looks like a debconf screen, it doesn’t seem to offer its advantages, and doesn’t seem translated nor translatable (which is a must according to policy 3.9.1).

That package seems pretty young, not much used (comparing its popcon with the unattended-upgrades’ one), and even if its goal is valuable, I’m not convinced that pushing it into the default install less than two months before the freeze is really a good idea.

Maybe the maintainers could have shed some light, but maybe they’re not even aware of this thread.

Regards

David
Re: Checking for services to be restarted on a default Debian installation
On 08.09.2014 07:33, David Prévot wrote:
> On 07/09/2014 10:54, Paul Wise wrote:
>> On Sun, Sep 7, 2014 at 9:30 PM, David Prévot wrote:
>>
>>> How does it work if the upgrade runs in the background? Will all needed
>>> services be restarted without asking? (If so, the gdm3 restart issue may
>>> be a blocker).
>>
>> Not sure what you mean by 'in the background'
>
> I meant if a tool that takes care of automatically upgrading packages in
> the background (e.g., unattended-upgrades) is installed and running.

You can use cron-apt, unattended-upgrades and make your own. I like this unattended-upgrades.

--
Riku

>> but there is an option to automatically restart services, the default is
>> to ask (via debconf) for each service, defaulting each package to restart.
>
> That’s another annoying thing: even if it looks like a debconf screen, it
> doesn’t seem to offer its advantages, and doesn’t seem translated nor
> translatable (which is a must according to policy 3.9.1).
>
> That package seems pretty young, not much used (comparing its popcon with
> the unattended-upgrades’ one), and even if its goal is valuable, I’m not
> convinced that pushing it into the default install less than two months
> before the freeze is really a good idea.
>
> Maybe the maintainers could have shed some light, but maybe they’re not
> even aware of this thread.
>
> Regards
>
> David
External check
CVE-2014-3578: RESERVED

--
The output might be a bit terse, but the above ids are known elsewhere,
check the references in the tracker. The second part indicates the status
of that id in the tracker at the moment the script was run.

--
To UNSUBSCRIBE, email to debian-security-tracker-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/540bff7b.pyfalgh73wyujmug%atomo64+st...@gmail.com