Re: Checking for services to be restarted on a default Debian installation
On 09/08/2014 06:33 AM, David Prévot wrote:
> On 07/09/2014 10:54, Paul Wise wrote:
>> On Sun, Sep 7, 2014 at 9:30 PM, David Prévot wrote:
>>> How does it work if the upgrade runs in the background? Will all needed services be restarted without asking? (If so, the gdm3 restart issue may be a blocker).
>>
>> Not sure what you mean by 'in the background'
>
> I meant if a tool that takes care of automatically upgrading packages in the background (e.g., unattended-upgrades) is installed and running.

needrestart is scriptable... could be called by some hook in the background restarting any service (but it won't do it by default).

>> but there is an option to automatically restart services, the default is to ask (via debconf) for each service, defaulting each package to restart.
>
> That’s another annoying thing: even if it looks like a debconf screen, it doesn’t seem to offer its advantages, and doesn’t seem translated nor translatable (which is a must according to policy 3.9.1). That

The debconf stuff is upstream and IMHO *not* a 3.9.1 Prompting in maintainer scripts issue (but I'm willing to fix your bug report #761068 anyway :-).

> package seems pretty young, not much used (comparing its popcon with the unattended-upgrades’ one), and even if its goal is valuable, I’m not convinced that pushing it into the default install less than two months before the freeze is really a good idea.

ACK

Needrestart won't tell you which processes are using orphaned libraries - this is completely hidden from the user. It will only bother restarting corresponding services... and the package is shipped with an ignore list for services which are known to break something while restarting (i.e. NetworkManager, DMs, dbus, dhclient, ...). Inexperienced users should be OK with that minimally invasive approach.

Regards,
Thomas
Re: Checking for services to be restarted on a default Debian installation
[ Still replying on security since that’s where the thread started, but feel free to follow up on private maintainer’s list since it becomes off topic for security. ]

Hi Thomas,

On 10/09/2014 14:29, Thomas Liske wrote:
> The debconf stuff is upstream and IMHO *not* a 3.9.1 Prompting in maintainer scripts issue (but I'm willing to fix your bug report #761068 anyway :-).

Great to:
- see one of the maintainers is following this thread;
- you’re willing to follow up on a BTS request, even if it’s not conform to what it says ;).

Feel free to keep in the loop (for translation call coordination, or even i18n help if needed) if you wish to.

Regards

David
Re: Checking for services to be restarted on a default Debian installation
On Tue, Sep 2, 2014 at 2:48 AM, Thijs Kinkhorst wrote:
> I think it would help the security of the average Debian system if some tool to restart services after package upgrades was installed by default. There's checkrestart from debian-goodies, but since Jessie also the a bit more modern needrestart in its own package. I've been running the latter on a few systems for a while now and am satisfied with how it works.

In jessie there is also whatmaps. The results from checkrestart seem to be different to needrestart in many cases, since the latter ignores some services that are problematic/impossible to restart (like gdm/dbus or any programs running in user sessions).

> My questions to this list:
> - Do people agree that this would be something that's good to have in a default installation? Are there drawbacks?

Yes please.

--
bye, pabs
https://wiki.debian.org/PaulWise
Re: Checking for services to be restarted on a default Debian installation
On 07/09/2014 02:07, Paul Wise wrote:
> On Tue, Sep 2, 2014 at 2:48 AM, Thijs Kinkhorst wrote:
>
> In jessie there is also whatmaps. The results from checkrestart seem to be different to needrestart in many cases, since the latter ignores some services that are problematic/impossible to restart (like gdm/dbus or any programs running in user sessions).

It doesn’t seem to work as expected: it defaults to restart gdm3 where I stand.

>> My questions to this list:
>> - Do people agree that this would be something that's good to have in a default installation? Are there drawbacks?

Not restarting the DM by default seems to be a nice thing to have.

How does it work if the upgrade runs in the background? Will all needed services be restarted without asking? (If so, the gdm3 restart issue may be a blocker).

Regards

David
Re: Checking for services to be restarted on a default Debian installation
On Sun, Sep 7, 2014 at 9:30 PM, David Prévot wrote:
> It doesn’t seem to work as expected: it defaults to restart gdm3 where I stand.

Could you file a bug about that? The default needrestart blacklist contains /usr/sbin/gdm3 so that shouldn't happen.

> Not restarting the DM by default seems to be a nice thing to have.

Seems like a bug in the DMs to me, OpenSSH manages to be able to be restarted without killing user sessions.

> How does it work if the upgrade runs in the background? Will all needed services be restarted without asking? (If so, the gdm3 restart issue may be a blocker).

Not sure what you mean by 'in the background' but there is an option to automatically restart services, the default is to ask (via debconf) for each service, defaulting each package to restart.

--
bye, pabs
https://wiki.debian.org/PaulWise
Re: Checking for services to be restarted on a default Debian installation
On 7 September 2014 15:30:22 CEST, David Prévot taf...@debian.org wrote:
> On 07/09/2014 02:07, Paul Wise wrote:
>> On Tue, Sep 2, 2014 at 2:48 AM, Thijs Kinkhorst wrote:
>>> My questions to this list:
>>> - Do people agree that this would be something that's good to have in a default installation? Are there drawbacks?
>
> Not restarting the DM by default seems to be a nice thing to have.
>
> How does it work if the upgrade runs in the background? Will all needed services be restarted without asking? (If so, the gdm3 restart issue may be a blocker).

As a long time user and system administrator I agree that notification and *optional* automatic restarts have a place in the default install (with appropriate notes in the changelog for Jessie, obviously!).

For a server, there should be some easy to adjust setting, choosing between automatic restarts and simply notifying of restart of x, y, z needed due to upgrade b and c (with comment from changelog: is this a security issue?).

Do we have a framework for persistent gui notifications on the desktop? Eg: next time someone in the sudo group logs in; show request for system restart/kexec and/or subsystem restarts? I know Ubuntu has a default software center thing for that -- is there something like it in tasksel-desktop? (I generally run a lean xmonad-only setup - a notification in my xmobar would be nice, though)

On a server I'm generally happy with an email to root - but do we have somewhere we could put notifications? Eg: service names in /var/run/restart-pending or something along those lines? The idea being that apt/dpkg/checkrestart could append package names here, and a do-pending-restarts-script could remove them (probably better just to run checkrestarts again and verify start time/loaded libraries vs latest installed version and update the needs-restart queue as appropriate?).

The more I think about, the better I like the idea of having a text-file as a job queue of pending restarts, and a script that checks running processes for open dlls that updates such a file (can be put in cron for generating gui alerts w fallback to console alerts on systems w/o xorg). Alerting for restarts amounts to checking for the presence of such a file and re-running the checkrestart script to regenerate it, or remove it if all needed restarts are done (separate file for kernel, or use service name kexec? For servers it might be nice to notify on updated initrd/grub.cfg as there is no *guarantee* the system will boot after such changes -- until they've been verified by a successful reboot).

Thoughts? Is this overboard for getting into Jessie?

Best regards,
Eirik

--
Via phone - please excuse quoting and spelling
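The check this thread keeps returning to (processes still mapping libraries that an upgrade has replaced, filtered through an ignore list and written to a pending-restarts file), as an added example that is not part of any message and is not needrestart's or checkrestart's code. Assumptions: the ignore-list paths other than /usr/sbin/gdm3, the queue file name and its tab-separated layout, and the sample maps lines, which are constructed.

```python
import os
import re
import tempfile

# Illustrative ignore list: /usr/sbin/gdm3 is named in the thread, the other
# paths are assumptions standing in for "NetworkManager, dbus, dhclient".
IGNORE = {"/usr/sbin/gdm3", "/usr/sbin/NetworkManager",
          "/usr/bin/dbus-daemon", "/sbin/dhclient"}
GONE = " (deleted)"
# /proc/<pid>/maps line: address perms offset dev inode pathname
MAPS_RE = re.compile(r"^\S+ (\S{4}) \S+ \S+ \d+\s+(/.*?\.so[.\d]*) \(deleted\)$")
# Constructed sample input as (pid, exe, maps text); not from a real host.
LIBC = "/lib/x86_64-linux-gnu/libc-2.19.so"
SAMPLE = [
    (812, "/usr/sbin/sshd",
     "7f10a0000000-7f10a01a1000 r-xp 00000000 08:01 1311   " + LIBC + GONE + "\n"),
    (901, "/usr/sbin/gdm3",
     "7f20b0000000-7f20b01a1000 r-xp 00000000 08:01 1311   " + LIBC + GONE + "\n"),
    (455, "/usr/sbin/cron",
     "7f30c0000000-7f30c0001000 rw-s 00000000 00:04 0      /dev/zero (deleted)\n"),
]

def deleted_libs(maps_text):
    """Shared objects mapped executable by this process but unlinked on disk."""
    hits = (MAPS_RE.match(line) for line in maps_text.splitlines())
    return sorted({m.group(2) for m in hits if m and "x" in m.group(1)})

def scan_proc(root="/proc"):
    """Yield (pid, exe, maps_text) for live processes we are allowed to read."""
    for pid in filter(str.isdigit, os.listdir(root)):
        try:
            exe = os.readlink(os.path.join(root, pid, "exe"))
            with open(os.path.join(root, pid, "maps")) as fh:
                yield int(pid), exe, fh.read()
        except OSError:
            continue  # process exited, kernel thread, or permission denied

def pending_restarts(procs, ignore=IGNORE):
    """Group stale processes by executable; return (pending, skipped)."""
    pending, skipped = {}, {}
    for _pid, exe, maps_text in procs:
        stale = deleted_libs(maps_text)
        if exe.endswith(GONE):           # the binary itself was replaced
            exe = exe[:-len(GONE)]
            stale.append(exe)
        if not stale:
            continue
        bucket = skipped if exe in ignore else pending
        bucket.setdefault(exe, set()).update(stale)
    return pending, skipped

def write_queue(path, pending):
    """Rewrite the queue file atomically; remove it when nothing is pending."""
    if not pending:
        if os.path.exists(path):
            os.remove(path)
        return False
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as fh:
        for exe in sorted(pending):
            fh.write("%s\t%s\n" % (exe, ",".join(sorted(pending[exe]))))
    os.replace(tmp, path)
    return True

if __name__ == "__main__":
    found, _ignored = pending_restarts(scan_proc())
    print(write_queue("restart-pending", found), found)  # hypothetical file name
```

Run as root to see every process; an unprivileged run silently skips processes it cannot read, so an empty result is not proof that nothing needs a restart.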
Re: Checking for services to be restarted on a default Debian installation
On 07/09/2014 10:54, Paul Wise wrote:
> On Sun, Sep 7, 2014 at 9:30 PM, David Prévot wrote:
>> How does it work if the upgrade runs in the background? Will all needed services be restarted without asking? (If so, the gdm3 restart issue may be a blocker).
>
> Not sure what you mean by 'in the background'

I meant if a tool that takes care of automatically upgrading packages in the background (e.g., unattended-upgrades) is installed and running.

> but there is an option to automatically restart services, the default is to ask (via debconf) for each service, defaulting each package to restart.

That’s another annoying thing: even if it looks like a debconf screen, it doesn’t seem to offer its advantages, and doesn’t seem translated nor translatable (which is a must according to policy 3.9.1).

That package seems pretty young, not much used (comparing its popcon with the unattended-upgrades’ one), and even if its goal is valuable, I’m not convinced that pushing it into the default install less than two months before the freeze is really a good idea. Maybe the maintainers could have shed some light, but maybe they’re not even aware of this thread.

Regards

David
Re: Checking for services to be restarted on a default Debian installation
On 08.09.2014 07:33, David Prévot wrote:
> On 07/09/2014 10:54, Paul Wise wrote:
>> On Sun, Sep 7, 2014 at 9:30 PM, David Prévot wrote:
>>> How does it work if the upgrade runs in the background? Will all needed services be restarted without asking? (If so, the gdm3 restart issue may be a blocker).
>>
>> Not sure what you mean by 'in the background'
>
> I meant if a tool that takes care of automatically upgrading packages in the background (e.g., unattended-upgrades) is installed and running.

You can use cron-apt, unattended-upgrades and make your own. I like this unattended-upgrades.

-- Riku

>> but there is an option to automatically restart services, the default is to ask (via debconf) for each service, defaulting each package to restart.
>
> That’s another annoying thing: even if it looks like a debconf screen, it doesn’t seem to offer its advantages, and doesn’t seem translated nor translatable (which is a must according to policy 3.9.1).
>
> That package seems pretty young, not much used (comparing its popcon with the unattended-upgrades’ one), and even if its goal is valuable, I’m not convinced that pushing it into the default install less than two months before the freeze is really a good idea. Maybe the maintainers could have shed some light, but maybe they’re not even aware of this thread.
>
> Regards
>
> David
Re: Checking for services to be restarted on a default Debian installation
* [Mon, Sep 01, 2014 at 08:48:25PM +0200] Thijs Kinkhorst:
> [needrestart]
> - Do people agree that this would be something that's good to have in a default installation? Are there drawbacks?

I like needrestart and I added it to my standard toolbox since its admission in Debian (well, it took some versions for being really usable with a readline front-end), so I second this proposal.

Please however note that it is not a replacement for checkrestart or a plain lsof, as it doesn't care for programs that don't have an init script. Maybe for such programs needrestart should warn and advise that a manual intervention is required, in the same way it currently does for kernel upgrades?

Ciao,
Gian Piero.
Re: Checking for services to be restarted on a default Debian installation
On Tue, Sep 02, 2014 at 01:41:05PM -0700, Jameson Graef Rollins wrote:
> This package is Priority: optional, and therefore not installed by default. What about just making it important or required?

On my system it pulled in more than 20MB of dependencies. That's a lot to push onto every debian system.

Mike Stone
Re: Checking for services to be restarted on a default Debian installation
On Wed, September 3, 2014 15:05, Michael Stone wrote:
> On Tue, Sep 02, 2014 at 01:41:05PM -0700, Jameson Graef Rollins wrote:
>> This package is Priority: optional, and therefore not installed by default. What about just making it important or required?
>
> On my system it pulled in more than 20MB of dependencies. That's a lot to push onto every debian system.

Hmm, yes. The sole culprit of this is libclass-methodmaker-perl, which is a dependency of libterm-progressbar-perl. I'm not enough of a perl wizard to understand why a progressbar would need 20 MB of perl module to work, and whether this is fixable.

Cheers,
Thijs
Re: Checking for services to be restarted on a default Debian installation
On Wed, Sep 03 2014, Michael Stone mst...@debian.org wrote:
> On Tue, Sep 02, 2014 at 01:41:05PM -0700, Jameson Graef Rollins wrote:
>> This package is Priority: optional, and therefore not installed by default. What about just making it important or required?
>
> On my system it pulled in more than 20MB of dependencies. That's a lot to push onto every debian system.

Is 20MB really a lot? That seems like essentially nothing to me nowadays. I'm in the middle of a 2.2GB upgrade right now.

jamie.
Re: Checking for services to be restarted on a default Debian installation
On Wed, 3 Sep 2014, Jameson Graef Rollins wrote:
> On Wed, Sep 03 2014, Michael Stone mst...@debian.org wrote:
>> On Tue, Sep 02, 2014 at 01:41:05PM -0700, Jameson Graef Rollins wrote:
>>> This package is Priority: optional, and therefore not installed by default. What about just making it important or required?
>>
>> On my system it pulled in more than 20MB of dependencies. That's a lot to push onto every debian system.
>
> Is 20MB really a lot? That seems like essentially nothing to me nowadays. I'm in the middle of a 2.2GB upgrade right now.
>
> jamie.

I just installed alpine as my plain text email client and that fits in less than 8MB of dependencies altogether. The checkrestart utility weighing 20MB can probably be fixed.
Re: Checking for services to be restarted on a default Debian installation
On Wed, Sep 03, 2014 at 11:34:46AM -0700, Jameson Graef Rollins wrote:
> Is 20MB really a lot? That seems like essentially nothing to me nowadays. I'm in the middle of a 2.2GB upgrade right now.

It sure is for people doing minimal installations in a number of contexts. Yeah, it's nothing compared to gnome. It is a pretty significant fraction of debian's current minimum footprint.

Mike Stone
Re: Checking for services to be restarted on a default Debian installation
On Tue, 2014-09-02 at 00:11 +0300, Mikko Rapeli wrote:
> As a workaround I, and hopefully most users, know about debian-goodies and checkrestart, and figure out on their own if a reboot is necessary.

It's quite certain that about nobody knows about debian-goodies or checkrestart.

Regards,
--
Yves-Alexis
Re: Checking for services to be restarted on a default Debian installation
Hi,

On 02/09/2014 04:05, Yves-Alexis Perez wrote:
> It's quite certain that about nobody knows about debian-goodies or checkrestart.

The Securing Debian Manual recommends it, so hopefully you’re wrong.

https://www.debian.org/doc/manuals/securing-debian-howto/ch4#s-lib-security-update

Regards

David
Re: Checking for services to be restarted on a default Debian installation
On Tue, Sep 02 2014, David Prévot taf...@debian.org wrote:
> On 02/09/2014 04:05, Yves-Alexis Perez wrote:
>> It's quite certain that about nobody knows about debian-goodies or checkrestart.
>
> The Securing Debian Manual recommends it, so hopefully you’re wrong.
>
> https://www.debian.org/doc/manuals/securing-debian-howto/ch4#s-lib-security-update

I agree that certainly most people do not know about it. And it's almost certain that most casual users do not. I'm a long time Debian user and I didn't know about it.

I think the original point raised in this thread is a good one. There should be a more unified and automated way for the system to know that restarts are needed in order for security fixes to take effect. Admins should have to manually run obscure scripts to check things like that.

jamie.
Re: Checking for services to be restarted on a default Debian installation
On 02/09/2014 18:04, Jameson Graef Rollins wrote:
> On Tue, Sep 02 2014, David Prévot taf...@debian.org wrote:
> Admins should have to manually run obscure scripts to check things like that.

s/should have/should not have/

--
Jack.
Re: Checking for services to be restarted on a default Debian installation
On Tue, Sep 02 2014, Jack j...@jackpot.uk.net wrote:
> On 02/09/2014 18:04, Jameson Graef Rollins wrote:
>> On Tue, Sep 02 2014, David Prévot taf...@debian.org wrote:
>> Admins should have to manually run obscure scripts to check things like that.
>
> s/should have/should not have/

Yes, thank you for the correction. I definitely meant that they should *not* have to manually run obscure scripts...

jamie.
Re: Checking for services to be restarted on a default Debian installation
The needrestart package from jessie with package defaults appears to run automatically and suggest, but not automatically perform, necessary service restarts.

On 09/02/2014 11:56 AM, Jameson Graef Rollins wrote:
> On Tue, Sep 02 2014, Jack j...@jackpot.uk.net wrote:
>> On 02/09/2014 18:04, Jameson Graef Rollins wrote:
>>> On Tue, Sep 02 2014, David Prévot taf...@debian.org wrote:
>>> Admins should have to manually run obscure scripts to check things like that.
>>
>> s/should have/should not have/
>
> Yes, thank you for the correction. I definitely meant that they should *not* have to manually run obscure scripts...
>
> jamie.
Re: Checking for services to be restarted on a default Debian installation
On Tue, Sep 02 2014, Tom Dial tdd...@comcast.net wrote:
> The needrestart package from jessie with package defaults appears to run automatically and suggest, but not automatically perform, necessary service restarts.

This package is Priority: optional, and therefore not installed by default. What about just making it important or required?

jamie.
Re: Checking for services to be restarted on a default Debian installation
Thijs Kinkhorst th...@debian.org (2014-09-01):
> My questions to this list:
> - Do people agree that this would be something that's good to have in a default installation? Are there drawbacks?

Having to know about debian-goodies always looked awkward to me. A dedicated, easy to identify package looks like a nice idea to me.

> - If agreed, how would we approach this? I have to admit that I do not know who decides what is part of a default install or where this is implemented.

(Hopefully the following isn't too far from reality, just had a very quick look.)

That would be the standard task, defined in tasksel (tasks/standard) with “Packages: standard”, which pulls packages with that priority; FWIW that task is a bit special since it's not defined as a task-$foo package.

Mraw,
KiBi.
Re: Checking for services to be restarted on a default Debian installation
Long ago I started one thread about making security updates effective, so...

On Mon, Sep 01, 2014 at 08:48:25PM +0200, Thijs Kinkhorst wrote:
> My questions to this list:
> - Do people agree that this would be something that's good to have in a default installation? Are there drawbacks?

Well, one drawback is having to trust a system running potentially vulnerable software.

As Debian user I'd like to get the information on how to make updates effective also from the trusted developers and security update folks. Would be nice for DSA's to say After updating the packages You need to restart the computer, or an optimization like need to re-login, restart browser etc, and maybe even the possibility to automatically do this, or at least prompt the user. This is what Ubuntu has managed to do, AFAIK.

https://www.debian.org/security/2014/dsa-3012
> We recommend that you upgrade your eglibc packages.

Updating eglibc packages is hardly enough to fix the problem.

As a workaround I, and hopefully most users, know about debian-goodies and checkrestart, and figure out on their own if a reboot is necessary.

-Mikko