Re: [Full-disclosure] Security Updates Without Rebooting
On 11/8/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: [...] Note that rpm will only do that if the person who packaged the updated RPM specified a 'postinstall' scriptlet requesting it. So RPM *can* restart a daemon, but it's a function of the package, not of rpm. [...] Sorry for the late posting... it's an RPM specification that RPM package installation should perform completely unattended. Restarting a daemon is possible in the postinstall script but it seems a task which should be asked to the sysadmin to be performed or not (like APT and DEB packages did - but they are NOT assumed to be performed unattended). Cheers -- Marco Ermini Dubium sapientiae initium. (Descartes) [EMAIL PROTECTED] # mount -t life -o ro /dev/dna /genetic/research (This message is for the designated recipient only and may contain privileged or confidential information. If you have received it in error, please notify the sender immediately and delete the original.) ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Security Updates Without Rebooting
On Mon, Nov 07, 2005 at 10:42:11PM +, Carlos Silva aka|Danger_Man| wrote: Hello all, Can someone explain how to apply security patches on the system without rebooting the machine? I guess that I cant patch the kernel without compiling and rebooting the machine, so the only way is with iptables and keeping the daemons fresh? Regards, Carlos Silva, If we are talking some *nix, just stop the vulnerable daemon, update, and start it again. Not very difficult... Patching the kernel while running is be possible, but hardly practical - unless you are very, very good. I've never seen it done, but it does happen in rootkits and is said to be possible in many cases. (What seems, to me, to be more practical is just to build a modular Linux kernel and update only the vulnerable module with the most minimal patch you can find - however, this only works with very modular kernels, OpenBSD wouldn't be helped much by this. Then again, patching the OpenBSD kernel isn't required too often...) Joachim ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Security Updates Without Rebooting
Hello all, Can someone explain how to apply security patches on the system without rebooting the machine? I guess that I cant patch the kernel without compiling and rebooting the machine, so the only way is with iptables and keeping the daemons fresh? Regards, Carlos Silva, http://osiris.csilva.org/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Security Updates Without Rebooting
Hey, Can someone explain how to apply security patches on the system without rebooting the machine? I guess that I cant patch the kernel without compiling and rebooting the machine, so the only way is with iptables and keeping the daemons fresh? Well, if you have a customised kernel you'll probably find that your need to reboot with a new kernel becomes fairly low (Kernel level exploits are fairly rare, especially remote ones). If you've upgraded services probably the easiest way to ensure they're loaded with the latest version would be to drop the system to single user mode then bring it back up to multiuser mode (ala, init 2, init 3). Stuart ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Security Updates Without Rebooting
On Tue, 08 Nov 2005 09:03:32 +1000, Stuart Low said: Well, if you have a customised kernel you'll probably find that your need to reboot with a new kernel becomes fairly low (Kernel level exploits are fairly rare, especially remote ones). If you've upgraded services probably the easiest way to ensure they're loaded with the latest version would be to drop the system to single user mode then bring it back up to multiuser mode (ala, init 2, init 3). Or, if you're able to identify I only applied an Apache patch, you may very well be able to only restart that one service. For RedHat/Fedora systems, you'd do this with 'service httpd restart' (or replace httpd with the name of the /etc/init.d script that starts/stops the service in question). For other systems, you should be able to find a similar stop then restart for the specific daemon in question. pgpx9pCQNMb3W.pgp Description: PGP signature ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Security Updates Without Rebooting
Carlos Silva aka |Danger_Man| wrote: Can someone explain how to apply security patches on the system without rebooting the machine? If you are interested in Windows patches (I apologise for the market-speak): http://www.determina.com/solutions/liveshield.html On Linux you can just restart the patched service of course. Most package managers (i.e. dpkg and rpm) will do it for you after the update. Alexander Sotirov ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Security Updates Without Rebooting
On Mon, 07 Nov 2005 18:05:11 PST, Alexander Sotirov said: On Linux you can just restart the patched service of course. Most package managers (i.e. dpkg and rpm) will do it for you after the update. Note that rpm will only do that if the person who packaged the updated RPM specified a 'postinstall' scriptlet requesting it. So RPM *can* restart a daemon, but it's a function of the package, not of rpm. pgpkcDtW7yVgY.pgp Description: PGP signature ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/