Re: Library security updates

2015-01-28 Thread John Lauro 
 
  If it doesn't protect us is there practicable way to make sure we
  are
  genuinely protected short of rebooting the whole system every time
  there
  is a security update?
 
 Depending on what the update is. If you want to be 100% certain,
 reboot.
 If you don't want to reboot, you can hunt through what programs use
 certain libraries using ld - however the effort taken to do this is
 much
 more than a reboot - and probably takes longer.
 


It actually isn't that hard to track down.
[root@colo-a2vm t2]# lsof -n | grep gcc
hpiod  2649 root  DEL   REG  252,0  
4718941 /lib64/libgcc_s-4.1.2-20080825.so.1;545bc2ea
mysqld 2851mysql  DEL   REG  252,0  
4718941 /lib64/libgcc_s-4.1.2-20080825.so.1;545bc2ea
libvirtd   3121 root  DEL   REG  252,0  
4718941 /lib64/libgcc_s-4.1.2-20080825.so.1;545bc2ea
yum-updat  3343 root  DEL   REG  252,0  
4718941 /lib64/libgcc_s-4.1.2-20080825.so.1;545bc2ea
smartd 3469 root  DEL   REG  252,0  
4718941 /lib64/libgcc_s-4.1.2-20080825.so.1;545bc2ea
automount  6482 root  DEL   REG  252,0  
4718600 /lib64/libgcc_s-4.1.2-20080825.so.1.#prelink#.dvRyeN
httpd 11089 root  mem   REG  252,0 58400
4718834 /lib64/libgcc_s-4.1.2-20080825.so.1
php   11639  ioi  mem   REG  252,0 58400
4718834 /lib64/libgcc_s-4.1.2-20080825.so.1
php   24239  ioi  mem   REG  252,0 58400
4718834 /lib64/libgcc_s-4.1.2-20080825.so.1
httpd 27057   daemon  mem   REG  252,0 58400
4718834 /lib64/libgcc_s-4.1.2-20080825.so.1
httpd 27058   daemon  mem   REG  252,0 58400
4718834 /lib64/libgcc_s-4.1.2-20080825.so.1


You can tell the processes that were not restarted as they show DEL instead of 
mem...

Re: Library security updates

2015-01-28 Thread Steve Traylen 

On 01/28/2015 10:48 AM, Steven Haigh wrote:

And indeed, if yum updates a daemon due to security fixes does the
daemon restart?

By default, package updates won't restart running programs. This is a
manual step.



glibc is special.

When glibc is updated it executes from %post

/usr/sbin/glibc_post_upgrade.x86_64

which severely lacks documentation, best I could find

is it runs

telinit u; service sshd condrestart


It definitely does restart crond I'm sure since a few years back it wend 
bad and crond failed across the whole plant.


Not sure I actually trust the above to actually restart everything.

Re: Library security updates

2015-01-28 Thread Steven Haigh 
On 28/01/2015 8:35 PM, John Rowe wrote:
 I'm sure many people will have seen the recent security update on
 gethostbyname(), etc. Apparently exim can be vulnerable to this.

Yes it is.

 This raises the question: does updating a library package actually
 protect systems from the vulnerability or do daemons continue to use the
 (insecure) version of the library call they linked at start up?

The program (exim in this case) uses a function in the library. It will
continue to use the library that was present when the program started
until you restart the program.

 And indeed, if yum updates a daemon due to security fixes does the
 daemon restart?

By default, package updates won't restart running programs. This is a
manual step.

 If it doesn't protect us is there practicable way to make sure we are
 genuinely protected short of rebooting the whole system every time there
 is a security update?

Depending on what the update is. If you want to be 100% certain, reboot.
If you don't want to reboot, you can hunt through what programs use
certain libraries using ld - however the effort taken to do this is much
more than a reboot - and probably takes longer.

-- 
Steven Haigh

Email: net...@crc.id.au
Web: http://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897



signature.asc
Description: OpenPGP digital signature

Library security updates

2015-01-28 Thread John Rowe 
I'm sure many people will have seen the recent security update on
gethostbyname(), etc. Apparently exim can be vulnerable to this.

This raises the question: does updating a library package actually
protect systems from the vulnerability or do daemons continue to use the
(insecure) version of the library call they linked at start up?

And indeed, if yum updates a daemon due to security fixes does the
daemon restart?

If it doesn't protect us is there practicable way to make sure we are
genuinely protected short of rebooting the whole system every time there
is a security update?

John

Re: Library security updates

2015-01-28 Thread David Sommerseth 
On 28/01/15 10:35, John Rowe wrote:

 And indeed, if yum updates a daemon due to security fixes does the
 daemon restart?

Yes and no.  It mostly depends on what kind of package has been updated.
 Some packages triggers restart of daemons, some does not.  Generally
speaking, packages such as httpd, postfix, openssh-server and such
usually restarts the service when the package is updated.

But for library packages it may be mixed.  Some times daemons are
restarted, but it usually depends on helper scripts (which glibc does
have).  But having that said, it doesn't mean all daemons are restarted.

 If it doesn't protect us is there practicable way to make sure we are
 genuinely protected short of rebooting the whole system every time there
 is a security update?

I generally treat core system libraries (such as glibc) on the same line
as kernel updates.  So I try to do a reboot as soon as possible.
Depending on the severity of the system library update and the time
until I can schedule a reboot defines if I do a restart of critical
daemons.  Generally I only restart daemons using the network, but I have
very few boxes where users log into with shell access.

All non-restarted processes will use the old library until it is
restarted.  This is why a reboot is helpful when core system libraries
are updated, it reassures you that all processes use the latest code.
And having a reboot every now and then is also good sys-admin practice,
to ensure the setup/configuration is always persistent - for the times
if an abrupt reboot happens.


-- 
kind regards,

David Sommerseth

Re: Library security updates

2015-01-28 Thread John Lauro 
Actually, looking at what files were updated, that should probably be
lsof -n | grep -e libc-

(Probably not a lot of difference in the programs listed, but...)

- Original Message -
 From: John Lauro john.la...@covenanteyes.com
 To: Steven Haigh net...@crc.id.au
 Cc: scientific-linux-users@fnal.gov
 Sent: Wednesday, January 28, 2015 9:13:08 AM
 Subject: Re: Library security updates
 
  
   If it doesn't protect us is there practicable way to make sure we
   are
   genuinely protected short of rebooting the whole system every
   time
   there
   is a security update?
  
  Depending on what the update is. If you want to be 100% certain,
  reboot.
  If you don't want to reboot, you can hunt through what programs use
  certain libraries using ld - however the effort taken to do this is
  much
  more than a reboot - and probably takes longer.
  
 
 
 It actually isn't that hard to track down.
 [root@colo-a2vm t2]# lsof -n | grep gcc
 hpiod  2649 root  DEL   REG  252,0
  4718941 /lib64/libgcc_s-4.1.2-20080825.so.1;545bc2ea
 mysqld 2851mysql  DEL   REG  252,0
  4718941 /lib64/libgcc_s-4.1.2-20080825.so.1;545bc2ea
 libvirtd   3121 root  DEL   REG  252,0
  4718941 /lib64/libgcc_s-4.1.2-20080825.so.1;545bc2ea
 yum-updat  3343 root  DEL   REG  252,0
  4718941 /lib64/libgcc_s-4.1.2-20080825.so.1;545bc2ea
 smartd 3469 root  DEL   REG  252,0
  4718941 /lib64/libgcc_s-4.1.2-20080825.so.1;545bc2ea
 automount  6482 root  DEL   REG  252,0
  4718600
 /lib64/libgcc_s-4.1.2-20080825.so.1.#prelink#.dvRyeN
 httpd 11089 root  mem   REG  252,0
 584004718834 /lib64/libgcc_s-4.1.2-20080825.so.1
 php   11639  ioi  mem   REG  252,0
 584004718834 /lib64/libgcc_s-4.1.2-20080825.so.1
 php   24239  ioi  mem   REG  252,0
 584004718834 /lib64/libgcc_s-4.1.2-20080825.so.1
 httpd 27057   daemon  mem   REG  252,0
 584004718834 /lib64/libgcc_s-4.1.2-20080825.so.1
 httpd 27058   daemon  mem   REG  252,0
 584004718834 /lib64/libgcc_s-4.1.2-20080825.so.1
 
 
 You can tell the processes that were not restarted as they show DEL
 instead of mem...