Gentoo Forums
restart flag suggestion
hakoni
n00b
Joined: 07 Jul 2004
Posts: 4
Location: Trondheim - Norway

Posted: Fri Jan 28, 2005 11:45 pm    Post subject: restart flag suggestion

Hi, an idea just submerged. If I update an ebuild, based on a security-fix, and it is still running (e.g. mysql) wouldn't it be nice to have a restart flag (à la etc-update detection)?

When using a tool like glsa-check, installing the fix, but glsa-check would not report a vulnerability if the old service is still running, but the build is upgraded...?

This check would potentially be dependent on /proc or lsof or something, to be able to determine if the binary is running at upgrade time, or glsa-check could be fixed to check if the binary has run for longer than the mod-time of the binary itself? Thus, detecting that a fix has been installed, but the service needs to be restarted?

Good or bad idea?

regards, Håkon.
southsider
Guru
Joined: 05 Jul 2004
Posts: 358

Posted: Sat Jan 29, 2005 11:59 pm

That's a great idea. Top.
soramame
n00b
Joined: 07 Nov 2004
Posts: 35
Location: /brazil/sp/sao carlos

Posted: Tue Feb 01, 2005 2:44 am    Post subject: nice idea

Nice idea. But wouldn't it bloat stuff a lot? When you do a glsa update, YOU could just restart the service. Easy, uhn? 8)
_________________
bruno nery, i.e., solo soramame

you won't succeed unless you try.
hakoni
n00b
Joined: 07 Jul 2004
Posts: 4
Location: Trondheim - Norway

Posted: Tue Feb 01, 2005 8:00 am    Post subject: Re: nice idea

soramame wrote:
Nice idea. But wouldn't it bloat stuff a lot? When you do a glsa update, YOU could just restart the service. Easy, uhn? 8)


Yeah, of course, when running glsa-checks and updates, most would have their mind fixed for security and restart needed services.

But when someone makes an emerge update world, a lot of messages flash by. I wouldn't put the check in the emerge process, but when the user then runs glsa-check later, after a critical service has been updated, there could be a check in glsa that somehow tries to verify that the running process is the current binary on disk... like "Warning: mysql has been updated, but not restarted, the running version is vulnerable to glsa-xx". I wouldn't mind more bloat in glsa-check, if that will help me keep my systems secure.

I'm not sure if this is possible however, and there are some cases where this would be hard to detect, like updated libraries, etc...
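
Added example, not part of the thread and not glsa-check or Portage code: a sketch of the check proposed in the two posts above, reading Linux /proc to find processes whose executable was replaced on disk or modified after the process started. The function names and the warning text are hypothetical.

```python
"""Flag processes still running a binary that was replaced on disk (Linux /proc)."""
import os

DELETED = " (deleted)"  # suffix the kernel adds to exe when the running file was unlinked


def boot_time(proc_root):
    """Boot time in epoch seconds, from the btime line of <proc_root>/stat."""
    with open(os.path.join(proc_root, "stat")) as fh:
        for line in fh:
            if line.startswith("btime "):
                return int(line.split()[1])
    raise RuntimeError("btime not found")


def start_time(proc_root, pid, btime, hz):
    """Process start in epoch seconds; field 22 of <pid>/stat is ticks since boot."""
    with open(os.path.join(proc_root, pid, "stat")) as fh:
        # comm (field 2) may contain spaces or ')', so split after the last ')'
        rest = fh.read().rsplit(")", 1)[1].split()
    return btime + int(rest[19]) / hz  # rest[0] is field 3, so field 22 is rest[19]


def stale_processes(proc_root="/proc", hz=None):
    """Return (pid, exe_path, reason) for every process that needs a restart."""
    hz = hz or os.sysconf("SC_CLK_TCK")
    btime = boot_time(proc_root)
    found = []
    for pid in sorted(filter(str.isdigit, os.listdir(proc_root)), key=int):
        try:
            exe = os.readlink(os.path.join(proc_root, pid, "exe"))
            if exe.endswith(DELETED):
                # An upgrade unlinked the old file; the process still maps the old inode.
                found.append((int(pid), exe[:-len(DELETED)], "binary replaced or removed"))
            elif os.stat(exe).st_mtime > start_time(proc_root, pid, btime, hz):
                # The mod-time heuristic suggested in the first post.
                found.append((int(pid), exe, "binary modified after process start"))
        except (OSError, IndexError, ValueError):
            continue  # kernel thread, process already gone, or no permission
    return found


if __name__ == "__main__":
    for pid, exe, reason in stale_processes():
        print(f"Warning: pid {pid} ({exe}): {reason}; restart the service")
```

Reading another user's /proc/<pid>/exe needs root, so run the scan as root to cover system services. The updated-library case mentioned above is not covered; it would need /proc/<pid>/maps as well.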
Koon
Retired Dev
Joined: 10 Dec 2002
Posts: 518

Posted: Mon Feb 07, 2005 12:48 pm

See http://bugs.gentoo.org/show_bug.cgi?id=75156

- Koon / Gentoo Linux Security
All times are GMT