hakoni n00b
Joined: 07 Jul 2004 Posts: 4 Location: Trondheim - Norway
Posted: Fri Jan 28, 2005 11:45 pm Post subject: restart flag suggestion
Hi, an idea just submerged. If I update an ebuild, based on a security-fix, and it is still running (e.g. mysql) wouldn't it be nice to have a restart flag (à la etc-update detection)?
When using a tool like glsa-check, installing the fix, but glsa-check would not report a vulnerability if the old service is still running, but the build is upgraded...?
This check would potentially be dependent on /proc or lsof or something, to be able to determine if the binary is running at upgrade time, or glsa-check could be fixed to check if the binary has run for longer than the mod-time of the binary itself? Thus, detecting that a fix has been installed, but the service needs to be restarted?
Good or bad idea?
regards, Håkon.
southsider Guru
Joined: 05 Jul 2004 Posts: 358
Posted: Sat Jan 29, 2005 11:59 pm Post subject:
That's a great idea. Top.
soramame n00b
Joined: 07 Nov 2004 Posts: 35 Location: /brazil/sp/sao carlos
Posted: Tue Feb 01, 2005 2:44 am Post subject: nice idea
Nice idea. But wouldn't it bloat stuff a lot? When you do a glsa update, YOU could just restart the service. Easy, uhn? _________________ bruno nery, i.e., solo soramame
you won't succeed unless you try.
hakoni n00b
Joined: 07 Jul 2004 Posts: 4 Location: Trondheim - Norway
Posted: Tue Feb 01, 2005 8:00 am Post subject: Re: nice idea
soramame wrote: | Nice idea. But wouldn't it bloat stuff a lot? When you do a glsa update, YOU could just restart the service. Easy, uhn? |
Yeah, of course, when running glsa-checks and updates, most would have their mind fixed for security and restart needed services.
But when someone makes an emerge update world, a lot of messages flash by, I wouldn't put the check in the emerge process, but when the user then runs glsa-check later, after a critical service has been updated, there could be a check in glsa that somehow tries to verify that the running process is the current binary on disk... like "Warning: mysql has been updated, but not restarted, the running version is vulnerable to glsa-xx", I wouldn't mind more bloat in glsa-check, if that will help me keep my systems secure.
I'm not sure if this is possible however, and there are some cases where this would be hard to detect, like updated libraries, etc...
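The /proc-based check discussed in this thread, as an added example that is not part of any post and is not glsa-check code: it flags processes whose executable or executable library mappings the kernel marks "(deleted)", which covers both the replaced-binary and the updated-library case. It assumes Linux and that the upgrade unlinks or renames over the old file rather than overwriting it in place; the function names and the `proc_root` parameter are hypothetical.

```python
import os

DELETED = " (deleted)"  # suffix the Linux kernel appends for unlinked files


def stale_files(exe_target, maps_text):
    """Return on-disk paths a process still uses although they were replaced."""
    stale = set()
    if exe_target.endswith(DELETED):
        stale.add(exe_target[:-len(DELETED)])
    for line in maps_text.splitlines():
        fields = line.split(None, 5)  # addr perms offset dev inode path
        if len(fields) < 6:
            continue  # anonymous mapping, no backing file
        perms, path = fields[1], fields[5]
        # Only executable mappings count: data-only entries such as
        # "/dev/zero (deleted)" or SysV shared memory are skipped.
        if "x" in perms and path.startswith("/") and path.endswith(DELETED):
            stale.add(path[:-len(DELETED)])
    return stale


def scan(proc_root="/proc"):
    """Map pid -> sorted stale paths for every readable process."""
    report = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        base = os.path.join(proc_root, entry)
        try:
            exe = os.readlink(os.path.join(base, "exe"))
            with open(os.path.join(base, "maps")) as fh:
                maps = fh.read()
        except OSError:
            continue  # kernel thread, exited process, or no permission
        found = stale_files(exe, maps)
        if found:
            report[int(entry)] = sorted(found)
    return report


if __name__ == "__main__":
    for pid, paths in sorted(scan().items()):
        print(f"pid {pid} needs restart, still using replaced: {', '.join(paths)}")
```

Run as root to see every process; an unprivileged user can only read `exe` and `maps` for their own processes.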
Koon Retired Dev
Joined: 10 Dec 2002 Posts: 518