Date: Tue Nov  8 20:01:16 2005
From: tonid at hakin9.org (Tomasz Nidecki)
Subject: Re: Security Updates Without Rebooting

Tuesday, November 8, 2005, 2:48:28 AM, Valdis wrote:

> Or, if you're able to identify "I only applied an Apache patch", you may very
> well be able to only restart that one service.  For RedHat/Fedora systems,
> you'd do this with 'service httpd restart' (or replace httpd with the name
> of the /etc/init.d script that starts/stops the service in question). For
> other systems, you should be able to find a similar "stop then restart" for
> the specific daemon in question.

Well, if I could make a small suggestion, I never use the /etc/rc.d or
/etc/init.d scripts on my servers. I have long ago switched to
daemontools - http://cr.yp.to/daemontools.html [there are similar
solutions for those who don't like daemontools, e.g. a very similar one
called runit - http://smarden.org/runit/]. There are a couple of
security and ease-of-use reasons to do that:

* a service such as daemontools or runit will make sure your service
is running even if something causes it to fail temporarily, as it
monitors the service every second and restarts it if necessary

* for every service monitored all I need to do to restart it after
a security update is "svc -t /service/servicename".

Obviously, RPMs will not restart such services, so this is a drawback,
but I find this a very good, platform-independent [e.g. some
distributions use the SysV scripts, some use other solutions] method
to control services that also makes sure for me that the service is
always running.

The drawback is the fact that not all services can be run in the
foreground [this is required for daemontools/runit] and that writing
your own run scripts might sometimes be difficult [but the runit page
contains a bunch of ready-made run scripts for most popular services].

--
Tomasz Nidecki, Sekr. Redakcji / Managing Editor
hakin9 magazine            http://www.hakin9.org
mailto:tonid@...in9.org      jid:tonid@...id.net

Do you know what "hacker" means?
http://www.catb.org/~esr/faqs/hacker-howto.html

Do you know what the word "hacker" means?
http://www.jtz.org.pl/Inne/hacker-howto-pl.html
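As an added illustration (not daemontools' or runit's own code, and not part of the post), a toy supervisor in Python that models the two behaviours the post relies on: the service runs in the foreground as a direct child and is restarted after it exits, and a restart request is simply SIGTERM to that child, which is what "svc -t" sends. The command lines used are constructed stand-ins for a real service, and the restart count is bounded only so the example terminates.

```python
"""Toy daemontools/runit-style supervisor (added illustration, not the real
supervise program). Models two behaviours from the post:
  * the service runs in the FOREGROUND as a direct child; the supervisor
    waits on it and restarts it after a one-second pause when it exits;
  * a restart request ("svc -t /service/name") is just SIGTERM to the child,
    after which the ordinary restart path starts the (now patched) binary.
"""
import signal
import subprocess
import time


def run_once(argv, term_after=None):
    """Start argv in the foreground and wait for it.

    term_after, if set, sends SIGTERM after that many seconds (the "svc -t"
    step). Returns the wait status: the exit code, or -SIGNUM if signalled.
    """
    child = subprocess.Popen(argv)
    if term_after is not None:
        try:
            return child.wait(timeout=term_after)  # exited on its own first
        except subprocess.TimeoutExpired:
            child.send_signal(signal.SIGTERM)      # what svc -t does
    return child.wait()


def supervise(argv, max_restarts, pause=1.0, term_after=None):
    """Keep argv running, restarting it up to max_restarts times.

    daemontools loops forever; the bound exists only so the example ends.
    Returns the list of statuses observed, one per run (negative = signalled).
    """
    statuses = []
    for attempt in range(max_restarts + 1):
        statuses.append(run_once(argv, term_after))
        if attempt < max_restarts:
            time.sleep(pause)  # supervise also pauses a second before restarting
    return statuses


if __name__ == "__main__":
    # Constructed stand-in for a service that crashes at once: restarted twice.
    print(supervise(["sh", "-c", "exit 3"], max_restarts=2, pause=0.1))
    # Constructed long-running service: gets SIGTERM ("svc -t"), is restarted.
    print(supervise(["sleep", "30"], max_restarts=1, pause=0.1, term_after=0.2))
```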


