Packages that do not pass GPG verification should not be installed, as they may have been altered by
a third party.
After verifying the GPG key and downloading all the packages associated with the errata report, install
the packages as root at a shell prompt.
3.1.4. Installing Signed Packages
Installation for most packages can be done safely (except kernel packages) by issuing the following
command:
rpm -Uvh /tmp/updates/*.rpm
For kernel packages use the following command:
rpm -ivh /tmp/updates/<kernel-rpm>
Replace <kernel-rpm> in the previous example with the file name of the kernel RPM.
Once the machine has been safely rebooted using the new kernel, the old kernel may be removed using
the following command:
rpm -e <old-kernel-rpm>
Replace <old-kernel-rpm> in the previous example with the name of the older kernel RPM.
Note
It is not a requirement that the old kernel be removed. The default boot loader, GRUB, allows for
multiple kernels to be installed, then chosen from a menu at boot time.
Chapter 3. Security Updates
Important
Before installing any security errata, be sure to read any special instructions contained in the
errata report and execute them accordingly. Refer to Section 3.1.5, Applying the Changes for
general instructions about applying the changes made by an errata update.
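The two installation steps above, checking signatures and keeping the running kernel installed, can be combined into one script. The following is an added example, not text or code from the Red Hat guide: it runs rpm -K on every package in the update directory, refuses to install anything if a single package fails verification, then upgrades ordinary packages in one rpm -Uvh transaction and installs kernel packages with rpm -ivh. The RPM variable and the is_kernel_pkg and install_verified function names are this example's own, and the file-name patterns it uses to recognise kernel images are an assumption about stock Red Hat package naming.

```shell
#!/bin/sh
# Added example (not from the Red Hat Enterprise Linux 4 Security Guide):
# verify every RPM in a directory with rpm -K before anything is installed,
# then apply non-kernel packages with -U in one transaction and kernel
# packages with -i so the currently running kernel stays installed.
# Assumptions: stock Red Hat package names, no spaces in file names, and
# RPM may point at a wrapper (the default is the real rpm binary).
RPM="${RPM:-rpm}"

# Kernel images are installed alongside the old kernel (-i). kernel-utils
# and kernel-doc are ordinary packages and are upgraded (-U) like the rest.
is_kernel_pkg() {
    case "$(basename "$1")" in
        kernel-utils-*|kernel-doc-*) return 1 ;;
        kernel-*.rpm) return 0 ;;
        *) return 1 ;;
    esac
}

# rpm -K (--checksig) exits non-zero when the GPG signature or the digests
# do not verify, including when the signing key has not been imported.
verify_sig() {
    "$RPM" -K "$1" >/dev/null 2>&1
}

# Verify everything first and install nothing if even one package fails,
# so a partially applied errata set never reaches the system. Prints each
# rpm command it runs; returns 1 on rejection or on an rpm failure.
install_verified() {
    dir="$1"; rejected=0; regular=""; kernels=""
    for pkg in "$dir"/*.rpm; do
        [ -f "$pkg" ] || continue
        if ! verify_sig "$pkg"; then
            echo "REJECTED (rpm -K failed): $pkg" >&2
            rejected=$((rejected + 1))
        elif is_kernel_pkg "$pkg"; then
            kernels="$kernels $pkg"
        else
            regular="$regular $pkg"
        fi
    done
    if [ "$rejected" -ne 0 ]; then
        echo "$rejected package(s) failed verification; nothing installed" >&2
        return 1
    fi
    # One transaction for the ordinary packages so rpm can order them by
    # dependency (word splitting of $regular is intended here).
    if [ -n "$regular" ]; then
        echo "$RPM -Uvh$regular"
        "$RPM" -Uvh $regular || return 1
    fi
    # Each kernel image is installed, never upgraded, so the old one remains.
    for k in $kernels; do
        echo "$RPM -ivh $k"
        "$RPM" -ivh "$k" || return 1
    done
    return 0
}

# Usage: sh verify_install.sh /tmp/updates
if [ $# -gt 0 ]; then
    install_verified "$1"
fi
```

Verifying all packages before any transaction starts matters because the packages of one errata set usually depend on each other; installing only the ones that verified and skipping the rest could leave the system with a half-applied update.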
3.1.5. Applying the Changes
After downloading and installing security errata via Red Hat Network or the Red Hat errata website, it is
important to halt usage of the older software and begin using the new software. How this is done
depends on the type of software that has been updated. The following list itemizes the general
categories of software and provides instructions for using the updated versions after a package
upgrade.
Note
In general, rebooting the system is the surest way to ensure that the latest version of a software
package is used; however, this option is not always available to the system administrator.
Applications
User-space applications are any programs which can be initiated by a system user. Typically,
such applications are used only when a user, script, or automated task utility launches them
and they do not persist for long periods of time.
Once such a user-space application is updated, halt any instances of the application on the
system and launch the program again to use the updated version.
Kernel
The kernel is the core software component for the Red Hat Enterprise Linux operating system.
It manages access to memory, the processor, and peripherals as well as schedules all tasks.
Because of its central role, the kernel cannot be restarted without also stopping the computer.
Therefore, an updated version of the kernel cannot be used until the system is rebooted.
Shared Libraries
Shared libraries are units of code, such as glibc, which are used by a number of applications
and services. Applications utilizing a shared library typically load the shared code when the
application is initialized, so any applications using the updated library must be halted and
relaunched.
To determine which running applications link against a particular library, use the lsof
command as in the following example:
lsof /usr/lib/libwrap.so*
This command returns a list of all the running programs which use TCP wrappers for host
access control. Therefore, any program listed must be halted and relaunched if the
tcp_wrappers package is updated.
Red Hat Enterprise Linux 4 Security Guide
SysV Services
SysV services are persistent server programs launched during the boot process. Examples of
SysV services include sshd, vsftpd, and xinetd.
Because these programs usually persist in memory as long as the machine is booted, each
updated SysV service must be halted and relaunched after the package is upgraded. This can
be done using the Services Configuration Tool or by logging into a root shell prompt and
issuing the /sbin/service command as in the following example:
/sbin/service <service-name> restart
In the previous example, replace <service-name> with the name of the service, such as sshd.
Refer to the chapter titled Controlling Access to Services in the System Administrators Guide for
more information regarding the Services Configuration Tool.
xinetd Services
Services controlled by the xinetd super service only run when there is an active connection.
Examples of services controlled by xinetd include Telnet, IMAP, and POP3.
Because new instances of these services are launched by xinetd each time a new request is
received, connections that occur after an upgrade are handled by the updated software.
However, if there are active connections at the time the xinetd controlled service is upgraded,
they are serviced by the older version of the software.
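The lsof command shown under Shared Libraries tells you which processes use a library before the update. After the update, a complementary check is to look for processes that still have the replaced library mapped: rpm writes the new file as a new inode, so the old copy a running process holds shows up in /proc/<pid>/maps with its path marked "(deleted)". Any process listed, whether an application, a SysV service or a long-lived xinetd connection, is still executing the pre-update code and must be restarted. The script below is an added example, not from the guide; PROC_ROOT, stale_lib_procs and stale_proc_count are names chosen here, and the PROC_ROOT variable exists only so the scan can be pointed at a constructed directory.

```shell
#!/bin/sh
# Added example (not from the Red Hat Enterprise Linux 4 Security Guide):
# after a shared-library package has been upgraded, list the processes that
# still have the OLD copy of a library mapped. The kernel marks such mappings
# "(deleted)" in /proc/<pid>/maps. Assumption: PROC_ROOT may be pointed at a
# constructed directory for testing; the default is the real /proc.
PROC_ROOT="${PROC_ROOT:-/proc}"

# Print "pid name path" for each process and library where a file ending in
# .so or .so.N.N is mapped but has since been replaced or removed on disk.
stale_lib_procs() {
    for maps in "$PROC_ROOT"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps#"$PROC_ROOT"/}; pid=${pid%/maps}
        # Process name is field 2 of /proc/<pid>/stat, in parentheses; that
        # file exists on every 2.x kernel, unlike the newer /proc/<pid>/comm.
        comm=$(sed 's/^[0-9]* (\(.*\)) .*/\1/' "$PROC_ROOT/$pid/stat" 2>/dev/null)
        comm=${comm:-?}
        # maps columns: address perms offset dev inode pathname, optionally
        # followed by "(deleted)". Paths containing spaces are not handled.
        # Report each library once per process even if mapped several times.
        awk -v pid="$pid" -v comm="$comm" '
            $6 ~ /\.so(\.[0-9]+)*$/ && $7 == "(deleted)" && !seen[$6]++ {
                print pid, comm, $6
            }' "$maps"
    done
}

# Number of distinct processes that still need a restart (0 when clean).
stale_proc_count() {
    stale_lib_procs | awk '!p[$1]++ { n++ } END { print n + 0 }'
}

# Usage: sh stale_libs.sh --report
if [ "${1:-}" = "--report" ]; then
    stale_lib_procs
    echo "processes still using replaced libraries: $(stale_proc_count)"
fi
```

A non-zero count after an errata update is the signal that the "halt and relaunch" step above has not been completed for some program; running the report a second time after the restarts confirms that no process is left on the old code.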