Package: harden-doc
Severity: normal
Tags: patch

Hi,

Attached patch updates the manual to mention the more featureful 'needrestart'
tool in the section on library restarts, and removes the lsof line since
there are better alternatives (install checkrestart or needrestart; we don't
need to confuse the user with another but less effective method to achieve
the same thing).

When applied it would also close #415529.


Cheers,
Thijs
Index: en/after-install.sgml
===================================================================
--- en/after-install.sgml	(revision 10555)
+++ en/after-install.sgml	(working copy)
@@ -108,13 +108,14 @@
 before an upgrade might still be using the old libraries before the upgrade
 <footnote>Even though the libraries have been removed from the filesystem the inodes
 will not be cleared up until no program has an open file descriptor pointing
-to them.</footnote>. In order to detect which daemons might need to be restarted
-you can use the <prgn>checkrestart</prgn> program (available in the 
-<package>debian-goodies</package> package) or use this one liner<footnote><p>Depending on your lsof version you might need to use $8 instead of $9</p></footnote> (as root):
+to them.</footnote>.
 
-<example>
-# lsof | grep &lt;the_upgraded_library&gt; | awk '{print $1, $9}' | uniq | sort -k 1
-</example>
+<p>From Debian <em>Jessie</em> and up, you can install the
+<package>needrestart</package> package, which will run automatically after each
+APT upgrade and prompt you to restart services that are affected by the
+just-installed updates. In earlier releases, you can run the
+<prgn>checkrestart</prgn> program (available in the
+<package>debian-goodies</package> package) manually after your APT upgrade.
 
 <P>Some packages (like <package>libc6</package>) will do this check in the postinst
 phase for a limited set of services specially since an upgrade of essential libraries
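Review bot: The new paragraph starting at "From Debian <em>Jessie</em> and up" no longer says what the tools are for, because the removed sentence "In order to detect which daemons might need to be restarted" was the only link between the footnoted explanation of stale libraries and the tool recommendation. Consider opening the paragraph with that purpose, for example "To detect which daemons need to be restarted, from Debian Jessie and up you can install ...". The added tag is lowercase <p> while the next paragraph in the same section uses <P>, so pick one for consistency. Since the lsof example and its footnote about $8 versus $9 are dropped entirely, it is worth stating in the commit message that this is deliberate, as the bug report does.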
@@ -129,11 +130,11 @@
 
 <p>Excercise caution when dealing with security upgrades if you are doing them
 over a remote connection like ssh. A suggested procedure for a security
-upgrade that involves a service restart is to restart the SSH daemon and then, inmediately,
+upgrade that involves a service restart is to restart the SSH daemon and then, immediately,
 attempt a new ssh connection without breaking the previous one. If the connection
 fails, revert the upgrade and investigate the issue. 
+</sect1>
 
-</sect1>
 <sect1 id="kernel-security-update">Security update of the kernel
 
 <P>First, make sure your kernel is being managed through the packaging
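Review bot: The first line of this paragraph still reads "Excercise caution", a typo left in place while "inmediately" two lines below is corrected; fix it to "Exercise" in the same patch. The move of </sect1> above the blank line is a whitespace-only change unrelated to the needrestart update, so either mention it in the commit message or split it out to keep the diff focused.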
