Even with protected_hardlinks enabled you can still achieve pretty much the same effect with an open file descriptor via /proc/$PID/fd – the files in that directory appear as symlinks, but their behavior is really more akin to that of hardlinks (or dup(2)-ing an already-open file descriptor).
So if you really want to be sure nothing’s still got a way to execute an suid binary that’s been unlinked, a reboot might be the only way to be certain. (You could try to enumerate open file descriptors system-wide and kill processes that had potentially risky ones, but that seems prone to race conditions you could still lose.)
[Edit: hmm, I suppose perhaps truncating or overwriting the binary before unlinking it could also solve the problem without a reboot.]
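The behaviour described in the comment above, as an added shell example that is not part of the original post: a plain executable stands in for the suid binary (the reachability argument is identical), a held-open descriptor survives `rm`, the file is still run through the `/proc/self/fd/N` magic link, and overwriting the inode in place before unlinking is what actually changes what that descriptor executes. The function names are hypothetical; the script assumes a Linux host with `/proc` mounted and a temp directory that is not mounted `noexec`.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumes Linux with /proc mounted and a temp dir that allows exec.

# run_demo <unlink-only|overwrite-first>
# Creates a small executable, holds an fd open on it, removes its name using
# the chosen strategy, then executes whatever the leftover fd still points at
# and prints the result.
run_demo() {
    strategy=$1
    dir=$(mktemp -d) || return 1
    bin="$dir/helper"

    # Stand-in for the binary being removed (not setuid here; that does not
    # change whether an open fd can still exec it).
    printf '#!/bin/sh\necho still-alive\n' > "$bin"
    chmod 755 "$bin"

    # Hold an fd open, exactly as a lingering process could.
    exec 3< "$bin"

    if [ "$strategy" = "overwrite-first" ]; then
        # '>' truncates and rewrites the same inode, so the open fd sees the
        # new contents too. Truncating alone (': > "$bin"') leaves an empty,
        # unusable file behind the fd; rewriting makes the effect visible.
        printf '#!/bin/sh\necho neutralized\n' > "$bin"
    fi

    rm -f "$bin"    # unlink the name; protected_hardlinks does not matter here
    rmdir "$dir"

    # /proc/self/fd/3 is a magic link to the open inode, not a path lookup,
    # so execve through it works even though no name for the file exists.
    out=$(/proc/self/fd/3 2>/dev/null) || out="exec-failed"
    exec 3<&-
    printf '%s\n' "$out"
}

# list_deleted_fds: the system-wide enumeration the comment mentions.
# Prints pid:fd:target for every open fd whose target has been unlinked.
# Needs privileges to read other users' /proc/<pid>/fd; racy by nature.
list_deleted_fds() {
    for fd in /proc/[0-9]*/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        case $target in
            *' (deleted)')
                pid=${fd#/proc/}; pid=${pid%%/*}
                printf '%s:%s:%s\n' "$pid" "${fd##*/}" "$target" ;;
        esac
    done
}

if [ "${1:-}" = "--scan" ]; then
    list_deleted_fds
else
    printf 'unlink only     -> %s\n' "$(run_demo unlink-only)"
    printf 'overwrite first -> %s\n' "$(run_demo overwrite-first)"
fi
```

Running it without arguments prints `still-alive` for the unlink-only path and `neutralized` for the overwrite-first path; `--scan` lists every `(deleted)` target still held open on the box, which is the enumeration the comment suggests and why it is only a best-effort check rather than a guarantee.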