severity 771348 normal
tags 771348 - security
thanks

On 11/28/2014 07:06 PM, Christoph Anton Mitterer wrote:
> Since this may start services which are only to be run under specific situations, e.g. when only in a secure network, or when VPN is running, because they may grant system access e.g. without authentication... (take ssh, which can be configured to allow passwordless access to root) I'm marking this severity=critical and tags=security.
needrestart does not automatically restart any services by default. I don't see any security issues if the user selects to restart a service (although the service was not running before). Sorry, but your example sounds hypothetical to me.

You could add an entry to override_rc to prevent ssh from being restarted accidentally.
HTH, Thomas
> Maybe the whole thing applies to non-SSH as well; for a while now I'm always seeing two entries for GDM, one gdm3.service and gdm3 alone.
> -- Package-specific info:
> needrestart output:
> Running kernel seems to be up-to-date.
> Services to be restarted:
> service dbus restart
>
> -- System Information:
> Debian Release: jessie/sid
>   APT prefers unstable
>   APT policy: (500, 'unstable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
> Locale: LANG=en_DE.utf8, LC_CTYPE=en_DE.utf8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
>
> Versions of packages needrestart depends on:
> ii  dpkg                       1.17.22
> ii  libmodule-find-perl        0.12-1
> ii  libmodule-scandeps-perl    1.16-1
> ii  libproc-processtable-perl  0.51-1
> ii  libsort-naturally-perl     1.03-1
> ii  libterm-readkey-perl       2.32-1+b1
> ii  perl                       5.20.1-3
>
> needrestart recommends no packages.
>
> needrestart suggests no packages.
>
> -- Configuration Files:
> /etc/needrestart/needrestart.conf changed:
> $nrconf{defno} = 1;
> $nrconf{blacklist} = [
>     # ignore sudo (not a daemon)
>     q(^/usr/bin/sudo(\.dpkg-new)?$),
>     # ignore DHCP clients
>     q(^/sbin/(dhclient|dhcpcd5|pump|udhcpc)(\.dpkg-new)?$),
> ];
> $nrconf{override_rc} = {
>     # DBus
>     q(^dbus) => 0,
>     # display managers
>     q(^gdm) => 0,
>     q(^kdm) => 0,
>     q(^nodm) => 0,
>     q(^wdm) => 0,
>     q(^xdm) => 0,
>     q(^lightdm) => 0,
>     # networking stuff
>     q(^network-manager) => 0,
>     q(^NetworkManager) => 0,
>     q(^openvpn) => 0,
>     q(^quagga) => 0,
>     q(^tinc) => 0,
>     # gettys
>     q(^getty@.+\.service) => 0,
>     # misc
>     q(^zfs-fuse) => 0,
>     q(^mythtv-backend) => 0,
> };
> if(-d q(/etc/needrestart/conf.d)) {
>     foreach my $fn (sort </etc/needrestart/conf.d/*.conf>) {
>         print STDERR "$LOGPREF eval $fn\n" if($nrconf{verbose});
>         eval do { local(@ARGV, $/) = $fn; <>};
>         die "Error parsing $fn: $@" if($@);
>     }
> }
>
> -- no debconf information
--
:: WWW: http://fiasko-nw.net/~thomas/ ::
::: Jabber: xmpp:tho...@jabber.fiasko-nw.net :::
:: flickr: http://www.flickr.com/photos/laugufe/ ::
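As an added illustration of the override_rc suggestion above (example code, not needrestart's own and not from either poster), the script below writes a conf.d fragment that marks ssh as "do not restart", loads it with the same eval idiom the quoted needrestart.conf uses, and then shows which override_rc patterns match a few service names. The file name ssh.conf, the pattern ^ssh, the reduced default map and the service names are assumptions chosen for the demonstration; the fragment itself is what you would drop into /etc/needrestart/conf.d/ on a real system.

```perl
#!/usr/bin/perl
# Added example (not needrestart's own code). Demonstrates an override_rc
# entry for ssh, loaded the way the needrestart.conf in the report loads
# /etc/needrestart/conf.d/*.conf, then checks which patterns match.
use strict;
use warnings;
use File::Temp qw(tempdir);

our %nrconf;
# Stand-in for the distribution default map (assumption: only dbus listed,
# the real file carries the longer list quoted in the report).
$nrconf{override_rc} = { q(^dbus) => 0 };

# The fragment to install as /etc/needrestart/conf.d/ssh.conf (path assumed).
# Value 0 = never offer to restart; an operator restarts ssh by hand.
my $fragment = <<'EOF';
# local override: never restart ssh automatically
$nrconf{override_rc}{q(^ssh)} = 0;
EOF

# Write the fragment into a temporary conf.d directory for this demo.
my $dir = tempdir(CLEANUP => 1);
my $fn  = "$dir/ssh.conf";
open(my $fh, '>', $fn) or die "open $fn: $!";
print $fh $fragment;
close $fh;

# Same eval idiom as the needrestart.conf shown in the report.
foreach my $f (sort glob("$dir/*.conf")) {
    eval do { local(@ARGV, $/) = $f; <> };
    die "Error parsing $f: $@" if $@;
}

# Return the override_rc keys whose regex matches the given service name.
sub overrides_for {
    my ($svc) = @_;
    return grep { $svc =~ /$_/ } sort keys %{ $nrconf{override_rc} };
}

# Constructed sample service names; gdm3 is deliberately left without an
# override in this reduced map so the "no override" path is exercised.
for my $svc (qw(ssh.service sshd dbus.service gdm3.service)) {
    my @hit = overrides_for($svc);
    printf "%-14s %s\n", $svc,
        @hit ? "override (@hit) => $nrconf{override_rc}{$hit[0]}" : "no override";
}
```

Because conf.d fragments are plain Perl evaluated after the main map is built, a fragment can add a key without copying the whole override_rc hash; keeping the site-specific entry in its own file also survives package upgrades of needrestart.conf.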