severity 771348 normal
tags 771348 - security
thanks

On 11/28/2014 07:06 PM, Christoph Anton Mitterer wrote:
> Since this may start services which are only to be run under specific
> situations, e.g. when only in a secure network, or when VPN is running
> because they may grant system access e.g. without authentication...
> (take ssh which can be configured to allow passwordless access to root)
> I'm marking this severity=critical and tags=security.

needrestart does not automatically restart any services by default. I don't see any security issues if the user selects to restart a service (although the service was not running before). Sorry, but your example sounds hypothetical to me.

You could add an entry to override_rc to prevent ssh from being restarted accidentally.


HTH,
Thomas

> Maybe the whole thing applies to non-SSH as well; for a while now I've always
> been seeing two entries for GDM, one gdm3.service and gdm3 alone.
>
-- Package-specific info:
needrestart output:
Running kernel seems to be up-to-date.
Services to be restarted:
service dbus restart



-- System Information:
Debian Release: jessie/sid
   APT prefers unstable
   APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_DE.utf8, LC_CTYPE=en_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages needrestart depends on:
ii  dpkg                       1.17.22
ii  libmodule-find-perl        0.12-1
ii  libmodule-scandeps-perl    1.16-1
ii  libproc-processtable-perl  0.51-1
ii  libsort-naturally-perl     1.03-1
ii  libterm-readkey-perl       2.32-1+b1
ii  perl                       5.20.1-3

needrestart recommends no packages.

needrestart suggests no packages.

-- Configuration Files:
/etc/needrestart/needrestart.conf changed:
$nrconf{defno} = 1;
$nrconf{blacklist} = [
     # ignore sudo (not a daemon)
     q(^/usr/bin/sudo(\.dpkg-new)?$),
     # ignore DHCP clients
     q(^/sbin/(dhclient|dhcpcd5|pump|udhcpc)(\.dpkg-new)?$),
];
$nrconf{override_rc} = {
     # DBus
     q(^dbus) => 0,
     # display managers
     q(^gdm) => 0,
     q(^kdm) => 0,
     q(^nodm) => 0,
     q(^wdm) => 0,
     q(^xdm) => 0,
     q(^lightdm) => 0,
     # networking stuff
     q(^network-manager) => 0,
     q(^NetworkManager) => 0,
     q(^openvpn) => 0,
     q(^quagga) => 0,
     q(^tinc) => 0,
     # gettys
     q(^getty@.+\.service) => 0,
     # misc
     q(^zfs-fuse) => 0,
     q(^mythtv-backend) => 0,
};
if(-d q(/etc/needrestart/conf.d)) {
       foreach my $fn (sort </etc/needrestart/conf.d/*.conf>) {
              print STDERR "$LOGPREF eval $fn\n" if($nrconf{verbose});
              eval do { local(@ARGV, $/) = $fn; <>};
              die "Error parsing $fn: $@" if($@);
       }
}


-- no debconf information



--

    ::  WWW:                         http://fiasko-nw.net/~thomas/  ::
   :::  Jabber:                   xmpp:tho...@jabber.fiasko-nw.net  :::
    ::  flickr:              http://www.flickr.com/photos/laugufe/  ::
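
The override_rc suggestion above, as an added example that is not part of the original message and not needrestart's own code. It assumes each override_rc key is applied as a regex to the service name and that a value of 0 means "not selected for restart by default"; the drop-in file name ssh.conf and all service names are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Subset of the override_rc entries shown in the report's needrestart.conf.
our %nrconf = (
    override_rc => {
        q(^dbus)              => 0,
        q(^gdm)               => 0,
        q(^openvpn)           => 0,
        q(^getty@.+\.service) => 0,
    },
);

# --- what a drop-in like /etc/needrestart/conf.d/ssh.conf would contain
#     (file name is an assumption; conf.d is evaluated by the config above) ---
$nrconf{override_rc}{q(^ssh)} = 0;
# --- end of drop-in ---

# Return the override value of the first matching pattern, or undef when no
# pattern matches. Assumption: keys are regexes tested against the name.
sub override_for {
    my ($rc) = @_;
    foreach my $re (sort keys %{ $nrconf{override_rc} }) {
        return $nrconf{override_rc}{$re} if $rc =~ /$re/;
    }
    return;
}

# Constructed service names. gdm3 and gdm3.service are both covered by ^gdm;
# ^ssh is a prefix match, so it also covers sshguard.service.
my @services = qw(ssh ssh.service sshguard.service gdm3 gdm3.service
                  dbus cron.service getty@tty1.service);

foreach my $rc (@services) {
    my $ov = override_for($rc);
    my $state = !defined $ov ? 'no override, default selection applies'
              : $ov          ? 'selected for restart by default'
              :                'not selected for restart by default';
    printf "%-22s %s\n", $rc, $state;
}
```

If only the OpenSSH daemon should be covered, a tighter pattern such as q(^ssh(\.service)?$) avoids catching other names that merely start with "ssh".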

