Bug#771348: needrestart: starts not running services

2014-11-28 Thread Christoph Anton Mitterer
Package: needrestart
Version: 1.2-5
Severity: critical
Tags: security



Hi.

Apparently needrestart has some bug, which causes it to
start not running services.



I have e.g.:

$ ps ax | grep ssh
 2927 pts/4    S+     0:00 ssh kronecker
 2939 ?        Ss     0:00 ssh: /home/calestyo/.ssh/control-mux/heisenberg_r...@kronecker.example.org:22 [mux]
 3026 pts/3    S+     0:00 ssh klenze
 4257 ?        Ss     0:00 /usr/bin/ssh-agent /usr/bin/dbus-launch --exit-with-session cinnamon-session-cinnamon
17048 pts/5    S+     0:00 grep --color=auto ssh

=> as you can see, no sshd is running



Then I run:

# needrestart -v
[Core] Using UI 'NeedRestart::UI::stdio'...
[main] detected systemd
[main] #1749 uses obsolete /lib/x86_64-linux-gnu/libpng12.so.0.50.0
[main] #1749 is not a child
[main] #1879 uses obsolete /lib/x86_64-linux-gnu/liblzma.so.5.0.0
[main] #1879 is not a child
[main] #1910 uses obsolete /lib/x86_64-linux-gnu/liblzma.so.5.0.0
[main] #1910 is not a child
[Core] #1933 is a NeedRestart::Interp::Python
[main] #1977 uses obsolete /usr/lib/x86_64-linux-gnu/libcroco-0.6.so.3.0.1
[main] #1977 is not a child
[main] #2009 uses obsolete /lib/x86_64-linux-gnu/security/pam_systemd.so
[main] #2009 is a child of #1982
[main] #2062 uses obsolete binary /usr/bin/python2.7
[main] #2062 is not a child
[main] #2540 uses obsolete /lib/x86_64-linux-gnu/liblzma.so.5.0.0
[main] #2540 is not a child
[main] #2608 uses obsolete /lib/x86_64-linux-gnu/libpng12.so.0.50.0
[main] #2608 is a child of #2540
[main] #2620 uses obsolete /usr/lib/x86_64-linux-gnu/libidn.so.11.6.12
[main] #2620 is not a child
[main] #2621 uses obsolete /usr/lib/x86_64-linux-gnu/libidn.so.11.6.12
[main] #2621 is a child of #2620
[main] #2649 uses obsolete /usr/lib/x86_64-linux-gnu/libFLAC.so.8.3.0
[main] #2649 is not a child
[main] #2763 uses obsolete /usr/lib/x86_64-linux-gnu/libidn.so.11.6.12
[main] #2763 is not a child
[main] #2764 uses obsolete /usr/lib/x86_64-linux-gnu/libidn.so.11.6.12
[main] #2764 is a child of #2763
[main] #2782 uses obsolete /usr/lib/x86_64-linux-gnu/libFLAC.so.8.3.0
[main] #2782 is not a child
[main] #2927 uses obsolete /lib/x86_64-linux-gnu/libkeyutils.so.1.5
[main] #2927 is a child of #2897
[main] #2939 uses obsolete /lib/x86_64-linux-gnu/libkeyutils.so.1.5
[main] #2939 is not a child
[main] #3026 uses obsolete /lib/x86_64-linux-gnu/libkeyutils.so.1.5
[main] #3026 is a child of #2806
[main] #4208 uses obsolete /lib/x86_64-linux-gnu/security/pam_systemd.so
[main] #4208 is a child of #2540
[main] #4217 uses obsolete /lib/x86_64-linux-gnu/libz.so.1.2.8
[main] #4217 is not a child
[main] #4220 uses obsolete /lib/x86_64-linux-gnu/libudev.so.1.5.0
[main] #4220 is a child of #4208
[main] #4261 uses obsolete /lib/x86_64-linux-gnu/liblzma.so.5.0.0
[main] #4261 is not a child
[main] #4270 uses obsolete /lib/x86_64-linux-gnu/libz.so.1.2.8
[main] #4270 is not a child
[main] #4278 uses obsolete /lib/x86_64-linux-gnu/libkeyutils.so.1.5
[main] #4278 is a child of #4220
[main] #4294 uses obsolete /lib/x86_64-linux-gnu/libudev.so.1.5.0
[main] #4294 is not a child
[main] #4296 uses obsolete /lib/x86_64-linux-gnu/libpng12.so.0.50.0
[main] #4296 is not a child
[main] #4300 uses obsolete /lib/x86_64-linux-gnu/libudev.so.1.5.0
[main] #4300 is not a child
[main] #4315 uses obsolete /lib/x86_64-linux-gnu/libpng12.so.0.50.0
[main] #4315 is not a child
[main] #4328 uses obsolete /lib/x86_64-linux-gnu/libpng12.so.0.50.0
[main] #4328 is not a child
[main] #4332 uses obsolete /lib/x86_64-linux-gnu/libpng12.so.0.50.0
[main] #4332 is not a child
[main] #4336 uses obsolete /lib/x86_64-linux-gnu/libpng12.so.0.50.0
[main] #4336 is not a child
[main] #4341 uses obsolete /lib/x86_64-linux-gnu/libpng12.so.0.50.0
[main] #4341 is not a child
[main] #4344 uses obsolete binary /usr/bin/python2.7
[main] #4344 is a child of #4220
[main] #4348 uses obsolete /lib/x86_64-linux-gnu/libkeyutils.so.1.5
[main] #4348 is not a child
[main] #4353 uses obsolete /usr/lib/x86_64-linux-gnu/libgudev-1.0.so.0.2.0
[main] #4353 is a child of #4344
[main] #4359 uses obsolete /lib/x86_64-linux-gnu/libudev.so.1.5.0
[main] #4359 is a child of #4220
[main] #4360 uses obsolete /usr/lib/x86_64-linux-gnu/libcroco-0.6.so.3.0.1
[main] #4360 is a child of #4220
[main] #4362 uses obsolete /lib/x86_64-linux-gnu/libudev.so.1.5.0
[main] #4362 is a child of #4220
[main] #4363 uses obsolete /lib/x86_64-linux-gnu/libudev.so.1.5.0
[main] #4363 is a child of #4361
[main] #4364 uses obsolete /usr/lib/x86_64-linux-gnu/libcroco-0.6.so.3.0.1
[main] #4364 is a child of #4220
[main] #4374 uses obsolete /lib/x86_64-linux-gnu/libz.so.1.2.8
[main] #4374 is not a child
[main] #4383 uses obsolete /lib/x86_64-linux-gnu/libz.so.1.2.8
[main] #4383 is not a child
[main] #4390 uses obsolete /lib/x86_64-linux-gnu/libudev.so.1.5.0
[main] #4390 is not a child
[main] #4406 uses obsolete /lib/x86_64-linux-gnu/libpng12.so.0.50.0
[main] #4406 is not a child
[main] #4472 uses obsolete 

Bug#771348: needrestart: starts not running services

2014-11-28 Thread Thomas Liske

severity 771348 normal
tags 771348 - security
thanks

On 11/28/2014 07:06 PM, Christoph Anton Mitterer wrote:

Since this may start services which are only to be run under specific
situations, e.g. when only in a secure network, or when VPN is running
because they may grant system access e.g. without authentication...
(take ssh which can be configured to allow passwordless access to root)
I'm marking this severity=critical and tags=security.


needrestart does not automatically restart any services by default. I 
don't see any security issues if the user selects to restart a service 
(although the service was not running before). Sorry, but your example 
sounds hypothetical to me.


You could add an entry to override_rc to prevent ssh from being restarted 
accidentally.



HTH,
Thomas


Maybe the whole thing applies to non-SSH as well, since a while I'm always
seeing two entries for GDM, one gdm3.service and gdm3 alone.



-- Package-specific info:
needrestart output:
Running kernel seems to be up-to-date.
Services to be restarted:
service dbus restart



-- System Information:
Debian Release: jessie/sid
   APT prefers unstable
   APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_DE.utf8, LC_CTYPE=en_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages needrestart depends on:
ii  dpkg                       1.17.22
ii  libmodule-find-perl        0.12-1
ii  libmodule-scandeps-perl    1.16-1
ii  libproc-processtable-perl  0.51-1
ii  libsort-naturally-perl     1.03-1
ii  libterm-readkey-perl       2.32-1+b1
ii  perl                       5.20.1-3

needrestart recommends no packages.

needrestart suggests no packages.

-- Configuration Files:
/etc/needrestart/needrestart.conf changed:
$nrconf{defno} = 1;
$nrconf{blacklist} = [
    # ignore sudo (not a daemon)
    q(^/usr/bin/sudo(\.dpkg-new)?$),
    # ignore DHCP clients
    q(^/sbin/(dhclient|dhcpcd5|pump|udhcpc)(\.dpkg-new)?$),
];
$nrconf{override_rc} = {
    # DBus
    q(^dbus) => 0,
    # display managers
    q(^gdm) => 0,
    q(^kdm) => 0,
    q(^nodm) => 0,
    q(^wdm) => 0,
    q(^xdm) => 0,
    q(^lightdm) => 0,
    # networking stuff
    q(^network-manager) => 0,
    q(^NetworkManager) => 0,
    q(^openvpn) => 0,
    q(^quagga) => 0,
    q(^tinc) => 0,
    # gettys
    q(^getty@.+\.service) => 0,
    # misc
    q(^zfs-fuse) => 0,
    q(^mythtv-backend) => 0,
};
if(-d q(/etc/needrestart/conf.d)) {
    foreach my $fn (sort </etc/needrestart/conf.d/*.conf>) {
        print STDERR "$LOGPREF eval $fn\n" if($nrconf{verbose});
        eval do { local(@ARGV, $/) = $fn; <>};
        die "Error parsing $fn: $@" if($@);
    }
}


-- no debconf information




--

::  WWW: http://fiasko-nw.net/~thomas/  ::
   :::  Jabber:   xmpp:tho...@jabber.fiasko-nw.net  :::
::  flickr:  http://www.flickr.com/photos/laugufe/  ::


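Added example (not part of the thread and not needrestart's own code): a shell filter over a "Services to be restarted" list in the format quoted above. It emits `systemctl try-restart` only for units that are currently active, so a stopped service such as sshd is never started as a side effect of a restart. The `IS_ACTIVE_CMD` hook, the function names and the sample report are constructed for this example.

```shell
#!/bin/sh
# Command used to ask whether a unit is running. Overridable so the
# logic can be exercised without systemd (assumption of this example).
: "${IS_ACTIVE_CMD:=systemctl is-active --quiet}"

unit_is_active() {
    # Unquoted on purpose: the default value is a command plus arguments.
    $IS_ACTIVE_CMD "$1"
}

# Constructed sample in the format of the "needrestart output" section
# of the bug report; ssh is listed although no sshd is running.
sample_report() {
    cat <<'EOF'
Running kernel seems to be up-to-date.
Services to be restarted:
service dbus restart
service ssh restart
service cron restart
EOF
}

# Read a report on stdin. For every "service NAME restart" line print
# either a try-restart command or a comment saying why it was skipped.
filter_restart_list() {
    while read -r verb name action rest; do
        [ "$verb" = "service" ] && [ "$action" = "restart" ] || continue
        # Only accept plain unit names; anything else is ignored.
        case $name in
            ''|*[!A-Za-z0-9@._:-]*) continue ;;
        esac
        if unit_is_active "$name"; then
            # try-restart is itself a no-op for stopped units, which
            # covers a unit stopping between the check and the restart.
            printf 'systemctl try-restart %s\n' "$name"
        else
            printf '# skipped %s: not active\n' "$name"
        fi
    done
}

# Usage: sh thisfile --stdin < saved-report.txt
if [ "${1:-}" = "--stdin" ]; then
    filter_restart_list
fi
```

The output is a list of commands to review, not something the script executes itself.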