Information
ID: 324
PHID: PHID-TASK-rujr2jrlfkgxu2qicco2
Author: HulaHoop
Status at Migration Time: open
Priority at Migration Time: Normal
Description
I propose to add the needrestart pkg:
New in this release is the needrestart package. When installed, it will perform a check after each APT upgrade session. If any services running on the system require a restart to take advantage of changes in the upgraded packages then it offers to perform these restarts. It is recommended to install needrestart to ensure that security updates in libraries are propagated to running services.
Comments
Patrick
2015-05-24 04:50:31 UTC
Good point.
Somewhat documented in the deepness of expand buttons updating documentation:
Security Guide - Whonix
Somewhat related to T135.
Have you actually tried this? I worry about the usability of this thing. It mentions that a lot of services need to be restarted. A few of them are checked by default, others such as kdm are not. Now, if a user who is trying hard to be secure checks kdm, then kdm is shut down. Together with the Konsole that was running apt-get. All other open windows, all unsaved work would be lost. Surely a nice tool for slightly advanced users, but installed by default? Maybe it can be configured to prevent such a mess.
HulaHoop
2015-05-24 15:00:01 UTC
Patrick
2015-05-24 17:06:48 UTC
See this screenshot.
{F71}
When users think they are doing something good and check all these boxes, it will kill kdm, their Konsole session, apt-get that was run by the Konsole session as well as all unsaved work.
HulaHoop
2015-05-24 18:42:36 UTC
Patrick
2015-05-26 16:54:26 UTC
Not talking about manual invocation here. It automatically runs with that option during apt-get dist-upgrade. Maybe it's possible to configure this, but then this would require shipping a configuration file. Either as part of the usability-misc package or a separate package.
Apparmor issue:
May 26 16:03:45 host kernel: [ 7239.228434] audit: type=1400 audit(1432656225.140:100): apparmor="DENIED" operation="open" profile="/usr/bin/whonixcheck" name="/etc/dpkg/dpkg.cfg.d/needrestart" pid=13517 comm="dpkg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Needs more work. Therefore moving to Whonix 12.
Patrick
2015-07-29 17:53:57 UTC
Testing the following config… /etc/needrestart/conf.d/50_user.conf
$nrconf{restart} = 'l';
Therefore it doesn’t run interactively anymore. Prevents users selecting services such as kdm and thereby shooting their own feet.
Then the extraneous output when running ‘apt-get dist-upgrade’ is the following.
Scanning processes...
Scanning candidates...
Scanning kernel images...
Failed to retrieve available kernel versions.
Services to be restarted:
Skipping dbus.service...
systemctl restart polkitd.service
Is this output any helpful to users? Let’s go through it line by line.
Failed to retrieve available kernel versions.
- Probably a Qubes specific issue. May or may not be possible to fix this. But for now let's ignore this, since I have greater worries that needrestart actually worsens usability.
Skipping dbus.service...
- I see it coming. Users become concerned, asking in the forums: it said "Skipping dbus.service...", am I hacked? (What this really means, I guess, is something like "dbus is on a list of packages that are not pre-selected for automatic restart recommendation".)
systemctl restart polkitd.service
- Alright. Users would either ignore this or know that it is convenient for them to copy and paste this.
Unless this can be configured better, I think that by default, for most users, the current advice to reboot after upgrading is better. (Not installing needrestart by default.) (For advanced users there can be a hint about needrestart in documentation.)
HulaHoop
2015-07-29 19:18:08 UTC
HulaHoop
2015-07-29 19:31:14 UTC
Patrick
2015-07-29 19:33:19 UTC
In T324#6148, @HulaHoop wrote:
Most people will have no idea what these messages mean to even bother asking if they are hacked.
I think not. Users know these messages. So we have a genuine disagreement here.
Most people will have no idea what these messages mean to even bother asking if they are hacked.
A different answer:
If that is so, if they don't know what these messages mean, why bother installing needrestart then? If they don't know what these messages mean, then this ticket wasn't an improvement.
Using a package manager GUI will hide all the information.
Judging by the current rate of progress, I find this unrealistic and I am not convinced we are getting there anytime soon.
There might still be a way to hide this output either with a needrestart option “a” or in apt-get itself. needrestart manual page:
l
(l)ist only
Is what I was using above. The issues described:
T324#6134
i
(i)nteractive restart
Problematic UI as mentioned here:
T324#4951
a
(a)utomatically restart
Restarting without asking is too intrusive and causes all kinds of trouble. Nothing we should set by default.
HulaHoop
2015-07-29 19:43:20 UTC
HulaHoop
2015-07-29 20:15:04 UTC
OK, I reread what the package does and a compromise would be to make a wrapper for it that hides the output that could trigger support threads and only says: Some packages that were updated need a system restart for the changes to take effect. Restart? Yes/No
We could have the details logged by needrestart to a logfile that advanced users can optionally check out.
HulaHoop
2015-07-29 21:00:29 UTC
Patrick
2015-07-30 12:15:48 UTC
I guess checkrestart is too dated?
A wrapper could work. Disabling the hooks that come with needrestart. Adding new hooks. Having the wrapper run needrestart with hidden output. And showing a simplified message to users as appropriate.
apt-file list needrestart
Another TODO: contacting the author. Giving feedback. Asking if such a wrapper is necessary at all or if there is a simpler solution.
Another related thing:
Debian -- Error
Patrick
2015-07-30 13:57:52 UTC
It also has a batch mode.
sudo needrestart -b
NEEDRESTART-VER: 1.2
NEEDRESTART-KCUR: 3.18.17-5.pvops.qubes.x86_64
NEEDRESTART-KSTA: 0
NEEDRESTART-SVC: dbus.service
NEEDRESTART-SVC: polkitd.service
Failed to retrieve available kernel versions.
- Probably a Qubes specific issue. May or may not be possible to fix this.
That could be fixed. /etc/needrestart/conf.d/50_qubes.conf
$nrconf{kernelhints} = '0';
sudo needrestart -l -b
NEEDRESTART-VER: 1.2
NEEDRESTART-SVC: dbus.service
NEEDRESTART-SVC: polkitd.service
Patrick
2015-07-30 14:11:32 UTC
Patrick
2015-09-29 18:32:54 UTC
Patrick
2015-09-29 18:33:09 UTC
Patrick
2015-11-20 14:57:04 UTC
Patrick
2015-11-20 15:40:03 UTC
Patrick
2016-04-02 19:27:31 UTC
Patrick
2016-04-25 19:58:00 UTC
Patrick
2016-05-09 19:01:29 UTC
Patrick
2017-01-18 09:34:31 UTC
Patrick
2019-06-29 10:13:44 UTC
needrestart works well enough for it to be implemented as a test in #whonixcheck (--verbose?).
sudo needrestart -r l -b
NEEDRESTART-VER: 3.4
NEEDRESTART-KCUR: 4.19.43-1.pvops.qubes.x86_64
NEEDRESTART-KEXP: 4.19.0-5-amd64
NEEDRESTART-KSTA: 3
See needrestart/README.batch.md at master · liske/needrestart · GitHub for the meaning of NEEDRESTART-KSTA.
Output NEEDRESTART-KSTA cannot be interpreted directly yet in Qubes-Whonix, but a temporary auto-generated config file as per T324#6180 could do.
What is a good way to detect that users are using a VM kernel in Qubes? @marmarek If uname -r outputs 4.19.43-1.pvops.qubes.x86_64, i.e. matches *pvops*, does it mean that no VM kernel is being used?
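As an added example (not whonixcheck's or needrestart's own code) that serves both the wrapper idea proposed earlier in this thread and the NEEDRESTART-KSTA question in this comment: a POSIX sh function that reads `needrestart -r l -b` batch output, hides the noisy lines and prints only a simplified user message, and suppresses the kernel hint on a Qubes VM whose `uname -r` matches *pvops*. The KSTA value meanings are taken from needrestart's README.batch.md; treating a *pvops* kernel as the dom0-provided one that needrestart cannot judge is this thread's assumption, and the sample output at the bottom is constructed from the shape shown above.

```shell
#!/bin/sh
# Summarise "needrestart -r l -b" batch output into a short message.
# Batch lines are read from stdin; the running kernel string is passed
# as $1 instead of calling uname -r so the function can be tested offline.
# NEEDRESTART-KSTA values per needrestart's README.batch.md:
#   0 unknown/failed to detect, 1 kernel up to date,
#   2 ABI-compatible upgrade pending, 3 version upgrade pending.
needrestart_summary() {
    kernel="$1"
    ksta=""
    svcs=""
    while IFS= read -r line; do
        case "$line" in
            NEEDRESTART-KSTA:*) ksta="${line#NEEDRESTART-KSTA: }" ;;
            NEEDRESTART-SVC:*)  svcs="$svcs ${line#NEEDRESTART-SVC: }" ;;
            # NEEDRESTART-VER/KCUR/KEXP and "Failed to retrieve ..." are
            # the lines users found confusing; they are dropped on purpose.
        esac
    done
    if [ -n "$svcs" ]; then
        echo "Some updated packages need a service restart:$svcs"
    fi
    case "$kernel" in
        *pvops*)
            # Assumption from this thread: a *pvops* kernel in a Qubes VM is
            # provided by dom0, so needrestart's kernel comparison is not
            # meaningful here and no reboot hint is shown.
            ;;
        *)
            case "$ksta" in
                2|3) echo "A newer kernel is installed; reboot to use it." ;;
            esac
            ;;
    esac
}

# Constructed sample run (in practice: sudo needrestart -r l -b 2>/dev/null |
# needrestart_summary "$(uname -r)"); a plain Debian kernel string is used
# here so the kernel hint is printed.
printf 'NEEDRESTART-VER: 3.4\nNEEDRESTART-KSTA: 3\nNEEDRESTART-SVC: polkitd.service\n' \
    | needrestart_summary '4.19.0-5-amd64'
```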
marmarek
2019-06-29 10:55:32 UTC
Patrick
November 22, 2024, 10:01am
Unfortunately, needrestart had quite some privilege escalation (LPE) attack surface.
Patrick
November 22, 2024, 10:09am
Quote Securing Debian Manual, 4.2. Execute a security update:
, you can install the needrestart package, which will run automatically after each APT upgrade and prompt you to restart services that are affected by the just-installed updates.