I ran a clean release upgrade but now am seeing this:
$ systemcheck
sudo: error while loading shared libraries: libsudo_util.so.0: cannot open shared object file: No such file or directory
$ sudo whoami
root
What is a clean release upgrade?
Which virtualizer?
Please check your systemcheck version:
dpkg -l | grep systemcheck
I apologize about the ambiguity. I mean that I ran all Release Upgrade steps without generating any errors (including sanity checks). The system seems virtually intact…
$ dpkg -l | grep systemcheck
ii systemcheck 3:25.8-1 all Anonymity and security check
VirtualBox 7.0
I cannot reproduce this.
This could be because of prior manual changes to AppArmor profiles? I suspect the AppArmor profile in /etc/apparmor.d is outdated.
To check if configuration files are up-to-date and how to reset these to vendor defaults, see:
Configuration Files - Kicksecure chapter Reset Configuration Files to Vendor Default in Kicksecure wiki
(Whonix is based on Kicksecure.)
I wasn’t sure if you wanted me to post my findings in my thread or here so I’m posting in both and will delete the other after a reply.
Ran:
dpkg -l | grep systemcheck
Output:
ii systemcheck 3.25.8-1
All Anonymity and security check
Ran the following:
sudo debsums -ce
Output:
/etc/apt/sources.list.d/debian.list
I opened up the debian.list file and everything other than the following was # out.
deb tor+https://deb.debian.org/debian bookworm main contrib non-free
deb tor+https://deb.debian.org/debian bookworm-updates main contrib non-free
deb tor+https://deb.debian.org/debian-security bookworm-security main contrib non-free
deb tor+https://deb.debian.org/debian bookworm-backports main contrib non-free
deb tor+https://fasttrack.debian.net/debian bookworm-fasttrack main contrib non-free
Does
cat /etc/apt/sources.list.d/derivative.list | grep --invert-match "#"
show both lines starting with deb
and having:
kicksecure.com
whonix.org
repository lines?
Please compare https://raw.githubusercontent.com/Kicksecure/systemcheck/master/etc/apparmor.d/usr.bin.systemcheck with your local file /etc/apparmor.d/usr.bin.systemcheck. Is it exactly the same? Check using meld or something.
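The repository check asked for above can be scripted. This is an added example, not part of the original thread or of Whonix/Kicksecure tooling; the function names are hypothetical and the sample list files in any test input are constructed. It matches only the clearnet domains kicksecure.com and whonix.org, so with onion transport it reports both as missing and `onion_repo_hosts` lists the onion hosts for manual identification.

```shell
#!/bin/sh
# Added example: verify that an APT list file has active (uncommented) "deb"
# lines for both repositories named in the thread.

# Print the host of every active "deb" line in the file given as $1.
active_repo_hosts() {
    awk '
        /^[[:space:]]*#/ { next }                # commented-out entry
        $1 == "deb" {
            for (i = 2; i <= NF; i++) {
                if ($i ~ /:\/\//) {              # first URI; skips [signed-by=...]
                    uri = $i
                    sub(/^[^:]*:\/\//, "", uri)  # strip scheme, e.g. tor+https://
                    sub(/\/.*$/, "", uri)        # strip path
                    print uri
                    break
                }
            }
        }' "$1"
}

# Print the required domains that have no active line; return 0 only if none
# are missing. A host matches if it equals the domain or is a subdomain of it.
missing_derivative_repos() {
    hosts=$(active_repo_hosts "$1")
    missing=""
    for want in kicksecure.com whonix.org; do
        found=no
        for h in $hosts; do
            case "$h" in "$want"|*."$want") found=yes ;; esac
        done
        [ "$found" = yes ] || missing="$missing $want"
    done
    printf '%s\n' "${missing# }"
    [ -z "$missing" ]
}

# Print active hosts that are onion addresses (cannot be matched by domain).
onion_repo_hosts() {
    active_repo_hosts "$1" | grep '\.onion$' || true
}
```

Run it as `missing_derivative_repos /etc/apt/sources.list.d/derivative.list`; an empty result with exit status 0 means both repository lines are active.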
Hi Patrick. After running the cat command this is the output:
deb [signed-by=/usr/share/keyring/derivative.asc] tor+https://deb.whonix.org bookworm main contrib non-free
sudo nano /etc/apparmor.d/usr.bin.systemcheck
Output file is different to the link you provided:
the copyright shows 2012 - 2022 and then after this line:
usr/bin/systemcheck flags=(attach_disconnected) {
All the includes have # in front of them and there are only 5 includes. The first capability shows capability sys_ptrace; the rest of the contents also appear different compared to the link you provided.
I then installed VirtualBox on a different machine and checked the file; the file shows the same content as the link you provided.
Therefore the KVM file appears to be old and outdated.
You’re missing the Kicksecure repository. Since Whonix 17, both Whonix and Kicksecure repositories need to be enabled in Whonix. To enable:
sudo repository-dist --enable --repository stable
Then please re-check that file.
(Whonix is based on Kicksecure.)
It’s an upgrade migration bug that you’re missing that repository and that the release-upgrade script did not advise on that beforehand.
This issue is unspecific to KVM / VirtualBox / Qubes. These are all using the same repositories. [1]
[1] (Except Qubes-Whonix having the Qubes repository enabled by default but that’s not important and besides the point.)
Ran the command:
sudo repository-dist --enable --repository stable
Afterwards I ran upgrade-nonroot. (on both GW and WS)
New files installed and systemcheck now working. I have been using my setup without this fix for about a week. Is there any way I was compromised?
There’s no indication for that.
Thanks Patrick, everything appears to be in working order now.
For me, running sudo debsums -ce results in:
/etc/apt/sources.list.d/debian.list
/etc/apparmor.d/local/usr.bin.thunderbird
$ cat /etc/apt/sources.list.d/derivative.list | grep --invert-match "#"
deb [signed-by=/usr/share/keyrings/derivative.asc] tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion bookworm main contrib non-free
$ sudo cat /etc/apparmor.d/local/usr.bin.thunderbird
$
(empty file)
$ sudo apt-get-reset thunderbird
...
Unpacking thunderbird (1:102.15.1-1~deb12u1) over (1:102.15.1-1~deb12u1) ...
Setting up thunderbird (1:102.15.1-1~deb12u1) ...
Skipping profile in /etc/apparmor.d/disable: usr.bin.thunderbird
...
Not sure how to proceed with the Thunderbird matter.
You do not have the Kicksecure repository. Can be enabled as per:
systemcheck sudo: error while loading shared libraries: libsudo_util.so.0: cannot open shared object file: No such file or directory - #8 by Patrick
Yes, I saw that and remediated it, thank you. I can’t say that I recall disabling Thunderbird’s AppArmor profile. Does anything need to be done about this?
Or, after invoking both:
$ sudo repository-dist --enable --repository stable --transport onion
$ sudo apt-get-reset thunderbird
Despite the message from apt-get-reset that:
Skipping profile in /etc/apparmor.d/disable: usr.bin.thunderbird
and from debsums -ce that:
/etc/apt/sources.list.d/debian.list
/etc/apparmor.d/local/usr.bin.thunderbird
after executing the prior commands, can I just go ahead and run upgrade-nonroot and expect that systemcheck will be in working order?
Yes.
If you are using Thunderbird.
sudo aa-enforce /etc/apparmor.d/usr.bin.thunderbird
After the “full” release-upgrade with both repositories enabled.