After a security update of a library, all programs that use the library must be restarted for the update to become effective. whatmaps takes a package name and looks (on Linux systems) in /proc/pid/maps for processes that map shared objects contained in that package. It then uses the corresponding processes to find the services that need to be restarted.

It supports more complex scenarios, such as package A needing a restart of package B, or blacklisting services on a global or per-package basis, using (for now) internal lists and dicts.

It currently supports Debian and Fedora but might also work well on other Debian or RPM based distributions. The current release is 0.0.3.
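
The /proc/pid/maps lookup described above, as an added Python example (not whatmaps' own code): it parses maps content, strips the kernel's " (deleted)" suffix so that a library replaced by an upgrade still matches, and reports which processes map files from a package's file list. The function names, sample paths and PIDs are constructed for illustration.

```python
import os

DELETED = " (deleted)"  # kernel suffix for mappings whose file was unlinked

def mapped_files(maps_text):
    """Return {path: was_deleted} for the file-backed mappings of one process."""
    found = {}
    for line in maps_text.splitlines():
        # Fields: address perms offset dev inode [pathname]
        fields = line.split(None, 5)
        if len(fields) < 6 or not fields[5].startswith("/"):
            continue  # anonymous mapping or pseudo-path such as [stack]
        path, deleted = fields[5], fields[5].endswith(DELETED)
        if deleted:
            # An upgrade replaces the file, so the old copy shows up as deleted.
            path = path[:-len(DELETED)]
        found[path] = found.get(path, False) or deleted
    return found

def processes_mapping(package_files, maps_by_pid):
    """Return {pid: sorted package files that the process still maps}."""
    hits = {}
    for pid, text in maps_by_pid.items():
        matched = sorted(set(package_files).intersection(mapped_files(text)))
        if matched:
            hits[pid] = matched
    return hits

def read_proc_maps(proc="/proc"):
    """Read the maps file of every process we may inspect (Linux only)."""
    maps = {}
    for entry in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(os.path.join(proc, entry, "maps")) as f:
                maps[int(entry)] = f.read()
        except OSError:
            pass  # process exited meanwhile, or root is needed to read it
    return maps

# Constructed sample data: a package file list and two processes' maps.
SAMPLE_PKG_FILES = ["/usr/lib/libssl.so.0.9.8", "/usr/lib/libcrypto.so.0.9.8"]
SAMPLE_MAPS = {
    1201: "00400000-0040b000 r-xp 00000000 08:01 131 /usr/sbin/ntpd\n"
          "7f10a0000000-7f10a0050000 r-xp 00000000 08:01 777 /usr/lib/libssl.so.0.9.8 (deleted)\n"
          "7ffd10000000-7ffd10021000 rw-p 00000000 00:00 0 [stack]\n",
    1302: "00400000-0040b000 r-xp 00000000 08:01 140 /bin/cat\n"
          "01000000-01021000 rw-p 00000000 00:00 0\n",
}

if __name__ == "__main__":
    print(processes_mapping(SAMPLE_PKG_FILES, SAMPLE_MAPS))
```

On a live system, pass `read_proc_maps()` as the second argument and the package's file list (on Debian, the output of `dpkg -L <pkg>`) as the first.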

Installation

Since it's a single script you can either use the script right away or call:

python setup.py install

to install it. You can also build a Debian package from the 'debian/master' branch.

Pre-built packages

Debian Packages for Wheezy can be found here.

Usage

Simply pass the names of the packages that had shared objects updated:

whatmaps <pkg1> <pkg2>

The example output looks like:

# whatmaps libssl0.9.8
WARNING: No service script found in 'krb5-auth-dialog' for '['/usr/bin/krb5-auth-dialog']' - restart manually
WARNING: No service script found in 'openssh-client' for '['/usr/bin/ssh-agent']' - restart manually
WARNING: No service script found in 'vim-gnome' for '['/usr/bin/vim.gnome']' - restart manually
WARNING: No service script found in 'isc-dhcp-client' for '['/sbin/dhclient']' - restart manually
WARNING: No service script found in 'wpasupplicant' for '['/sbin/wpa_supplicant']' - restart manually
Services that possibly need to be restarted:
postfix
libvirt-bin
ntpd

Note that the processes whatmaps warns about above belong to packages without any init scripts (e.g. they were started by a desktop session). They need to be restarted manually at the moment. The services found by whatmaps can be restarted using the --restart option:

whatmaps --restart <pkg1> <pkg2>

Apt Integration

To enable automatic restarts during security updates on Debian based systems set:

Whatmaps::Enable-Restart "1";

in /etc/apt/apt.conf.d/20services.

Source Code

The source code is available via:

git clone https://git.sigxcpu.org/cgit/whatmaps

and can be browsed here.

Notes

Checkrestart in the debian-goodies package detects processes that need to be restarted by using lsof to check whether a file was deleted but is still in use. You might want to try this one since it has been well tested in Debian since 2003. The idea behind whatmaps is to do the lookup on a per-package basis so we can let apt decide if it's a security upgrade (based on the origin) and only restart the service in this case.

TODO

  • More reliable mapping between processes and init scripts
  • Better support for daemons in interpreted languages like xend or calendarserver, so far we only detect that /usr/bin/python2.X is affected.
  • Check Desktop files (suspend/resume makes them long running) and notify users about affected processes in their session
  • Try to runtime inspect python/perl/java for loaded modules using lsof or PTRACE_PEEKDATA
  • Apt integration
  • Better Fedora support
  • Support for other init systems (filerc, upstart) besides SysV-RC and systemd
  • DNF/Yum integration

Author

whatmaps was written by Guido Günther.

Mailing List

whatmaps has its own mailing list for general discussion and patches.

License

whatmaps is free software and licensed under the GPL Version 3.