batch mode yields different kernel results as root versus user

[galentx]

I'm using needrestart in batch mode in a script which runs in user space. It returns an indication that a restart is needed, but when run as root, it does not. It seems like it should either (1) report the same results whether run as root or not, or (2) report some kind of error to a non-root user if root is required to achieve accurate results.

$ sudo needrestart -k -b
NEEDRESTART-VER: 3.1
NEEDRESTART-KCUR: 4.15.0-188-generic
NEEDRESTART-KEXP: 4.15.0-188-generic
NEEDRESTART-KSTA: 1
$ needrestart -k -b 2>
NEEDRESTART-VER: 3.1
NEEDRESTART-KCUR: 4.15.0-188-generic
NEEDRESTART-KEXP: 4.15.0-188-generic
NEEDRESTART-KSTA: 2
$ needrestart --version

needrestart 3.1 - Restart daemons after library updates.

Authors:
  Thomas Liske <thomas@fiasko-nw.net>

Copyright Holder:
  2013 - 2018 (C) Thomas Liske [http://fiasko-nw.net/~thomas/]

Upstream:
  https://github.com/liske/needrestart

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 18.04.6 LTS
Release:        18.04
Codename:       bionic
ubuntu@ubuntu-hamakua:~$

The system has been rebooted several times while this condition persists. If I am misusing the tool, I would be grateful for redirection to using it correctly. I'll also happily attempt diagnostics on the subject system with direction.

-Galen

[liske]

You are using a old version of needrestart, can you check if it also happens with a more recent release of needrestart?

I was not able to reproduce this issue on Debian stable (needrestart 3.5).

[galentx]

Yes, I noticed that Ubuntu 18.04 (Bionic) packages are stuck on 3.1. Let me research a bit into how to install the latest release in my environment and I'll test it.

In the meantime, I think I have determined that the difference between root and user results is due to /boot/vmlinuz* having 0600 permissions. The script vmlinuz-get-version attempts to extract the internal version number from the file and fails, but doesn't appear to properly account for the access failure. I think another script must also check the kernel files because a hack I tried to gracefully return an error from vmlinuz-get-version reduced the number of errors reported by needrestart -b -v -k but there were still two kernel file access errors and NEEDRESTART-KSTA was still 2 in user mode.

I'll follow up once I can install and test a more recent version

[galentx]

I was able to straightforwardly update to 3.5 by pulling from ubuntu jammy. I get the same results: user mode indicates that a kernel difference exists whereas root mode does not. The issue appears to be that the kernel files in /boot are not readable by non-root users.

It may take a little more work to install 3.6.

~$ needrestart -b -k -v
[main] eval /etc/needrestart/needrestart.conf
[main] needrestart v3.5
[main] running in user mode
[main] systemd detected
[main] vm detected
NEEDRESTART-VER: 3.5
[main] inside container or vm, skipping microcode checks
[Kernel] Linux: kernel release 4.15.0-191-generic, kernel version #202-Ubuntu SMP Thu Aug 4 01:49:29 UTC 2022
Failed to load NeedRestart::Kernel::kFreeBSD: [Kernel/kFreeBSD] Not running on GNU/kFreeBSD!
[Kernel/Linux] Could not open linux image (/boot/vmlinuz-4.15.0-191-generic): Permission denied
+ mktemp
+ tmp=/tmp/tmp.u1mVeMxsqA
+ trap rm -f /tmp/tmp.u1mVeMxsqA 0
+ get_version /boot/vmlinuz-4.15.0-191-generic
+ grep -aom 1 Linux version [0123456789].* /boot/vmlinuz-4.15.0-191-generic
grep: /boot/vmlinuz-4.15.0-191-generic: Permission denied
+ which gunzip
+ try_decompress \037\213\010 xy gunzip
/usr/lib/needrestart/vmlinuz-get-version: 32: /usr/lib/needrestart/vmlinuz-get-version: cannot open /boot/vmlinuz-4.15.0-191-generic: Permission denied
+ tr \037\213\010\nxy \nxy=
+ grep -abo ^xy
+ which unxz
+ try_decompress \3757zXZ\000 abcde unxz
/usr/lib/needrestart/vmlinuz-get-version: 32: /usr/lib/needrestart/vmlinuz-get-version: cannot open /boot/vmlinuz-4.15.0-191-generic: Permission denied
+ tr \3757zXZ\000\nabcde \nabcde=
+ grep -abo ^abcde
+ which bunzip2
+ try_decompress BZh xy bunzip2
+ /usr/lib/needrestart/vmlinuz-get-version: 32: /usr/lib/needrestart/vmlinuz-get-version: cannot open /boot/vmlinuz-4.15.0-191-generic: Permission denied
+ tr BZh\nxy \nxy=
grep -abo ^xy
+ which unlzma
+ try_decompress \135\0\0\0 xxx unlzma
/usr/lib/needrestart/vmlinuz-get-version: 32: /usr/lib/needrestart/vmlinuz-get-version: cannot open /boot/vmlinuz-4.15.0-191-generic: Permission denied
+ tr \135\0\0\0\nxxx \nxxx=
+ grep -abo ^xxx
+ which lzop
+ rm -f /tmp/tmp.u1mVeMxsqA
[Kernel/Linux] version from filename: 4.15.0-191-generic
[Kernel/Linux] /boot/vmlinuz-4.15.0-191-generic => 4.15.0-191-generic [4.15.0-191-generic]
[Kernel/Linux] Could not open linux image (/boot/vmlinuz-4.15.0-189-generic): Permission denied
+ mktemp
+ tmp=/tmp/tmp.dnxxc9pJ74
+ trap rm -f /tmp/tmp.dnxxc9pJ74 0
+ get_version /boot/vmlinuz-4.15.0-189-generic
+ grep -aom 1 Linux version [0123456789].* /boot/vmlinuz-4.15.0-189-generic
grep: /boot/vmlinuz-4.15.0-189-generic: Permission denied
+ which gunzip
+ try_decompress \037\213\010 xy gunzip
/usr/lib/needrestart/vmlinuz-get-version: 32: /usr/lib/needrestart/vmlinuz-get-version: cannot open /boot/vmlinuz-4.15.0-189-generic: Permission denied
+ tr \037\213\010\nxy \nxy=
+ grep -abo ^xy
+ which unxz
+ try_decompress \3757zXZ\000 abcde unxz
/usr/lib/needrestart/vmlinuz-get-version: 32: /usr/lib/needrestart/vmlinuz-get-version: cannot open /boot/vmlinuz-4.15.0-189-generic: Permission denied
+ tr \3757zXZ\000\nabcde \nabcde=
+ grep -abo ^abcde
+ which bunzip2
+ try_decompress BZh xy bunzip2
/usr/lib/needrestart/vmlinuz-get-version: 32: /usr/lib/needrestart/vmlinuz-get-version: cannot open /boot/vmlinuz-4.15.0-189-generic: Permission denied
+ tr BZh\nxy \nxy=
+ grep -abo ^xy
+ which unlzma
+ try_decompress \135\0\0\0 xxx unlzma
/usr/lib/needrestart/vmlinuz-get-version: 32: /usr/lib/needrestart/vmlinuz-get-version: cannot open /boot/vmlinuz-4.15.0-189-generic: Permission denied
+ tr \135\0\0\0\nxxx \nxxx=
+ grep -abo ^xxx
+ which lzop
+ rm -f /tmp/tmp.dnxxc9pJ74
[Kernel/Linux] version from filename: 4.15.0-189-generic
[Kernel/Linux] /boot/vmlinuz-4.15.0-189-generic => 4.15.0-189-generic [4.15.0-189-generic]
[Kernel/Linux] Expected linux version: 4.15.0-191-generic
NEEDRESTART-KCUR: 4.15.0-191-generic
NEEDRESTART-KEXP: 4.15.0-191-generic
NEEDRESTART-KSTA: 2

~$ sudo needrestart -b -k -v
[main] eval /etc/needrestart/needrestart.conf
[main] needrestart v3.5
[main] running in root mode
[main] systemd detected
[main] vm detected
NEEDRESTART-VER: 3.5
[main] inside container or vm, skipping microcode checks
[Kernel] Linux: kernel release 4.15.0-191-generic, kernel version #202-Ubuntu SMP Thu Aug 4 01:49:29 UTC 2022
Failed to load NeedRestart::Kernel::kFreeBSD: [Kernel/kFreeBSD] Not running on GNU/kFreeBSD!
[Kernel/Linux] /boot/vmlinuz-4.15.0-191-generic => 4.15.0-191-generic (buildd@lcy02-amd64-032) #202-Ubuntu SMP Thu Aug 4 01:49:29 UTC 2022 [4.15.0-191-generic]*
[Kernel/Linux] /boot/vmlinuz-4.15.0-189-generic => 4.15.0-189-generic (buildd@lcy02-amd64-039) #200-Ubuntu SMP Wed Jun 22 19:53:37 UTC 2022 [4.15.0-189-generic]
[Kernel/Linux] Expected linux version: 4.15.0-191-generic
NEEDRESTART-KCUR: 4.15.0-191-generic
NEEDRESTART-KEXP: 4.15.0-191-generic
NEEDRESTART-KSTA: 1

~$ ls -la /boot/vmlinuz*
-rw------- 1 root root 8474272 Jun 22 13:30 /boot/vmlinuz-4.15.0-189-generic
-rw------- 1 root root 8470176 Aug  3 20:24 /boot/vmlinuz-4.15.0-191-generic
~$

[liske]

You have those Permission denied errors accessing the kernel images so needrestart cannot detect the image's version string. So this seems to not being a bug in needrestart.

[galentx]

I think it is a bug that it reports an erroneous answer rather than returning an error.