View file File name : ubuntu-security-status Content :#!/usr/bin/python3 import apt import argparse import distro_info import json import os import sys import gettext import shutil import subprocess from UpdateManager.Core.utils import get_dist from datetime import datetime from textwrap import wrap from urllib.error import URLError, HTTPError from urllib.request import urlopen # TODO make DEBUG an environmental variable DEBUG = False UA_STATUS_FILE = "/var/lib/ubuntu-advantage/status.json" class PatchStats: """Tracks overall patch status The relationship between archives enabled and whether a patch is eligible for receiving updates is non-trivial. We track here all the important buckets a package can be in: - Whether it is set to expire with no ESM coverage - Whether it is in an archive covered by ESM - Whether it received LTS patches - whether it received ESM patches We also track the total packages covered and uncovered, and for the uncovered packages, we track where they originate from. The Ubuntu main archive receives patches for 5 years. Canonical-owned archives (excluding partner) receive patches for 10 years. patches for 10 years. """ def __init__(self): # TODO no-update FIPS is never patched self.pkgs_uncovered_fips = set() # list of package names available in ESM self.pkgs_updated_in_esmi = set() self.pkgs_updated_in_esma = set() self.pkgs_mr = set() self.pkgs_um = set() self.pkgs_unavailable = set() self.pkgs_thirdparty = set() # the bin of unknowns self.pkgs_uncategorized = set() def print_debug(s): if DEBUG: print(s) def whats_in_esm(url): pkgs = set() # return a set of package names in an esm archive try: response = urlopen(url) except (URLError, HTTPError): print_debug('failed to load: %s' % url) return pkgs try: content = response.read().decode('utf-8') except IOError: print('failed to read data at: %s' % url) sys.exit(1) for line in content.split('\n'): if not line.startswith('Package:'): continue else: pkg = line.split(': ')[1] pkgs.add(pkg) return pkgs def get_ua_status(): """Return dict of active ua status information from ubuntu-advantage-tools Prefer to obtain status information from cache on disk to avoid costly roundtrips to contracts.canonical.com to check on available services. Fallback to call ua status --format=json. If there are errors running: ua status --format=json or if the status on disk is unparseable, return an empty dict. """ if os.path.exists(UA_STATUS_FILE): with open(UA_STATUS_FILE, "r") as stream: status = stream.read() else: try: status = subprocess.check_output( ['ua', 'status', '--format=json'] ).decode() except subprocess.CalledProcessError as e: print_debug('failed to run ua status: %s' % e) return {} try: return json.loads(status) except json.decoder.JSONDecodeError as e: print_debug('failed to parse JSON from ua status output: %s' % e) return {} def is_ua_service_enabled(service_name: str) -> bool: """Check to see if named esm service is enabled. :return: True if UA status reports service as enabled. """ status = get_ua_status() for service in status.get("services", []): if service["name"] == service_name: # Machines unattached to UA will not provide service 'status' key. return service.get("status") == "enabled" return False def trim_archive(archive): return archive.split("-")[-1] def trim_site(host): # *.ec2.archive.ubuntu.com -> archive.ubuntu.com if host.endswith("archive.ubuntu.com"): return "archive.ubuntu.com" return host def mirror_list(): m_file = '/usr/share/ubuntu-release-upgrader/mirrors.cfg' if not os.path.exists(m_file): print("Official mirror list not found.") with open(m_file) as f: items = [x.strip() for x in f] mirrors = [s.split('//')[1].split('/')[0] for s in items if not s.startswith("#") and not s == ""] # ddebs.ubuntu.com isn't in mirrors.cfg for every release mirrors.append('ddebs.ubuntu.com') return mirrors def origins_for(ver: apt.package.Version) -> str: s = [] for origin in ver.origins: if not origin.site: # When the package is installed, site is empty, archive/component # are "now/now" continue site = trim_site(origin.site) s.append("%s %s/%s" % (site, origin.archive, origin.component)) return ",".join(s) def print_wrapped(str): print("\n".join(wrap(str, break_on_hyphens=False))) def print_thirdparty_count(): print(gettext.dngettext("update-manager", "%s package is from a third party", "%s packages are from third parties", len(pkgstats.pkgs_thirdparty)) % "{:>{width}}".format(len(pkgstats.pkgs_thirdparty), width=width)) def print_unavailable_count(): print(gettext.dngettext("update-manager", "%s package is no longer available for " "download", "%s packages are no longer available for " "download", len(pkgstats.pkgs_unavailable)) % "{:>{width}}".format(len(pkgstats.pkgs_unavailable), width=width)) def parse_options(): '''Parse command line arguments. Return parser ''' parser = argparse.ArgumentParser( description='Return information about security support for packages') parser.add_argument('--thirdparty', action='store_true') parser.add_argument('--unavailable', action='store_true') return parser if __name__ == "__main__": # Prefer redirecting to 'pro security-status' if it exists if shutil.which("/usr/bin/pro"): print("This command has been replaced with 'pro security-status'.") subprocess.run(["/usr/bin/pro", "security-status"]) sys.exit(0) # gettext APP = "update-manager" DIR = "/usr/share/locale" gettext.bindtextdomain(APP, DIR) gettext.textdomain(APP) parser = parse_options() args = parser.parse_args() esm_site = "esm.ubuntu.com" try: dpkg = subprocess.check_output(['dpkg', '--print-architecture']) arch = dpkg.decode().strip() except subprocess.CalledProcessError: print("failed getting dpkg architecture") sys.exit(1) cache = apt.Cache() pkgstats = PatchStats() codename = get_dist() di = distro_info.UbuntuDistroInfo() lts = di.is_lts(codename) release_expired = True if codename in di.supported(): release_expired = False # distro-info-data in Ubuntu 16.04 LTS does not have eol-esm data if codename != 'xenial': eol_data = [(r.eol, r.eol_esm) for r in di._releases if r.series == codename][0] elif codename == 'xenial': eol_data = (datetime.strptime('2021-04-21', '%Y-%m-%d'), datetime.strptime('2024-04-21', '%Y-%m-%d')) eol = eol_data[0] eol_esm = eol_data[1] all_origins = set() origins_by_package = {} official_mirrors = mirror_list() # N.B. only the security pocket is checked because this tool displays # information about security updates esm_url = \ 'https://%s/%s/ubuntu/dists/%s-%s-%s/main/binary-%s/Packages' pkgs_in_esma = whats_in_esm(esm_url % (esm_site, 'apps', codename, 'apps', 'security', arch)) pkgs_in_esmi = whats_in_esm(esm_url % (esm_site, 'infra', codename, 'infra', 'security', arch)) for pkg in cache: pkgname = pkg.name downloadable = True if not pkg.is_installed: continue if not pkg.candidate or not pkg.candidate.downloadable: downloadable = False pkg_sites = [] origins_by_package[pkgname] = set() for ver in pkg.versions: # Loop through origins and store all of them. The idea here is that # we don't care where the installed package comes from, provided # there is at least one repository we identify as being # security-assured under either LTS or ESM. for origin in ver.origins: # TODO: in order to handle FIPS and other archives which have # root-level path names, we'll need to loop over ver.uris # instead if not origin.site: continue site = trim_site(origin.site) archive = origin.archive component = origin.component origin = origin.origin official_mirror = False thirdparty = True # thirdparty providers like dl.google.com don't set "Origin" if origin != "Ubuntu": thirdparty = False if site in official_mirrors: site = "official_mirror" if "MY_MIRROR" in os.environ: if site in os.environ["MY_MIRROR"]: site = "official_mirror" t = (site, archive, component, thirdparty) if not site: continue all_origins.add(t) origins_by_package[pkgname].add(t) if DEBUG: pkg_sites.append("%s %s/%s" % (site, archive, component)) print_debug("available versions for %s" % pkgname) print_debug(",".join(pkg_sites)) # This tracks suites we care about. Sadly, it appears that the way apt # stores origins truncates away the path that comes after the # domainname in the site portion, or maybe I am just clueless, but # there's no way to tell FIPS apart from ESM, for instance. # See 00REPOS.txt for examples # 2020-03-18 ver.filename has the path so why is that no good? # TODO Need to handle: # MAAS, lxd, juju PPAs # other PPAs # other repos # TODO handle partner.c.c # main and restricted from release, -updates, -proposed, or -security # pockets suite_main = ("official_mirror", codename, "main", True) suite_main_updates = ("official_mirror", codename + "-updates", "main", True) suite_main_security = ("official_mirror", codename + "-security", "main", True) suite_main_proposed = ("official_mirror", codename + "-proposed", "main", True) suite_restricted = ("official_mirror", codename, "restricted", True) suite_restricted_updates = ("official_mirror", codename + "-updates", "restricted", True) suite_restricted_security = ("official_mirror", codename + "-security", "restricted", True) suite_restricted_proposed = ("official_mirror", codename + "-proposed", "restricted", True) # universe and multiverse from release, -updates, -proposed, or -security # pockets suite_universe = ("official_mirror", codename, "universe", True) suite_universe_updates = ("official_mirror", codename + "-updates", "universe", True) suite_universe_security = ("official_mirror", codename + "-security", "universe", True) suite_universe_proposed = ("official_mirror", codename + "-proposed", "universe", True) suite_multiverse = ("official_mirror", codename, "multiverse", True) suite_multiverse_updates = ("official_mirror", codename + "-updates", "multiverse", True) suite_multiverse_security = ("official_mirror", codename + "-security", "multiverse", True) suite_multiverse_proposed = ("official_mirror", codename + "-proposed", "multiverse", True) # packages from the esm respositories # N.B. Origin: Ubuntu is not set for esm suite_esm_main = (esm_site, "%s-infra-updates" % codename, "main") suite_esm_main_security = (esm_site, "%s-infra-security" % codename, "main") suite_esm_universe = (esm_site, "%s-apps-updates" % codename, "main") suite_esm_universe_security = (esm_site, "%s-apps-security" % codename, "main") esm_infra_enabled = is_ua_service_enabled("esm-infra") esm_apps_enabled = is_ua_service_enabled("esm-apps") ua_attached = get_ua_status().get("attached", False) # Now do the final loop through for pkg in cache: if not pkg.is_installed: continue if not pkg.candidate or not pkg.candidate.downloadable: pkgstats.pkgs_unavailable.add(pkg.name) continue pkgname = pkg.name pkg_origins = origins_by_package[pkgname] # This set of is_* booleans tracks specific situations we care about in # the logic below; for instance, if the package has a main origin, or # if the esm repos are enabled. # Some packages get added in -updates and don't exist in the release # pocket e.g. ubuntu-advantage-tools and libdrm-updates. To be safe all # pockets are allowed. is_mr_pkg_origin = (suite_main in pkg_origins) or \ (suite_main_updates in pkg_origins) or \ (suite_main_security in pkg_origins) or \ (suite_main_proposed in pkg_origins) or \ (suite_restricted in pkg_origins) or \ (suite_restricted_updates in pkg_origins) or \ (suite_restricted_security in pkg_origins) or \ (suite_restricted_proposed in pkg_origins) is_um_pkg_origin = (suite_universe in pkg_origins) or \ (suite_universe_updates in pkg_origins) or \ (suite_universe_security in pkg_origins) or \ (suite_universe_proposed in pkg_origins) or \ (suite_multiverse in pkg_origins) or \ (suite_multiverse_updates in pkg_origins) or \ (suite_multiverse_security in pkg_origins) or \ (suite_multiverse_proposed in pkg_origins) is_esm_infra_pkg_origin = (suite_esm_main in pkg_origins) or \ (suite_esm_main_security in pkg_origins) is_esm_apps_pkg_origin = (suite_esm_universe in pkg_origins) or \ (suite_esm_universe_security in pkg_origins) # A third party one won't appear in any of the above origins if not is_mr_pkg_origin and not is_um_pkg_origin \ and not is_esm_infra_pkg_origin and not is_esm_apps_pkg_origin: pkgstats.pkgs_thirdparty.add(pkgname) if False: # TODO package has ESM fips origin # TODO package has ESM fips-updates origin: OK # If user has enabled FIPS, but not updates, BAD, but need some # thought on how to display it, as it can't be patched at all pass elif is_mr_pkg_origin: pkgstats.pkgs_mr.add(pkgname) elif is_um_pkg_origin: pkgstats.pkgs_um.add(pkgname) else: # TODO print information about packages in this category if in # debugging mode pkgstats.pkgs_uncategorized.add(pkgname) # Check to see if the package is available in esm-infra or esm-apps # and add it to the right pkgstats category # NB: apps is ordered first for testing the hello package which is both # in esmi and esma if pkgname in pkgs_in_esma: pkgstats.pkgs_updated_in_esma.add(pkgname) elif pkgname in pkgs_in_esmi: pkgstats.pkgs_updated_in_esmi.add(pkgname) total_packages = (len(pkgstats.pkgs_mr) + len(pkgstats.pkgs_um) + len(pkgstats.pkgs_thirdparty) + len(pkgstats.pkgs_unavailable)) width = len(str(total_packages)) print("%s packages installed, of which:" % "{:>{width}}".format(total_packages, width=width)) # filters first as they provide less information if args.thirdparty: if pkgstats.pkgs_thirdparty: pkgs_thirdparty = sorted(p for p in pkgstats.pkgs_thirdparty) print_thirdparty_count() print_wrapped(' '.join(pkgs_thirdparty)) msg = ("Packages from third parties are not provided by the " "official Ubuntu archive, for example packages from " "Personal Package Archives in Launchpad.") print("") print_wrapped(msg) print("") print_wrapped("Run 'apt-cache policy %s' to learn more about " "that package." % pkgs_thirdparty[0]) sys.exit(0) else: print_wrapped("You have no packages installed from a third party.") sys.exit(0) if args.unavailable: if pkgstats.pkgs_unavailable: pkgs_unavailable = sorted(p for p in pkgstats.pkgs_unavailable) print_unavailable_count() print_wrapped(' '.join(pkgs_unavailable)) msg = ("Packages that are not available for download " "may be left over from a previous release of " "Ubuntu, may have been installed directly from " "a .deb file, or are from a source which has " "been disabled.") print("") print_wrapped(msg) print("") print_wrapped("Run 'apt-cache show %s' to learn more about " "that package." % pkgs_unavailable[0]) sys.exit(0) else: print_wrapped("You have no packages installed that are no longer " "available.") sys.exit(0) # Only show LTS patches and expiration notices if the release is not # yet expired; showing LTS patches would give a false sense of # security. if not release_expired: print("%s receive package updates%s until %d/%d" % ("{:>{width}}".format(len(pkgstats.pkgs_mr), width=width), " with LTS" if lts else "", eol.month, eol.year)) elif release_expired and lts: receive_text = "could receive" if esm_infra_enabled: if len(pkgstats.pkgs_mr) == 1: receive_text = "is receiving" else: receive_text = "are receiving" print("%s %s security updates with ESM Infra " "until %d/%d" % ("{:>{width}}".format(len(pkgstats.pkgs_mr), width=width), receive_text, eol_esm.month, eol_esm.year)) if lts and pkgstats.pkgs_um and is_ua_service_enabled("esm-apps"): if len(pkgstats.pkgs_um) == 1: receive_text = "is receiving" else: receive_text = "are receiving" print("%s %s security updates with ESM Apps " "until %d/%d" % ("{:>{width}}".format(len(pkgstats.pkgs_um), width=width), receive_text, eol_esm.month, eol_esm.year)) if pkgstats.pkgs_thirdparty: print_thirdparty_count() if pkgstats.pkgs_unavailable: print_unavailable_count() # print the detail messages after the count of packages if pkgstats.pkgs_thirdparty: msg = ("Packages from third parties are not provided by the " "official Ubuntu archive, for example packages from " "Personal Package Archives in Launchpad.") print("") print_wrapped(msg) action = ("For more information on the packages, run " "'ubuntu-security-status --thirdparty'.") print_wrapped(action) if pkgstats.pkgs_unavailable: msg = ("Packages that are not available for download " "may be left over from a previous release of " "Ubuntu, may have been installed directly from " "a .deb file, or are from a source which has " "been disabled.") print("") print_wrapped(msg) action = ("For more information on the packages, run " "'ubuntu-security-status --unavailable'.") print_wrapped(action) # print the ESM calls to action last if lts and not esm_infra_enabled: if release_expired and pkgstats.pkgs_mr: pkgs_updated_in_esmi = pkgstats.pkgs_updated_in_esmi print("") msg = gettext.dngettext( "update-manager", "Enable Extended Security " "Maintenance (ESM Infra) to " "get %i security update (so far) ", "Enable Extended Security " "Maintenance (ESM Infra) to " "get %i security updates (so far) ", len(pkgs_updated_in_esmi)) % len(pkgs_updated_in_esmi) msg += gettext.dngettext( "update-manager", "and enable coverage of %i " "package.", "and enable coverage of %i " "packages.", len(pkgstats.pkgs_mr)) % len(pkgstats.pkgs_mr) print_wrapped(msg) if ua_attached: print("\nEnable ESM Infra with: ua enable esm-infra") if lts and not ua_attached: print("\nThis machine is not attached to an Ubuntu Advantage " "subscription.\nSee https://ubuntu.com/advantage")