Thank you for your interest in improving the default experience in
Ubuntu.

We do understand that not everyone wants their machines to be talking to
the Ubuntu servers, which is why there are several ways to disable this
functionality.

 - on a per-machine basis, you can set ENABLED=0.
 - on a site-wide basis, you can firewall motd.ubuntu.com.

There is a factual inaccuracy in your report, which is to say that this
feature can be used to track login activity on machines.  The
update-motd script in question contains the following check:

  # If we're not forcing an update, and we have a cached motd-news file,
  # then just print it and exit as quickly as possible, for login performance.
  # Note that systemd should keep this cache file up to date, asynchronously
  if [ "$FORCED" != "1" ]; then
          if [ -r $CACHE ]; then
                  echo
                  safe_print $CACHE
          else
                  : > $CACHE
          fi
          exit 0
  fi

Thus, aside from a possible execution at first login, systems will only
contact motd.ubuntu.com twice per day with no correlation with user
logins.

It is also the case that Ubuntu systems already talk to Ubuntu servers
daily by default, as apt will check twice daily for updates from
archive.ubuntu.com and security.ubuntu.com, so the behavior of this
update-motd script in base-files is consistent with the existing
experience.

Finally, you've raised the concern that this script exposes information
about the system that could be used to exploit said system.

Canonical takes the security of Ubuntu users very seriously.  This is
why, by default, security updates are applied to all Ubuntu systems
daily in 18.04.  This is why we offer a kernel livepatch service that
enables users of Ubuntu 18.04 to fix high and critical kernel
vulnerabilities outside of scheduled maintenance windows.

If motd.ubuntu.com were ever to leak information to an attacker about
what machines on the Internet were vulnerable to a particular attack,
the root problem there would not be that information was shared with
motd.ubuntu.com; the root problem would be that Ubuntu machines
connected to the Internet had not had necessary security updates applied
to them.  Because on the Internet at large, attackers do not wait for a
service like motd.ubuntu.com to tell them which machines are vulnerable
before exploiting them.

On the other hand, motd.ubuntu.com is a very important source of
information for US about what versions of Ubuntu are in use in the wild
- information that can be used, among other things, to identify problems
with the rollout of kernel security updates to our users.

So while it's understandable that some users will not want this
behavior, I believe that it is defensible as default behavior in Ubuntu.
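As an added illustration of the control flow this comment describes, the following is a reduced model of the script's decision logic, written for this page; it is not the 50-motd-news script or any Canonical code. It assumes the per-machine setting is the ENABLED value from /etc/default/motd-news, and the helpers fetch_news, motd_news and fetch_count are hypothetical stand-ins (fetch_news replaces the real download so the model runs offline). It shows that an ordinary login only prints the cache, and that the network path is reached only on a forced (timer-driven) run with ENABLED=1.

```shell
#!/bin/sh
# Added example: reduced model of the update-motd cache check, not the real script.

# Stand-in for the network fetch of motd.ubuntu.com; records that it ran.
fetch_news() {
    echo "fetched" >> "$FETCH_LOG"
    printf 'constructed motd-news payload\n' > "$CACHE"
}

# Print the cached file, keeping only printable characters (the real
# script also sanitises the cache before printing it at login).
safe_print() {
    tr -cd '[:print:]\n' < "$1"
}

# motd_news <forced> <enabled> <cache-path> <fetch-log>
# Writes "fetched" to the log only when the network path is taken.
motd_news() {
    FORCED="$1"; ENABLED="$2"; CACHE="$3"; FETCH_LOG="$4"
    # Per-machine opt-out: ENABLED=0 in /etc/default/motd-news (assumed location)
    [ "$ENABLED" = "1" ] || return 0
    # Not forced (i.e. an interactive login): print the cache, never fetch.
    if [ "$FORCED" != "1" ]; then
        if [ -r "$CACHE" ]; then
            echo
            safe_print "$CACHE"
        else
            : > "$CACHE"
        fi
        return 0
    fi
    # Forced run (the twice-daily timer): this is the only path that fetches.
    fetch_news
}

# fetch_count <forced> <enabled> <seed-cache 0|1>
# Runs one scenario in a scratch directory and prints how many fetches it caused.
fetch_count() {
    forced="$1"; enabled="$2"; seed_cache="$3"
    dir=$(mktemp -d)
    log="$dir/fetch.log"; cache="$dir/motd-news"
    : > "$log"
    if [ "$seed_cache" = "1" ]; then
        printf 'constructed cached news\n' > "$cache"
    fi
    motd_news "$forced" "$enabled" "$cache" "$log" > /dev/null
    n=$(grep -c fetched "$log" || true)
    rm -rf "$dir"
    echo "$n"
}

# Scenarios: login with cache, login without cache, timer run, timer run with ENABLED=0
echo "login, cache present:   fetches=$(fetch_count 0 1 1)"
echo "login, no cache:        fetches=$(fetch_count 0 1 0)"
echo "forced timer run:       fetches=$(fetch_count 1 1 0)"
echo "forced run, ENABLED=0:  fetches=$(fetch_count 1 0 0)"
```

The first two scenarios model a user login (FORCED unset): whether or not the cache exists, fetch_news is never called, which is the point the comment makes about login activity. Only the third scenario, the forced run, fetches, and setting ENABLED=0 suppresses even that.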

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1832074

Title:
  base-files '/etc/update-motd.d/50-motd-news' reports system use to
  Ubuntu

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1832074/+subscriptions

-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs