I recommend the following action points to restore a bit of trust in Ubuntu Product after the introduction of motd-news by Dustin Kirkland (ex-VP Product at Canonical):
- Run all motd scripts, including motd-news AND curl, as a non-privileged account, not as root
- Move the motd-news functionality from base-files to a removable package called motd-news
- Set ENABLED to 0 by default on all Ubuntu distros, or at least ask for the user's consent (during install and later with cloud-init)
- Remove private information from the User-Agent (uptime, kernel version, curl version, type of cloud) and stop using HTTPS headers such as User-Agent as a proxy to exfiltrate sensitive information from Ubuntu
- Make the code behind https://motd.ubuntu.com auditable, signed and open source
- Check the logs of https://motd.ubuntu.com for whether it has been compromised in the last 3 years; if it has, report it so people can reinstall their Ubuntu Server, Desktop, Laptop to restore trust

Currently Ubuntu users are trapped as they can only disable motd-news but not uninstall it, and any software update of base-files could bring back the security issue. Anyone who has access to motd.ubuntu.com (or via DNS + MITM) could in theory execute code on any Ubuntu if a serious vulnerability in curl has been found or if the user did not update curl. Running curl as root and reporting the curl version and the kernel version gives all the information needed to implement a persistent backdoor in any Ubuntu worldwide.

  sudo apt-get purge base-files
  WARNING: The following essential packages will be removed.
  This should NOT be done unless you know exactly what you are doing!
    base-files bash
  0 upgraded, 0 newly installed, 5 to remove and 26 not upgraded.
  After this operation, 4,525 kB disk space will be freed.
  You are about to do something potentially harmful.
  To continue type in the phrase 'Yes, do as I say!'
   ?]
https://bugs.launchpad.net/bugs/1867424
Title: motd-news transmitting private hardware data without consent or knowledge in background
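As an added example that is not part of the bug report or of base-files: POSIX shell helpers that read the ENABLED switch the report mentions without sourcing the config file (sourcing would execute its contents), and that flag a User-Agent string carrying kernel release or uptime details. The config file path is supplied by the caller and the User-Agent pattern is a constructed heuristic; both are assumptions, not the format motd-news actually uses.

```shell
#!/bin/sh
# Added audit helpers (not from the bug report or from base-files).
# The motd-news config file path is passed in by the caller (assumption).

# Print the effective ENABLED value from a shell-style config file without
# sourcing it. The last uncommented assignment wins, as it would when the
# shell sourced the file. Prints "unset" if no assignment is present and
# "unreadable" (with non-zero status) if the file cannot be read.
motd_news_enabled_value() {
    cfg="$1"
    [ -r "$cfg" ] || { echo "unreadable"; return 1; }
    val=$(grep -E '^[[:space:]]*ENABLED=' "$cfg" | tail -n 1 \
          | sed 's/#.*//' | cut -d= -f2- | tr -d "\"' ")
    echo "${val:-unset}"
}

# Succeed only when the file explicitly sets ENABLED=0; an unset, unreadable
# or enabled value is reported as "not confirmed disabled".
motd_news_disabled() {
    [ "$(motd_news_enabled_value "$1")" = "0" ]
}

# Flag a User-Agent that carries host details the report objects to: a
# kernel release such as 5.4.0-42-generic (constructed sample) or an uptime
# field. Constructed heuristic, useful for checking proxy logs.
ua_has_host_details() {
    printf '%s\n' "$1" | grep -Eq '([0-9]+\.[0-9]+\.[0-9]+-[0-9]+-[a-z]+|uptime)'
}

# Usage: sh motd-news-audit.sh /path/to/motd-news-config  (path is yours)
if [ $# -ge 1 ]; then
    printf 'ENABLED=%s\n' "$(motd_news_enabled_value "$1")"
    if motd_news_disabled "$1"; then
        echo "motd-news: disabled"
    else
        echo "motd-news: NOT confirmed disabled"
    fi
fi
```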
