Public bug reported:

System information::

root@here $ lsb_release -rd
Description:    Ubuntu 18.04.2 LTS
Release:        18.04

root@here$ dpkg -l base-files | tail -1
ii  base-files     10.1ubuntu2.4 amd64        Debian base system miscellaneous files


What I expect to happen::

Logins to my machine should not be communicated to anyone else, and
should not provide anyone else with information about my machine.


What does happen::

Logins to my machine report that a login occurred, and provide details
about the installed system, to Ubuntu.


Report::

I've just upgraded from Trusty to Bionic, and found that on login I get
a message telling me something about Ubuntu's Kubernetes. I don't want
advertising presented to me when I log in to MY system, so I began to
investigate where this is happening - assuming that
/etc/update-motd.d/10-help-text or 00-header had been updated during the
upgrade and recreated with this content.

Instead, I discover that there is another script that has been added -
/etc/update-motd.d/50-motd-news - which adds this junk text to the
login. Not only that, but the script communicates with Ubuntu, to fetch
that information. Not only that, but it provides information about the
system that is running as part of the request.

During the upgrade, I was not asked about whether it was ok for the
system to call home every time I login (or every 12 hours, whichever is
sooner, but at least a minute after you boot), and it absolutely would
not be my expectation that this be the default. When I log in to my
machine, I do not expect that the event would be reported to any
off-site system, and I suspect that most other users would be surprised
if not horrified to find that the fact that a system is in use was being
reported to Ubuntu.

The service can be disabled by changing a setting in
/etc/defaults/motd-news from ENABLED=1 to ENABLED=0, but this almost
certainly should be defaulting to 0 - tracking disabled by default, not
tracking enabled by default.

For example, on my system this provides a user agent containing:

```
curl/7.58.0-2ubuntu3.7 Ubuntu/18.04.2/LTS GNU/Linux/4.15.0-50-generic/x86_64 Intel(R)/Xeon(R)/CPU/X5675/@/3.07GHz uptime/580915.35/4598709.84
```

This means that every time the user logs in (or after 12 hours from the
prior log in, whichever is longer) Ubuntu receives:

* The IP address of a system that is in use (which might be behind NAT, but it's still a report).
* The Distribution version details.
* The Kernel version details
* The CPU type
* The uptime

Knowing where a machine is, that it is active, exactly what type of
system it is and how often it is restarted, would be an awesome dataset
for any attacker to obtain - ideally (for them) it tells them the
location of systems that are alive, how they might be attacked - from
the distribution version, the kernel and the CPU information, you can
determine a set of vulnerabilities to attack - and the uptime, which
will indicate how likely the system is to be patched.

The only thing that might be worse might be to include a cookie-jar on
the curl command, which would allow tracking of individual systems,
rather than aggregating them behind NAT using the IP (although it's
still possible that the data reported in the user agent may be able to
make that information individually usable). That said, the root user
could (unintentionally) enable a cookie jar in their .curlrc and thus
enable individual system tracking without realising.

Whilst there may be legitimate reasons for reporting this information
(say for reporting to the user that their system has updates available
or that the system is vulnerable!), an advertising tool which reports
the system's information regularly back to home does not seem
appropriate for a 'base-files' package.

The surprise at having my logins recorded on a remote site pales in
comparison to the horror of recording a database of systems that might
be abused.

The Privacy and potential Security concerns of this feature hugely
outweigh any perceived benefit to the user, and I believe that the right
course of action is to remove this script entirely from the
distribution. At the very least the script's operation should default to
being disabled.

** Affects: base-files (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: privacy

https://bugs.launchpad.net/bugs/1832074

Title:
  base-files '/etc/update-motd.d/50-motd-news' reports system use to
  Ubuntu

Status in base-files package in Ubuntu:
  New
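
An audit sketch for the behaviour the report describes, added here as an example; it is not code from the report or from base-files. The function names are hypothetical, and two things are assumptions: that only `ENABLED=1` counts as enabled, and that the first `uptime/` number is seconds since boot.

```shell
#!/bin/sh
# Added example (not from the bug report or from base-files).

# motd_news_enabled FILE: exit 0 only if FILE's last ENABLED= line is 1.
# The file is read as text, never sourced, so auditing a copy runs nothing.
# Assumption: any value other than 1 (or no value) means disabled.
motd_news_enabled() {
    [ -r "$1" ] || return 1
    val=
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ENABLED=*) val=${line#ENABLED=} ;;
        esac
    done < "$1"
    val=${val%%#*}                              # drop a trailing comment
    val=$(printf '%s' "$val" | tr -d "\"' \t")  # drop quotes and blanks
    [ "$val" = "1" ]
}

# ua_field UA NAME: print one disclosed field from a User-Agent laid out like
# the sample in the report (five space-separated tokens). Exit 2 otherwise.
ua_field() {
    name=$2
    set -f                # no globbing while the UA is word-split
    set -- $1
    set +f
    [ $# -eq 5 ] && [ "${5%%/*}" = "uptime" ] || return 2
    case $name in
        distro) printf '%s\n' "$2" | tr '/' ' ' ;;
        kernel) k=${3#GNU/Linux/}; printf '%s\n' "${k%/*}" ;;
        arch)   printf '%s\n' "${3##*/}" ;;
        cpu)    printf '%s\n' "$4" | tr '/' ' ' ;;
        # Assumption: first uptime number is seconds since boot.
        uptime_days) u=${5#uptime/}
                awk -v s="${u%%/*}" 'BEGIN { printf "%.1f\n", s / 86400 }' ;;
        *) return 2 ;;
    esac
}

# User-Agent copied from the report, used as sample input.
SAMPLE_UA='curl/7.58.0-2ubuntu3.7 Ubuntu/18.04.2/LTS GNU/Linux/4.15.0-50-generic/x86_64 Intel(R)/Xeon(R)/CPU/X5675/@/3.07GHz uptime/580915.35/4598709.84'
for f in distro kernel arch cpu uptime_days; do
    printf '%-12s %s\n' "$f" "$(ua_field "$SAMPLE_UA" "$f")"
done
# Optional: pass the settings file path as $1 to report its state.
if [ -n "${1:-}" ]; then
    if motd_news_enabled "$1"; then echo "$1: enabled"; else echo "$1: disabled"; fi
fi
```

The same `ua_field` function can be run over User-Agent values taken from an egress proxy log to see which hosts on a network are sending this request.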
