add a motd script for news

Bug #1637800 reported by Dustin Kirkland on 2016-10-30
This bug affects 4 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| base-files (Ubuntu) | | Undecided | Unassigned | |
| Xenial | | Low | Steve Langasek | |

Bug Description

Add a new update-motd script for printing news and/or important notices.

== SRU ==

[IMPACT]
We should add important security messages or other news to the MOTD.

[TEST CASE]
Log in to the system and ensure that the "news" section of the motd is displayed. Note that you might need to force trigger an update by running 'sudo update-motd'.

[REGRESSION POTENTIAL]
No reasonable regression potential. The script simply prints 2 lines of text to the MOTD.

Dustin Kirkland  (kirkland) wrote :
Changed in base-files (Ubuntu):
status: New → Invalid
Changed in base-files (Ubuntu Xenial):
status: New → In Progress
importance: Undecided → Low
assignee: nobody → Dustin Kirkland  (kirkland)
description: updated
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package base-files - 9.6ubuntu7

---------------
base-files (9.6ubuntu7) zesty; urgency=medium

  * etc/default/motd-news, update-motd.d/50-news: LP: #1637800
    - add an update-motd script, that dynamically retrieves a
      message-of-the-day from a news service, defaults to
      https://motd.ubuntu.com
    - fail quietly, gracefully, and quickly

 -- Dustin Kirkland <email address hidden> Fri, 11 Nov 2016 09:54:28 -0600

Changed in base-files (Ubuntu):
status: Invalid → Fix Released
Adam Conrad (adconrad) wrote :

"- fail quietly, gracefully, and quickly"

I'm not sure how a 2-second delay on login for people who firewall off outside access can be qualified as "quickly".

I'm also skeptical in general here about this being a thing that should be happening by default.

Dimitri John Ledkov (xnox) wrote :

Please use .timer systemd unit to asynchronously fetch this news on boot, and periodically thereafter (there is support for both stanzas), do so safely from https, have templated news, and cache them, at the end include the cached news into motd.

Dustin Kirkland  (kirkland) wrote :

@xnox:

Totally agreed on https. I just uploaded that fix to zesty, defaulting to https://motd.ubuntu.com (which exists now, it didn't at the time), and enforcing that all URLs should start with https://.

The .timer systemd unit + caching + periodic refresh is interesting, indeed. I'll look into a rewrite of update-motd to do it this way. What minimum version of systemd would I need for it to work this way?

Dustin Kirkland  (kirkland) wrote :

Okay, reworked as a systemd timer. Tested here in a zesty LXD container, working well.
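
The design discussed in the comments above (fetch from a timer rather than at login, accept only https:// URLs, cache the result, and have the login-time script print only the cache), as an added example. It is not the base-files script; the cache path, variable names and function names are hypothetical.

```shell
#!/bin/sh
# Added example; not the base-files script. The cache path, variable names
# and function names are hypothetical.
CACHE="${MOTD_NEWS_CACHE:-/var/cache/motd-news-example}"
URLS="${MOTD_NEWS_URLS:-https://motd.ubuntu.com}"

# Accept only https:// URLs that contain no whitespace.
url_ok() {
    case "$1" in
        *[[:space:]]*) return 1 ;;
        https://?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Keep tab, newline and printable ASCII only, so fetched text cannot carry
# terminal control sequences; cap it at 10 lines of 80 characters.
sanitize() {
    LC_ALL=C tr -cd '\11\12\40-\176' | cut -c1-80 | head -n 10
}

# Timer side: fetch every allowed URL into a temp file, then swap it into
# place. Any failure leaves the previous cache untouched and exits quietly.
refresh_cache() {
    tmp="$(mktemp "${CACHE}.XXXXXX" 2>/dev/null)" || return 0
    for u in $URLS; do
        url_ok "$u" || continue
        curl --proto '=https' --proto-redir '=https' --max-time 5 -fsS "$u" \
            2>/dev/null | sanitize >>"$tmp"
    done
    if [ -s "$tmp" ]; then chmod 644 "$tmp" && mv -f "$tmp" "$CACHE"
    else rm -f "$tmp"; fi
    return 0
}

# Login side (update-motd.d style): print the cache, never touch the network.
show_news() {
    [ -r "$CACHE" ] && cat "$CACHE"
    return 0
}

case "${1:-}" in
    refresh) refresh_cache ;;
    show) show_news ;;
esac
```

Run `refresh` from a systemd timer (or cron) and `show` from the login-time update-motd.d script, so a login never waits on the network even when outbound access is firewalled off.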

Unit 193 (unit193) wrote :

Why is this in base-files? You might seriously want to reconsider adding a phone-home script to a package that can't be removed, considering what happened back a couple years with the Amazon lens. Especially with a user agent that unique.

Kamilion (kamilion) wrote :

```
read up idle < /proc/uptime
uptime="uptime/$up/$idle"
USER_AGENT="curl/$curl_ver $lsb $platform $cpu $uptime"
```

Uh, okay, I can understand the curl version, the platform and the cputype; but the uptime of my nodes is nobody's business but my own.

The platform and CPU type are exposed by normal browser user agent strings anyway, I'm not really concerned if someone knows I'm amd64 or arm64; there will be other ways to discover that.... but my uptime?! really? REALLY?

And I wouldn't have minded as much if there was a comment describing why uptime was even being included ("This data is used to improve the graphs publicly available at https://errors.ubuntu.com/") and some kind of documentation somewhere that this was occurring.

Kamilion (kamilion) wrote :

Jeez, and I nearly missed
```
cpu="$(grep -m1 "^model name" /proc/cpuinfo | sed -e "s/.*: //" -e "s:\s\+:/:g")"
```

So not just uptime, but you get
"Intel(R) Xeon(R) CPU E31230 @ 3.20GHz"
from me too?

Dustin Kirkland  (kirkland) wrote :

As with any user agent string sent by any web browser, the intention is such that the server can customize the response appropriately for user.

e.g. There may be a bug that affects ARM64 users, but not any other architecture. There might be a kernel vulnerability that is only exploitable on machines that have been running a long time, or perhaps machines which are definitely not vulnerable to a regression, if they've been running for longer than the regression. In this way, the news server can generate the most relevant message-of-the-day for a given system.

Or, hopefully, everything is hunky dory, and then we can wish Grace Hopper or Alan Turing a happy birthday (a la Google Doodle) in your Ubuntu system's MOTD :-)

Moreover, it's always easy to disable or customize the urls to the local user or administrator's liking, or firewall it off entirely.

The goal is useful, helpful, tailored information in the MOTD. To actually make the "message of the day", a dynamic and informative "message of the day".

Cheers!
Dustin

Kamilion (kamilion) wrote :

"the news server can generate the most relevant message-of-the-day"

So, you promise it's not just going to return the output of GNU fortune over and over?

And that the serverside will be hardened against exploitation? PS, do me a favor and make sure it's written in a dynamic scripting language so at least I know y'all have to waste CPU time on every request...

Anyway -- I've got to go make sure my containers run this on every login, and update all of my live USB sticks so all six automatic logins on the VTs in the background end up hitting your motd server.

Y'all don't mind if I patch it to send random uptimes between 4 seconds and 4700 years, and claiming to be a ["Tensilica LX6", "Zilog EZ-80", "Microchip Technology Inc. PIC16F874‑04/P", "EpsonS1C60A16"], right?

</sarcasm>

But seriously -- some comments in the script (actually, your response prefixed with #s would pretty much be spot on) would be appreciated; even if another couple hundred bytes on disk are wasted.

Changed in base-files (Ubuntu Xenial):
assignee: Dustin Kirkland  (kirkland) → Steve Langasek (vorlon)
Jeremy Chadwick (koitsu2013) wrote :

> So, you promise it's not just going to return the output of GNU fortune over and over?

https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1701068 is confirmed proof that what this ticket is for is now being used inappropriately (unprofessionally).

Simos Xenitellis  (simosx) wrote :

@Jeremy: I think it would be more appropriate to say that the current motd.ubuntu.com shows an item about an episode of a TV show, which depicts Ubuntu being used in some IT task.
