Ubuntu
base-files package

base-files '/etc/update-motd.d/50-motd-news' reports system use to Ubuntu

Bug #1832074 reported by Justin Fletcher
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
base-files (Ubuntu)
Invalid
Undecided
Unassigned

Bug Description

System information::

root@here $ lsb_release -rd
Description: Ubuntu 18.04.2 LTS
Release: 18.04

root@here$ dpkg -l base-files | tail -1
ii base-files 10.1ubuntu2.4 amd64 Debian base system miscellaneous files

What I expect to happen::

Logins to my machine should not be communicated to anyone else, and should not provide anyone else of information about my machine.

What does happen::

Logins to my machine report that a login occurred, and provide details about the installed system, to Ubuntu.

Report::

I've just upgraded fromt Trusty to Bionic, and found that on login I get a message telling me something about Ubuntu's Kubernetes. I don't want advertising presented to me when I log in to MY system, so I began to investigate where this is happening - assuming that /etc/update-motd.d/10-help-text or 00-header had been updated during the upgrade and recreated with this content.

Instead, I discover that there is another script that has been added - /etc/update-motd.d/50-motd-news - which adds this junk text to the login. Not only that, but the script comminucates with Ubuntu, to fetch that information. Not only that, but it provides information about the system that is running as part of the request.

During the upgrade, I was not asked about whether it was ok for the system to call home every time I login (or every 12 hours, whichever is sooner, but at least a minute after you boot), and it absolutely would not be my expectation that this be the default. When I log in to my machine, I do not expect that the event would be reported to any off-site system, and I suspect that most other users would be surprised if not horrified to find that the fact that a system is in use was being reported to Ubuntu.

The service can be disabled by changing a setting in /etc/defaults/motd-news from ENABLED=1 to ENABLED=0, but this almost certainly should be defaulting to 0 - tracking disabled by default, not tracking enabled by default.

For example, on my system this provides a user agent containing:

```
curl/7.58.0-2ubuntu3.7 Ubuntu/18.04.2/LTS GNU/Linux/4.15.0-50-generic/x86_64 Intel(R)/Xeon(R)/CPU/X5675/@/3.07GHz uptime/580915.35/4598709.84
```

This means that every time the user logs in (or after 12 hours from the prior log in, whichever is longer) Ubuntu receives:

* The IP address of a system that is in use (which might be behind NAT, but it's still a report).
* The Distribution version details.
* The Kernel version details
* The CPU type
* The uptime

Knowing where a machine is, that it is active, exactly what type of system it is an how often it is restarted, would be an awesome dataset for any attacker to obtain - ideally (for them) it tells them the location of systems that are alive, how they might be attacked - from the distribution version, the kernel and the CPU information, you can determine a set of vulnerabilities to attack - and the uptime, which will indicate how likely the system is to be patched.

The only thing that might be worse might be to include a cookie-jar on the curl command, which would allow tracking of individual systems, rather than aggregating them behind NAT using the IP (although it's still possible that the data reported in the user agent may be able to make that information individually usable). That said, the root user could (unintentionally) enable a cookie jar in their .curlrc and thus enable individual system tracking without realising.

Whilst there may be legitimate reasons for reporting this information (say for reporting to the user that their system has updates available or that the system is vulnerable!), an advertising tool which reports the system's information regularly back to home does not seem appropriate for a 'base-files' package.

The surprise at having my logins recorded on a remote site pales in comparison to the horror of recording a database of systems that might be abused.

The Privacy and potential Security concerns of this feature hugely outweigh any perceived benefit to the user, and I believe that the right course of action is to remove this script entirely from the distribution. At the very least the script's operation should default to being disabled.

Tags: privacy
Revision history for this message
Steve Langasek (vorlon) wrote :

Thank you for your interest in improving the default experience in Ubuntu.

We do understand that not everyone wants their machines to be talking to the Ubuntu servers, which is why there are several ways to disable this functionality.

 - on a per-machine basis, you can set ENABLED=0.
 - on a site-wide basis, you can firewall motd.ubuntu.com.

There is a factual inaccuracy in your report, which is to say that this feature can be used to track login activity on machines. The update-motd script in question contains the following check:

  # If we're not forcing an update, and we have a cached motd-news file,
  # then just print it and exit as quickly as possible, for login performance.
  # Note that systemd should keep this cache file up to date, asynchronously
  if [ "$FORCED" != "1" ]; then
          if [ -r $CACHE ]; then
                  echo
                  safe_print $CACHE
          else
                  : > $CACHE
          fi
          exit 0
  fi

Thus, aside from a possible execution at first login, systems will only contact motd.ubuntu.com twice per day with no correlation with user logins.

It is also the case that Ubuntu systems already talk to Ubuntu servers daily by default, as apt will check twice daily for updates from archive.ubuntu.com and security.ubuntu.com, so the behavior of this update-motd script in base-files is consistent with the existing experience.

Finally, you've raised the concern that this script exposes information about the system that could be used to exploit said system.

Canonical takes the security of Ubuntu users very seriously. This is why, by default, security updates are applied to all Ubuntu systems daily in 18.04. This is why we offer a kernel livepatch service that enables users of Ubuntu 18.04 to fix high and critical kernel vulnerabilities outside of scheduled maintenance windows.

If motd.ubuntu.com were ever to leak information to an attacker about what machines on the Internet were vulnerable to a particular attack, the root problem there would not be that information was shared with motd.ubuntu.com; the root problem would be that Ubuntu machines connected to the Internet had not had necessary security updates applied to them. Because on the Internet at large, attackers do not wait for a service like motd.ubuntu.com to tell them which machines are vulnerable before exploiting them.

On the other hand, motd.ubuntu.com is a very important source of information for US about what versions of Ubuntu are in use in the wild - information that can be used, among other things, to identify problems with the rollout of kernel security updates to our users.

So while it's understandable that some users will not want this behavior, I believe that it is defensible as default behavior in Ubuntu.

Revision history for this message
Steve Langasek (vorlon) wrote :

This bug report touches on a number of issues, which are variously 'invalid', 'wontfix', or 'opinion'. Since the bug title appears to refer to the (incorrect) claim that the update-motd script will expose information to the server about when users are logging in to the system, I am closing as invalid.

Changed in base-files (Ubuntu):
status: New → Invalid
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.