scripts in /etc/update-motd.d/ run even on login via non-interactive scp and sftp sessions
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| PAM | New | Unknown | | |
| landscape-client (Ubuntu) | Fix Released | Critical | Christian Ehrhardt | |
| pam (Ubuntu) | Confirmed | Medium | Unassigned | |
| ubuntu-release-upgrader (Ubuntu) | Fix Released | High | Christian Ehrhardt | |
| update-motd (Ubuntu) | Invalid | Medium | Unassigned | |
| update-notifier (Ubuntu) | Fix Released | High | Christian Ehrhardt | |
Bug Description
My client has 200+ devices automatically uploading information via sftp and scp to a server every few minutes. After a recent update, I noticed the load on their server spiking through the roof. Upon investigation, I discovered a horde of landscape-sysinfo and /usr/bin/
It appears that even in non-interactive sessions where this information will never be seen, the configuration options below in /etc/pam.d/sshd cause these items to be launched (in fact, probably everything in /etc/update-
The content of /etc/update-
# Print the message of the day upon successful login.
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
#session optional pam_motd.so motd=/run/
#session optional pam_motd.so noupdate
Also, looking at the script 00-header in /etc/update-
[ -r /etc/lsb-release ] && . /etc/lsb-release
if [ -z "$DISTRIB_
# Fall back to using the very slow lsb_release utility
fi
# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_
DISTRIB_
DISTRIB_
Related branches
- Brian Murray: Pending requested
  Diff: 30 lines (+12/-0), 2 files modified: debian/95-hwe-eol (+6/-0), debian/changelog (+6/-0)
- Simon Poirier (community): Approve
- Canonical Server packageset reviewers: Pending requested
- Canonical Server: Pending requested
- git-ubuntu import: Pending requested
  Diff: 86 lines (+45/-15), 3 files modified: debian/changelog (+12/-0), debian/landscape-common.postrm (+6/-0), debian/landscape-sysinfo.wrapper (+27/-15)
- Brian Murray (community): Approve
- Canonical Server packageset reviewers: Pending requested
- Canonical Server: Pending requested
- git-ubuntu import: Pending requested
  Diff: 33 lines (+13/-1), 2 files modified: debian/91-release-upgrade (+6/-1), debian/changelog (+7/-0)
- Bryce Harrington (community): Needs Information
- Brian Murray: Pending requested
- Canonical Server: Pending requested
- git-ubuntu import: Pending requested
  Diff: 30 lines (+12/-0), 2 files modified: debian/95-hwe-eol (+6/-0), debian/changelog (+6/-0)
description: updated
Changed in pam: status: Unknown → New
tags: removed: server-todo
Hello Thomas,
Thanks for reporting this and making Ubuntu better.
About your statement on lsb-release, in 00-header:
""""
[ -r /etc/lsb-release ] && . /etc/lsb-release
if [ -z "$DISTRIB_DESCRIPTION" ] && [ -x /usr/bin/lsb_release ]; then
    # Fall back to using the very slow lsb_release utility
    DISTRIB_DESCRIPTION=$(lsb_release -s -d)
fi
# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.7 LTS"
""""
The slow path is only executed if the DISTRIB_DESCRIPTION variable is not set, at least in my tests.
In regards to your statement:
"""
The content of /etc/update-motd.d/* really, really, really shouldn't be executed if the session in question is not interactive, as it provides no value at all. Unfortunately, to disable it for these non-interactive sessions, we also have to disable it for the interactive ones as well where it has some value (though not enough to make spiking the load on this server through the roof an acceptable tradeoff).
"""
Considering there IS a way of disabling the dynamic motd contents currently by commenting only the line containing the /run/motd.dynamic wording:
# Print the message of the day upon successful login.
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
# session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate
I'm flagging this bug as a wishlist priority.
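
An added example, not part of the bug report or of any Ubuntu package: a shell audit for the condition discussed in this thread, an active pam_motd line that regenerates the dynamic MOTD at every session open. The function names and the `sample_pam` input are constructed for illustration, `@include`d files are not followed, and it assumes that an active `pam_motd.so` line without `noupdate` is what runs the /etc/update-motd.d scripts.

```shell
#!/bin/sh
# Added example: flag PAM lines that make pam_motd regenerate the dynamic MOTD.
# Assumption: an active pam_motd.so line without "noupdate" is what runs the
# /etc/update-motd.d scripts; the workaround above leaves only "noupdate" active.

# sample_pam PREFIX: constructed excerpt modelled on the lines quoted above.
# PREFIX ("" or "# ") is placed in front of the motd=/run/motd.dynamic line.
sample_pam() {
    cat <<EOF
# Print the message of the day upon successful login.
${1}session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate
EOF
}

# motd_update_lines [FILE...]
# Prints "LINENO: text" for each active session line that loads pam_motd.so
# without the noupdate option. Reads stdin when no FILE is given.
motd_update_lines() {
    awk '
        /^[[:space:]]*#/ { next }                    # commented out, inactive
        $1 != "session" && $1 != "-session" { next } # other PAM types
        $0 !~ /pam_motd\.so/ { next }                # other modules
        {
            for (i = 1; i <= NF; i++)
                if ($i == "noupdate") next           # scripts are not run
            print FNR ": " $0
        }
    ' "$@"
}

# audit_motd [FILE...]: returns 1 when at least one line is flagged.
audit_motd() {
    hits=$(motd_update_lines "$@")
    [ -z "$hits" ] && return 0
    printf 'update-motd.d scripts run at session open:\n%s\n' "$hits"
    return 1
}

# Demo on the constructed samples: stock layout, then the workaround.
sample_pam ""   | audit_motd || echo "-> stock layout: flagged"
sample_pam "# " | audit_motd && echo "-> workaround applied: clean"
```

On a host, `audit_motd /etc/pam.d/sshd` gives the same report for the real file.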