Thanks security-conscious Dustin Kirkland for this great bash script
("I've insisted on shell here for transparency! - Dustin ")
and other contributions like NSA's SELinux or security sensible
software like Pollinate (Entropy-as-a-Service in the cloud) via
https://entropy.ubuntu.com
Packing so many sensible info inside User-Agent sent daily by default
from all Ubuntu to https://motd.ubuntu.com is brillant!
less /etc/update-motd.d/50-motd-news
```
# 50-motd-news - print the live news from the Ubuntu wire
# Copyright (C) 2016-2017 Canonical Ltd.
# Copyright (C) 2016-2017 Dustin Kirkland
##############################################################################
# This program could be rewritten in C or Golang for faster performance.
# Or it could be rewritten in Python or another higher level language
# for more modularity.
# However, I've insisted on shell here for transparency!
# - Dustin
##############################################################################
# Curl browser version, for debug purposes
curl_ver="$(dpkg -l curl | awk '$1 == "ii" { print($3); exit(0); }')"
# Distribution version, for messages releated to this Ubuntu release
. /etc/lsb-release
lsb=$(echo "$DISTRIB_DESCRIPTION" | sed -e "s/ /\//g")
codename="$DISTRIB_CODENAME"
# Kernel version and CPU type, for messages related to a particular revision or
hardware
platform="$(uname -o)/$(uname -r)/$(uname -m)"
arch="$(uname -m)"
cpu="$(grep -m1 "^model name" /proc/cpuinfo | sed -e "s/.*: //" -e
"s:\s\+:/:g")"
cloud_id="unknown"
if [ -x /usr/bin/cloud-id ]; then
/usr/bin/cloud-id > "$CLOUD" 2>/dev/null
if [ $? -eq 0 ]; then
# sanitize it a bit, just in case
cloud_id=$(cut -c -40 "${CLOUD}" | tr -c -d '[:alnum:]')
if [ -z "${cloud_id}" ]; then
cloud_id="unknown"
fi
fi
fi
# Some messages may only be pertinent before or after some amount of uptime
read up idle < /proc/uptime
uptime="uptime/$up/$idle"
# Piece together the user agent
USER_AGENT="curl/$curl_ver $lsb $platform $cpu $uptime cloud_id/$cloud_id"
...
# Fetch and print the news motd
if curl --connect-timeout "$WAIT" --max-time "$WAIT" -A "$USER_AGENT"
-o- "$u" >"$NEWS" 2>"$ERR"; then
```
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to base-files in Ubuntu.
https://bugs.launchpad.net/bugs/1867424
Title:
motd-news transmitting private hardware data without consent or
knowledge in background
Status in base-files package in Ubuntu:
Confirmed
Bug description:
In package base-files there is a script /etc/update-motd.d/50-motd-
news that harvests private hardware data from the machine and
transmits it in the background every day. There is no notice, no
consent, no nothing. This should be by default disabled until there
is informed consent.
This solution is simple:
1. Change ENABLED=1 to ENABLED=0 in the file /etc/default/motd-news and
2. Place a comment in the file disclosing the fact that the 50-motd-news
script will harvest private hardware data and upload it to motd.ubuntu.com
daily if the end-user enables it.
Creating databases that maps ip address to specify hardware is a
threat to both privacy and security. If an adversary knows the
specific hardware and the ip address for that hardware their ability
to successfully attack it is greatly increased.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1867424/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
