Last active
January 12, 2018 16:21
-
-
Save FlorianHeigl/4459785ace5c0b95cae5e9c0f4093e32 to your computer and use it in GitHub Desktop.
ubuntu's motd shit
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| root@dhcp104:~# cat /etc/update-motd.d/91-release-upgrade | |
| #!/bin/sh | |
| # if the current release is under development there won't be a new one | |
| if [ "$(lsb_release -sd | cut -d' ' -f4)" = "(development" ]; then | |
| exit 0 | |
| fi | |
| if [ -x /usr/lib/ubuntu-release-upgrader/release-upgrade-motd ]; then | |
| exec /usr/lib/ubuntu-release-upgrader/release-upgrade-motd | |
| fi | |
| so what they're saying is: | |
| if I'd run a dev version (core?) and I turn it off for sufficient amount of time | |
| it'll never notice there's a new release until I went through enough updates to | |
| change my release string - | |
| they managed to put a race condition in 6 lines of shellscript! | |
| not to mention they call their interpreter as "sh", meaning in posix shell mode and use $(). | |
| This only works because their shell is sloppy :-) | |
| and not to mention this lsb release check plus the other thing are somehow run on | |
| every single login. | |
| because your running OS release might have changed between logins | |
| without passing by dpkg which could also just update that fucking motd piece. | |
| and how do you like how they comment the exception case but not the standard case? | |
| /usr/lib/ubuntu-release-upgrader/release-upgrade-motd is also pretty idiotic | |
| which leaves us with #!/bin/sh which is the single part that is not idiotic. | |
| unless they're sourcing it. | |
| also enjoyable: the official release page: https://wiki.ubuntu.com/UpdateMotd | |
| only question to this whole "feature" is how to totally disable it. | |
| the question is unanswered. | |
| fixes are to remove exec bits from all the scripts in the directory, | |
| uninstall any of | |
| * ubuntu-release-upgrader-core | |
| * update-manager-core | |
| * update-notifier-common | |
| or (best) turn it off in PAM's pam_motd. | |
| via https://www.withoutthesarcasm.com/ubuntu-motd-landscape/ and http://unix.stackexchange.com/questions/205802/disable-pam-login-but-keeping-landscape-sysinfo-y-motd :) | |
| I recommend to only turn it off in PAM. That way it's still run on boot. | |
| The cron option is also very reasonable if there is no monitoring in place to do the very same job. | |
| But in all honesty, daemons like this waste the time beginner 'operators' would need to deploy some monitoring. | |
| If you dig deep enough you'll find this was a feature a mythtv user enjoyed. | |
| And so it happened to become a standard feature for all ubuntu systems, | |
| wasting thousands of hours of cpu time around the world. Seriously, think about that? | |
| This wastes enough to probably be measurable in gramms of depleted fuel rods. | |
| Fuck this. Disable that crap now. | |
| Links with ressources for getting in control of ubuntu: | |
| https://major.io/2015/10/14/what-i-learned-while-securing-ubuntu/ | |
| https://www.cesg.gov.uk/guidance/end-user-devices-security-guidance-ubuntu-1404-lts | |
| (along with install.sh - https://www.cesg.gov.uk/file/1223/download?token=qI47xtp6 and | |
| postinstall.sh - https://www.cesg.gov.uk/file/1230/download?token=hTVfMJi4) | |
| https://cisofy.com/documentation/lynis/get-started/ (Security assessment tool) | |
| https://github.com/GovReady/ubuntu-scap (Security benchmarks from RH adopted, can be used with openscap) | |
| http://people.canonical.com/~kirkland/Ubuntu%2014.04%20LTS%20Security%20for%20Human%20Beings.pdf (ORNL Guide) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment