Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
ubuntu's motd shit
root@dhcp104:~# cat /etc/update-motd.d/91-release-upgrade
#!/bin/sh
# if the current release is under development there won't be a new one
if [ "$(lsb_release -sd | cut -d' ' -f4)" = "(development" ]; then
exit 0
fi
if [ -x /usr/lib/ubuntu-release-upgrader/release-upgrade-motd ]; then
exec /usr/lib/ubuntu-release-upgrader/release-upgrade-motd
fi
so what they're saying is:
if I'd run a dev version (core?) and I turn it off for sufficient amount of time
it'll never notice there's a new release until I went through enough updates to
change my release string -
they managed to put a race condition in 6 lines of shellscript!
not to mention they call their interpreter as "sh", meaning in posix shell mode and use $().
This only works because their shell is sloppy :-)
and not to mention this lsb release check plus the other thing are somehow run on
every single login.
because your running OS release might have changed between logins
without passing by dpkg which could also just update that fucking motd piece.
and how do you like how they comment the exception case but not the standard case?
/usr/lib/ubuntu-release-upgrader/release-upgrade-motd is also pretty idiotic
which leaves us with #!/bin/sh which is the single part that is not idiotic.
unless they're sourcing it.
also enjoyable: the official release page: https://wiki.ubuntu.com/UpdateMotd
only question to this whole "feature" is how to totally disable it.
the question is unanswered.
fixes are to remove exec bits from all the scripts in the directory,
uninstall any of
* ubuntu-release-upgrader-core
* update-manager-core
* update-notifier-common
or (best) turn it off in PAM's pam_motd.
via https://www.withoutthesarcasm.com/ubuntu-motd-landscape/ and http://unix.stackexchange.com/questions/205802/disable-pam-login-but-keeping-landscape-sysinfo-y-motd :)
I recommend to only turn it off in PAM. That way it's still run on boot.
The cron option is also very reasonable if there is no monitoring in place to do the very same job.
But in all honesty, daemons like this waste the time beginner 'operators' would need to deploy some monitoring.
If you dig deep enough you'll find this was a feature a mythtv user enjoyed.
And so it happened to become a standard feature for all ubuntu systems,
wasting thousands of hours of cpu time around the world. Seriously, think about that?
This wastes enough to probably be measurable in gramms of depleted fuel rods.
Fuck this. Disable that crap now.
Links with ressources for getting in control of ubuntu:
https://major.io/2015/10/14/what-i-learned-while-securing-ubuntu/
https://www.cesg.gov.uk/guidance/end-user-devices-security-guidance-ubuntu-1404-lts
(along with install.sh - https://www.cesg.gov.uk/file/1223/download?token=qI47xtp6 and
postinstall.sh - https://www.cesg.gov.uk/file/1230/download?token=hTVfMJi4)
https://cisofy.com/documentation/lynis/get-started/ (Security assessment tool)
https://github.com/GovReady/ubuntu-scap (Security benchmarks from RH adopted, can be used with openscap)
http://people.canonical.com/~kirkland/Ubuntu%2014.04%20LTS%20Security%20for%20Human%20Beings.pdf (ORNL Guide)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment