17

Imagine that, I have a fresh Ubuntu 18.04 installed. But there are some default packages or services that connects to the Internet without my consent. How to get rid of them completely or make them offline in an effective way?

As far as I now, they are:

popularity-contest - The Ubuntu Popularity Contest (or popcon, in short) gathers statistics determining which packages are the most popular with Ubuntu users.

unattended-upgrades - Automatically upgrades computer with the latest security updates.

apt-daily - Updates apt index every day automatically.

snapd - Updates snap packages automatically.

update-manager - Checks for release updates.

I could be missing something. Please post if you know...

The purpose: I want to have full control over the Internet, as in my case, Internet is limited. So, I wish to update or upgrade manually rather than automatically.

muru
  • 197,895
  • 55
  • 485
  • 740
Olimjon
  • 7,292
  • Related on superuser.com: How to disable the data reporting in ubuntu bionic: https://superuser.com/a/1317990/158401 – allo Jul 19 '18 at 12:00

1 Answers1

25

Popularity contest is disabled by default. You can check and disable it with:

dpkg-reconfigure popularity-contest

You can do ...

apt remove popularity-contest

to remove it too.

Disable apt-daily.service:

systemctl stop apt-daily.timer
systemctl disable apt-daily.timer
systemctl disable apt-daily.service
systemctl stop apt-daily-upgrade.timer
systemctl disable apt-daily-upgrade.timer
systemctl disable apt-daily-upgrade.service

One-liner from @muru <3:

systemctl disable --now apt-daily{,-upgrade}.{timer,service}

Disable unattended upgrade:

dpkg-reconfigure -plow unattended-upgrades

Update manager can only be stopped by removing it:

apt purge update-manager-core

You can NOT disable automatic update for snaps. You can set the period when it updates with snap set core refresh.schedule=<spec> but the system will ignore this is if it took too long to update snaps and that would be within 24 hours. This will remove anything snap related:

apt purge snapd ubuntu-core-launcher squashfs-tools

A less intrusive method would be to prevent connection to the server by adding a DENY to your firewall rules (or in the router). To disable the systemd service would be ...

systemctl disable snapd.refresh.service

but that too seems to ignore the 24 hour period.

Regarding snaps:

The agreed semantics to be implemented are the following:

  • Refreshes may be scheduled at an arbitrary weekday and time within the month (e.g. second Tuesday between 1pm and 2pm).
  • Refreshes may be deferred for up to another month so that missed windows and re-scheduling may happen without strange side effects. For example, if it was scheduled for the first day, and then gets scheduled for the end of the month just before it happens, there may effectively be a two months window without refreshes.
  • If the system remains out-of-date after the two months window, the system will start attempting to refresh out of the window.
  • That maximum window is reset every time the system is refreshed, so out-of-band updates may performed at a convenient maintenance window.

So a window of 2 months is possible if you do not reboot.

I do disagree with your way of thinking though. Except for contest (and that one is not active) all of these are about fixing bugs and providing better content. You will make your system LESS secure by disabling these options.

Community
  • 1
Rinzwind
  • 299,756
  • 8
    You can stop and disable the apt-daily units in one command using systemctl disable --now: systemctl disable --now apt-daily{,-upgrade}.{timer,service} – muru Jul 19 '18 at 07:05
  • 7
    @Rinzwind, It may make my system less secure, but, in my case, Internet is limited sometimes. So, it could be better to manually update or upgrade my system. – Olimjon Jul 19 '18 at 07:08
  • @Olimjon I myself would opt for another operating system that does not depend on internet. Ubuntu IS an operating system that has a high dependency on connection to the web. – Rinzwind Jul 19 '18 at 08:23
  • 2
    @Rinzwind I don't think that is good advice. All major OS' rely on the internet for security updates. The OP has limited internet, so "I do disagree with your way of thinking" seems irrelevant here. It's not a way of thinking, it's a physical constraint. +1 for an otherwise good answer though. Is it really impossible to disable snap updates without uninstalling it or using the firewall? That seems rather against the philosophy of Linux generally. – Jon Bentley Jul 19 '18 at 10:42
  • I do. Security should be 1st, 2nd, and 3rd on anyone's list of priorities. Where 1st is to make backups. 2nd is to always update ASAP and 3rd is good passwords. And regarding updates: except for snaps we are talking about a few kBs. Not something that should be a problem. "Is it really impossible to disable snap updates without uninstalling it or using the firewall?" Yeah well I was surpised too; see for instance: https://forum.snapcraft.io/t/disabling-automatic-refresh-for-snap-from-store/707/4 :) – Rinzwind Jul 19 '18 at 11:17
  • 5
    The snap part looks like a serious problem of snap. Having no control over updates proved i.e. in chrome to be a major danger (where extensions suddenly injected ads and the user did not know that its from an extension as he did not know the extension was updated). Maybe someone has a patched version of snap? – allo Jul 19 '18 at 12:03
  • My gut reaction to the snap issue: "Well, you could always just run snap inside of some kind of container, and tell it that it doesn't have internet." – Kevin Jul 19 '18 at 21:21