Security updates to Douro machines were included in our v8.1.5-1 and v8.1.6 releases, and applied when deployed via a remote update package.
Regardless of version, these updates can be applied manually outside of a machine update. This article describes the process to deploy these changes yourself if you have not yet updated to v8.1.6.
Otherwise, if your machines are OSA-registered, please request an update from our support team. (In which case, you do not need to perform the below.)
Description of changes
The changes below harden permissions to the update process, update the root account to use a stronger passphrase, and prevent access to the desktop environment during a brief period during OS start.
To appply these changes, connect a keyboard to the the Douro's panel PC and pull up a terminal with Ctrl+Alt+T.
Then run each of the commands below, one at a time. Punctuation and spacing must be exact.
In the sixth command below, replace sufficientlyLongAndRandomPassword with a sufficiently long and random password that you generate from a password manager. You do not need to remember or record this password, as the one used with sudo su will work in the future.
[enter the password provided by our support team]
curl -o watchdog.js https://raw.githubusercontent.com/lamassu/lamassu-machine/v8.1.6/watchdog.js
curl -o lib/update/updater.js https://raw.githubusercontent.com/lamassu/lamassu-machine/v8.1.6/lib/update/updater.js
sed -Ei 's/(panel\/(command|session)=).*/\1/g' /home/iva/.config/lxsession/Lubuntu/desktop.conf
echo 'root:sufficientlyLongAndRandomPassword' | chpasswd
shutdown -r now
The machine will then restart with the patches applied.