Re: "Yes, yes, Linux is coming closer to parity with Windows all the time"
Oh well look at that, another person trying to generalize all Linux distributions as being the same. Such comments only help to prove an individual's inability to understand the differences between Linux distributions or Linux security in general. Especially when it's clearly pointed out by the title and bug report that this issue is only related to Ubuntu Linux, not other Linux distributions such as SUSE Linux, Mandriva Linux, etc.
http://en.wikipedia.org/wiki/Linux
Edited 2006-03-13 04:09
One word: decaf. It was a joke, sir. Not a stunningly bright example of one, I grant you, but nominally a joke. Now, the generalization argument could also be made of those who take a line that has the words "Windows" and "Linux" in it and that ends with a smiley and construe it as a well-substantiated argument for or against anything. Those people could be lumped into a column marked "touchy", but I refuse to do that. Or do I? Hmm. Anyway, thanks OSNews for pointing this one out, and to everyone who made this problem, as bad as it was, go away as quickly as it did. I have taken steps to batten down my Breezy, and I look forward to telling people how responsive the entire spectrum of desktop Linux users are in such a situation. Bravo.
I am currently in the process of confirming this on my own Ubuntu box, but this is not really much of a vulnerability (for me at least) for the following reasons:
* The file cannot be read remotely. Ubuntu has no open ports by default.
* I am the only user of the machine. I already know my password. This could only be a problem if I left the machine unlocked/unattended at some point, something I try not to do.
I completely agree. There are things like Automatix and Easy Ubuntu, which help newbies install things from codecs to p2p clients with a few clicks... I bet most people who use these have no idea what ports needed to be opened during installation, etc. So let's just admit it is a bad (and dumb (not sure which is worse)) bug, should not have happened, hopefully they fix it soon, but let's not make excuses about it. Full disclosure: I do like Ubuntu a lot.
The tone of some on this article is a bit worrying.
I CAN'T believe that some would even attempt to play this down. If this was stated in some other operating system, say Vista, or maybe even better OS X, there would be general outrage and disgust at such indecent exposure.
Now some might say that my box is secure, and it's a single-user operating system, the danger is minimal.
Blah blah blah. But I would like to point out that Ubuntu is a Linux distro, it can double as a server and people without thinking will set up Ubuntu as a server because it is Linux and not a desktop distro, as some people would like to imply such a distinction (which should not be made to begin with). Linux is Linux, let's get that straight. I'm appalled!
It's an interesting facet to Linux security, that might be on the increase, that is insecurity and vulnerability being introduced by various user-level tools that aid the "user's experience".
I must apologise for the tone of the email. I use Ubuntu @ home on my desktop and as a server machine and I was shocked at this.
Root password or sudo-enabled user (however you want to look at it) in clear text? Wow.
Ubuntu is a desktop distro. It really is... Things like sudo are things that a server admin won't touch with a ten foot pole; they're unnecessary complications for his situation (he's one of very few who needs root access anyway).
Realistically if we saw this on Slackware, Debian, or Gentoo I'd be more concerned. My concern is when people up-play these security vulnerabilities. It's not the end of the world. It's not Sasser, it's just a local exploit. The people most upset should be the developers (or in this case, distributors).
I'm surprised no one has tried to disprove many eyes with this one.. I'm waiting for that argument.
Things like sudo are things that a server admin won't touch with a ten foot pole
Actually I'd beg to differ
I look after 30-50 machines and I couldn't live without Sudo. Sure for a single server-admin they might be a bit of overkill, but sudo is perfect for granting particular users access to some things, but not giving them root.
(e.g. Allowing a developer access to restarting Apache.)
As soon as you have a team of sysadmins looking after a lot of machines, sharing root passwords becomes unwieldy. In that case having sudo set up to allow all 'sysadmin' group members access to root is the way to go. It provides a sane, sensible approach to delegation, along with logging.
(Especially with one global sudoers file kept under revision control).
I look after 30-50 machines and I couldn't live without Sudo. Sure for a single server-admin they might be a bit of overkill, but sudo is perfect for granting particular users access to some things, but not giving them root.
Couldn't you accomplish the same or similar just by adding the user to the wheel group? I think another possibility would be to make use of setuid.
I've used sudo in a multi-admin/multi-server setup and I personally (not speaking for anyone else) hated it. I have no problem with it on the desktop though.
RE[2]: Cue the peanut gallery
Ok. Let's be honest.
It's a local user priv escalation vulnerability. Ba dee-ba dee-ba that's all folks.
Nasty, annoying, good thing we all know about it now, and why would you be using Ubuntu on a server anyway? I've known a lot of people to do it, I've just never understood it.
Oh well, I can't help wondering how they'll implement the patch for this. A package which runs a script to delete those files?
RE[2]: Cue the peanut gallery
So you get Joe User who has managed to happily install Ubuntu, and he tells his OS X/Windows-using friend how great and secure it is. Said friend knows about the log file, finds it, gets root on Joe's box. Joe is not happy, and realizes that the Linux zealots on some forum or other were just spewing bullshit.
Some friend. That makes no sense at all. Put me in the room with anyone's desktop Wintel running Linux, and I can hax0r it with a liveCD and chroot. Even change the root password. If we're talking about a system you could just reach around and unplug or open up and remove the hard drive from, nothing you can do in software really counts as breaking in. This "exploit" affects basically two people: paranoid parents and people with untrusted guest accounts.
RE[4]: Cue the peanut gallery
>It's a warning sign to all of you who think "Oh, I'll install Linux, and my computar will be UNHAXABLE!!11!"
Really, only anti-linux zealots think that linux users think that Linux is unhackable. Actual Linux users are a lot more realistic.
Fanboys of any type seem to have a hard time thinking of anything less than extremes. It's really a shame, but not everyone can see the balance of pros and cons.
RE[3]: Cue the peanut gallery
Would someone ban this guy?
You've not made a single constructive statement in this thread. All you've done is call anyone down-playing this "the peanut gallery" and referred to them as zealots, and you just called Mac fans retards.
Cutesy insults or straight up, you just called Mac fans retards, and I'm calling you on it.
This is not slashdot so take your trolling elsewhere and contribute constructive comments or shut up.
This is a cue for the peanut gallery to explain to us all how this is not even close to being a vulnerability, and how there's no reason to worry, and how we should all switch to Linux.
Begin.
If there was a peanut gallery, they would simply rehash the zealous denials from the OS X crowd over the last three security bulletins ("Well, sure it was hacked over ssh, they had a local account, that doesn't count cause it's not remotely exploitable!") or the blind optimism of the Win crowd ("I have two A/V scanners and I run 15 spyware removers 3 times a day so I'm perfectly safe!")
Fact is, this is a design error that has caused a considerable security vulnerability. But there are three things worth noting:
a) The majority of responses on this post demonstrate concern or frustration instead of the usual Ubuntu all-is-forgiven attitude, meaning that users are taking this seriously. Frankly I'm a little pleasantly surprised myself, but there you have it.
b) Nobody in the community or Ubuntu is denying or stonewalling, and in fact the dev responsible has posted to take responsibility, explain how the error happened, and what steps were taken to resolve it; compare that to many vendors that refuse to acknowledge or discuss vulnerabilities until they have the patch out
c) One can argue that a fairly obvious coding error led to this blatant vulnerability, but then MS has made some doozies themselves, and Apple has even followed in Microsoft's footsteps with bad choices by enabling automatic downloads/code execution with Safari and the desktop widgets etc. No vendor is immune to making errors, whether by coding or simply bad design that is only apparent in hindsight. I'm more concerned with how flaws and vulnerabilities are dealt with by the vendor once they're discovered.
As a Kubuntu user, I'd prefer a vulnerability of this nature having never existed (though I'm running Dapper and therefore not affected), but I am also satisfied with the way it was handled and am not going to lose any sleep over it.
Good luck with the trolling.
c) One can argue that a fairly obvious coding error led to this blatant vulnerability, but then MS has made some doozies themselves, and Apple has even followed in Microsoft's footsteps with bad choices by enabling automatic downloads/code execution with Safari and the desktop widgets etc. No vendor is immune to making errors, whether by coding or simply bad design that is only apparent in hindsight. I'm more concerned with how flaws and vulnerabilities are dealt with by the vendor once they're discovered.
This isn't really comparable to the Safari problem. At least here nobody purposely did something too risky. But claiming that the Safari one was only apparent in hindsight is a little silly.
I realized the functionality was ridiculous the first time I clicked on a link to a widget in Safari and I stopped using the browser altogether shortly after that. Defensive coding goes a long way towards avoiding these problems before they happen, it's just that dumb people think that the features are worth the risks (maybe they are, they seem to make more money that way). But you could choose to use software written by people who understand bad design and purposely choose not to go that way.
Ubuntu does not let you know the password for the 'root' user (the real root password) so that the beginner user cannot log in as root and do some damage. However, Ubuntu enables the user which installs the system to use the 'sudo' command, which allows the execution of commands as the root user (this is done to avoid using the root account unless really needed, for example when installing new packages). To use the sudo command you will have to use your user password (the one you decided at install time). This one is the password which is available in clear text.
So, as you can see, the effect is the same even if it isn't the root password.
The user you create during the Ubuntu install has full sudo privileges. Using sudo, that user is effectively root. The user created during the installation is the user's password that is stored in those files.
Your best bet is to remove the following files with rm:
/var/log/installer/cdebconf/questions.dat
/var/log/debian-installer/cdebconf/questions.dat
That is the workaround that you should do after installing breezy.
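A defender-side check for the workaround in the post above, added here as an example and not code from the thread or from Ubuntu: it audits the two questions.dat paths the post lists, reports whether each is still world-readable, and removes them. The ROOT parameter and the function names are assumptions so the script can be exercised against a scratch tree.

```shell
#!/bin/sh
# Added example, not code from the thread or from Ubuntu: audit and remove
# the installer log files named in the post above. ROOT (assumed parameter,
# default "/") lets the check run against a scratch tree instead of the
# live system.

# Paths the post says to delete, relative to ROOT.
INSTALLER_LOGS="var/log/installer/cdebconf/questions.dat
var/log/debian-installer/cdebconf/questions.dat"

# True (exit 0) when "others" have the read bit, i.e. any local user can
# read the file. Parses the mode column of ls -l, so it works on GNU and BSD.
world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# Report every file and return the number that are still world-readable,
# which is the condition the thread is worried about.
audit_installer_logs() {
    root=${1:-/}
    exposed=0
    for rel in $INSTALLER_LOGS; do
        p="${root%/}/$rel"
        if [ ! -e "$p" ]; then
            echo "absent   $p"
        elif world_readable "$p"; then
            echo "EXPOSED  $p (world-readable)"
            exposed=$((exposed + 1))
        else
            echo "present  $p (not world-readable, but still delete it)"
        fi
    done
    return "$exposed"
}

# Close the window first (chmod), then delete. Returns 0 when none remain.
remediate_installer_logs() {
    root=${1:-/}
    for rel in $INSTALLER_LOGS; do
        p="${root%/}/$rel"
        [ -e "$p" ] || continue
        chmod 600 "$p"   # stop other local users reading it immediately
        rm -f "$p"       # the log is not needed once installation is done
        echo "removed  $p"
    done
    for rel in $INSTALLER_LOGS; do
        [ -e "${root%/}/$rel" ] && return 1
    done
    return 0
}

# Run as root on a live Breezy box: audit first, remediate with --fix.
# The logged password is only the install-time one, so changing the
# account password (as the thread also advises) closes the hole as well.
audit_installer_logs "${ROOT:-/}" || echo "world-readable installer log(s) found"
if [ "${1:-}" = "--fix" ]; then
    remediate_installer_logs "${ROOT:-/}"
fi
```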
It's a significant security hole that makes one wonder at Ubuntu's ability to roll out an enterprise-grade distribution (Dapper) in the next few weeks. It's a really obvious flaw that should never have been engineered in the first place, and it's startling to see it appear in such a popular distribution.
For example, say you have a web server hosted at a university, where multiple students have access to the machine over ssh: the bug can be used by any student to escalate their privileges and basically do anything they want with the system.
Everyone who has installed Dapper needs to ensure that their systems can be made safe.
This is news.
If you read carefully, he's not at all saying that Dapper has this problem. He's alluding to the fact that this flaw was never found or removed from Breezy in the first place and how that makes him wonder if the developers are capable enough to let something like this go through on Dapper as well. He never implied or stated that Dapper had this problem present.
He's questioning their skill and talent as OS creators because of this problem, not saying that it's in the next release.
Now is your question answered?
Dapper actually may have the bug, both via update and fresh install. Search for 'dapper' on the bug report page. At first people claimed dapper didn't have a problem, but since then reports show that dapper does have it in at least some cases. In any case, an update should fix the problem.
I only post this because the word needs to get out that Dapper actually may have the bug, unlike originally thought. A false sense of security leads to insecurity.
There is code in the installer to remove this info from the log, but it seems to fail sometimes.
This does not affect all installs (it did not affect me).
It only has the password entered into the installer; if you have changed your password you are safe.
This is only exploitable by someone who has a login to your computer.
A fix should be released shortly.
For now: change your password.
It's telling that no one had discovered this bug for so long, because not recording passwords in cleartext in a world-readable file is such a basic thing that no one would even expect to look there.
If what they say is true, that this flaw isn't present on the installer anymore in Dapper, it's hard to believe that when they fixed that it wasn't figured out that the installer was broken in the Breezy version.
Everyone has security problems from time to time and I understand that, but this flaw is more blatant and worse than any flaw I can remember Windows ever having. Trust is a hard thing to win back once you've lost it. I'm seriously considering switching to Fedora over this, I feel my trust has been violated.
Aren't you overreacting a bit?
In any case Dapper is safe, I just checked my own installation. Actually, since it didn't overwrite the files (I updated with apt-get dist-upgrade), that means that I was safe in the first place.
It would appear that this was a random bug, which of course are the hardest ones to fix... Is this a bad bug? Yes. Has your "trust" been violated? I think that's an exaggeration.
No, I don't think I'm overreacting, I think I'm being properly objective. I've been using Ubuntu since the day before Warty was officially released, and since that time I've been a proponent of the distribution on Slashdot, OSNews, and other places -- even wrote a few op-eds that got linked to as articles from this site.
Since that time, there has not been a single security flaw this obvious and tragic on any operating system I can think of. I just checked four different Ubuntu systems I maintain (3 Breezy 1 Dapper), and all of them confirm this bug by having the installer password stored in cleartext in a world-readable file. Any user on any of those systems could have escalated to root. Any daemon vuln could have retrieved that password for remote root vuln.
This is not a random bug, it's reproducible and affects all non-expert Breezy installations. It shows lack of attention to very very important security considerations -- if this was missed, what else was missed in the rush to release on schedule? I understand all too well that sometimes there are application bugs and design problems, but I do not recall anything nearly of this magnitude in recent memory.
I'm not overreacting, you're underreacting. If this was on MS Windows, what would you be saying right now? Don't let your bias get in the way of seeing what a big deal this really is.
I do think you're overreacting. My Ubuntu Breezy-to-Dapper laptop is unaffected, therefore it does not affect all installations.
If you can't recall bugs that created security holes as severe as this one, then you haven't been following security advisories all that much...there have been worse remote exploits out there. I'm not trying to minimize this vulnerability, but it does require someone to get access to your machine first (and to know about the vulnerability, of course - fortunately, it seems that it had remained mostly unnoticed until now).
I agree that this is bad, but to go and say that your "trust has been violated" is being overly dramatic IMO. That would have required the Ubuntu devs to know about this bug and kept the fact hidden from you.
I do think you're overreacting. My Ubuntu Breezy-to-Dapper laptop is unaffected, therefore it does not affect all installations.
If you can't recall bugs that created security holes as severe as this one, then you haven't been following security advisories all that much...there have been worse remote exploits out there. I'm not trying to minimize this vulnerability, but it does require someone to get access to your machine first (and to know about the vulnerability, of course - fortunately, it seems that it had remained mostly unnoticed until now).
Hmm, please tell me you're not trying to downplay this by suggesting that the fact that (hopefully) nobody else knew about it and by saying that it sometimes doesn't happen! Those are simply not valid excuses.
I agree that this is bad, but to go and say that your "trust has been violated" is being overly dramatic IMO. That would have required the Ubuntu devs to know about this bug and kept the fact hidden from you.
First of all, it's his trust, he can decide whether it's been violated or not. If I were a Ubuntu user, I'd be seriously wondering about the brain-deadedness of the developer who logged the password in the first place, never mind everyone who didn't realize it.
Sure, it's not a remote exploit, but it's essentially the worst possible local exploit that could be imagined. I mean, you could put the password in motd to save the cracker a few seconds but that would take all the fun out of it.
Edited 2006-03-12 23:55
If you're going to Fedora for a secure system you're insane. Seriously, there is nothing about Fedora that says polish and security. It's not aimed at it, and I doubt the developers even give it a first thought, much less a second one.
If you're gonna get mad and leave Ubuntu please go to something that might be more secure: Slackware, or something. But not an experimental distribution like Fedora!
The world readable part really is pretty pathetic though isn't it? Maybe this will teach developers to think a bit harder about their installer logs!
You must not know a whole lot about Fedora. I mean, sure Fedora is a testbed for Red Hat technologies. Sure it might not always be as bug free as one would like. But Fedora is also where, among other things, the development of SELinux and SELinux policies, and the hardening of gcc takes place. To say that Fedora isn't security minded is just ludicrous. In my mind, FC4 has to be one of the most secure distros out these days.
Those technologies are implemented in Fedora to test to see if they'll break things for RHEL. Fedora, last I heard, has a pathetic/useless 5,000 rules for SELinux. RHEL has something like 50,000.
Fedora is a testbed. You do _not_ use testbeds in production environments. Once again: You don't trust your wallet to beta-ware.
Well I beg to differ. For one thing it wouldn't make sense for Red Hat to not test everything that's in RHEL and more on Fedora.
Anyway, I just glanced at the changelog for the FC4 targeted policy and also at the changelog for the RHEL 4 targeted policy. There are a greater amount of entries and also more recent entries in the FC4 changelog. As another metric, the FC4 policy directory is 2.8 M total, whereas the RHEL 4 directory is only 2.4 M.
And yes Fedora is a testbed. But that doesn't mean it's Swiss cheese. If anything the SELinux policies have seemed to err on the side of being too restrictive, not the other way around.
As for using Fedora in production, I'd say it depends. I certainly have no qualms about using it as a home desktop. I also find it quite adequate on the Linux desktops I take care of at work. And Fedora ran for years on our high performance cluster pretty much without a hitch. I've since moved to using RHEL (read Rocks) on our cluster, mainly due to tiring of the steep upgrade cycle that comes with Fedora, but actually to this day I still use Fedora on a few servers. When RHEL gives me problems, many a time a move to Fedora will straighten things out long enough for the fixes to make their way into RHEL.
Now with that said, is Fedora for everyone? Certainly not. But if you're going to tell me it's absolutely useless, well, my shop proves you wrong.