Linked by Thom Holwerda on Sun 12th Mar 2006 20:46 UTC, submitted by lotusleaf
Ubuntu, Kubuntu, Xubuntu
A major, critical bug and possible security threat has been discovered in Ubuntu Breezy. Apparently, the 'root' password (not actually the root password because Ubuntu uses sudo) gets written into the installer's log files in clear text, and can be read by any account on the Ubuntu machine. The bug was first discovered and reproduced on the Ubuntu forums. The bug does not seem to affect Dapper; however, users upgrading from Breezy to Dapper might still be at risk because the log files are not modified. Update: Bug is fixed. Please upgrade.
v Auch
by Axentrix on Sun 12th Mar 2006 20:44 UTC
Getting closer...
by diskinetic on Sun 12th Mar 2006 20:45 UTC
diskinetic
Member since:
2005-12-09

Yes, yes, Linux is coming closer to parity with Windows all the time ;)

Reply Score: 3

RE: Getting closer...
by Dark_Knight on Mon 13th Mar 2006 04:04 UTC in reply to "Getting closer..."
Dark_Knight Member since:
2005-07-10

Re: "Yes, yes, Linux is coming closer to parity with Windows all the time"

Oh well look at that, another person trying to generalize all Linux distributions as being the same. Such comments only help to prove an individual's inability to understand the differences between Linux distributions or Linux security in general. Especially when it's clearly pointed out by the title and bug report this issue is only related to Ubuntu Linux, not other Linux distributions such as SUSE Linux, Mandriva Linux, etc.

http://en.wikipedia.org/wiki/Linux

Edited 2006-03-13 04:09

Reply Score: 2

RE[2]: Getting closer...
by diskinetic on Mon 13th Mar 2006 04:18 UTC in reply to "RE: Getting closer..."
diskinetic Member since:
2005-12-09

One word: decaf. It was a joke, sir. Not a stunningly bright example of one, I grant you, but nominally a joke. Now, the generalization argument could also be made of those who take a line that has the word "Windows" and "Linux" in it and that ends with a smiley and construe it as a well-substantiated argument for or against anything. Those people could be lumped into a column marked "touchy", but I refuse to do that. Or do I? Hmm. Anyway, thanks OSNews for pointing this one out, and to everyone who made this problem, as bad as it was, go away as quickly as it did. I have taken steps to batten down my Breezy, and I look forward to telling people how responsive the entire spectrum of desktop Linux users are in such a situation. Bravo.

Reply Score: 3

Misspelled word
by gamehack on Sun 12th Mar 2006 20:47 UTC
gamehack
Member since:
2005-06-29

"Apparantly, the 'root' password" should be "Apparently,...".
Regards

Reply Score: 1

RE: Misspelled word
by raver31 on Mon 13th Mar 2006 08:14 UTC in reply to "Misspelled word"
raver31 Member since:
2005-07-06

No, No, No

it should have special characters and numbers too, so it should be "Apparently#1"

Reply Score: 3

Not too bad, at least for me
by mallard on Sun 12th Mar 2006 20:47 UTC
mallard
Member since:
2006-01-06

I am currently in the process of confirming this on my own Ubuntu box, but this is not really much of a vulnerability (for me at least) for the following reasons:

* The file cannot be read remotely. Ubuntu has no open ports by default.

* I am the only user of the machine. I already know my password. This could only be a problem if I left the machine unlocked/unattended at some point, something I try not to do.

Reply Score: 5

RE: Not too bad, at least for me
by Arcade Fire on Sun 12th Mar 2006 22:02 UTC in reply to "Not too bad, at least for me"
Arcade Fire Member since:
2005-12-11

* The file cannot be read remotely. Ubuntu has no open ports by default.

But Ubuntu allow ports to be open, and someone with open ports could be affected.

Reply Score: 3

RE[2]: Not too bad, at least for me
by Lu-Tze on Sun 12th Mar 2006 22:15 UTC in reply to "RE: Not too bad, at least for me"
Lu-Tze Member since:
2006-01-10

I completely agree. There are things like Automatix and Easy Ubuntu, which help newbies install things from codecs to p2p clients with a few clicks... I bet most people who use these have no idea what ports needed to be opened during installation, etc. So let's just admit it is a bad (and dumb (not sure which is worse)) bug, should not have happened, hopefully they fix it soon but let's not make excuses about it. Full disclosure: I do like Ubuntu a lot.

Reply Score: 1

RE: Not too bad, at least for me
by antwarrior on Sun 12th Mar 2006 22:43 UTC in reply to "Not too bad, at least for me"
antwarrior Member since:
2006-02-11

The tone of some on this article is a bit worrying.
I CAN'T believe that some would even attempt to play this down. If this was stated in some other operating system, say Vista, or maybe even better OSX, there would be general outrage and disgust at such indecent exposure.

Now some might say that my box is secure, and it's single user operating system, the danger is minimal.
blah blah blah. But I would like to point out that Ubuntu is a Linux distro, it can double as a server and people without thinking will set up Ubuntu as a server because it is Linux and not a Desktop distro, as some people would like to imply such a distinction (which should not be made to begin with). Linux is Linux, let's get that straight. I'm appalled!

It's an interesting facet to Linux security, that might be on the increase, that is insecurity and vulnerability being introduced by various user level tools that aid the "user's experience".

I must apologise for the tone of the email. I use Ubuntu @ home on my desktop and as a server machine and I was shocked at this.
root password or sudo enabled user (however you want to look at it) in clear text? wow.

Reply Score: 5

RE[2]: Not too bad, at least for me
by ma_d on Sun 12th Mar 2006 23:07 UTC in reply to "RE: Not too bad, at least for me"
ma_d Member since:
2005-06-29

Ubuntu is a desktop distro. It really is... Things like sudo are things that a server admin won't touch with a ten foot pole; they're unnecessary complications for his situation (he's one of very few who needs root access anyway).

Realistically if we saw this on slackware, debian, or gentoo I'd be more concerned. My concern is when people up-play these security vulnerabilities. It's not the end of the world ;) . It's not sasser, it's just a local exploit. The people most upset should be the developers (or in this case, distributors).

I'm surprised no one has tried to disprove many eyes with this one.. I'm waiting for that argument ;) .

Reply Score: 3

skx2 Member since:
2005-07-06

Things like sudo are things that a server admin won't touch with a ten foot pole

Actually I'd beg to differ

I look after 30-50 machines and I couldn't live without Sudo. Sure for a single server-admin they might be a bit of overkill, but sudo is perfect for granting particular users access to some things, but not giving them root.

(e.g. Allowing a developer access to restarting Apache.)

As soon as you have a team of sysadmins looking after a lot of machines sharing root passwords becomes unwieldy. In that case having sudo setup to allow all 'sysadmin' group-members access to root is the way to go. It provides a sane sensible approach to delegation, along with logging.

(Especially with one global sudoers file kept under revision control).

Reply Score: 2

Lettherebemorelight Member since:
2005-07-11

I look after 30-50 machines and I couldn't live without Sudo. Sure for a single server-admin they might be a bit of overkill, but sudo is perfect for granting particular users access to some things, but not giving them root.

Couldn't you accomplish the same or similar just by adding the user to the wheel group? I think another possibility would be to make use of setuid.

I've used sudo in a multi admin/multi server setup and I personally (not speaking for anyone else) hated it. I have no problem with it on the desktop though.

Reply Score: 1

theine Member since:
2005-09-29

Couldn't you accomplish the same or similar just by adding the user to the wheel group?

Sigh... why is this whole root/sudo thing so hard to grasp for many people?

You cannot accomplish the same with adding users to the wheel group because being a member of said group only allows you to actually become root via "su", for which you then need still the root password.

If you're not a member of the wheel group, you cannot become root via "su", even if you know the root password.

I'd really like to know why you hated sudo, given that command completion works fine with bash-completion, and that you can always become root permanently with "sudo -i"

Reply Score: 2

v Cue the peanut gallery
by Tom K on Sun 12th Mar 2006 20:50 UTC
v RE: Cue the peanut gallery
by situation on Sun 12th Mar 2006 21:20 UTC in reply to "Cue the peanut gallery"
v RE[2]: Cue the peanut gallery
by Tom K on Sun 12th Mar 2006 23:07 UTC in reply to "RE: Cue the peanut gallery"
RE: Cue the peanut gallery
by ma_d on Sun 12th Mar 2006 21:21 UTC in reply to "Cue the peanut gallery"
ma_d Member since:
2005-06-29

Ok. Let's be honest.
It's a local user priv escalation vulnerability. Ba dee-ba dee-ba that's all folks.

Nasty, annoying, good thing we all know about it now, and why would you be using Ubuntu on a server anyway? I've known a lot of people to do it, I've just never understood it.
Oh well, I can't help wondering how they'll implement the patch for this. A package which runs a script to delete those files?

Reply Score: 2

v RE[2]: Cue the peanut gallery
by Tom K on Sun 12th Mar 2006 23:05 UTC in reply to "RE: Cue the peanut gallery"
RE[3]: Cue the peanut gallery
by atsureki on Mon 13th Mar 2006 03:09 UTC in reply to "RE[2]: Cue the peanut gallery"
atsureki Member since:
2006-03-12

So you get Joe User who has managed to happily install Ubuntu, and he tells his OS X/Windows-using friend how great and secure it is. Said friend knows about the log file, finds it, gets root on Joe's box. Joe is not happy, and realizes that the Linux zealots on some forum or other were just spewing bullshit.

Some friend. That makes no sense at all. Put me in the room with anyone's desktop Wintel running Linux, and I can hax0r it with a liveCD and chroot. Even change the root password. If we're talking about a system you could just reach around and unplug or open up and remove the hard drive from, nothing you can do in software really counts as breaking in. This "exploit" affects basically two people: paranoid parents and people with untrusted guest accounts.

Reply Score: 2

v RE[4]: Cue the peanut gallery
by Tom K on Mon 13th Mar 2006 03:25 UTC in reply to "RE[3]: Cue the peanut gallery"
RE[5]: Cue the peanut gallery
by ma_d on Mon 13th Mar 2006 04:09 UTC in reply to "RE[4]: Cue the peanut gallery"
ma_d Member since:
2005-06-29

If your bank's ATM has any authentication control you need to look into a new bank.

Reply Score: 0

v RE[6]: Cue the peanut gallery
by Tom K on Mon 13th Mar 2006 05:45 UTC in reply to "RE[5]: Cue the peanut gallery"
RE[7]: Cue the peanut gallery
by ma_d on Mon 13th Mar 2006 07:03 UTC in reply to "RE[6]: Cue the peanut gallery"
ma_d Member since:
2005-06-29

I had something entirely on point. ATM's don't authenticate. They merely pass on authentication to some server...

If ATM's authenticated you they'd need to store account numbers and PIN's. The trouble here would be that a smart kid left alone with one for 10 hours could have everyone's PIN after removing the disk from the machine.

The other trouble is that maintaining this database would be a nightmare.

The next problem is that maintaining the authentication software, when you find a bug, would be a nightmare. You'd have to send changes down to millions of ATM's.


An ATM does about as much authentication as a security camera does watch itself. It's simply a middleman.

Who's emotional now ;) .

Reply Score: 1

RE[5]: Cue the peanut gallery
by atsureki on Mon 13th Mar 2006 05:34 UTC in reply to "RE[4]: Cue the peanut gallery"
atsureki Member since:
2006-03-12

So if my bank's ATM had a flaw in the UI that allowed me to bypass authentication and simply withdraw money, that wouldn't be breaking in?

Please, get a clue.


If your "bank" were a private citizen and the "ATM" were his unguarded Wintel box and the "money" were a bunch of bits on a physical disk that you could easily pop out with nothing but a Phillips head screwdriver, then we might be somewhere in the ballpark of what I said, yes.

I'm minimizing the security flaw on the grounds that it's nearly useless, not that it's easy. Gaining low-level control of any PC you have in your physical possession is a walk in the park. Doing it without having to restart isn't much of an exploit.

Another reply mentioned untrusted ssh, but that's a whole separate can of worms. You've gotta know what you're doing to get away with something like that regardless of your distro. Make a chroot jail and debootstrap. No password set prompts, no install log entry, no security bug.

A clear text password sitting anywhere on a filesystem in this day and age is pathetic, but all these red flag terms like root access are going to give people the wrong idea. It's an embarrassment, not a catastrophe.

Reply Score: 2

v RE[6]: Cue the peanut gallery
by Tom K on Mon 13th Mar 2006 05:47 UTC in reply to "RE[5]: Cue the peanut gallery"
RE[7]: Cue the peanut gallery
by ma_d on Mon 13th Mar 2006 06:58 UTC in reply to "RE[6]: Cue the peanut gallery"
ma_d Member since:
2005-06-29

This flaw can't be used to break in. It's a clear cut privilege escalation issue, break ins are another matter.

This is more like inviting your neighbor over and him then snatching the deed to your house from under your nose. Where a breakin would be someone cutting/breaking the window and stealing things.

You'll notice my analogy made the breakin easier to detect and the damage much easier to find. He also got less, the neighbor got your whole house by some impossibility of law.


Once again. If you are already a user on the machine you can't break into it. You're already in it!

Reply Score: 1

RE[4]: Cue the peanut gallery
by ma_d on Mon 13th Mar 2006 04:13 UTC in reply to "RE[3]: Cue the peanut gallery"
ma_d Member since:
2005-06-29

It affects anyone who gives ssh access to untrusted users.
It affects anyone who shares a machine with others and uses a sensitive password (and was the one to setup the machine).

The second category is pretty rare. But the first category is called a webhost.

Reply Score: 1

RE[5]: Cue the peanut gallery
by codergeek42 on Mon 13th Mar 2006 21:47 UTC in reply to "RE[4]: Cue the peanut gallery"
codergeek42 Member since:
2006-01-07

Wrong. Any webhost who knows what they're doing would not give SSH access to any of its users unless they were separated into VM servers like User-Mode Linux, Xen, or VMware.

Reply Score: 1

RE[3]: Cue the peanut gallery
by rattaro on Mon 13th Mar 2006 03:50 UTC in reply to "RE[2]: Cue the peanut gallery"
rattaro Member since:
2005-08-22

>It's a warning sign to all of you who think "Oh, I'll install Linux, and my computar will be UNHAXABLE!!11!"

Really, only anti-linux zealots think that linux users think that Linux is unhackable. Actual Linux users are a lot more realistic.

Fanboys of any type seem to have a hard time thinking of anything less than extremes. It's really a shame, but not everyone can see the balance of pros and cons.

Reply Score: 4

v RE[4]: Cue the peanut gallery
by Tom K on Mon 13th Mar 2006 03:53 UTC in reply to "RE[3]: Cue the peanut gallery"
RE[5]: Cue the peanut gallery
by archiesteel on Mon 13th Mar 2006 03:59 UTC in reply to "RE[4]: Cue the peanut gallery"
archiesteel Member since:
2005-07-02

Please back up your assertion by showing posts (a reasonable sample, please) where Linux "zealots" claim that Linux is unhackable.

Of course, people who know Linux know very well that it's hackable - hey, it's one of its main features! But don't let facts get in the way of a good straw man!

Meanwhile, I do believe that you have a quarrel with Linux users in general. Otherwise, why would you put "Linux is **** garbage!" on your user page?

Reply Score: 1

v RE[6]: Cue the peanut gallery
by Tom K on Mon 13th Mar 2006 05:44 UTC in reply to "RE[5]: Cue the peanut gallery"
RE[7]: Cue the peanut gallery
by archiesteel on Mon 13th Mar 2006 06:13 UTC in reply to "RE[6]: Cue the peanut gallery"
archiesteel Member since:
2005-07-02

As for backing up my statement ... http://www.google.com/search?q=linux+unhackable

Nice cop out. None of the links on the first page are related to Linux enthusiasts claiming that it's unhackable. None on the second page, either. I didn't look any further, it's clear that you're making unsubstantiated allegations, as usual.

Think of the 13-year-old Linux-using retards who go around claiming they're invincible because they've installed Redhat.

I would, except I've never met any.

And you put "zealots" in quotes, as if it's unheard of that Linux has a religious jihadist following.

It may be heard of, but only from anti-Linux posters who have constructed this myth.

Facts, please, not mere accusations.

Reply Score: 0

RE[7]: Cue the peanut gallery
by Sphinx on Mon 13th Mar 2006 14:24 UTC in reply to "RE[6]: Cue the peanut gallery"
Sphinx Member since:
2005-07-09

Because they use and know it.

Reply Score: 1

RE[5]: Cue the peanut gallery
by rattaro on Mon 13th Mar 2006 05:22 UTC in reply to "RE[4]: Cue the peanut gallery"
rattaro Member since:
2005-08-22

>. . . it's the effing retarded zealots that I go after.

Try not to think that you are better than others, because you aren't, and people who live in glass houses shouldn't throw stones.

Reply Score: 1

RE: Cue the peanut gallery
by Harald on Sun 12th Mar 2006 21:22 UTC in reply to "Cue the peanut gallery"
Harald Member since:
2006-03-10

I'm really looking forward to being told how this debacle is excusable because 'the community pulled together and fixed it within 3.14 seconds after discovery' ;) ))))

Reply Score: 1

RE[2]: Cue the peanut gallery
by jaylaa on Sun 12th Mar 2006 22:00 UTC in reply to "RE: Cue the peanut gallery"
jaylaa Member since:
2006-01-17

Actually, if you take a look at the forums, nobody is making any excuses. Nobody is saying it's okay. Linux zealots aren't so bad as to pretend that a serious issue like this isn't a major screw up (unlike the users of some other OSs).

Reply Score: 5

v RE[3]: Cue the peanut gallery
by Tom K on Sun 12th Mar 2006 23:06 UTC in reply to "RE[2]: Cue the peanut gallery"
RE[4]: Cue the peanut gallery
by ma_d on Sun 12th Mar 2006 23:11 UTC in reply to "RE[3]: Cue the peanut gallery"
ma_d Member since:
2005-06-29

Would someone ban this guy?

You've not made a single constructive statement in this thread. All you've done is call anyone down-playing this "the peanut gallery" and referred to them as zealots, and you just called Mac fans retards.
Cutesy insults or straight up, you just called Mac fans retards, and I'm calling you on it.

This is not slashdot so take your trolling elsewhere and contribute constructive comments or shut up.

Reply Score: 1

v RE[5]: Cue the peanut gallery
by Tom K on Sun 12th Mar 2006 23:35 UTC in reply to "RE[4]: Cue the peanut gallery"
RE[5]: Cue the peanut gallery
by tomcat on Mon 13th Mar 2006 21:33 UTC in reply to "RE[4]: Cue the peanut gallery"
tomcat Member since:
2006-01-06

There is some truth to what he says. At least some Mac fans are retards. ;-p

Reply Score: 1

v RE: Cue the peanut gallery
by archiesteel on Sun 12th Mar 2006 21:51 UTC in reply to "Cue the peanut gallery"
v RE[2]: Cue the peanut gallery
by Tom K on Sun 12th Mar 2006 23:07 UTC in reply to "RE: Cue the peanut gallery"
RE[2]: Cue the peanut gallery
by sappyvcv on Sun 12th Mar 2006 23:14 UTC in reply to "RE: Cue the peanut gallery"
sappyvcv Member since:
2005-07-06

The same could be said about you and Microsoft stories, so what is your point?

Yeah, thought so.

Reply Score: 0

v RE[3]: Cue the peanut gallery
by archiesteel on Sun 12th Mar 2006 23:48 UTC in reply to "RE[2]: Cue the peanut gallery"
v RE[4]: Cue the peanut gallery
by sappyvcv on Mon 13th Mar 2006 00:21 UTC in reply to "RE[3]: Cue the peanut gallery"
RE[5]: Cue the peanut gallery
by archiesteel on Mon 13th Mar 2006 00:31 UTC in reply to "RE[4]: Cue the peanut gallery"
archiesteel Member since:
2005-07-02

I don't have an anti-Microsoft agenda, I am critical of Microsoft anti-competitive behavior, that's quite different.

Also, because someone is critical of Microsoft doesn't mean that they are anti-Windows, despite what you imply. I find this mental shortcut of yours to be rather disingenuous.

That said, I sometimes (not very often) participate in MS threads, and I am critical of MS, but that has nothing to do with the constant flamebaiting that Tom K indulges in. That you'd even contemplate a similarity is indicative, in my view, that you still haven't gotten over the fact that I pointed out that most of your posts were pro-MS (not pro-Windows).

Reply Score: 0

RE[6]: Cue the peanut gallery
by sappyvcv on Mon 13th Mar 2006 00:58 UTC in reply to "RE[5]: Cue the peanut gallery"
sappyvcv Member since:
2005-07-06

Actually you have admitted you have an anti-Microsoft agenda. I'm sorry if you want to take it back now.

And your anti-Windows agenda is much more subtle, and not troll-like, but it's there.

No, you're not anywhere near Tom K, but the same idea applies.

And if you honestly think I haven't "gotten over" that, you're delusional. I moved on long ago.

Again, I was just commenting on the "anti-Linux agenda".

Reply Score: 0

RE[7]: Cue the peanut gallery
by archiesteel on Mon 13th Mar 2006 02:38 UTC in reply to "RE[6]: Cue the peanut gallery"
archiesteel Member since:
2005-07-02

Actually you have admitted you have an anti-Microsoft agenda. I'm sorry if you want to take it back now.

(sigh) Since you insist on questioning my character, I'll reiterate my position with regards to Microsoft. I believe that MS is abusing its monopoly status in the Operating System and Office Suite markets. I have nothing about Microsoft's presence in other markets, because they don't have monopoly status there.

I believe that computing is an ever growing part of our lives, and as such represents something that's much too important to leave in the hands of private monopolies. I believe in competition in the marketplace, and unfortunately in the PC world Microsoft either squelches competition or acquires it. As such (and again, only in these markets) I believe that Microsoft must lose its monopoly status. I believe that advocating alternative OSes is a good way to achieve this goal, as the more people use them the better they become.

I also believe that Microsoft's multi-million advertising campaigns against Linux and the general FUD they spread about it cannot be matched by the Linux community. Microsoft's anti-Linux agenda is clear, and my own position towards them is reciprocal, since I am part of the community.

You see, this is why it's not the same "idea" that applies own position and Tom K's knee-jerk anti-Linux stance. I make logical arguments to criticize a company (one of the richest, and a monopoly) for its abusive behavior, which I consider dangerous, while Tom K repeatedly provokes and attacks a community of people and the OS they choose to use. That is how his trolling is different than my legitimate criticism. That is why we are nothing alike, him and I, and why your comparison was both uncalled for and, well, a cheap shot in itself. So let's call it even and we can all really move on, all right?

Reply Score: 1

RE: Cue the peanut gallery
by elsewhere on Mon 13th Mar 2006 01:52 UTC in reply to "Cue the peanut gallery"
elsewhere Member since:
2005-07-13

This is a cue for the peanut gallery to explain to us all how this is not even close to being a vulnerability, and how there's no reason to worry, and how we should all switch to Linux.

Begin.


If there was a peanut gallery, they would simply rehash the zealous denials from the OS X crowd over the last three security bulletins ("Well, sure it was hacked over ssh, they had a local account, that doesn't count cause it's not remotely exploitable!") or the blind optimism of the Win crowd ("I have two A/V scanners and I run 15 spyware removers 3 times a day so I'm perfectly safe!")

Fact is, this is a design error that has caused a considerable security vulnerability. But there are three things worth noting:

a) The majority of responses on this post demonstrate concern or frustration instead of the usual Ubuntu all-is-forgiven attitude, meaning that users are taking this seriously. Frankly I'm a little pleasantly surprised myself, but there you have it.

b) Nobody in the community or Ubuntu is denying or stonewalling, and in fact the dev responsible has posted to take responsibility, explain how the error happened, and what steps were taken to resolve it; compare that to many vendors that refuse to acknowledge or discuss vulnerabilities until they have the patch out

c) One can argue that a fairly obvious coding error led to this blatant vulnerability, but then MS has made some doozies themselves, and Apple has even followed in Microsoft's footsteps with bad choices by enabling automatic downloads/code execution with Safari and the desktop widgets etc. No vendor is immune to making errors, whether by coding or simply bad design that is only apparent in hindsight. I'm more concerned with how flaws and vulnerabilities are dealt with by the vendor once they're discovered.

As a Kubuntu user, I'd prefer a vulnerability of this nature having never existed (though I'm running Dapper and therefore not affected), but I am also satisfied with the way it was handled and am not going to lose any sleep over it.

Good luck with the trolling.

Reply Score: 5

RE[2]: Cue the peanut gallery
by kamper on Mon 13th Mar 2006 03:07 UTC in reply to "RE: Cue the peanut gallery"
kamper Member since:
2005-08-20

c) One can argue that a fairly obvious coding error led to this blatant vulnerability, but then MS has made some doozies themselves, and Apple has even followed in Microsoft's footsteps with bad choices by enabling automatic downloads/code execution with Safari and the desktop widgets etc. No vendor is immune to making errors, whether by coding or simply bad design that is only apparent in hindsight. I'm more concerned with how flaws and vulnerabilities are dealt with by the vendor once they're discovered.

This isn't really comparable to the Safari problem. At least here nobody purposely did something too risky. But claiming that the Safari one was only apparent in hindsight is a little silly.

I realized the functionality was ridiculous the first time I clicked on a link to a widget in Safari and I stopped using the browser altogether shortly after that. Defensive coding goes a long way towards avoiding these problems before they happen, it's just that dumb people think that the features are worth the risks (maybe they are, they seem to make more money that way). But you could choose to use software written by people who understand bad design and purposely choose not to go that way.

Reply Score: 1

to root or not to root
by baafie on Sun 12th Mar 2006 20:51 UTC
baafie
Member since:
2006-01-23

.. the 'root' password (not actually the root password because Ubuntu uses sudo)..

So is it the root password or not?

Reply Score: 1

RE: to root or not to root
by mallard on Sun 12th Mar 2006 20:54 UTC in reply to "to root or not to root"
mallard Member since:
2006-01-06

No, it is the password of a user with full sudo privileges, which is just as bad as a root password.

Ubuntu has root locked down by default, so there is no root password.

Reply Score: 4

RE: to root or not to root
by battlehorse on Sun 12th Mar 2006 20:59 UTC in reply to "to root or not to root"
battlehorse Member since:
2005-07-06

Ubuntu does not let you know the password for the 'root' user ( the real root password ) so that the beginner user cannot log in as root and do some damage. However, ubuntu enables the user which installs the system to use the 'sudo' command which allows the execution of commands as the root user (this is done to avoid using the root account unless when really needed, for example when installing new packages). To use the sudo command you will have to use your user password (the one you decided at install time). This one is the password which is available in clear text.

So, as you can see, the effect is the same even if it isn't the root password.

Reply Score: 3

RE: to root or not to root
by atsureki on Sun 12th Mar 2006 21:00 UTC in reply to "to root or not to root"
atsureki Member since:
2006-03-12

Edit: Never mind. Other people have explained the issue.

Edited 2006-03-12 21:02

Reply Score: 1

Easy fix.
by SEJeff on Sun 12th Mar 2006 20:55 UTC
SEJeff
Member since:
2005-11-05

The user you create during the Ubuntu install has full sudo privileges. Using sudo, that user is effectively root. The user created during the installation is the user's password that is stored in those files.

Your best bet is to remove the following files with rm:
/var/log/installer/cdebconf/questions.dat
/var/log/installer/cdebconf/questions.dat
/var/log/debian-installer/cdebconf/questions.dat
/var/log/debian-installer/cdebconf/questions.dat

That is the workaround that you should do after installing breezy.

Reply Score: 5

v This is not news, its a bug!
by NDunkel on Sun 12th Mar 2006 21:00 UTC
RE: This is not news, its a bug!
by Sphinx on Sun 12th Mar 2006 21:08 UTC in reply to "This is not news, its a bug!"
Sphinx Member since:
2005-07-09

Bugs are news, especially in security.

Reply Score: 4

RE: This is not news, its a bug!
by BryanFeeney on Sun 12th Mar 2006 21:15 UTC in reply to "This is not news, its a bug!"
BryanFeeney Member since:
2005-07-06

It's a significant security hole, that makes one wonder at Ubuntu's ability to roll out an enterprise-grade distribution (Dapper) in the next few weeks. It's a really obvious flaw that should never have been engineered in the first place, and it's startling to see it appear in such a popular distribution.

For example, say you have web-server hosted at a university, where multiple students have access to the machine over ssh: the bug can be used by any student to escalate their privileges and basically do anything they want with the system.

Everyone who has installed Dapper needs to ensure that their systems can be made safe.

This is news.

Reply Score: 5

RE[2]: This is not news, its a bug!
by ryan on Sun 12th Mar 2006 21:58 UTC in reply to "RE: This is not news, its a bug!"
ryan Member since:
2005-07-06

"Everyone who has installed Dapper needs to ensure that their systems can be made safe."

Correction: Everyone who has installed *Ubuntu* needs to ensure that their systems can be made safe.

Reply Score: 1

ma_d Member since:
2005-06-29

Correction: Everyone who calls themself a system administrator needs to ensure that their systems are made safe.

Reply Score: 1

ryan Member since:
2005-07-06

"Correction: Everyone who calls themself a system administrator needs to ensure that their systems are made safe."

That would make sense if Ubuntu was marketed as "Linux for System Administrators". But it doesn't make sense.

Reply Score: 1

h-milch-mann Member since:
2005-10-27

It's a significant security hole, that makes one wonder at Ubuntu's ability to roll out an enterprise-grade distribution (Dapper) in the next few weeks
This bug is not in a dapper installation. Now is your question answered?

Reply Score: 4

DittoBox Member since:
2005-07-08

If you read carefully, he's not at all saying that dapper has this problem. He's alluding to the fact that this flaw was never found or removed from breezy in the first place and how that makes him wonder if the developers are capable enough to let something like this go through on dapper as well. He never implied or stated that dapper had this problem present.

He's questioning their skill and talent as OS creators because of this problem, not saying that it's in the next release.

Now is your question answered?

Reply Score: 4

mdmkolbe Member since:
2005-09-15

Dapper actually may have the bug, both via update and fresh install. Search for 'dapper' on the bug report page. At first people claimed dapper didn't have a problem, but since then reports show that dapper does have it in at least some cases. In any case, an update should fix the problem.

I only post this because the word needs to get out that dapper actually may have the bug unlike originally thought. A false sense of security leads to insecurity.

Reply Score: 1

BluenoseJake Member since:
2005-08-11

It was reported, and now is fixed, just like these things are supposed to work

Reply Score: 1

v Now I'm LMFAO at you guys
by stephanem on Sun 12th Mar 2006 21:18 UTC
RE: Now I'm LMFAO at you guys
by smittal on Sun 12th Mar 2006 22:54 UTC in reply to "Now I'm LMFAO at you guys "
smittal Member since:
2006-02-03

How, exactly? If there was a root account, you would have to set the password for it at some point, and presumably that would have been logged as well.

Reply Score: 2

Ubuntu developers
by tejaskokje on Sun 12th Mar 2006 21:22 UTC
tejaskokje
Member since:
2005-07-18

This is a very basic bug/problem. This shows that none of the developers/QA even bothered to look at installation log files during development. They just assumed it to be flawless.

Tejas Kokje

Reply Score: 5

the root password..
by amaze_9 on Sun 12th Mar 2006 21:26 UTC
amaze_9
Member since:
2005-11-12

Guard the root password with your life.

..if you see what I mean..

Reply Score: 3

more details
by ssam on Sun 12th Mar 2006 22:03 UTC
ssam
Member since:
2006-03-12

there is code in the installer to remove this info from the log, but it seems to fail sometimes.

this does not affect all installs (it did not affect me)

it only has the password entered into the installer, if you have changed your password you are safe.

this is only exploitable by someone who has a login to your computer.

a fix should be released shortly.

for now: change your password.

Reply Score: 2

Can't be excused
by miscz on Sun 12th Mar 2006 22:07 UTC
miscz
Member since:
2005-07-17

I'm an Ubuntu fanboy and can't find any excuse, oh boy :|

Reply Score: 3

This is a terrible security flaw
by ryan on Sun 12th Mar 2006 22:10 UTC
ryan
Member since:
2005-07-06

It's telling that no one had discovered this bug for so long, because not recording passwords in cleartext in a world-readable file is such a basic thing that no one would even expect to look there.

If what they say is true, that this flaw isn't present on the installer anymore in Dapper, it's hard to believe that when they fixed that it wasn't figured out that the installer was broken in the Breezy version.

Everyone has security problems from time to time and I understand that, but this flaw is more blatant and worse than any flaw I can remember Windows ever having. Trust is a hard thing to win back once you've lost it. I'm seriously considering switching to Fedora over this, I feel my trust has been violated.

Reply Score: 2

archiesteel Member since:
2005-07-02

Aren't you overreacting a bit?

In any case Dapper is safe, I just checked my own installation. Actually, since it didn't overwrite the files (I updated with apt-get dist-upgrade), that means that I was safe in the first place.

It would appear that this was a random bug, which of course are the hardest ones to fix...Is this a bad bug? Yes. Has your "trust" been violated? I think that's an exaggeration.

Reply Score: 2

ryan Member since:
2005-07-06

No, I don't think I'm overreacting, I think I'm being properly objective. I've been using Ubuntu since the day before Warty was officially released, and since that time I've been a proponent of the distribution on Slashdot, OSnews, and other places -- even wrote a few opeds that got linked to as articles from this site.

Since that time, there has not been a single security flaw this obvious and tragic on any operating system I can think of. I just checked four different Ubuntu systems I maintain (3 Breezy 1 Dapper), and all of them confirm this bug by having the installer password stored in cleartext in a world-readable file. Any user on any of those systems could have escalated to root. Any daemon vuln could have retrieved that password for remote root vuln.

This is not a random bug, it's reproducible and affects all non-expert Breezy installations. It shows lack of attention to very very important security considerations -- if this was missed, what else was missed in the rush to release on schedule? I understand all too well that sometimes there are application bugs and design problems, but I do not recall anything nearly of this magnitude in recent memory.

I'm not overreacting, you're underreacting. If this was on MS Windows, what would you be saying right now? Don't let your bias get in the way of seeing what a big deal this really is.

Reply Score: 4

archiesteel Member since:
2005-07-02

I do think you're overreacting. My Ubuntu Breezy-to-Dapper laptop is unaffected, therefore it does not affect all installations.

If you can't recall bugs that created security holes as severe as this one, then you haven't been following security advisories all that much...there have been worse remote exploits out there. I'm not trying to minimize this vulnerability, but it does require someone to get access to your machine first (and to know about the vulnerability, of course - fortunately, it seems that it had remained mostly unnoticed until now).

I agree that this is bad, but to go and say that your "trust has been violated" is being overly dramatic IMO. That would have required the Ubuntu devs to know about this bug and kept the fact hidden from you.

Reply Score: 2

kamper Member since:
2005-08-20

I do think you're overreacting. My Ubuntu Breezy-to-Dapper laptop is unaffected, therefore it does not affect all installations.

If you can't recall bugs that created security holes as severe as this one, then you haven't been following security advisories all that much...there have been worse remote exploits out there. I'm not trying to minimize this vulnerability, but it does require someone to get access to your machine first (and to know about the vulnerability, of course - fortunately, it seems that it had remained mostly unnoticed until now).


Hmm, please tell me you're not trying to downplay this by suggesting that the fact that (hopefully) nobody else knew about it and by saying that it sometimes doesn't happen! Those are simply not valid excuses.

I agree that this is bad, but to go and say that your "trust has been violated" is being overly dramatic IMO. That would have required the Ubuntu devs to know about this bug and kept the fact hidden from you.

First of all, it's his trust, he can decide whether it's been violated or not. If I were a Ubuntu user, I'd be seriously wondering about the brain-deadedness of the developer who logged the password in the first place, nevermind everyone who didn't realize it.

Sure, it's not a remote exploit, but it's essentially the worst possible local exploit that could be imagined. I mean, you could put the password in motd to save the cracker a few seconds but that would take all the fun out of it.

Edited 2006-03-12 23:55

Reply Score: 3

archiesteel Member since:
2005-07-02

Hmm, please tell me you're not trying to downplay this by suggesting that the fact that (hopefully) nobody else knew about it and by saying that it sometimes doesn't happen!

No, I'm not. I'm simply relieved that there was apparently little damage done due to this vulnerability. I'm acknowledging that we were lucky - this time.

Those are simply not valid excuses.

I am well aware of that.

First of all, it's his trust, he can decide whether it's been violated or not.

Right, and it's my right to express the opinion that he is overreacting. What's your point?

If I were a Ubuntu user, I'd be seriously wondering about the brain-deadedness of the developer who logged the password in the first place, nevermind everyone who didn't realize it.

The "brain-dead" developer posted a candid explanation of how this vulnerability came to be in this thread, you can discuss it with him if you want.

As for not realizing it, that's pretty much everybody until today.

Reply Score: 2

kamper Member since:
2005-08-20

Right, and it's my right to express the opinion that he is overreacting. What's your point?

My point is that it's one thing for you to not take this seriously, but you can't really tell other people they should not doubt the developers for a mistake as serious as this. He can take it as seriously as he likes.

The "brain-dead" developer posted a candid explanation of how this vulnerability came to be in this thread, you can discuss it with him if you want.

Well, two points there: I respect the balls it took to come in here and fess up. And I don't think there's any point in bashing him over the head with it, as I'm sure he understands how brain-dead the mistake was (and he's not claiming otherwise, so far as I can tell).

Explanations, though, however candid, aren't excuses. Sure, it could have happened to anybody, but his team failed too, in not checking up properly on his work.

As for not realizing it, that's pretty much everybody until today.

We hope :p but we don't know that the guy that reported it was actually the first to find it ;) But not everybody is part of a team that claims to be releasing a secure product (read: it's not everyone else's responsibility to find these mistakes).

Anyway, I'm not a ubuntu user and probably will never be one so there's little point of me being on the offensive.

Reply Score: 1

archiesteel Member since:
2005-07-02

My point is that it's one thing for you to not take this seriously

You're missing my point, which is that I'm taking this seriously. Just because I'm not tearing my shirt and saying that I'm going to change distros and claiming that this is the worst vulnerability in recent history doesn't mean I don't care.

Yes, this is a bad vulnerability. Bad, bad, bad. But I'm not going to switch distros for that, nor do I feel that my trust has been violated. Ergo, I believe that the original poster is overreacting.

but you can't really tell other people they should not doubt the developers for a mistake as serious as this. He can take it as seriously as he likes.

I have already agreed to that. I, however, can still say that, in my humble opinion, he is overreacting. And, for your information, I can tell anyone what I bloody well feel like, just like they're free to take my advice, argue about it or just ignore me. That's the beauty of freedom of speech.

Me saying that he's overreacting isn't trying to censor him, it's simply stating my opinion. By telling me I can't express myself on whether or not he's overreacting, however, you are in effect advocating censorship. And, ironically enough, you have every right to. I just disagree.

Explanations, though, however candid, aren't excuses. Sure, it could have happened to anybody, but his team failed too, in not checking up properly on his work.

They're not excuses, of course. Now, I'm pretty satisfied with the speed at which the vulnerability was fixed, and that there apparently weren't any wide-scale damages due to this vulnerability. So it's a bad mark for Ubuntu, but to me that's not worth switching, and I don't believe that the Ubuntu devs acted in bad faith. My trust in them has not changed, it only proves to me that they are human.

We hope :p but we don't know that the guy that reported it was actually the first to find it ;) But not everybody is part of a team that claims to be releasing a secure product (read: it's not everyone else's responsibility to find these mistakes).

Of course not, but there is an awful lot of Ubuntu users. It's not very difficult to see if a string containing your password appears in plain-text in a file, especially if it's a rare word, name, or combination of letters/digits. I'm surprised that it took so long for someone to notice, frankly!

Reply Score: 1

RE: This is a terrible security flaw
by ma_d on Mon 13th Mar 2006 07:25 UTC in reply to "This is a terrible security flaw"
ma_d Member since:
2005-06-29

If you're going to Fedora for a secure system you're insane. Seriously, there is nothing about Fedora that says polish and security. It's not aimed at it, and I doubt the developers even give it a first thought, much less a second one.

If you're gonna get mad and leave Ubuntu please go to something that might be more secure: Slackware, or something. But not an experimental distribution like Fedora!

The world readable part really is pretty pathetic though isn't it? Maybe this will teach developers to think a bit harder about their installer logs!

Reply Score: 1

Mathman Member since:
2005-07-08

You must not know a whole lot about Fedora. I mean, sure Fedora is a testbed for Red Hat technologies. Sure it might not always be as bug free as one would like. But Fedora is also where, among other things, the development of selinux and selinux policies, and the hardening of gcc takes place. To say that Fedora isn't security minded is just ludicrous. In my mind, FC4 has to be one of the most secure distros out these days.

Reply Score: 1

ma_d Member since:
2005-06-29

Those technologies are implemented in Fedora to test to see if they'll break things for RHEL. Fedora, last I heard, has a pathetic/useless 5,000 rules for SELinux. RHEL has something like 50,000.

Fedora is a testbed. You do _not_ use testbeds in production environments. Once again: You don't trust your wallet to beta-ware.

Reply Score: 1

Mathman Member since:
2005-07-08

Well I beg to differ. For one thing it wouldn't make sense for Red Hat to not test everything that's in RHEL and more on Fedora.

Anyway, I just glanced at the changelog for the FC4 targeted policy and also at the changelog for the RHEL 4 targeted policy. There are a greater amount of entries and also more recent entries in the FC4 changelog. As another metric, the FC4 policy directory is 2.8 M total, whereas the RHEL 4 directory is only 2.4 M.

And yes Fedora is a testbed. But that doesn't mean it's swiss cheese. If anything the selinux policies have seemed to err on the side of being too restrictive, not the other way around.

As for using Fedora in production, I'd say it depends. I certainly have no qualms about using it as a home desktop. I also find it quite adequate on the Linux desktops I take care of at work. And Fedora ran for years on our high performance cluster pretty much without a hitch. I've since moved to using RHEL (read Rocks) on our cluster, mainly due to tiring of the steep upgrade cycle that comes with Fedora, but actually to this day I still use Fedora on a few servers. When RHEL gives me problems, many a time a move to Fedora will straighten things out long enough for the fixes to make their way into RHEL.

Now with that said, is Fedora for everyone? Certainly not. But if you're going to tell me it's absolutely useless, well, my shop proves you wrong.

Reply Score: 1

Finalzone Member since:
2005-07-06

And yes Fedora is a testbed. But that doesn't mean it's swiss cheese

One can say that any Linux distro is practically a testbed to each other. After all Fedora is not the only testbed system as Ubuntu itself was based on Debian Sid.

Reply Score: 1

ma_d Member since:
2005-06-29

Oh Fedora is a fine desktop. I didn't like it as one, but I'm sure it's nice for some. But I wouldn't touch it with a ten foot pole as a system I had to support.
Supporting RH8/9 is bad enough! And they were conservative with those.

Reply Score: 1

Finalzone Member since:
2005-07-06

If you're going to Fedora for a secure system you're insane. Seriously, there is nothing about Fedora that says polish and security. It's not aimed at it, and I doubt the developers even give it a first thought, much less a second one.

Obviously you didn't follow Fedora's track to make that assumption. When you get the chance to see the fifth release, you will notice the polish applied from the desktop to the wallpaper.

As Mathman pointed out, one of the major features of Fedora, especially the incoming FC5, is its security system, which is more user-friendly than in the previous release. As a tester, I report that FC5T3 is amazingly stable despite its testing nature.

Edited 2006-03-13 10:02

Reply Score: 1

ma_d Member since:
2005-06-29

I've never seen a fedora work right, and I've run FC2, FC3, and FC4 briefly (long enough to hate it and move on, about 12 hours). And it _is_ RedHat's testing distribution. If you want security, that's not a bad one to run, RHEL that is. Of course, that costs money.

Reply Score: 1

Finalzone Member since:
2005-07-06

I've never seen a fedora work right, and I've run FC2, FC3, and FC4 briefly ...sic...
Perhaps you are unlucky with your hardware.

And it _is_ RedHat's testing distribution.
Much like OpenSuse is Novell's testbed and OpenSolaris a test bed for Solaris, right? At least users get the opportunity to try some technologies ported for an enterprise product to a bleeding edge OS and vice versa.

If you want security, that's not a bad one to run, RHEL that is. Of course, that costs money.
Because RHEL is about subscription to the services aimed at the enterprise level, which is its primary target. I have seen some small businesses using Fedora in a production environment even though that OS was not aimed for.

Sorry for hijacking the topic. It was meant to point out flaws and correct them.

Reply Score: 1

v Sudo....
by Shakey on Sun 12th Mar 2006 22:13 UTC
RE: Sudo....
by ssam on Sun 12th Mar 2006 22:21 UTC in reply to "Sudo...."
ssam Member since:
2006-03-12

it's quite easy, see https://wiki.ubuntu.com/RootSudo

Reply Score: 0

RE: Sudo....
by jaylaa on Sun 12th Mar 2006 22:25 UTC in reply to "Sudo...."
jaylaa Member since:
2006-01-17

sudo apt-get remove sudo

No joke. Though you need to enable a true root account before running this command. Which means you could just 'apt-get remove sudo' as root. Or just use Synaptic

Reply Score: 0

RE[2]: Sudo....
by DittoBox on Sun 12th Mar 2006 23:19 UTC in reply to "RE: Sudo...."
DittoBox Member since:
2005-07-08

Read the forum post. That's still not a solution. The main user's password is still printed in the log file, as well as root's if you set that up as well in setup.

And uninstalling a major part of ubuntu security (don't laugh at the preceding two words) could lead to breakage on the next upgrade. Synaptic won't run after you remove it anyway.

When you open Synaptic it asks for your password. That's a GUI wrapper for sudo, asking for the sudo-privileged user's credentials so it can launch.

So if you haven't got your root password setup, running synaptic and then removing sudo will pretty much render your system broken. I may have misunderstood you but it looks like you're saying "create a root password then remove sudo via the command line...or just use synaptic".

HTH

Reply Score: 2

RE[3]: Sudo....
by jaylaa on Fri 17th Mar 2006 23:32 UTC in reply to "RE[2]: Sudo...."
jaylaa Member since:
2006-01-17

Read the question I was answering. I wasn't suggesting this as a way to fix this bug, I was just telling someone how to get rid of sudo. Which is what they asked:

I know this may not be the correct medium for this question, but...

Is there any way to get rid of sudo once Ubuntu is installed? I HATE it.

Thanks,

Reply Score: 1

JMcCarthy
Member since:
2005-08-12

I thought most normal people just did a; sudo passwd root

what a stupid 'feature'.

Reply Score: 0

smittal Member since:
2006-02-03

When I was first screwing around with Linux, sudo was a pain in the ass--but these days, it's more convenient than su-ing to root to execute one command.

Reply Score: 0

DittoBox Member since:
2005-07-08

This doesn't fix the problem. The log files aren't showing the true root password, they're showing the first created user's password. The first created user is just a normal user account with full sudo privileges. This is at least the way things are done in a "normal" installation. In expert mode the root password can be defined.

This doesn't change the fact that any users (including root, or the main sysadmin user which has full sudo rights) and their passwords you create and define in setup are logged in clear text. That's totally inexcusable.

Reply Score: 2

DevL Member since:
2005-07-06

Not really. If you need to do anything more than a single command as root just use sudo su and you're set until you've finished whatever you need to do as root.

Reply Score: 0

Trollstoi Member since:
2005-11-11

sudo su

Reply Score: 1

Easy workaround!
by n1xt3r on Sun 12th Mar 2006 23:33 UTC
n1xt3r
Member since:
2006-02-05

Change your password :p

Reply Score: 3

cjwatson
Member since:
2006-03-12

I'm the Ubuntu installer maintainer, so obviously this bug is ultimately my fault. I'm sorry for that - it's clear it shouldn't have sneaked past QA. (We'll be updating our testing processes to be rather more careful about this sort of thing.) Now that I've spent the evening doing security updates to clean up the mess, I thought I might take a moment to explain how this happened, and why it wasn't noticed as an issue in Breezy at the same time as it was fixed in Dapper.

The Ubuntu installer (like Debian) uses a framework called debconf to do all its user interaction; that framework has a backend database which stores all the answers, which is where passwords ended up being stored for this vulnerability. Naturally, when you're asking for passwords using debconf, you take a lot of care to clean them out of the database afterwards: we explicitly clear them out in the password-asking code pretty much as soon as we can, and we have a separate database for the answers to password questions which isn't copied to the directory of installer log files in the final installed system. This had all been working well for some time (e.g. in Hoary).

Unfortunately, the way we arranged for the password question to be asked in the first stage of the Breezy installer meant that two debconf databases were involved rather than one, and the passwords only got cleared out of one of those databases. Even this would have been OK if it weren't for the fact that some changes we needed to make in cdebconf for other reasons in Breezy (I've yet to track down the exact changesets involved, but never mind) broke the mechanism that was supposed to make sure that passwords ended up in a separate database. Sigh.

As for why we didn't notice the problem in Breezy when this was fixed in Dapper, well, that's because the fix in Dapper was part of a massive installer reorganisation (http://riva.ucam.org/~cjwatson/blog/ubuntu/2006-01-03-single-stage-...) and it was really just fixed by accident. So it goes.

Anyhow, I've fixed this just about as soon as was humanly possible for me, and take it extremely seriously. While perhaps for some of you it's too little too late, we'll do everything we can to install better defences against this kind of thing in future.

Reply Score: 5
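The failure cjwatson describes above (password answers left in a debconf database that is copied into the installed system's installer log directory) can be checked for after the fact. The following Python audit is an added example, not part of the thread and not Ubuntu's own code; it assumes the RFC822-style `Name:`/`Value:` stanza layout of debconf database files, takes the log directory as an argument because the thread does not name it, and treats any question whose name contains "password" as sensitive.

```python
"""Audit a directory of installer logs for leftover debconf password answers."""
import os
import stat
import sys
import tempfile


def parse_stanzas(text):
    """Split an RFC822-style debconf database dump into one dict per question."""
    stanzas, current = [], {}
    for line in text.splitlines():
        if not line.strip():              # a blank line ends the stanza
            if current:
                stanzas.append(current)
                current = {}
            continue
        if line[0] in " \t":              # continuation of the previous field
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def leaked_questions(text):
    """Names of password-like questions that still carry a non-empty answer."""
    return [s["Name"] for s in parse_stanzas(text)
            if "password" in s.get("Name", "").lower() and s.get("Value")]


def audit_tree(root):
    """Return (path, world_readable, question_names) for each file with a leak.

    The answers themselves are never returned or printed.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    names = leaked_questions(fh.read())
            except OSError:
                continue                  # unreadable to us: rerun as root
            if names:
                findings.append((path, bool(st.st_mode & stat.S_IROTH), names))
    return findings


# Constructed sample data, not taken from a real installation.
SAMPLE_LEAKY = """\
Name: debian-installer/locale
Template: debian-installer/locale
Value: en_US

Name: passwd/user-password
Template: passwd/user-password
Value: constructed-secret
"""
SAMPLE_CLEARED = """\
Name: passwd/user-password
Template: passwd/user-password
Value:
"""


def demo():
    """Build a throwaway tree with one leaky and one cleared database, audit it."""
    with tempfile.TemporaryDirectory() as root:
        for fname, body, mode in (("leaky.dat", SAMPLE_LEAKY, 0o644),
                                  ("cleared.dat", SAMPLE_CLEARED, 0o600)):
            path = os.path.join(root, fname)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
            os.chmod(path, mode)
        return [(os.path.basename(p), world, names)
                for p, world, names in audit_tree(root)]


if __name__ == "__main__":
    # Pass the installer log directory as the only argument; without one,
    # the constructed demo runs instead.
    results = audit_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for path, world, names in results:
        exposure = "world-readable" if world else "restricted"
        print(f"{path}: {exposure}, answers still set for {', '.join(names)}")
    sys.exit(1 if results else 0)
```

A hit means the password typed into the installer was exposed for as long as the file existed, so cleaning the file is not enough; as several posters in this thread say, the password itself has to be changed.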

Sartoris Member since:
2005-07-07

Thank you for posting that.

Reply Score: 1

archiesteel Member since:
2005-07-02

Thank you for coming forward, admitting your mistake and giving us a better idea of how such a serious security vulnerability could have happened.

Reply Score: 1

aaronb Member since:
2005-07-06

Thanks for being open and honest.

Reply Score: 1

Sphinx Member since:
2005-07-09

Sure, blame debian. Funny I don't see their use of debconf dumping root's pword everywhere.

Reply Score: 1

Not here
by Emil on Mon 13th Mar 2006 00:17 UTC
Emil
Member since:
2005-06-29

All my Ubuntu computers are safe. My log files are empty. Maybe it's because I've installed it in Expert mode?

Reply Score: 1

fixed already
by ssam on Mon 13th Mar 2006 00:53 UTC
ssam
Member since:
2006-03-12
Linux fascists in full force
by stephanem on Mon 13th Mar 2006 04:17 UTC
stephanem
Member since:
2006-01-11

A lot of anti-linux posts have been modded down. This is so typical of a linux site. You want constructive criticism, deal with the posts that Linux or Ubuntu sucks and tell us how you are going to fix it.


Shouting down people who criticize Linux will surely make OSNEWS a Slashdot sister site.

Edited 2006-03-13 04:17

Reply Score: 0

RE: Linux fascists in full force
by jaylaa on Mon 13th Mar 2006 06:04 UTC in reply to "Linux fascists in full force"
jaylaa Member since:
2006-01-17

A lot of anti-linux posts have been modded down. This is so typical of a linux site. You want constructive criticism, deal with the posts that Linux or Ubuntu sucks and tell us how you are going to fix it.

Yes, a lot of anti-linux posts were modded down. But they were far from being posts of constructive criticism. At worst they were trolls, at best, off topic. The constructive criticism posts are the ones discussing the actual flaw, how it happened, how serious it is, and yes, criticising Ubuntu for letting it happen. Posts like that were not modded down. Some are at +5 right now.

Reply Score: 4

RE: Linux fascists in full force
by Sphinx on Mon 13th Mar 2006 14:23 UTC in reply to "Linux fascists in full force"
Sphinx Member since:
2005-07-09

Hey don't look at me, haven't had any mod points to spend in either direction in over a month.

Reply Score: 1

How Does This Affect......
by Pelly on Mon 13th Mar 2006 04:59 UTC
Pelly
Member since:
2005-07-07

The issue is that there is a security vulnerability regarding a quite popular Linux distro.

People who develop code for Linux are human beings that are capable of making mistakes. Even the most stringent QA Testing can miss things.

The questions that came to my mind are:

1. Since Ubuntu is Debian based, is this particular problem Ubuntu-specific or are other Debian derivatives such as Kubuntu, Xandros, Linspire or others affected?

2. It looks like Ubuntu's 'Breezy' is affected but not 'Dapper.' Can a security patch to correct this issue be implemented easily?

3. Is this particular issue present in previous versions of Ubuntu?

My 2 cents.

Reply Score: 1

RE: How Does This Affect......
by DigitalAxis on Mon 13th Mar 2006 06:28 UTC in reply to "How Does This Affect......"
DigitalAxis Member since:
2005-08-28

I'm less worried about this issue in and of itself than I am of the process that allowed a bug like this to make it into a shipping product. I'll grant that it was subtle enough to make it through what, 5 months without being noticed? But still.

4. Have any policies been implemented to minimize the chances of this happening in the future?

I know, the chances will never be zero...

Reply Score: 1

RE[2]: How Does This Affect......
by cjwatson on Mon 13th Mar 2006 10:54 UTC in reply to "RE: How Does This Affect......"
cjwatson Member since:
2006-03-12

I've added a check for this to our testing procedures, and since last night we've been actively making installer code more defensive to make as damn sure as possible that this won't happen again. As you say, the chances will never be zero, but we'll do our best.

Reply Score: 2

RE: How Does This Affect......
by cjwatson on Mon 13th Mar 2006 10:50 UTC in reply to "How Does This Affect......"
cjwatson Member since:
2006-03-12

1. This particular problem is Ubuntu-specific, although Joey Hess asked me to note here that "Debian managed not to be affected by essentially lucky timing"; one of the twin root causes of the problem has been in Debian code between about April 2005 and last night (when I fixed it). However, Debian only started going anywhere near using that code in d-i etch beta 2, and as best as I can tell escaped any consequences. It is unlikely that other Debian derivatives were doing sufficiently similar things to be affected, although all derivatives of Ubuntu 5.10 are affected.

2. Already done, last night.

3. No; Warty had entirely different code paths which weren't vulnerable to this problem, and we've verified Hoary clean.

Reply Score: 3

RE[2]: How Does This Affect......
by cjwatson on Tue 14th Mar 2006 12:53 UTC in reply to "RE: How Does This Affect......"
cjwatson Member since:
2006-03-12

Upon further investigation, I must correct this slightly; both Ubuntu dapper and current Debian etch are affected by a similar problem if and only if you use an installer preconfiguration file to preseed a root or user password. (If you don't know whether you have done this, then you haven't.) This is a less severe problem because obviously if this is the case then the password was already readable in the preconfiguration file, and there's a facility for preseeding pre-encrypted passwords; however, it would allow somebody to attack an encrypted password at their leisure without having to get the contents of /etc/shadow first.

I've committed a set of fixes for this to cdebconf to go with Joey Hess' changes to world-readability of installer log files, and we'll have it sorted out soon.

Reply Score: 3

RE[3]: How Does This Affect......
by irbis on Tue 14th Mar 2006 14:24 UTC in reply to "RE[2]: How Does This Affect......"
irbis Member since:
2005-07-08

cjwatson:

"I've committed a set of fixes for this to cdebconf to go with Joey Hess' changes to world-readability of installer log files, and we'll have it sorted out soon."

"we'll do everything we can to install better defences against this kind of thing in future"

Great, keep up that good work to improve Ubuntu security. And thanks also for taking time to clear these things up here in this OSnews thread. You deserve your +3.00 commentator points here, cjwatson... :-)

Edited 2006-03-14 14:26

Reply Score: 1

Total nOOb
by russ on Mon 13th Mar 2006 05:04 UTC
russ
Member since:
2006-03-13

I must admit that I've been using breezy for about 3 weeks now. I decided to get into Linux a while back and saw all of the talk about Ubuntu so I figured I would try it. The last time I used Linux was with (formerly known as) Mandrake about 5 years ago, and then it was only for about a couple of months for a class I was taking. I just didn't have the time to flatten the learning curve to really get into Linux then. Now, I have more time, and I even got the kids ported over (from XP) to using Ubuntu. I installed it on a laptop and desktop at home and I must say, it was a much more pleasant experience than I had 5 years ago. In fact, it was easy as installing Windows, an environment I've been in for 10 years now.

I gave my nOOb story to make this point: I like the direction Ubuntu is going, even though they made a HUGE mistake with the log file in clear text, and, if they are like the rest of us, it won't be the last mistake they make. I have seen plenty of mistakes over the years in NT and 2000 networks. Knowing this, I won't jump ship on Ubuntu. The main reason is that they already have the fix posted (would LOVE to see that kind of turn-around time on the networks I work on!) and the second reason is that the dev basically stepped up and said we screwed up, and here is why(..).

I like that, takes guts and it shows me they care about the distro (Even if the mistake may appear otherwise). I chose breezy because I was putting on my machines at the house, not on a mission critical network. Ubuntu is still relatively young, and this error proves it. Whether or not Dapper can live up to the server side hype, I don't know, but I do know I'll keep Ubuntu on my machines. Sorry about the length, just no quick way to make this point.

Reply Score: 5

A Lesson in Making Fun of This Event
by ma_d on Mon 13th Mar 2006 07:14 UTC
ma_d
Member since:
2005-06-29

There's been a few posts here trying to make fun of this, but to be honest, they've been very pathetic. They've utterly failed to put ironic twists on anything and have fallen closer to libel than they fall to a good ha-ha laugh.

So, sadly, let's read slashdot to see how to make fun of this:
http://it.slashdot.org/comments.pl?sid=180016&cid=14905312
http://it.slashdot.org/comments.pl?sid=180016&cid=14905339
http://it.slashdot.org/comments.pl?sid=180016&cid=14905362
http://it.slashdot.org/comments.pl?sid=180016&cid=14905444


Also, it looks like this problem has been fixed today. What's that, about 12 hours to fix? Not that it was a hard solution... This problem was discovered by a user and fixed on a Sunday, the day it was reported. Kudos to the Ubuntu folks for making such a stupid mistake and fixing it with such grace.

Ok, continue bickering over this; talk of religion, fan-boyism, stupidity, security, and whatever else you kids call each other these days.

Reply Score: 2

Ubuntu is gaining popularity
by Morin on Mon 13th Mar 2006 10:06 UTC
Morin
Member since:
2005-12-31

... and it seems like a lot of people are really upset about Ubuntu gaining popularity. Yes, this is a major bug and there is no excuse for it - guess why it was fixed in Dapper. But the amount of bashing in response is just funny. This reminds me a bit of the flame wars following the Mac dumb-user exploits, but then, this time very few (curse them!) are saying "you are invulnerable, this thing won't hurt you, and if it does then you should not be allowed to use your computer."

Reply Score: 2

oh well ...
by cg0def on Mon 13th Mar 2006 12:16 UTC
cg0def
Member since:
2006-02-12

OK, just because one distro screwed the pooch, how does that make Linux a bad OS, diskinetic?

As far as Ubuntu goes ... shame on you. Using sudo is no excuse for not testing the way ALL passwords are stored. Yes, people do care about usability, but Linux users care about security probably a tad bit more than they do about usability.

Reply Score: 1

Open source + Closed mind = Cult Mentality
by rakamaka on Mon 13th Mar 2006 13:22 UTC
rakamaka
Member since:
2005-08-12

I use Debian pure compiled everything...
--------------------
It was MAC exploit last week and now it is Linux/Ubuntu exploit.
Read all posts about this news. Did you see any mind setup?
No one has so far accepted responsibility/guilt about slipping of this bug in distro. Maybe Mark Shuttleworth has not been conveyed this news by his cronies. All people/developers are busy bashing others who criticize them and modding down anti-Linux posts.
For average Joe (to whom Ubuntu was friendliest distro) this is thunderbolt. And none of devels on this forum has pointed simple click-to-install patch for this bug for average Joe.
Windows is bugged and slow to release patches. But at least average Joe can install it when available.

Reply Score: 0

joelito_pr Member since:
2005-07-07

> For average Joe (to whom Ubuntu was friendliest distro) this is thunderbolt. And none of devels on this forum has pointed simple click-to-install patch for this bug for average Joe.
> Windows is bugged and slow to release patches. But at least average Joe can install it when available.


That comment shows ignorance of Ubuntu's update process.

Any Ubuntu user that has the default setup will see the update indicator. A couple of clicks is all it takes. More advanced users can use apt-get or synaptic to download the patch. And more paranoid users would clear the install logs and change the password.

Reply Score: 4

DigitalAxis Member since:
2005-08-28

Either you're a troll, or you haven't read these comments carefully, or your sarcasm needs work.

cjwatson has accepted responsibility/guilt about the bug in the system. He even registered a name on this forum, just to apologize and explain what Ubuntu's doing about it. Take a look at any of the three posts he's made thus far.

His presence here would indicate that at least someone in the Ubuntu hierarchy (even if it is just cjwatson) realizes the catastrophic importance of this, and is trying to explain themselves.

And I wouldn't exactly consider fessing up to be "bashing others who criticize them"; the argument is over people who are generalizing from one Linux distro with a major flaw, to ALL Linux distros (that hopefully don't have that flaw.) Maybe it's different on other forums.

As for Ubuntu, they seem to be fair game (LOTS of critical posts) since THEY're the ones who messed up and THEY're the ones who fessed up, and THEY're the ones who left passwords in a text file readable by all users.

Lastly, Debian/Ubuntu does have 'click to install'. It's just in the package manager. It's like Windows Update, only it's used for everything.

Reply Score: 2

lol
by Duffman on Mon 13th Mar 2006 14:06 UTC
Duffman
Member since:
2005-11-23

We can now start to say that "Linux is more secure because of its market share" :-D

Who is laughing now?

Reply Score: 0

Sounds scary
by siki_miki on Mon 13th Mar 2006 14:07 UTC
siki_miki
Member since:
2006-01-17

But it isn't THAT bad after all. On real multiuser machines the administrator will create a separate root password anyway. It is desktop machines for one or two users that will have this security problem (anyway, who installs Ubuntu on multiuser machines and doesn't turn off its way of dealing with passwords?)

And since Ubuntu is to be used by users with high speed internet connection, most who do care will upgrade.

Reply Score: 1

rakamaka
Member since:
2005-08-12

Last week I posted this in response to news about MAC hacking and I got modded/slashed down for technicality that MAC is not opensource bla bla bla....
Well now it is Ubuntu/opensource turn, so I am reposting
-------------------------------------------------
I am Debian pure user compile everything myself, and so computer literate.

Linux posters on OSN regularly chide themselves that there are thousands of eyes watching open source code and even if any vulnerability is found will be fixed in minutes. The question is why this simple exploit got into system at first place? What happened to those thousands of eyes? Are they sleeping? Are they drunk? Or are they just living in ivory tower?

Now devels responding to this item have started deflecting average readers' attention from 'root cause' of this problem by discussing technicalities of the hack. From average user's viewpoint, I ask just one question, over last 2-3 years of Ubuntu world how come this simple exploitable command/bug, whatever u call it, slipped under the nose of thousands of devels around the world?????

FearFactor: it is not 'Rocket Science' (Mark S.) for an experienced Hacker to figure out these type of exploits in future...

Conclusion: number of viruses, bugs, exploits = marketshare * popularity

Reply Score: 0

ma_d Member since:
2005-06-29

It only affects one release, which is approximately 6 months old. It doesn't exist in older releases.

The technicalities, as you call them, are why the average user is unaffected by the issue.

The thousands of eyes caught it. This wasn't found by a security researcher. It wasn't found by a developer. It was found by a user. And the thousands of eyes fixed it, in under 24 hours.

Number of exploits has little to do with popularity. The amount of use they get does. There are probably more discovered security holes in FOSS than commercial variants (with the exception of the older IIS), they also tend to get fixed quickly and the diversity of deployment often makes them almost unusable.

Reply Score: 2

Way to go Ubuntu!
by BluenoseJake on Mon 13th Mar 2006 18:58 UTC
BluenoseJake
Member since:
2005-08-11

Man, there's a lot of bs in this discussion. All software contains bugs, and all operating systems, commercial and FOSS have had very serious security problems in the past and will continue to have them in the future. You can flame all you want, but what the situation comes down to is that Ubuntu had a critical security problem, they owned up to it and fixed it in a remarkably short period of time, and that's that. If only more vendors were this honest and transparent, even the developer himself posted and explained the situation. As far as I am concerned, they could not have handled it better.

Reply Score: 2

RE: Way to go Ubuntu!
by Morin on Mon 13th Mar 2006 19:51 UTC in reply to "Way to go Ubuntu!"
Morin Member since:
2005-12-31

> All software contains bugs [...]

This is a bad assumption to start with, because it opens up excuses for missed bugs.

Reply Score: 1

RE[2]: Way to go Ubuntu!
by ma_d on Mon 13th Mar 2006 20:55 UTC in reply to "RE: Way to go Ubuntu!"
ma_d Member since:
2005-06-29

It's an assumption in reality. It's the truth, and it's something to remember if you ever want to ship.

If you want to never ship, believe you can prove your software and go at it. It'll be rock solid, in 50 years when its dependencies no longer exist.

Reply Score: 1

RE[2]: Way to go Ubuntu!
by BluenoseJake on Tue 14th Mar 2006 14:10 UTC in reply to "RE: Way to go Ubuntu!"
BluenoseJake Member since:
2005-08-11

There are always bugs, anything built by humans is imperfect by definition, best we can do is an approximation of perfect, which leaves room for errors.

Reply Score: 1

RE[2]: Way to go Ubuntu!
by BluenoseJake on Tue 14th Mar 2006 15:51 UTC in reply to "RE: Way to go Ubuntu!"
BluenoseJake Member since:
2005-08-11

It's a valid assumption, because all developers are human, and humans are not perfect, and in something as complex as an OS, mistakes are bound to happen.

EDIT, I guess I responded twice to this, sorry

Edited 2006-03-14 16:09

Reply Score: 1

RE[3]: Way to go Ubuntu!
by Morin on Tue 14th Mar 2006 18:02 UTC in reply to "RE[2]: Way to go Ubuntu!"
Morin Member since:
2005-12-31

[Bluenose Jake]
> It's a valid assumption, because all developers are
> human, and humans are not perfect, and in something as
> complex as an OS, mistakes are bound to happen

Yes, but it's an assumption a customer should make to be prepared for flaws which pop up. It should not be made to downplay the importance of a flaw (your original posting sounded like that to me).

[ma_d]
> If you want to never ship, believe you can prove your
> software and go at it. It'll be rock solid, in 50
> years when its dependencies no longer exist.

I guess you're lucky that few lives depend on the correctness of software yet (especially the software written by you).

Reply Score: 1

Debian fork eh??
by NixerX on Mon 13th Mar 2006 21:17 UTC
NixerX
Member since:
2006-01-04

With a f**k up like that is more spoon like.
And I love Ubuntu.
-nX

Reply Score: 0

Ubuntu security
by irbis on Tue 14th Mar 2006 08:53 UTC
irbis
Member since:
2005-07-08

Just because of these kinds of issues, I tend to like extra secure operating systems like OpenBSD a lot (at least in principle), and be a bit of a security geek myself. OpenBSD would just never have left something like this to happen in their OS.

It is better to be a bit too much on the safe side than to be a bit lazy with security.

By the way, I wonder when will Ubuntu have a secure default firewall in its installation? What is this: P2P software is installed but a firewall not?? Isn't Ubuntu supposed to be a newbie friendly OS ready for secure Internet usage from the start? Thus it should have a firewall installed. It is just not enough to say that there are no ports open in the default install IMHO. Please, just include the easy to use GUI firewall config program Firestarter in the default Ubuntu installation and the firewall issue is solved.

Reply Score: 1

Hugging sucks, IMHO
by da_Chicken on Tue 14th Mar 2006 10:43 UTC
da_Chicken
Member since:
2006-01-01

Every day is a hug day in the Ubuntu world. But there are special hug days that are also bug days. Some people also say that every day is a bug day. And then, logically, every day is a hug day and a bug day.
https://lists.ubuntu.com/archives/ubuntu-desktop/2006-February/00026...

Planning is one thing, but we'll surely stick to our concept of success: the Hug Day. This is a very special Bug Day: on Hug Day, when someone closes a bug, then someone else should hug him/her. Why? This is a very special way for us to tell everyone that we love contributions!
https://wiki.ubuntu.com/UbuntuBugDay

Dammit. Those Ubuntu marketing people really need to stop harassing Ubuntu devs by hugging them all the time. There is no doubt in my mind that this critical bug could have been easily avoided if only the PR department would let the devs concentrate on their work.

Reply Score: 1

RE: Hugging sucks, IMHO
by dragoncow2 on Wed 15th Mar 2006 22:03 UTC in reply to "Hugging sucks, IMHO"
dragoncow2 Member since:
2006-03-15

Are you suggesting that devs don't need/want/like hugs? How would you like being a hugless dev? Perhaps the devs would program malicious code if they didn't get their hugs? Huh, ever thought about that? You're cruel.

Reply Score: 1

Dapper will be more secure than Breezy
by da_Chicken on Tue 14th Mar 2006 17:13 UTC
da_Chicken
Member since:
2006-01-01

I just installed the latest flight/alpha version of Dapper Drake and it seems that the next Ubuntu release will be very good security-wise. Firewall is configured by default and all network-listening services are secured. Many other distros don't bother with these "small" details and most new users just think that Linux is safe by default. Well, it isn't necessarily so, but the default installation of Ubuntu Dapper will be quite secure. Well done, Ubuntu.

Also, thanks cjwatson for keeping us informed. It's good to hear that Ubuntu and Debian are collaborating, making GNU/Linux safer for users and fixing all known bugs ASAP.

Reply Score: 1