A major, critical bug and possible security threat has been discovered in Ubuntu Breezy. Apparently, the ‘root’ password (not actually the root password, since Ubuntu locks the root account and instead gives the first user full sudo rights) gets written into the installer’s log files in clear text, where it can be read by any account on the Ubuntu machine. The bug was first discovered and reproduced on the Ubuntu forums. The bug does not seem to affect Dapper; however, users upgrading from Breezy to Dapper might still be at risk because the upgrade does not modify the existing log files. Update: the bug is fixed. Please upgrade.
Ouch, that’s one hell of a security issue.
Guess I got even more reasons to stay away from the ubuntu-crap
Yes, yes, Linux is coming closer to parity with Windows all the time
Re: “Yes, yes, Linux is coming closer to parity with Windows all the time”
Oh well look at that, another person trying to generalize all Linux distributions as being the same. Such comments only help to prove an individual’s inability to understand the differences between Linux distributions or Linux security in general. Especially when it’s clearly pointed out by the title and bug report this issue is only related to Ubuntu Linux, not other Linux distributions such as SUSE Linux, Mandriva Linux, etc.
http://en.wikipedia.org/wiki/Linux
Edited 2006-03-13 04:09
One word: decaf. It was a joke, sir. Not a stunningly bright example of one, I grant you, but nominally a joke. Now, the generalization argument could also be made of those who take a line that has the word “Windows” and “Linux” in it and that ends with a smiley and construe it as a well-substantiated argument for or against anything. Those people could be lumped into a column marked “touchy”, but I refuse to do that. Or do I? Hmm. Anyway, thanks OSNews for pointing this one out, and to everyone who made this problem, as bad as it was, go away as quickly as it did. I have taken steps to batten down my Breezy, and I look forward to telling people how responsive the entire spectrum of desktop Linux users are in such a situation. Bravo.
“Apparantly, the ‘root’ password” should be “Apparently,…”.
Regards
No, No, No
it should have special characters and numbers too, so it should be “Apparently#1”
I am currently in the process of confirming this on my own Ubuntu box, but this is not really much of a vulnerability (for me at least) for the following reasons:
* The file cannot be read remotely. Ubuntu has no open ports by default.
* I am the only user of the machine. I already know my password. This could only be a problem if I left the machine unlocked/unattended at some point, something I try not to do.
* The file cannot be read remotely. Ubuntu has no open ports by default.
But Ubuntu allow ports to be open, and someone with open ports could be affected.
I completely agree. There are things like Automatix and Easy Ubuntu, which help newbies install things from codecs to p2p clients with a few clicks…I bet most people who use these have no idea what ports needed to be opened during installation, etc. So let’s just admit it is a bad (and dumb (not sure which is worse)) bug, should not have happened, hopefully they fix it soon but let’s not make excuses about it. Full disclosure: I do like Ubuntu a lot.
The tone of some on this article is a bit worrying.
I CAN’T believe that some would even attempt to play this down. If this was stated in some other operating system, say Vista, or maybe even better OS X, there would be general outrage and disgust at such indecent exposure.
Now some might say that my box is secure, and it’s a single user operating system, the danger is minimal.
blah blah blah. But I would like to point out that Ubuntu is a Linux distro, it can double as a server and people without thinking will set up Ubuntu as a server because it is Linux and not a Desktop distro, as some people would like to imply such a distinction (which should not be made to begin with). Linux is Linux, let’s get that straight. I’m appalled!
It’s an interesting facet to Linux security, that might be on the increase, that is insecurity and vulnerability being introduced by various user level tools that aid the “user’s experience”.
I must apologise for the tone of the email. I use Ubuntu @ home on my desktop and as a server machine and I was shocked at this.
root password or sudo enabled user (however you want to look at it) in clear text? wow.
Ubuntu is a desktop distro. It really is… Things like sudo are things that a server admin won’t touch with a ten foot pole; they’re unnecessary complications for his situation (he’s one of very few who needs root access anyway).
Realistically if we saw this on slackware, debian, or gentoo I’d be more concerned. My concern is when people up-play these security vulnerabilities. It’s not the end of the world. It’s not sasser, it’s just a local exploit. The people most upset should be the developers (or in this case, distributors).
I’m surprised no one has tried to disprove many eyes with this one.. I’m waiting for that argument.
Things like sudo are things that a server admin won’t touch with a ten foot pole
Actually I’d beg to differ
I look after 30-50 machines and I couldn’t live without Sudo. Sure for a single server-admin they might be a bit of overkill, but sudo is perfect for granting particular users access to some things, but not giving them root.
(e.g. Allowing a developer access to restarting Apache.)
As soon as you have a team of sysadmins looking after a lot of machines sharing root passwords becomes unwieldy. In that case having sudo setup to allow all ‘sysadmin’ group-members access to root is the way to go. It provides a sane sensible approach to delegation, along with logging.
(Especially with one global sudoers file kept under revision control).
I look after 30-50 machines and I couldn’t live without Sudo. Sure for a single server-admin they might be a bit of overkill, but sudo is perfect for granting particular users access to some things, but not giving them root.
Couldn’t you accomplish the same or similar just by adding the user to the wheel group? I think another possibility would be to make use of setuid.
I’ve used sudo in a multi admin/multi server setup and I personally (not speaking for anyone else) hated it. I have no problem with it on the desktop though.
Couldn’t you accomplish the same or similar just by adding the user to the wheel group?
Sigh… why is this whole root/sudo thing so hard to grasp for many people?
You cannot accomplish the same with adding users to the wheel group because being a member of said group only allows you to actually become root via “su”, for which you then still need the root password.
If you’re not a member of the wheel group, you cannot become root via “su”, even if you know the root password.
I’d really like to know why you hated sudo, given that command completion works fine with bash-completion, and that you can always become root permanently with “sudo -i”
This is a cue for the peanut gallery to explain to us all how this is not even close to being a vulnerability, and how there’s no reason to worry, and how we should all switch to Linux.
Begin.
It’ll be like the OS X of the Linux world, with everyone excusing Ubuntu!
Do switch to Linux though, just not Ubuntu
Yeah, Ubuntu on my iBook is crap.
Ok. Let’s be honest.
It’s a local user priv escalation vulnerability. Ba dee-ba dee-ba that’s all folks.
Nasty, annoying, good thing we all know about it now, and why would you be using Ubuntu on a server anyway? I’ve known a lot of people to do it, I’ve just never understood it.
Oh well, I can’t help wondering how they’ll implement the patch for this. A package which runs a script to delete those files?
It goes to show that even the godly Linux devs make retarded mistakes. It’s a warning sign to all of you who think “Oh, I’ll install Linux, and my computar will be UNHAXABLE!!11!”.
So you get Joe User who has managed to happily install Ubuntu, and he tells his OS X/Windows-using friend how great and secure it is. Said friend knows about the log file, finds it, gets root on Joe’s box. Joe is not happy, and realizes that the Linux zealots on some forum or other were just spewing bullshit.
The truth can be painful when you’ve had unrealistic expectations implanted in your head.
So you get Joe User who has managed to happily install Ubuntu, and he tells his OS X/Windows-using friend how great and secure it is. Said friend knows about the log file, finds it, gets root on Joe’s box. Joe is not happy, and realizes that the Linux zealots on some forum or other were just spewing bullshit.
Some friend. That makes no sense at all. Put me in the room with anyone’s desktop Wintel running Linux, and I can hax0r it with a liveCD and chroot. Even change the root password. If we’re talking about a system you could just reach around and unplug or open up and remove the hard drive from, nothing you can do in software really counts as breaking in. This “exploit” affects basically two people: paranoid parents and people with untrusted guest accounts.
> nothing you can do in software really counts as breaking in
So if my bank’s ATM had a flaw in the UI that allowed me to bypass authentication and simply withdraw money, that wouldn’t be breaking in?
Please, get a clue.
If your bank’s ATM has any authentication control you need to look into a new bank.
You missed the point. Obviously your bank card and PIN number are a form of authentication.
f–k, you are so stupid sometimes. If you don’t have anything to say about my point, then simply don’t say anything.
I had something entirely on point. ATMs don’t authenticate. They merely pass on authentication to some server…
If ATMs authenticated you they’d need to store account numbers and PINs. The trouble here would be that a smart kid left alone with one for 10 hours could have everyone’s PIN after removing the disk from the machine.
The other trouble is that maintaining this database would be a nightmare.
The next problem is that maintaining the authentication software, when you find a bug, would be a nightmare. You’d have to send changes down to millions of ATMs.
An ATM does about as much authentication as a security camera does watch itself. It’s simply a middleman.
Who’s emotional now.
It’s an authentication interface, then. As far as my point goes, your pedantics change nothing.
So if my bank’s ATM had a flaw in the UI that allowed me to bypass authentication and simply withdraw money, that wouldn’t be breaking in?
Please, get a clue.
If your “bank” were a private citizen and the “ATM” were his unguarded Wintel box and the “money” were a bunch of bits on a physical disk that you could easily pop out with nothing but a Phillips head screwdriver, then we might be somewhere in the ballpark of what I said, yes.
I’m minimizing the security flaw on the grounds that it’s nearly useless, not that it’s easy. Gaining low-level control of any PC you have in your physical possession is a walk in the park. Doing it without having to restart isn’t much of an exploit.
Another reply mentioned untrusted ssh, but that’s a whole separate can of worms. You’ve gotta know what you’re doing to get away with something like that regardless of your distro. Make a chroot jail and debootstrap. No password set prompts, no install log entry, no security bug.
A clear text password sitting anywhere on a filesystem in this day and age is pathetic, but all these red flag terms like root access are going to give people the wrong idea. It’s an embarrassment, not a catastrophe.
I’m not saying it’s a catastrophe, but I still take issue with the fact that you think nothing that is done through software can constitute “breaking in”. I gave one of many hundreds of thousands of examples.
A security researcher you are not cut out to be, so don’t pretend to be one.
This flaw can’t be used to break in. It’s a clear cut privilege escalation issue, break ins are another matter.
This is more like inviting your neighbor over and him then snatching the deed to your house from under your nose. Where a break-in would be someone cutting/breaking the window and stealing things.
You’ll notice my analogy made the break-in easier to detect and the damage much easier to find. He also got less, the neighbor got your whole house by some impossibility of law.
Once again. If you are already a user on the machine you can’t break into it. You’re already in it!
You can “break in” to things you’re not supposed to be able to see or do. I guess it doesn’t constitute “breaking in” to an NT Terminal Server if I’ve got public guest access, but manage to get Admin eh?
I wonder how the Linux crowd would take to such a story. Would they defend it and say that it wasn’t a break-in?
It affects anyone who gives ssh access to untrusted users.
It affects anyone who shares a machine with others and uses a sensitive password (and was the one to setup the machine).
The second category is pretty rare. But the first category is called a webhost.
Wrong. Any webhost who knows what they’re doing would not give SSH access to any of its users unless they were separated into VM servers like User-Mode Linux, Xen, or VMware.
>It’s a warning sign to all of you who think “Oh, I’ll install Linux, and my computar will be UNHAXABLE!!11!”
Really, only anti-linux zealots think that linux users think that Linux is unhackable. Actual Linux users are a lot more realistic.
Fanboys of any type seem to have a hard time thinking of anything less than extremes. It’s really a shame, but not everyone can see the balance of pros and cons.
No, anti-Linux zealots *know* that Linux zealots think that Linux is unhackable. I don’t have any quarrel with regular old Linux users, it’s the effing retarded zealots that I go after.
Please back up your assertion by showing posts (a reasonable sample, please) where Linux “zealots” claim that Linux is unhackable.
Of course, people who know Linux know very well that it’s hackable – hey, it’s one of its main features! But don’t let facts get in the way of a good straw man!
Meanwhile, I do believe that you have a quarrel with Linux users in general. Otherwise, why would you put “Linux is **** garbage!” on your user page?
Why would non-Windows users go off about Windows, calling it shit/garbage, just randomly? Remember, devil’s advocate.
As for backing up my statement … http://www.google.com/search?q=linux+unhackable
Think of the 13-year-old Linux-using retards who go around claiming they’re invincible because they’ve installed Redhat. 🙂 There’s your backup. And you put “zealots” in quotes, as if it’s unheard of that Linux has a religious jihadist following.
As for backing up my statement … http://www.google.com/search?q=linux+unhackable
Nice cop out. None of the links on the first page are related to Linux enthusiasts claiming that it’s unhackable. None on the second page, either. I didn’t look any further, it’s clear that you’re making unsubstantiated allegations, as usual.
Think of the 13-year-old Linux-using retards who go around claiming they’re invincible because they’ve installed Redhat.
I would, except I’ve never met any.
And you put “zealots” in quotes, as if it’s unheard of that Linux has a religious jihadist following.
It may be heard of, but only from anti-Linux posters who have constructed this myth.
Facts, please, not mere accusations.
You can keep living in your GNU-infested dream world. I’m not doing your research for you.
Go to any Linux forum populated by preteens and junior highschool kids. It’s as simple as that.
>Go to any Linux forum populated by preteens and junior highschool kids. It’s as simple as that.
I guess most of the adults who visit this site never bother going to sites for preteens, so we wouldn’t know about the kids you refer to. That you do visit them, and find a need to pick on them says a lot.
Slashdot.
‘Nuff said.
I’d be interested to see one of these fabled slashdot posts you speak of. Mind you one that doesn’t come with a -1 rating.
In other words, you have no facts to back up your statements, as usual.
Because they use and know it.
>. . . it’s the effing retarded zealots that I go after.
Try not to think that you are better than others, because you aren’t, and people who live in glass houses shouldn’t throw stones.
I’m really looking forward to being told how this debacle is excusable because ‘the community pulled together and fixed it within 3.14 seconds after discovery’ ))))
Actually, if you take a look at the forums, nobody is making any excuses. Nobody is saying it’s okay. Linux zealots aren’t so bad as to pretend that a serious issue like this isn’t a major screw up (unlike the users of some other OSs).
> Linux zealots aren’t so bad as to pretend that a serious issue like this isn’t a major screw up (unlike the users of some other OSs).
You’re kidding, right? Linux zealots and Mactards alike both do this.
Would someone ban this guy?
You’ve not made a single constructive statement in this thread. All you’ve done is call anyone down-playing this “the peanut gallery” and referred to them as zealots, and you just called Mac fans retards.
Cutesy insults or straight up, you just called Mac fans retards, and I’m calling you on it.
This is not slashdot so take your trolling elsewhere and contribute constructive comments or shut up.
Wow, a little less emotion please!
I said MACTARDS do it, not MAC FANS. All Mactards are Mac fans, but not all Mac fans are Mactards, get it? I am a Mac fan, but I’m not a Mactard.
I’m sorry if you have the need to get all emotional about the fact that Ubuntu had a security vulnerability, and I’m saying there was no excuse for it. I’m just playing devil’s advocate here — you all do the same when it comes to Windows.
I’d like to see the comments for a story reporting Microsoft for keeping the Administrator password in an undeleted log file after installation. Oh boy.
There is some truth to what he says. At least some Mac fans are retards. ;-p
Tom, please quit your flamebaiting. We all know of your trolling ways, how every story is an excuse for you to promote your anti-Linux agenda, but it’s getting really old.
Why not try to engage in constructive criticism, for a change? Must you absolutely try to cause strife whenever you post? What does that tell us about you?
Please grow up. Thanks.
Need a Kleenex?
The same could be said about you and Microsoft stories, so what is your point?
Yeah, thought so.
Rrrreally?
Show me one story where I throw insults at Windows users, or say that Windows is crap.
Show me where I indulged in flamebaiting on the same level as mr Tom K (formerly Linux is Poo), and with the same frequency?
You know very well that I am critical of Microsoft, not Windows, as I explained to you last time. Now, since I wasn’t talking to you in this case, why don’t you just worry about things that actually concern you, mmm?
Tom K is a textbook troll in the sense that all he wants to do is throw insults and provocative statements around to elicit a reaction, because that’s probably the extent of his social interactions. That was my point, now if you have a point of your own, perhaps you should make it instead of indulging in petty revenge.
Yeah, I thought so too.
Actually I’m referring to your “anti-Linux agenda”.
You’ve stated yourself you have an anti-Microsoft (and by extension, Windows) agenda, yet you continue to post in stories about MS/Windows with very little constructive criticism.
I don’t have an anti-Microsoft agenda, I am critical of Microsoft anti-competitive behavior, that’s quite different.
Also, because someone is critical of Microsoft doesn’t mean that they are anti-Windows, despite what you imply. I find this mental shortcut of yours to be rather disingenuous.
That said, I sometimes (not very often) participate in MS threads, and I am critical of MS, but that has nothing to do with the constant flamebaiting that Tom K indulges in. That you’d even contemplate a similarity is indicative, in my view, that you still haven’t gotten over the fact that I pointed out that most of your posts were pro-MS (not pro-Windows).
Actually you have admitted you have an anti-Microsoft agenda. I’m sorry if you want to take it back now.
And your anti-Windows agenda is much more subtle, and not troll-like, but it’s there.
No, you’re not anywhere near Tom K, but the same idea applies.
And if you honestly think I haven’t “gotten over” that, you’re delusional. I moved on long ago.
Again, I was just commenting on the “anti-Linux agenda”.
Actually you have admitted you have an anti-Microsoft agenda. I’m sorry if you want to take it back now.
(sigh) Since you insist on questioning my character, I’ll reiterate my position with regards to Microsoft. I believe that MS is abusing its monopoly status in the Operating System and Office Suite markets. I have nothing against Microsoft’s presence in other markets, because they don’t have monopoly status there.
I believe that computing is an ever growing part of our lives, and as such represents something that’s much too important to leave in the hands of private monopolies. I believe in competition in the marketplace, and unfortunately in the PC world Microsoft either squelches competition or acquires it. As such (and again, only in these markets) I believe that Microsoft must lose its monopoly status. I believe that advocating alternative OSes is a good way to achieve this goal, as the more people use them the better they become.
I also believe that Microsoft’s multi-million advertising campaigns against Linux and the general FUD they spread about it cannot be matched by the Linux community. Microsoft’s anti-Linux agenda is clear, and my own position towards them is reciprocal, since I am part of the community.
You see, this is why it’s not the same “idea” that applies to my own position and Tom K’s knee-jerk anti-Linux stance. I make logical arguments to criticize a company (one of the richest, and a monopoly) for its abusive behavior, which I consider dangerous, while Tom K repeatedly provokes and attacks a community of people and the OS they choose to use. That is how his trolling is different than my legitimate criticism. That is why we are nothing alike, him and I, and why your comparison was both uncalled for and, well, a cheap shot in itself. So let’s call it even and we can all really move on, all right?
So you just reiterated that you do indeed have an anti-Microsoft agenda, and reworded what I said about Tom K being a troll and you being subtle and not a troll.
My take from your original post was that his posting in these threads should not be tolerated because of his anti-Linux agenda and lack of constructive criticism, and in that regard, I compared you to him. I did not compare his trolling to you at all. Also, know that I agree, that posting constantly in threads about things you dislike without constructive criticism should be frowned upon and quite possibly moderated.
Anyway, thanks, glad we can agree on something
So you just reiterated that you do indeed have an anti-Microsoft agenda
In a sense, yes. And I will as long as Microsoft has an anti-Linux agenda. 🙂
But where I draw the line is that my agenda is not comparable to Tom K’s, because mine (in my opinion, of course) is morally defensible, while his isn’t.
What I object to is the notion that all agendas are the same, therefore his trolling is comparable to my criticism, when in fact they aren’t, and therefore it isn’t.
An agenda can be positive (think “anti-poverty agenda” or “anti-crime agenda”) or negative (“racist agenda” for example). Implying that all agendas are equally reprehensible is in my view an untenable position.
At least we agree he’s a troll. Cheers!
But where I draw the line is that my agenda is not comparable to Tom K’s, because mine (in my opinion, of course) is morally defensible, while his isn’t.
What I object to is the notion that all agendas are the same, therefore his trolling is comparable to my criticism, when in fact they aren’t, and therefore it isn’t.
I never said your agendas are on the same level (they are not), just that they are the same type of agendas. The biggest difference is how you push them, which is what I was trying to say. He pushes his with trolling. You push yours with subtlety and no trolling.
Heh. You almost make it sound like a compliment. 🙂
Just wanted to say how much I appreciate having bright guys such as yourself hanging around here. Keep up the good work.
Thanks.
This is a cue for the peanut gallery to explain to us all how this is not even close to being a vulnerability, and how there’s no reason to worry, and how we should all switch to Linux.
Begin.
If there was a peanut gallery, they would simply rehash the zealous denials from the OS X crowd over the last three security bulletins (“Well, sure it was hacked over ssh, they had a local account, that doesn’t count cause it’s not remotely exploitable!”) or the blind optimism of the Win crowd (“I have two A/V scanners and I run 15 spyware removers 3 times a day so I’m perfectly safe!”)
Fact is, this is a design error that has caused a considerable security vulnerability. But there are three things worth noting:
a) The majority of responses on this post demonstrate concern or frustration instead of the usual Ubuntu all-is-forgiven attitude, meaning that users are taking this seriously. Frankly I’m a little pleasantly surprised myself, but there you have it.
b) Nobody in the community or Ubuntu is denying or stonewalling, and in fact the dev responsible has posted to take responsibility, explain how the error happened, and what steps were taken to resolve it; compare that to many vendors that refuse to acknowledge or discuss vulnerabilities until they have the patch out
c) One can argue that a fairly obvious coding error led to this blatant vulnerability, but then MS has made some doozies themselves, and Apple has even followed in Microsoft’s footsteps with bad choices by enabling automatic downloads/code execution with Safari and the desktop widgets etc. No vendor is immune to making errors, whether by coding or simply bad design that is only apparent in hindsight. I’m more concerned with how flaws and vulnerabilities are dealt with by the vendor once they’re discovered.
As a Kubuntu user, I’d prefer a vulnerability of this nature having never existed (though I’m running Dapper and therefore not affected), but I am also satisfied with the way it was handled and am not going to lose any sleep over it.
Good luck with the trolling.
c) One can argue that a fairly obvious coding error led to this blatant vulnerability, but then MS has made some doozies themselves, and Apple has even followed in Microsoft’s footsteps with bad choices by enabling automatic downloads/code execution with Safari and the desktop widgets etc. No vendor is immune to making errors, whether by coding or simply bad design that is only apparent in hindsight. I’m more concerned with how flaws and vulnerabilities are dealt with by the vendor once they’re discovered.
This isn’t really comparable to the Safari problem. At least here nobody purposely did something too risky. But claiming that the Safari one was only apparent in hindsight is a little silly.
I realized the functionality was ridiculous the first time I clicked on a link to a widget in Safari and I stopped using the browser altogether shortly after that. Defensive coding goes a long way towards avoiding these problems before they happen, it’s just that dumb people think that the features are worth the risks (maybe they are, they seem to make more money that way). But you could choose to use software written by people who understand bad design and purposely choose not to go that way.
.. the ‘root’ password (not actually the root password because Ubuntu uses sudo)..
So is it the root password or not?
No, it is the password of a user with full sudo privileges, which is just as bad as a root password.
Ubuntu has root locked down by default, so there is no root password.
Ubuntu does not let you know the password for the ‘root’ user (the real root password) so that the beginner user cannot log in as root and do some damage. However, Ubuntu enables the user which installs the system to use the ‘sudo’ command which allows the execution of commands as the root user (this is done to avoid using the root account unless really needed, for example when installing new packages). To use the sudo command you will have to use your user password (the one you decided at install time). This one is the password which is available in clear text.
So, as you can see, the effect is the same even if it isn’t the root password.
Edit: Never mind. Other people have explained the issue.
Edited 2006-03-12 21:02
The user you create during the Ubuntu install has full sudo privileges. Using sudo, that user is effectively root. It is that user’s password, the one created during the installation, that is stored in those files.
Your best bet is to remove the following files with rm:
/var/log/installer/cdebconf/questions.dat
/var/log/debian-installer/cdebconf/questions.dat
That is the workaround that you should do after installing breezy.
This Post is ridiculous. It’s just asking for ubuntu-bashing, and even worse will lead to long-lasting misconceptions about ubuntu.
Just because you’re an ubuntu-forum reader and at the same time a news-poster on OSnews, you tell the whole world about the bug instead of confirming it on the bugzilla?! This is not news, its a bug.
Bugs are news, especially in security.
It’s a significant security hole, that makes one wonder at Ubuntu’s ability to roll out an enterprise-grade distribution (Dapper) in the next few weeks. It’s a really obvious flaw that should never have been engineered in the first place, and it’s startling to see it appear in such a popular distribution.
For example, say you have a web-server hosted at a university, where multiple students have access to the machine over ssh: the bug can be used by any student to escalate their privileges and basically do anything they want with the system.
Everyone who has installed Dapper needs to ensure that their systems can be made safe.
This is news.
“Everyone who has installed Dapper needs to ensure that their systems can be made safe.”
Correction: Everyone who has installed *Ubuntu* needs to ensure that their systems can be made safe.
Correction: Everyone who calls themselves a system administrator needs to ensure that their systems are made safe.
“Correction: Everyone who calls themselves a system administrator needs to ensure that their systems are made safe.”
That would make sense if Ubuntu was marketed as “Linux for System Administrators”. But it doesn’t make sense.
It’s a significant security hole, that makes one wonder at Ubuntu’s ability to roll out an enterprise-grade distribution (Dapper) in the next few weeks
This bug is not in a dapper installation. Now is your question answered?
If you read carefully, he’s not at all saying that dapper has this problem. He’s alluding to the fact that this flaw was never found or removed from Breezy in the first place and how that makes him wonder if the developers are capable enough to let something like this go through on dapper as well. He never implied or stated that dapper had this problem present.
He’s questioning their skill and talent as OS creators because of this problem, not saying that it’s in the next release.
Now is your question answered?
Dapper actually may have the bug, both via update and fresh install. Search for ‘dapper’ on the bug report page. At first people claimed dapper didn’t have a problem, but since then reports show that dapper does have it in at least some cases. In any case, an update should fix the problem.
I only post this because the word needs to get out that dapper actually may have the bug unlike originally thought. A false sense of security leads to insecurity.
It was reported, and now is fixed, just like these things are supposed to work
who modded me down when I posted Ubuntu is utter garbage:
http://www.osnews.com/permalink.php?news_id=13639&comment_id=94837
This would never have been an issue if you had a proper root account where you can log in.
How, exactly? If there was a root account, you would have to set the password for it at some point, and presumably that would have been logged as well.
This is a very basic bug/problem. This shows that none of the developers/QA even bothered to look at installation log files during development. They just assumed it would be flawless.
Tejas Kokje
Guard the root password with your life.
..if you see what I mean..
there is code in the installer to remove this info from the log, but it seems to fail sometimes.
this does not affect all installs (it did not affect me)
it only has the password entered into the installer; if you have changed your password you are safe.
this is only exploitable by someone who has a login to your computer.
a fix should be released shortly.
for now: change your password.
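The check the poster above implies (is the password you typed into the installer sitting in a world-readable file under the installer log directory?) can be scripted. This is an added example, not code from Ubuntu or the installer: the directory tree it scans is constructed inside the script for the demo, and the real locations (/var/log/installer, /var/log/debian-installer) are only an assumption about where the installer copies its logs; point `find_leaks` at whichever directory your system has.

```python
"""Check whether an installer log tree leaks a known password in a
world-readable file.  Added example, not code from Ubuntu or the
installer.  The directory layout built by build_demo_tree() is
constructed for the demo; the real paths (/var/log/installer,
/var/log/debian-installer) are only an assumption."""
import os
import stat
import tempfile


def is_world_readable(path: str) -> bool:
    """True if the 'other' read bit is set on the file."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def find_leaks(root: str, secret: str):
    """Walk `root` and return sorted (path, world_readable) pairs for every
    regular file whose contents contain `secret` verbatim.  Files are read
    as bytes so a binary debconf database is handled as well as text."""
    needle = secret.encode()
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    if needle in fh.read():
                        hits.append((path, is_world_readable(path)))
            except OSError:
                # Unreadable by this user, so not a leak to this user either.
                continue
    return sorted(hits)


def build_demo_tree() -> str:
    """Constructed sample tree: a world-readable cdebconf-style answers
    file that still holds the first user's password, a 0600 file that
    holds it, and one clean log.  The record layout imitates debconf's
    'Name:/Template:/Value:' format but is only a demo fixture."""
    root = tempfile.mkdtemp(prefix="installer-log-demo-")
    leaky = os.path.join(root, "cdebconf", "questions.dat")
    os.makedirs(os.path.dirname(leaky))
    with open(leaky, "w") as fh:
        fh.write("Name: passwd/user-password\nTemplate: passwd/user-password\n"
                 "Value: hunter2\nOwners: d-i\n\n")
    os.chmod(leaky, 0o644)
    private = os.path.join(root, "cdebconf", "passwords.dat")
    with open(private, "w") as fh:
        fh.write("Name: passwd/user-password-again\nValue: hunter2\n\n")
    os.chmod(private, 0o600)
    with open(os.path.join(root, "syslog"), "w") as fh:
        fh.write("Mar 12 22:10:01 debconf: --> GET passwd/username\n")
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    # On a real box: find_leaks("/var/log/installer", "<password you typed>")
    for path, world in find_leaks(demo_root, "hunter2"):
        status = "WORLD-READABLE" if world else "owner-only"
        print(f"{status}: {path}")
```

Run it as the unprivileged account you are worried about, not as root: a file the script cannot open is not a leak to that account, which is exactly the distinction that matters here. Any world-readable hit is the vulnerable case; change the password and clear the file.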
I’m an Ubuntu fanboy and can’t find any excuse, oh boy 😐
It’s telling that no one had discovered this bug for so long, because not recording passwords in cleartext in a world-readable file is such a basic thing that no one would even expect to look there.
If what they say is true, that this flaw isn’t present on the installer anymore in Dapper, it’s hard to believe that when they fixed that it wasn’t figured out that the installer was broken in the Breezy version.
Everyone has security problems from time to time and I understand that, but this flaw is more blatant and worse than any flaw I can remember Windows ever having. Trust is a hard thing to win back once you’ve lost it. I’m seriously considering switching to Fedora over this, I feel my trust has been violated.
Aren’t you overreacting a bit?
In any case Dapper is safe, I just checked my own installation. Actually, since it didn’t overwrite the files (I updated with apt-get dist-upgrade), that means that I was safe in the first place.
It would appear that this was a random bug, which of course are the hardest ones to fix…Is this a bad bug? Yes. Has your “trust” been violated? I think that’s an exaggeration.
No, I don’t think I’m overreacting, I think I’m being properly objective. I’ve been using Ubuntu since the day before Warty was officially released, and since that time I’ve been a proponent of the distribution on Slashdot, OSnews, and other places — even wrote a few opeds that got linked to as articles from this site.
Since that time, there has not been a single security flaw this obvious and tragic on any operating system I can think of. I just checked four different Ubuntu systems I maintain (3 Breezy 1 Dapper), and all of them confirm this bug by having the installer password stored in cleartext in a world-readable file. Any user on any of those systems could have escalated to root. Any daemon vuln could have retrieved that password for remote root vuln.
This is not a random bug, it’s reproducible and affects all non-expert Breezy installations. It shows lack of attention to very very important security considerations — if this was missed, what else was missed in the rush to release on schedule? I understand all too well that sometimes there are applications bugs and design problems, but I do not recall anything nearly of this magnitude in recent memory.
I’m not overreacting, you’re underreacting. If this was on MS Windows, what would you be saying right now? Don’t let your bias get in the way of seeing what a big deal this really is.
I do think you’re overreacting. My Ubuntu Breezy-to-Dapper laptop is unaffected, therefore it does not affect all installations.
If you can’t recall bugs that created security holes as severe as this one, then you haven’t been following security advisories all that much…there have been worse remote exploits out there. I’m not trying to minimize this vulnerability, but it does require someone to get access to your machine first (and to know about the vulnerability, of course – fortunately, it seems that it had remained mostly unnoticed until now).
I agree that this is bad, but to go and say that your “trust has been violated” is being overly dramatic IMO. That would have required the Ubuntu devs to know about this bug and kept the fact hidden from you.
I do think you’re overreacting. My Ubuntu Breezy-to-Dapper laptop is unaffected, therefore it does not affect all installations.
If you can’t recall bugs that created security holes as severe as this one, then you haven’t been following security advisories all that much…there have been worse remote exploits out there. I’m not trying to minimize this vulnerability, but it does require someone to get access to your machine first (and to know about the vulnerability, of course – fortunately, it seems that it had remained mostly unnoticed until now).
Hmm, please tell me you’re not trying to downplay this by suggesting that the fact that (hopefully) nobody else knew about it and by saying that it sometimes doesn’t happen! Those are simply not valid excuses.
I agree that this is bad, but to go and say that your “trust has been violated” is being overly dramatic IMO. That would have required the Ubuntu devs to know about this bug and kept the fact hidden from you.
First of all, it’s his trust, he can decide whether it’s been violated or not. If I were a Ubuntu user, I’d be seriously wondering about the brain-deadedness of the developer who logged the password in the first place, nevermind everyone who didn’t realize it.
Sure, it’s not a remote exploit, but it’s essentially the worst possible local exploit that could be imagined. I mean, you could put the password in motd to save the cracker a few seconds but that would take all the fun out of it.
Edited 2006-03-12 23:55
Hmm, please tell me you’re not trying to downplay this by suggesting that the fact that (hopefully) nobody else knew about it and by saying that it sometimes doesn’t happen!
No, I’m not. I’m simply relieved that there was apparently little damage done due to this vulnerability. I’m acknowledging that we were lucky – this time.
Those are simply not valid excuses.
I am well aware of that.
First of all, it’s his trust, he can decide whether it’s been violated or not.
Right, and it’s my right to express the opinion that he is overreacting. What’s your point?
If I were a Ubuntu user, I’d be seriously wondering about the brain-deadedness of the developer who logged the password in the first place, nevermind everyone who didn’t realize it.
The “brain-dead” developer posted a candid explanation of how this vulnerability came to be in this thread, you can discuss it with him if you want.
As for not realizing it, that’s pretty much everybody until today.
Right, and it’s my right to express the opinion that he is overreacting. What’s your point?
My point is that it’s one thing for you to not take this seriously, but you can’t really tell other people they should not doubt the developers for a mistake as serious as this. He can take it as seriously as he likes.
The “brain-dead” developer posted a candid explanation of how this vulnerability came to be in this thread, you can discuss it with him if you want.
Well, two points there: I respect the balls it took to come in here and fess up. And I don’t think there’s any point in bashing him over the head with it, as I’m sure he understands how brain-dead the mistake was (and he’s not claiming otherwise, so far as I can tell).
Explanations, though, however candid, aren’t excuses. Sure, it could have happened to anybody, but his team failed too, in not checking up properly on his work.
As for not realizing it, that’s pretty much everybody until today.
We hope :p but we don’t know that the guy that reported it was actually the first to find it. But not everybody is part of a team that claims to be releasing a secure product (read: it’s not everyone else’s responsibility to find these mistakes).
Anyway, I’m not a ubuntu user and probably will never be one so there’s little point of me being on the offensive.
My point is that it’s one thing for you to not take this seriously
You’re missing my point, which is that I’m taking this seriously. Just because I’m not tearing my shirt and saying that I’m going to change distros and claiming that this is the worst vulnerability in recent history doesn’t mean I don’t care.
Yes, this is a bad vulnerability. Bad, bad, bad. But I’m not going to switch distros for that, nor do I feel that my trust has been violated. Ergo, I believe that the original poster is overreacting.
but you can’t really tell other people they should not doubt the developers for a mistake as serious as this. He can take it as seriously as he likes.
I have already agreed to that. I, however, can still say that, in my humble opinion, he is overreacting. And, for your information, I can tell anyone what I bloody well feel like, just like they’re free to take my advice, argue about it or just ignore me. That’s the beauty of freedom of speech.
Me saying that he’s overreacting isn’t trying to censor him, it’s simply stating my opinion. By telling me I can’t express myself on whether or not he’s overreacting, however, you are in effect advocating censorship. And, ironically enough, you have every right to. I just disagree.
Explanations, though, however candid, aren’t excuses. Sure, it could have happened to anybody, but his team failed too, in not checking up properly on his work.
They’re not excuses, of course. Now, I’m pretty satisfied with the speed at which the vulnerability was fixed, and that there apparently weren’t any wide-scale damages due to this vulnerability. So it’s a bad mark for Ubuntu, but to me that’s not worth switching, and I don’t believe that the Ubuntu devs acted in bad faith. My trust in them has not changed, it only proves to me that they are human.
We hope :p but we don’t know that the guy that reported it was actually the first to find it. But not everybody is part of a team that claims to be releasing a secure product (read: it’s not everyone else’s responsibility to find these mistakes).
Of course not, but there is an awful lot of Ubuntu users. It’s not very difficult to see if a string containing your password appears in plain-text in a file, especially if it’s a rare word, name, or combination of letters/digits. I’m surprised that it took so long for someone to notice, frankly!
Me saying that he’s overreacting isn’t trying to censor him, it’s simply stating my opinion. By telling me I can’t express myself on whether or not he’s overreacting, however, you are in effect advocating censorship. And, ironically enough, you have every right to. I just disagree.
Well I think that you telling him he’s overreacting is every bit as much censorship as me telling you not to tell him to overreact :p
Yes, it is ironic. It’s a never ending cycle! I’ll agree to disagree
Well I think that you telling him he’s overreacting is every bit as much censorship as me telling you not to tell him to overreact :p
It isn’t, really. I’m not saying he shouldn’t say what he says, I’m simply saying that I believe he’s overreacting. If I had said that he should not say these things, then I’d be trying to censor him, but that’s not what I was saying at all.
I’m appraising his state of mind, not saying what he should say. Big difference. I agree: let’s agree to disagree! lol
Telling someone what they should and shouldn’t say is not censorship.
From a position of authority, telling someone what they can and cannot say is censorship.
Advice is not, and never will be, a form of censorship when it is simply advice.
If you’re going to Fedora for a secure system you’re insane. Seriously, there is nothing about Fedora that says polish and security. It’s not aimed at it, and I doubt the developers even give it a first thought, much less a second one.
If you’re gonna get mad and leave Ubuntu please go to something that might be more secure: Slackware, or something. But not an experimental distribution like Fedora!
The world readable part really is pretty pathetic though isn’t it? Maybe this will teach developers to think a bit harder about their installer logs!
You must not know a whole lot about Fedora. I mean, sure Fedora is a testbed for Red Hat technologies. Sure it might not always be as bug free as one would like. But Fedora is also where, among other things, the development of selinux and selinux policies, and the hardening of gcc takes place. To say that Fedora isn’t security minded is just ludicrous. In my mind, FC4 has to be one of the most secure distros out these days.
Those technologies are implemented in Fedora to test to see if they’ll break things for RHEL. Fedora, last I heard, has a pathetic/useless 5,000 rules for SELinux. RHEL has something like 50,000.
Fedora is a testbed. You do _not_ use testbeds in production environments. Once again: You don’t trust your wallet to beta-ware.
Well I beg to differ. For one thing it wouldn’t make sense for Red Hat to not test everything that’s in RHEL and more on Fedora.
Anyway, I just glanced at the changelog for the FC4 targeted policy and also at the changelog for the RHEL 4 targeted policy. There are a greater amount of entries and also more recent entries in the FC4 changelog. As another metric, the FC4 policy directory is 2.8 M total, whereas the RHEL 4 directory is only 2.4 M.
And yes Fedora is a testbed. But that doesn’t mean it’s swiss cheese. If anything the selinux policies have seemed to err on the side of being too restrictive, not the other way around.
As for using Fedora in production, I’d say it depends. I certainly have no qualms about using it as a home desktop. I also find it quite adequate on the Linux desktops I take care of at work. And Fedora ran for years on our high performance cluster pretty much without a hitch. I’ve since moved to using RHEL (read Rocks) on our cluster, mainly due to tiring of the steep upgrade cycle that comes with Fedora, but actually to this day I still use Fedora on a few servers. When RHEL gives me problems, many a time a move to Fedora will straighten things out long enough for the fixes to make their way into RHEL.
Now with that said, is Fedora for everyone? Certainly not. But if you’re going to tell me it’s absolutely useless, well, my shop proves you wrong.
And yes Fedora is a testbed. But that doesn’t mean it’s swiss cheese
One can say that any Linux distro is practically a testbed for another. After all Fedora is not the only testbed system, as Ubuntu itself was based on Debian Sid.
Oh Fedora is a fine desktop. I didn’t like it as one, but I’m sure it’s nice for some. But I wouldn’t touch it with a ten foot pole as a system I had to support.
Supporting RH8/9 is bad enough! And they were conservative with those.
If you’re going to Fedora for a secure system you’re insane. Seriously, there is nothing about Fedora that says polish and security. It’s not aimed at it, and I doubt the developers even give it a first thought, much less a second one.
Obviously you didn’t follow the Fedora track to make that assumption. When you get the chance to see the fifth release, you will notice the polish made from the desktop to the wallpaper.
Like Mathman pointed out, one of the major features of Fedora, especially the upcoming FC5, is its security system, which is more user-friendly than the previous release. As a tester, I report that FC5T3 is amazingly stable despite its testing nature.
Edited 2006-03-13 10:02
I’ve never seen a fedora work right, and I’ve run FC2, FC3, and FC4 briefly (long enough to hate it and move on, about 12 hours). And it _is_ RedHat’s testing distribution. If you want security, that’s not a bad one to run, RHEL that is. Of course, that costs money.
I’ve never seen a fedora work right, and I’ve run FC2, FC3, and FC4 briefly …sic…
Perhaps you are unlucky with your hardware.
And it _is_ RedHat’s testing distribution.
Much like OpenSuse is Novell’s testbed and OpenSolaris a testbed for Solaris, right? At least users get the opportunity to try some technologies ported from an enterprise product to a bleeding-edge OS and vice versa.
If you want security, that’s not a bad one to run, RHEL that is. Of course, that costs money.
Because RHEL is about subscription to the services aimed at the enterprise level, which is its primary target. I have seen some small businesses using Fedora in a production environment even though that OS was not aimed at that.
Sorry for hijacking the topic. It was meant to point out flaws and correct them.
I know this may not be the correct medium for this question, but…
Is there any way to get rid of sudo once Ubuntu is installed? I HATE it.
Thanks,
it’s quite easy, see https://wiki.ubuntu.com/RootSudo
sudo apt-get remove sudo
No joke. Though you need to enable a true root account before running this command. Which means you could just ‘apt-get remove sudo’ as root. Or just use Synaptic.
Read the forum post. That’s still not a solution. The main user’s password is still printed in the log file, as well as root’s if you set that up as well in setup.
And uninstalling a major part of ubuntu security (don’t laugh the preceding two words) could lead to breakage on the next upgrade. Synaptic won’t run after you remove it anyway.
When you open Synaptic it asks for your password. That’s a GUI wrapper for sudo, asking for the sudo-privileged user’s credentials so it can launch.
So if you haven’t got your root password set up, running synaptic and then removing sudo will pretty much render your system broken. I may have misunderstood you but it looks like you’re saying “create a root password then remove sudo via the command line…or just use synaptic”.
HTH
Read the question I was answering. I wasn’t suggesting this as a way to fix this bug, I was just telling someone how to get rid of sudo. Which is what they asked:
I know this may not be the correct medium for this question, but…
Is there any way to get rid of sudo once Ubuntu is installed? I HATE it.
Thanks,
I thought most normal people just did a: sudo passwd root
what a stupid ‘feature’.
When I was first screwing around with Linux, sudo was a pain in the ass–but these days, it’s more convenient than su-ing to root to execute one command.
This doesn’t fix the problem. The log files aren’t showing the true root password, they’re showing the first created user’s password. The first created user is just a normal user account with full sudo privileges. This is at least the way things are done in a “normal” installation. In expert mode the root password can be defined.
This doesn’t change the fact that any users (including root, or the main sysadmin user which has full sudo rights) and their passwords you create and define in setup are logged in clear text. That’s totally inexcusable.
Not really. If you need to do anything more than a single command as root just use sudo su and you’re set until you’ve finished whatever you need to do as root.
sudo su
Change your password :p
I’m the Ubuntu installer maintainer, so obviously this bug is ultimately my fault. I’m sorry for that – it’s clear it shouldn’t have sneaked past QA. (We’ll be updating our testing processes to be rather more careful about this sort of thing.) Now that I’ve spent the evening doing security updates to clean up the mess, I thought I might take a moment to explain how this happened, and why it wasn’t noticed as an issue in Breezy at the same time as it was fixed in Dapper.
The Ubuntu installer (like Debian) uses a framework called debconf to do all its user interaction; that framework has a backend database which stores all the answers, which is where passwords ended up being stored for this vulnerability. Naturally, when you’re asking for passwords using debconf, you take a lot of care to clean them out of the database afterwards: we explicitly clear them out in the password-asking code pretty much as soon as we can, and we have a separate database for the answers to password questions which isn’t copied to the directory of installer log files in the final installed system. This had all been working well for some time (e.g. in Hoary).
Unfortunately, the way we arranged for the password question to be asked in the first stage of the Breezy installer meant that two debconf databases were involved rather than one, and the passwords only got cleared out of one of those databases. Even this would have been OK if it weren’t for the fact that some changes we needed to make in cdebconf for other reasons in Breezy (I’ve yet to track down the exact changesets involved, but never mind) broke the mechanism that was supposed to make sure that passwords ended up in a separate database. Sigh.
As for why we didn’t notice the problem in Breezy when this was fixed in Dapper, well, that’s because the fix in Dapper was part of a massive installer reorganisation (http://riva.ucam.org/~cjwatson/blog/ubuntu/2006-01-03-single-stage-…) and it was really just fixed by accident. So it goes.
Anyhow, I’ve fixed this just about as soon as was humanly possible for me, and take it extremely seriously. While perhaps for some of you it’s too little too late, we’ll do everything we can to install better defences against this kind of thing in future.
Thank you for posting that.
Thank you for coming forward, admitting your mistake and giving us a better idea of how such a serious security vulnerability could have happened.
Thanks for being open and Honest.
Sure, blame Debian. Funny I don’t see their use of debconf dumping root’s pword everywhere.
All my Ubuntu computers are safe. My log files are empty. Maybe it’s because I’ve installed it in Expert mode?
http://www.ubuntu.com/usn/usn-262-1
A lot of anti-linux posts have been modded down. This is so typical of a linux site. You want constructive criticism, deal with the posts that Linux or Ubuntu sucks and tell us how you are going to fix it.
Shouting down people who criticize Linux will surely make OSNEWS a Slashdot sister site.
Edited 2006-03-13 04:17
A lot of anti-linux posts have been modded down. This is so typical of a linux site. You want constructive criticism, deal with the posts that Linux or Ubuntu sucks and tell us how you are going to fix it.
Yes, a lot of anti-linux posts were modded down. But they were far from being posts of constructive criticism. At worst they were trolls, at best, off topic. The constructive criticism posts are the ones discussing the actual flaw, how it happened, how serious it is, and yes, criticising Ubuntu for letting it happen. Posts like that were not modded down. Some are at +5 right now.
Hey don’t look at me, haven’t had any mod points to spend in either direction in over a month.
The issue is that there is a security vulnerability regarding a quite popular Linux distro.
People who develop code for Linux are human beings that are capable of making mistakes. Even the most stringent QA Testing can miss things.
The questions that came to my mind are:
1. Since Ubuntu is Debian based, is this particular problem Ubuntu-specific or are other Debian derivatives such as Kubuntu, Xandros, Linspire or others affected?
2. It looks like Ubuntu’s ‘Breezy’ is affected but not ‘Dapper.’ Can a security patch to correct this issue be implemented easily?
3. Is this particular issue present in previous versions of Ubuntu?
My 2 cents.
I’m less worried about this issue in and of itself than I am of the process that allowed a bug like this to make it into a shipping product. I’ll grant that it was subtle enough to make it through what, 5 months without being noticed? But still.
4. Have any policies been implemented to minimize the chances of this happening in the future?
I know, the chances will never be zero…
I’ve added a check for this to our testing procedures, and since last night we’ve been actively making installer code more defensive to make as damn sure as possible that this won’t happen again. As you say, the chances will never be zero, but we’ll do our best.
1. This particular problem is Ubuntu-specific, although Joey Hess asked me to note here that “Debian managed not to be affected by essentially lucky timing”; one of the twin root causes of the problem has been in Debian code between about April 2005 and last night (when I fixed it). However, Debian only started going anywhere near using that code in d-i etch beta 2, and as best as I can tell escaped any consequences. It is unlikely that other Debian derivatives were doing sufficiently similar things to be affected, although all derivatives of Ubuntu 5.10 are affected.
2. Already done, last night.
3. No; Warty had entirely different code paths which weren’t vulnerable to this problem, and we’ve verified Hoary clean.
Upon further investigation, I must correct this slightly; both Ubuntu dapper and current Debian etch are affected by a similar problem if and only if you use an installer preconfiguration file to preseed a root or user password. (If you don’t know whether you have done this, then you haven’t.) This is a less severe problem because obviously if this is the case then the password was already readable in the preconfiguration file, and there’s a facility for preseeding pre-encrypted passwords; however, it would allow somebody to attack an encrypted password at their leisure without having to get the contents of /etc/shadow first.
I’ve committed a set of fixes for this to cdebconf to go with Joey Hess’ changes to world-readability of installer log files, and we’ll have it sorted out soon.
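The correction above says the Dapper/etch variant only bites when a root or user password is preseeded, and that the preseeding facility for pre-encrypted passwords is the mitigation (with the caveat that a leaked hash can still be attacked offline). The following audit script is an added example, not code from Ubuntu, Debian or cjwatson: it parses the documented d-i preseed line format (`owner question type value`), classifies every `password`-type answer as cleartext or hashed, and reports the file’s own permissions. The sample preseed is constructed, and the `$id$salt$hash` shape test for a crypt(3)-style value is this example’s own heuristic.

```python
"""Audit a debian-installer preseed file for password answers.
Added example, not from the page or from the installer.  The preseed
line format 'owner question type value' is the documented d-i one; the
sample file below is constructed, and CRYPT_RE is this example's own
heuristic for a crypt(3)-style '$id$salt$hash' string."""
import os
import re
import stat
import tempfile

# '$1$salt$hash', '$6$rounds=5000$salt$hash', ...: looks like a crypt hash.
CRYPT_RE = re.compile(r"^\$[0-9a-z]+\$.+\$[^$]+$")

SAMPLE_PRESEED = """\
# constructed sample preseed (not a real installation's file)
d-i passwd/root-login boolean false
d-i passwd/user-fullname string Demo User
d-i passwd/username string demo
d-i passwd/user-password password hunter2
d-i passwd/user-password-again password hunter2
d-i passwd/root-password-crypted password $1$abcdefgh$0123456789abcdefghijkl
d-i passwd/make-user boolean true
"""


def parse_preseed(text):
    """Yield (owner, question, qtype, value) per directive, joining
    backslash-continued lines and skipping comments and blank lines."""
    logical, pending = [], ""
    for raw in text.splitlines():
        line = pending + raw
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        logical.append(line)
    for line in logical:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 3)
        if len(parts) < 3:
            continue
        owner, question, qtype = parts[:3]
        value = parts[3] if len(parts) == 4 else ""
        yield owner, question, qtype, value


def classify_password_answers(text):
    """Return {question: verdict} for every password-type directive.
    'cleartext': the secret itself is in the file (and, per the thread,
    ends up in the installer's answer database).  'hashed': a crypt-style
    value, which still warrants protecting since it is offline-attackable.
    'malformed-hash': a -crypted question whose value is not hash-shaped."""
    verdicts = {}
    for _owner, question, qtype, value in parse_preseed(text):
        if qtype != "password":
            continue
        if not value:
            verdicts[question] = "empty"
        elif question.endswith("-crypted"):
            verdicts[question] = "hashed" if CRYPT_RE.match(value) else "malformed-hash"
        else:
            verdicts[question] = "cleartext"
    return verdicts


def audit_file(path):
    """Combine the content verdicts with the file's own permission bits."""
    with open(path) as fh:
        verdicts = classify_password_answers(fh.read())
    world = bool(os.stat(path).st_mode & stat.S_IROTH)
    return {"world_readable": world, "answers": verdicts}


if __name__ == "__main__":
    fd, path = tempfile.mkstemp(suffix=".cfg")
    with os.fdopen(fd, "w") as fh:
        fh.write(SAMPLE_PRESEED)
    os.chmod(path, 0o644)  # deliberately lax, to show the permission finding
    report = audit_file(path)
    print("world-readable:", report["world_readable"])
    for question, verdict in sorted(report["answers"].items()):
        print(f"  {verdict:<14} {question}")
```

A `cleartext` verdict means the password should be replaced by its `-crypted` counterpart before the file is used; a `hashed` verdict is the better state but, as the post notes, still worth keeping out of any world-readable log, which is what the permission flag in the report is for.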
cjwatson:
“I’ve committed a set of fixes for this to cdebconf to go with Joey Hess’ changes to world-readability of installer log files, and we’ll have it sorted out soon.”
“we’ll do everything we can to install better defences against this kind of thing in future”
Great, keep up that good work to improve Ubuntu security. And thanks also for taking time to clear these things up here in this OSnews thread. You deserve your +3.00 commentator points here, cjwatson… 🙂
Edited 2006-03-14 14:26
I must admit that I’ve been using Breezy for about 3 weeks now. I decided to get into Linux a while back and saw all of the talk about Ubuntu so I figured I would try it. The last time I used Linux was with (formerly known as) Mandrake about 5 years ago, and then it was only for about a couple of months for a class I was taking. I just didn’t have the time to flatten the learning curve to really get into Linux then. Now, I have more time, and I even got the kids ported over (from XP) to using Ubuntu. I installed it on a laptop and desktop at home and I must say, it was a much more pleasant experience than I had 5 years ago. In fact, it was as easy as installing Windows, an environment I’ve been in for 10 years now.
I gave my noob story to make this point: I like the direction Ubuntu is going, even though they made a HUGE mistake with the log file in clear text, and, if they are like the rest of us, it won’t be the last mistake they make. I have seen plenty of mistakes over the years in NT and 2000 networks. Knowing this, I won’t jump ship on Ubuntu. The main reason is that they already have the fix posted (would LOVE to see that kind of turn-around time on the networks I work on!) and the second reason is that the dev basically stepped up and said we screwed up, and here is why(..).
I like that, takes guts and it shows me they care about the distro (even if the mistake may appear otherwise). I chose Breezy because I was putting it on my machines at the house, not on a mission critical network. Ubuntu is still relatively young, and this error proves it. Whether or not Dapper can live up to the server side hype, I don’t know, but I do know I’ll keep Ubuntu on my machines. Sorry about the length, just no quick way to make this point.
MOTHER OF GOD!
There’s been a few posts here trying to make fun of this, but to be honest, they’ve been very pathetic. They’ve utterly failed to put ironic twists on anything and have fallen closer to libel than they fall to a good ha-ha laugh.
So, sadly, let’s read slashdot to see how to make fun of this:
http://it.slashdot.org/comments.pl?sid=180016&cid=14905312
http://it.slashdot.org/comments.pl?sid=180016&cid=14905339
http://it.slashdot.org/comments.pl?sid=180016&cid=14905362
http://it.slashdot.org/comments.pl?sid=180016&cid=14905444
Also, it looks like this problem has been fixed today. What’s that, about 12 hours to fix? Not that it was a hard solution… This problem was discovered by a user and fixed on a Sunday, the day it was reported. Kudos to the Ubuntu folks for making such a stupid mistake and fixing it with such grace.
Ok, continue bickering over this; talk of religion, fan-boyism, stupidity, security, and whatever else you kids call each other these days.
… and it seems like a lot of people are really upset about Ubuntu gaining popularity. Yes, this is a major bug and there is no excuse for it – guess why it was fixed in Dapper. But the amount of bashing in response is just funny. This reminds me a bit of the flame wars following the Mac dumb-user exploits, but then, this time very few (curse them!) are saying “you are invulnerable, this thing won’t hurt you, and if it does then you should not be allowed to use your computer.”
ok just because one distro screwed the pooch how does that make Linux a bad OS diskinetic?
As far as Ubuntu goes … shame on you. Using sudo is no excuse for not testing the way ALL passwords are stored. Yes people do care about usability but Linux users care about security probably a tad bit more than they do about usability.
I use debian pure compiled everything…
——————–
It was MAC exploit last week and now it is Linux/ubuntu exploit.
read all posts about this news. Did you see any mind setup?
No one has so far accepted responsibility/guilt about this bug slipping into the distro. Maybe Mark Shuttleworth has not had this news conveyed to him by his cronies. All people/developers are busy bashing others who criticize them and modding down anti-linux posts.
For the average Joe (to whom Ubuntu was the friendliest distro) this is a thunderbolt. And none of the devels on this forum has pointed to a simple click-to-install patch for this bug for the average Joe.
Windows is bugged and slow to release patches. But at least the average Joe can install it when available.
For the average Joe (to whom Ubuntu was the friendliest distro) this is a thunderbolt. And none of the devels on this forum has pointed to a simple click-to-install patch for this bug for the average Joe.
Windows is bugged and slow to release patches. But at least the average Joe can install it when available.
That comment shows ignorance of Ubuntu’s update process.
Any Ubuntu user that has the default setup will see the update indicator. A couple of clicks is all it takes. More advanced users can use apt-get or synaptic to download the patch. And more paranoid users would clear the install logs and change the password.
Either you’re a troll, or you haven’t read these comments carefully, or your sarcasm needs work.
cjwatson has accepted responsibility/guilt about the bug in the system. He even registered a name on this forum, just to apologize and explain what Ubuntu’s doing about it. Take a look at any of the three posts he’s made thus far.
His presence here would indicate that at least someone in the Ubuntu hierarchy (even if it is just cjwatson) realizes the catastrophic importance of this, and is trying to explain themselves.
And I wouldn’t exactly consider fessing up to be “bashing others who criticize them”; the argument is over people who are generalizing from one Linux distro with a major flaw, to ALL Linux distros (that hopefully don’t have that flaw.) Maybe it’s different on other forums.
As for Ubuntu, they seem to be fair game (LOTS of critical posts) since THEY’re the ones who messed up and THEY’re the ones who fessed up, and THEY’re the ones who left passwords in a text file readable by all users.
Lastly, Debian/Ubuntu does have ‘click to install’. It’s just in the package manager. It’s like Windows Update, only it’s used for everything.
We can now start to say that “Linux is more secure because of its market share” 😀
Who is laughing now?
But it isn’t THAT bad after all. On real multiuser machines the administrator will create a separate root password anyway. It is desktop machines for one or two users that will have this security problem (anyway, who installs Ubuntu on multiuser machines and doesn’t turn off its way of dealing with passwords?)
And since Ubuntu is meant to be used by users with high speed internet connections, most who do care will upgrade.
Last week I posted this in response to news about Mac hacking and I got modded/slashed down on the technicality that Mac is not open source, bla bla bla….
Well, now it is Ubuntu’s / open source’s turn, so I am reposting.
————————————————-
I am a pure Debian user, compile everything myself, and so am computer literate.
Linux posters on OSN regularly chide themselves that there are thousands of eyes watching open source code and that any vulnerability found will be fixed in minutes. The question is why this simple exploit got into the system in the first place? What happened to those thousands of eyes? Are they sleeping? Are they drunk? Or are they just living in an ivory tower?
Now devels responding to this item have started deflecting average readers’ attention from the ‘root cause’ of this problem by discussing technicalities of the hack. From the average user’s viewpoint, I ask just one question: over the last 2-3 years of the Ubuntu world, how come this simple exploitable command/bug, whatever you call it, slipped under the nose of thousands of devels around the world?????
FearFactor: it is not ‘Rocket Science’ (Mark S.) for an experienced hacker to figure out these types of exploits in future…
Conclusion: number of viruses, bugs, exploits = marketshare * popularity
It only affects one release, which is approximately 6 months old. It doesn’t exist in older releases.
The technicalities, as you call them, are why the average user is unaffected by the issue.
The thousands of eyes caught it. This wasn’t found by a security researcher. It wasn’t found by a developer. It was found by a user. And the thousands of eyes fixed it, in under 24 hours.
The number of exploits has little to do with popularity. The amount of use they get does. There are probably more discovered security holes in FOSS than in commercial variants (with the exception of the older IIS); they also tend to get fixed quickly, and the diversity of deployment often makes them almost unusable.
Man, there’s a lot of bs in this discussion. All software contains bugs, and all operating systems, commercial and FOSS, have had very serious security problems in the past and will continue to have them in the future. You can flame all you want, but what the situation comes down to is that Ubuntu had a critical security problem, they owned up to it and fixed it in a remarkably short period of time, and that’s that. If only more vendors were this honest and transparent; even the developer himself posted and explained the situation. As far as I am concerned, they could not have handled it better.
> All software contains bugs […]
This is a bad assumption to start with, because it opens up excuses for missed bugs.
It’s an assumption in reality. It’s the truth, and it’s something to remember if you ever want to ship.
If you want to never ship, believe you can prove your software and go at it. It’ll be rock solid, in 50 years when its dependencies no longer exist.
There are always bugs; anything built by humans is imperfect by definition; the best we can do is an approximation of perfect, which leaves room for errors.
It’s a valid assumption, because all developers are human, and humans are not perfect, and in something as complex as an OS, mistakes are bound to happen.
EDIT, I guess I responded twice to this, sorry
Edited 2006-03-14 16:09
[Bluenose Jake]
> It’s a valid assumption, because all developers are
> human, and humans are not perfect, and in something as
> complex as an OS, mistakes are bound to happen
Yes, but it’s an assumption a customer should make to be prepared for flaws which pop up. It should not be made to downplay the importance of a flaw (your original posting sounded like that to me).
[ma_d]
> If you want to never ship, believe you can prove your
> software and go at it. It’ll be rock solid, in 50
> years when its dependencies no longer exist.
I guess you’re lucky that few lives depend on the correctness of software yet (especially the software written by you).
With a f**k up like that, it is more spoon-like.
And I love Ubuntu.
-nX
Just because of these kinds of issues, I tend to like extra secure operating systems like OpenBSD a lot (at least in principle), and I am a bit of a security geek myself. OpenBSD would just never have let something like this happen in their OS.
It is better to be a bit too much on the safe side than to be a bit lazy with security.
By the way, I wonder when Ubuntu will have a secure default firewall in its installation? What is this: P2P software is installed but a firewall is not?? Isn’t Ubuntu supposed to be a newbie friendly OS ready for secure Internet usage from the start? Thus it should have a firewall installed. It is just not enough to say that there are no ports open in the default install, IMHO. Please, just include the easy to use GUI firewall config program Firestarter in the default Ubuntu installation and the firewall issue is solved.
Every day is a hug day in the Ubuntu world. But there are special hug days that are also bug days. Some people also say that every day is a bug day. And then, logically, every day is a hug day and a bug day.
https://lists.ubuntu.com/archives/ubuntu-desktop/2006-February/00026…
Planning is one thing, but we’ll surely stick to our concept of success: the Hug Day. This is a very special Bug Day: on Hug Day, when someone closes a bug, then someone else should hug him/her. Why? This is a very special way for us to tell everyone that we love contributions!
https://wiki.ubuntu.com/UbuntuBugDay
Dammit. Those Ubuntu marketing people really need to stop harassing Ubuntu devs by hugging them all the time. There is no doubt in my mind that this critical bug could have been easily avoided if only the PR department would let the devs concentrate on their work.
Are you suggesting that devs don’t need/want/like hugs? How would you like being a hugless dev? Perhaps the devs would program malicious code if they didn’t get their hugs? Huh, ever thought about that? You’re cruel.
I just installed the latest flight/alpha version of Dapper Drake and it seems that the next Ubuntu release will be very good security-wise. A firewall is configured by default and all network-listening services are secured. Many other distros don’t bother with these “small” details and most new users just think that Linux is safe by default. Well, it isn’t necessarily so, but the default installation of Ubuntu Dapper will be quite secure. Well done, Ubuntu.
Also, thanks cjwatson for keeping us informed. It’s good to hear that Ubuntu and Debian are collaborating, making GNU/Linux safer for users and fixing all known bugs ASAP.