Root Password Readable in Clear Text with Ubuntu
BBitmaster writes "An extremely critical bug and security threat was discovered in Ubuntu Breezy Badger 5.10 earlier today by a visitor on the Ubuntu Forums that allows anyone to read the root password simply by opening an installer log file. Apparently the installer fails to clean its log files and leaves them readable to all users. The bug has been fixed, and only affects the 5.10 Breezy Badger release. Ubuntu users, be sure to get the patch right away."
What's the problem? Open source passwords make it more secure.
It came out, it was fixed. There are going to be problems in any project this large, but it shows how much the Ubuntu team cares to respond to a problem this quickly and on a Sunday of all days. Ubuntu really has become a nice distro. It's completely free and polished around the edges. I hope they continue to do well.
A thanks to Teotihacan for finding this. I'm sure that eventually several sysadmins would have failed security audits because of this. -- Jim http://www.runfatboy.net/
You give someone local access to your system, and are worried about them reading your user password (Ubuntu has no root password by default), but not worried about them just copying all your files.
Invariably, a lot of the comments to this story are going to commend the team on the incredible speed with which they've released a patch, and there'll probably be some comments comparing it to closed software. Yet another victory for the open source model!
Yet how long has this massive fault been sitting there waiting for the first person to discover it? How do we know that the public acknowledgement of it was the first actual discovery of it?
I believe Breezy was released in October, so for five months install logs have been sitting, world-readable, often with the root password. Surely in that time someone with less savoury motives did a simple grep of an install looking for the most trivial of faults.
Feeling confident in the speed of the patch relies upon the belief that no one with nefarious motives discovered it before a benevolent bug submitter did.
try sudo bash
The article title isn't entirely correct. There is no root password. But you can set one.
Read the article. The Slashdot summary is incorrect; the password is for the account you create during installation, which has sudo rights and therefore is just as effective as a root account.
Karma: Terrifying (mostly affected by atrocities you've committed)
Information wants to be free
That's a feature. It's so you don't go messing around with root if you don't know what you're doing, as Ubuntu is geared toward being user friendly, and to people who aren't necessarily entirely familiar with the workings of Linux. It's easy enough to activate the root account, just 'sudo passwd'.
see this is why i use windows. there are never security patches to install, just service packs which allow me to get new security features like windows firewall. nothing beats windows security, and there's that helpful blue screen to tell me if something's gone wrong.
30 seconds and my post got a flamebait. I love Slashdot.
Within the same 30 seconds a post appeared following mine comparing the fix (which has the massive complexity of deleting some log files) with Microsoft's WMF fix, exactly as predicted. Beautiful, and so predictable.
Fuuuuck.
I knew I never should have trusted those badgers.
Smiling at me with their big cartoon teeth, eating up all the aspen, wanting to admin their own machines.
I've been a sap, and it's going to cost me.
And now I'm worried about the hedgehogs.
sudo su -
passwd
This IS a very serious issue, however it does require some work (accessing log) to obtain root. In comparison to other operating systems which provide default root ("administrator") access, without a password, on installation; this isn't as big of a deal. On top of this, from my understanding, a change of the root password after installation would prevent further issues. Overall this seems to be a problem but certainly not a huge one.
Proof by very large bribes. QED.
Sunday is probably peak development time for free software.
http://michaelsmith.id.au
Or, "sudo -s". Or, "sudo passwd root", and use whatever methods you are more comfortable with to elevate permissions.
Beware he who would deny you access to information, for in his heart he dreams himself your master. -Anonymous
He patched it within hours today, and posted to osnews with a description of what happened. He also posted a copy on the ubuntu forums page including details of what happened. It affects clean installs of breezy, and dapper upgrades from a breezy install, but not hoary or a clean dapper. hoary = 5.04 breezy = 5.10 dapper = not officially released yet
But you can get the root password, as the default user has sudo access. 'sudo su -', and that is that.
Freedom would be not to choose between black and white but to abjure such prescribed choices. -Theodor Adorno
Any programmer who doesn't stop themselves and think that writing something like fprintf(logfile, "root password entered is: %s\n", password); is not the best idea should not be writing code for a secure operating system.
All that the operating system/software need to know is how to verify that the password entered is correct. And that can be done without storing the root password at all (encrypted or not) with a hash.
Powered by caffeine and sugar; BSD
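The two comments above ask for the obvious alternative to fprintf-ing the password into a log: keep only a salt and a slow hash, so verifying a later login never needs the password itself to be stored. Here is an added example of that (not code from the post and not the Ubuntu installer's code); the function names, the PBKDF2 iteration count and the sample password are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Assumed work factor for this example; a real installer would pick it
# to match the hardware it targets.
ITERATIONS = 200_000

def make_verifier(password, salt=None):
    """Derive a 'pbkdf2_sha256$iters$salt$hash' string for /etc/shadow-style storage.

    The returned string is all that needs to be kept (or logged); the
    password itself is not retained anywhere.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())

def check_password(candidate, verifier):
    """Recompute the hash for the candidate and compare in constant time."""
    algo, iters, salt_hex, digest_hex = verifier.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown verifier format: %s" % algo)
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)

def demo():
    """Set a constructed password, then check a right and a wrong guess.

    Returns (right_ok, wrong_ok, plaintext_present_in_verifier).
    """
    verifier = make_verifier("hunter2")  # constructed sample password
    return (check_password("hunter2", verifier),
            check_password("hunter3", verifier),
            "hunter2" in verifier)

if __name__ == "__main__":
    print(demo())
```

The installer only ever needs to write the verifier string; any log line that records it is harmless to the password, which is the property the post above is asking for.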
Contribute to the Open Password community - release your passwords under the GPP (General Public Password) license! Because closed passwords are just series of * symbols - it's hard to use, share and modify them freely. :-)
Yeah, because it's approximately an equal effort to delete log files and to change anything about the WMF code, or whatever was causing that bug?
"Quoting yourself is stupid." -Me
$ sudo passwd root
Should ask to reset the root password. You can then use 'su' to invoke a shell as the root user.
This is for Breezy, which, I believe, had a root account which couldn't be used for login, just for sudo. Later versions disabled that password as well, only allowing a special non-root user to sudo by reentering his password.
Fixing a patch that either simply removes this log file or encrypts the password in it is very simple. I could do this in a few minutes tops.
Microsoft's security issues often are the result of an issue that requires code re-writes and changes. It takes time to do that, compile it, and test it. There is a huge difference between this tiny flaw and a buffer overflow in Windows Media Player.
Deleting a log file isn't quite the same thing as fixing buffer overflows and whatnot in a huge chunk of code. Yeah, it took MS 2 weeks -- and that was too long. It's not like the two bugs were equal in scope, though.
Way up.
Never ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever EVER under ANY circumstances put a plaintext password in *ANY* file. Ever.
...just what made that distro so "breezy"!
Information wants to be free -- but informants want to be paid.
Ubuntu is poised to become the standard by which Linux distros are judged. I've been running the latest stable release, Breezy Badger 5.10, for a while and it's rock solid, good looking, and easy to administer. Last night I downloaded Flight 5, the latest development iso for Dapper Drake 6.04, and was immediately impressed. In just one upgrade, they've managed to really go the extra mile with all the new features. I love minimalist simplicity, and Ubuntu gives me just that. Ubuntu is Debian made easy for the masses. You get the bullet-proof Debian core with a great, easy interface. Nothing touches this at the moment. Linux for human beings is a great tagline.
Now, let the script kiddies who have nothing better to do flame me for saying Ubuntu is cool. These same script kiddies who think they're 1337 because they have to manually set up their Slackware box. These same wanna-be geeks who are still bootstrapping their Gentoo systems for 12 hours to extract an extra 5 milliseconds of speed from their CPUs. I've done all that and now that I'm almost 40 years old, I just want a quick, stable system to work from.
Ubuntu devs fix a massive hole in a few hours, tops Microsoft devs fix a massive hole (WMF security bug) in two weeks-ish...
This should read:
Ubuntu devs fix a massive hole in a few MONTHS, tops
I give props to them for providing a fix so soon after they found it, but come on folks, this distro has been out for MONTHS now.
This is just going to give Bill an excuse to bash Linux even more.
This was probably just some way for the Ubuntu developers to steal passwords. But, since someone noticed they had to act like it was an accident and release a patch.
Ryan - http://www.thecosmotron.com/
I installed the beta of Breezy 5.10 and /var/log/installer/cdebconf/questions.dat *did not* contain my password. Looks like this only affected the final release.
When you have 300,000,000 users things are a little more complicated than when you have 3,000.
I find it very interesting that the severity of this bug is identical to the severity of the security hole found in OSX last week... yet the difference in attitudes is remarkable.
Look at the slashdot summary. "An extremely critical bug and security threat". Compare with the OSX bug which was written off because it's not remotely exploitable.
Apple hasn't even acknowledged that the OSX privilege escalation exists, let alone patched it.
Guidelines to posting a comment
1. RTFA
2. RTFA
3. Try seeing if TFA is true (ie open questions.dat)
4. Post Comment.
The problem is that all that happens during installation is logged in
And that includes logging of the username / password that the installer creates at time of installation. Of course if the user changes the password after the installation then the log file will not be updated and will still contain the old password.
I love humanity, it is people I hate
What I've read so far indicates the patches/corrections just remove the
file that had the password in cleartext. Where the password was
written in cleartext to a world readable file, at minimum, the password
should also be considered compromised, or likely to have been
compromised. Should force a password change, or at minimum strongly
advise (e.g. via security advisory) changing the password. Running
integrity check would also be advisable.
open var/log/installer/cdebconf/questions.dat, check at line 2140. Mine is there, individual results may vary
> Apple hasn't even acknowledged that the OSX privilege escalation exists, let alone patched it.
I agree with you regarding the different attitudes regarding this hole and the OS X holes. But I believe the recent OS X holes were indeed patched with Apple's March 2006 Security Update (though some websites are questioning whether the patches really fixed the underlying problems or merely placed band-aids on them).
http://docs.info.apple.com/article.html?artnum=30
-- "I never gave these stories much credence." - HAL 9000
> Ubuntu users, be sure to get the patch right away.
What does this patch fix? The installer? Sorry, but the installer is burned in the installation media, and a patch can be applied only after the installer has been run. So updating the system or even upgrading to Dapper (where it has been fixed) doesn't help. So....patch what???
No really, the installation ISO images should be fixed immediately and redistributed.
Also saying that it "only affects The 5.10 Breezy Badger release" may be a bit belittling, as probably most people have installed exactly that release.
It is unimaginable that OpenBSD would ever have an error like this.
http://www.thebricktestament.com/the_law/when_to_
Edubuntu has a neat installation of a Linux terminal server so this thing could have made a backdoor in school labs, etc. where it would have been a multi-simultaneous-user system. On a single-user system it would have been no problem because you can always be yourself.
If you're spending a lot of time in the shell, "sudo -s". Otherwise I actually find sudo handy because it keeps its state for a certain timeout period where you don't need to type the root password again. In this case it's nice when you're switching between user and root commands.
all these comments and noone has yet said it... ..ok...I'll do it, you've forced me..
Is this a "badger hole"?
Hey, someone *had* to say it. Laugh.
Strat
Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
You definitely have a valid point, but you still can't defend Microsoft's slow response to the WMF issue.
Within hours, a member of the SomethingAwful forums had hacked together a patch to the gdi32.dll with a few dozen NOP instructions to render the SetAbortProc call useless. Obviously with just a hex editor and no access to the Windows source code.
And how long did Microsoft take?
Many people know how to generate these special characters but I'll mention anyway: using the ALT/META key and the NUMPAD keys. Having a character map printout handy so you know the DEC (decimal) values of these special characters is a good idea if you decide to implement one of these passwords. Punch in ALT-DecimalValue with number lock on.
They may not work in some situations if special characters are not allowed, but you'd be surprised that they do work most often.
I bet most dictionary attacks don't run through many special characters. The cracker is lazy too and will probably not even consider that you chose a funny character which does not even exist on the keyboard.
Remember not to use NULL (#0) though, for crying out loud.
Based on the FPP, it sounds like the solution was to delete the install log. But that means the password was stored on the hard drive in clear text at some point. A deleted file doesn't go away automatically. Especially in this case where it is surrounded by predictable ASCII characters... a "strings" on the partition and a grep -B2 -A2 or similar should locate it. Of course that requires root, but then what's the point of encrypting it if you are going to also store it in clear text.
It DOES have a root account, it's just it sets the root password to some value that you're not trusted enough to be told. I personally fall prey to "bad" sysadmin techniques, and I sudo passwd root first thing. I then log in as root for sysadmin functions. In general, my systems are not intended for multiuser shell access (read - I'm the only user with shell access anyway), and it's a pain to sudo everything. I end up using sudo bash, so I may as well just log in as root to start with. I've never really understood why it's so BAD to log in as root. Yeah, so you can screw stuff up on accident if you're not careful. Typing sudo before the command as a regular user is just as bad. I guess it might make sense if you have multiple sysadmins and want to track who did what. But in my case, I am the only sysadmin, so why bother with the extra "security"?
Don't use a bleeding edge home desktop OS if you want a secure multi-user server.
I'll probably be modded down for this...
http://www.bash.org/?244321
The netatalk package, which provides Appletalk services (most commonly used services are AFP, ie filesharing, and papd, the printing spooler), isn't compiled in with ANY encrypted password support. If you connect to a debian or debian-based appletalk fileserver, you get a warning you are transmitting your password in clear-text. Yes, we're jumping about 10 years BACKWARDS in security.
Why? Because the legal-circle-jerk that is the debian-legal mailing list, decided that it wasn't "legal" to link netatalk (a GPL project) to OpenSSL (license supposedly incompatible with GPL.) This doesn't stop every other distribution on the planet from compiling netatalk with openssl, and hence supporting encrypted passwords.
They politely suggested that GnuTLS, which isn't even remotely drop-in, be used instead. That was back in 2002...and the issue still hasn't been addressed. I filed a bug on it and the bug was simply ignored.
Please help metamoderate.
Click? Since when did UNIX have mice.
Good thing I'm using Windows.
w00t
Just sudo -s when you need to use a shell for an extended period.
For debugging purposes, you MAY want to print out entered values. However, you don't do this in the main log. For a start, if you're debugging, you don't want to have to search through tonnes of text. You want to find the error fast. You therefore output the "routine" log to one file and the "debug" log to a different file.
Doesn't this just go back to the same problem though? No. First, debug logs don't need to be written to quickly, because debug sessions are going to be slow anyway. Therefore you can encrypt them or otherwise make them unreadable to the casual observer. In general, you want these to be sent to the maintainer as part of a bug report in the event of an install failure, so just pre-encrypt them with the maintainer's public PGP/GPG key.
A more "correct" solution would be to assign different debug levels to different levels of logging, where your maximum level logs absolutely ALL data entered by the user, but where distributed versions are issued with much more basic logging that excludes private information that isn't likely to be useful in debugging the problem anyway.
(The ideal solution is to have maintenance debugging for logging everything as a distinct patch to the basic distribution, so the basic distribution cannot - even accidentally - log everything. That way, users don't even have to put up with obscenely inflated binaries that have lots of debug stuff that will likely never be used, and maintainers don't ever have brown-paper-bag security scares.)
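The three paragraphs above describe a split between a routine log that never sees secrets and a separate, restricted debug log that is only produced on request. As an added example (not the poster's code and not anything from the Ubuntu installer or debconf), here is that split written with Python's logging module: a filter redacts secret answers on the routine log, and the verbatim debug log is created only when asked for, with mode 0600 rather than the PGP encryption the comment suggests. The answer keys, file names and the sample transcript are constructed for the example.

```python
import logging
import os
import stat
import tempfile

# Answer keys whose values are secrets (names assumed for this example).
SECRET_KEYS = {"passwd/root-password", "passwd/user-password"}

class RedactSecrets(logging.Filter):
    """Attached to the routine logger only: blank the value of secret answers."""
    def filter(self, record):
        if getattr(record, "key", None) in SECRET_KEYS:
            record.value = "<redacted>"
        return True

def _file_handler(path, mode):
    # Create the file with the wanted permissions before the handler opens
    # it, so no write ever lands in a file with looser permissions.
    os.close(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode))
    handler = logging.FileHandler(path)
    handler.setFormatter(logging.Formatter("%(levelname)s %(key)s=%(value)s"))
    return handler

def build_loggers(logdir, debug=False):
    """Return (routine_logger, debug_logger_or_None) writing into logdir."""
    tag = os.path.basename(logdir)  # keep loggers of separate runs apart
    routine = logging.getLogger("installer.routine." + tag)
    routine.handlers.clear()
    routine.propagate = False
    routine.setLevel(logging.INFO)
    routine.addFilter(RedactSecrets())
    routine.addHandler(_file_handler(os.path.join(logdir, "installer.log"), 0o644))
    dbg = None
    if debug:  # the full transcript exists only when explicitly requested
        dbg = logging.getLogger("installer.debug." + tag)
        dbg.handlers.clear()
        dbg.propagate = False
        dbg.setLevel(logging.DEBUG)
        dbg.addHandler(_file_handler(os.path.join(logdir, "installer-debug.log"), 0o600))
    return routine, dbg

def record_answer(routine, dbg, key, value):
    """Log one answer: redacted in the routine log, verbatim only in the debug log."""
    routine.info("answer", extra={"key": key, "value": value})
    if dbg is not None:
        dbg.debug("answer", extra={"key": key, "value": value})

def demo(debug=False):
    """Run a constructed three-answer transcript; return (routine_text, debug_text, debug_mode)."""
    logdir = tempfile.mkdtemp()
    routine, dbg = build_loggers(logdir, debug)
    for key, value in [("hostname", "badger"),
                       ("passwd/root-password", "hunter2"),  # constructed secret
                       ("locale", "en_GB")]:
        record_answer(routine, dbg, key, value)
    for h in routine.handlers:
        h.close()
    with open(os.path.join(logdir, "installer.log")) as f:
        routine_text = f.read()
    debug_text, debug_mode = "", None
    if dbg is not None:
        for h in dbg.handlers:
            h.close()
        path = os.path.join(logdir, "installer-debug.log")
        with open(path) as f:
            debug_text = f.read()
        debug_mode = stat.S_IMODE(os.stat(path).st_mode)
    return routine_text, debug_text, debug_mode

if __name__ == "__main__":
    print(demo(debug=True))
```

Because the redaction happens in a logger-level filter, every handler on the routine logger sees the redacted record; the secret can only reach the debug file, which does not exist at all in a normal run.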
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Nah, its actually friday nights.
If you like what I've said here, and want to read more, go to http://www.krillrblog.com
if you substituted windows for ubuntu, you'd be modded +5 by now
GNL is NOT linux.
...in any form, even the hash!! Anything less is simply a huge security hole.
Netbooks, they come with Linux or a $3 copy of Windows. Either way, Microsoft loses.
Comment removed based on user account deletion
Dude... "sudo su -"?
And you've been using sudo how long?
For those who want to save 3 characters of typing, please use the far simpler and easier to use, "sudo -s"
...because the approaching drakes changed direction? ;)
If you read the post, then it turns out they ALWAYS save passwords in plain text to disk. It's just that they "try really hard" to remove them as quickly as possible. Well, that's how I read it.
With a great design like that, seems like critical bugs are just waiting to fall out.
For every expert, there is an equal and opposite expert. - Arthur C. Clarke
#!/bin/sh
# Password must be set here; the sed pattern below is double-quoted so $PASS expands.
PASS="my_root_password"
echo "Why would anyone log a password in the installer?\n"
find /var/log -type f -exec sed -i "s/$PASS//g" {} \;
echo "Why would anyone have /var/log readable by users?\n"
chown -R root:root /var/log
chmod -R o-rwx /var/log
echo "All done, thanks for using Atomic-Penguin's unofficial ubuntu patch!\n"
/^([Ss]ame [Bb]at (time, |channel.)){2}$/
> ...Why? Because the legal-circle-jerk that is the debian-legal mailing list, decided that it wasn't "legal" to link netatalk (a GPL project) to OpenSSL (license supposedly incompatible with GPL.
This has been discussed at length, and OpenSSL's license is GPL incompatible. Everyone else may simply think it's ok to bend the rules, and that they won't ever get sued for it. That's not a safe assumption for a volunteer-based distribution.
> This doesn't stop every other distribution on the planet from compiling netatalk with openssl, and hence supporting encrypted passwords.
"Everyone else breaks the rules, so it's ok." That doesn't work for speeding tickets, and it doesn't work in contract/license disputes.
> They politely suggested that GnuTLS, which isn't even remotely drop-in, be used instead. That was back in 2002...and the issue still hasn't been addressed. I filed a bug on it and the bug was simply ignored.
Maybe you and any other users of appletalk on insecure networks ought to band together and fix it. Alternatively you can just switch distributions or upgrade your networking from appletalk (a 1980s protocol, since you were talking about being 10 years backwards).
Does it suck? Yes. It sucks that the OpenSSL people won't change their license, and upstream netatalk doesn't care either. However Debian would risk legal action against ALL users if they break the law, even though 1% of the users use this package. They chose the solution for 99% of their users, which is the best you can hope for in an esoteric case like this.
I didn't find the password in my installer logs. It seems that if you install in expert mode you're OK. See the bug report here:
https://launchpad.net/distros/ubuntu/+bug/34606
Oh, come on. You filed the bug in 2002! They still have to test it for a few years to make sure it's stable, then they will try and solve it. You can't expect Debian to fix any cutting-edge bug...
USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
less /etc/issue
Ubuntu 5.10 "Breezy Badger" \n \l
I upgraded from Warty - with dist-upgrade - maybe that's my deal... apt-get update && apt-get upgrade, anyway.
"Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
Who needs facts if you have hyperbole!
Analogies don't equal equalities, they are merely somewhat analogous.
And for those who want to learn how to count, please use apt-get install kids_counting_program.
There are 11 types of people in the world: those who can count in binary, and those who can't.
Hell, even I sometimes have to spend half an hour trying to figure out what I meant.
The preferred method, however is to not write it down at all.
Which reminds me: I don't trust installers to secure passwords. Quite often, I'll use a cheap password on installation, and then reset the password after the install is complete .... Just in case something like the instant STUPID bug occurs. Installers are often written by relatively junior programmers... the kind of people who are most likely to do stupid things like this.
Silly story:
Back in the '80s the original BSD 4.0 code for chfn (change full name) allowed you to set the GCOS field, but did absolutely NO input validation....
I ran into it because I accidentally put a ':' into my gcos field -- which messed things up until I created another mangled entry that included a newline (to get the original garbage out of the way). Then I realized that I could do something like:
Now I had a root login that I could use to clean up the mess I had made in theI cleaned things up and then hunted down our sysadmin (I was a lowly student at UofA back then) and explained the problem. It didn't take him very long to get the patch out.
Free Software: Like love, it grows best when given away.
Maybe I'm clueless, but isn't the "fix" to simply change your root password after installation?
> Ubuntu users, be sure to get the patch right away.
I hope the "patch" deletes the log file, and doesn't just fix the installer. Ubuntu users, delete the log file, since I doubt you will ever set the root password w/your installer again. Or, change the root pw--then the one in the log file won't match. Honestly...
-Dan
The patch (unless it goes out and deletes the offending files) is only going to patch the installer (which you're probably never going to run again). You're still going to have a cleartext copy of your original admin password sitting on the box in a file with read-other permissions.
Even if the files get deleted (or have their permissions changed), you still have no idea as to whether somebody has read the files since October.
BTW: Are they re-burning the installation CDs?
It looks like those badgers have had a few too many of those mushrooms!
Unless you are only referring to *nix variants?
Radio on your iPod
..install a backdoor password, at least make it a not easily crackable one.. :|
You have to understand that from their viewpoint, the issue is not with them, but with the author of the software in question.
But you have to agree that the blame is entirely on Ubuntu's side since they have chosen this solution.
"If this is the quality of code that the Ubuntu team is developing for it's distro, though, I do have to question why it is so popular."
Wait.. You're serious? It's obviously because it's so user friendly. I bet you my soul that simplicity/ease of use is the single most important driving factor behind Ubuntu's success. As long as the system isn't taken down every 30 seconds, mainstream desktop users will tolerate bugs. I always get surprised when people act as if something like an inherently flawed file system structure actually matters to mainstream desktop users.
Excellent point. Not.
Installed the Bubblemon yet?
Huh? How could anyone sue you for Debian's actions, if you didn't even have the offending software installed?
Okay, but who uses Appletalk now anyway? If you want a Mac Quadra to upgrade your network, I can let you have one for the cost of shipping.
There's an assumption in your post that the only reason a person wouldn't install the updates is failure to notice their existence or disinterest in messing with things. I personally don't keep the latest updates installed out of fear.
I need my linux install to work all the time because I rely on it to do my school work (computer science). An ubuntu update has never broken my system before, but it's a concern for me nonetheless. Every linux system is configured differently, and I'm not willing to bet my academic success on the hope that my exact set of installed packages and config files on my hardware won't have any problems that weren't caught in some kind of non-commercial open-source testing phase (or perhaps weren't tested at all).
Call me paranoid, but I always wait until a break to install my updates. I've chosen to effectively have the same security update frequency as Windows even though I can plainly see when new updates are available. Hopefully I won't get p0wned because of it.
Just a question, if the password hash isn't stored anywhere, how do you compare the password you enter to the actual password?
Touched By His Noodley Appendage.
but.. um.. that got me thinking..
Is there an easy way to check to see if your password is stored in a plaintext file somewhere in the filesystem?
Can you be Even More Awesome?!
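The question above ("is there an easy way to check whether your password is stored in a plaintext file somewhere?") and the earlier remark that deleting the install log does not remove the bytes from the disk both call for the same small tool. Here is an added example (not the poster's code, and not the shell script posted elsewhere in this thread) that scans a tree for a known secret, reports which hits are world-readable, and overwrites a file's contents before unlinking it. The directory layout, the file contents and the sample secret are constructed for the example.

```python
import os
import stat
import tempfile

def find_plaintext_secret(root, secret):
    """Return sorted [(relative_path, world_readable)] for regular files containing secret."""
    needle = secret.encode()
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode):
                    continue  # skip symlinks, sockets and device nodes
                with open(path, "rb") as f:
                    if needle in f.read():
                        hits.append((os.path.relpath(path, root),
                                     bool(st.st_mode & stat.S_IROTH)))
            except OSError:
                continue  # unreadable entry: keep scanning the rest
    return sorted(hits)

def overwrite_in_place(path):
    """Overwrite the file's bytes with zeros and flush them to disk; return bytes wiped.

    Caveat: on journaling filesystems, snapshots, SSD wear levelling or
    backups the old blocks may still survive; this only addresses the
    'unlink leaves the data in place' point made in the thread.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        f.write(b"\0" * size)
        f.flush()
        os.fsync(f.fileno())
    return size

def scrub(path):
    """Wipe, then unlink, so a later strings/grep over the partition finds zeros."""
    wiped = overwrite_in_place(path)
    os.unlink(path)
    return wiped

def demo():
    """Build a constructed log tree, scan it, scrub the leaking file, scan again."""
    root = tempfile.mkdtemp()
    logdir = os.path.join(root, "installer", "cdebconf")
    os.makedirs(logdir)
    leak = os.path.join(logdir, "questions.dat")
    with open(leak, "w") as f:
        f.write("Name: passwd/root-password\nValue: hunter2\n")  # constructed leak
    os.chmod(leak, 0o644)  # world-readable, as reported in the thread
    with open(os.path.join(root, "syslog"), "w") as f:
        f.write("Mar 12 10:00:00 badger installer: finished\n")  # constructed
    before = find_plaintext_secret(root, "hunter2")
    wiped = scrub(leak)
    after = find_plaintext_secret(root, "hunter2")
    return before, wiped, after

if __name__ == "__main__":
    print(demo())
```

Run against a real system this should be pointed at /var/log (and the home directories) as root, and a hit in a world-readable file means the password should be treated as compromised and changed, not merely deleted.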
On a side note - this is pretty bad - sure a lot of people are going to say this is local privilege escalation only, but combined with any other exploit, this allows an attacker root access.
This is the reason I use Debian for anything serious....
My pics.
don't trust anyone else's "Secret Password", just put your own. the first thing i do on u/k/x/buntu is change the root password to my very own :)
:) !!!!!!!
I remember a job I had, where I set up everything for the company and had all the passwords (50 people, yadda yadda). Well, they fired the guy who was my assistant and had all the passwords handed down to him, and he was not so friendly; he deleted all reference to them from his computer, and the original encrypted file was on my computer that the new admin formatted >:) So they call me as they need the password for the ISP access: "penis". The boss gets angry, "what the hell kind of password is that?" A pretty damn good one, as you didn't guess it.
A computer once beat me at chess, but it was no match for me at kick boxing. Emo Philips
During installation the root account is not activated. Instead, it gives your account sudo access. However anybody in the right mind will immediately activate the root account right after installation and remove your own account from the sudo list.
It's funny, not flamebait...
Anybody with a Macintosh and brains. AFP outperforms SMB by a factor of about 5:1 on directory operations, and 1.5:1 on raw file transfer performance. SMB also has very half-assed filename support.
Actually, QNX Neutrino 2 initially sets the root password to be an empty string. Granted, version 2 is from a few years back (and I don't know if the current version still behaves this way), but it's certainly a modern OS.
The bits on the bus go on and off... on and off... on and off...
Go Lunix!
I'm fed up with people claiming slashdot has some kind of bias. Every article I read has fanboys and lapdogs bigging up their flavour of the month.
There's no bias, there's just a bias in which people comment/mod which stories. K?
Right, the bias exists. But we all know it and acknowledge it. I'd say it is part of the spirit of /. On the other hand, one must recognize that there are rarely lies in order to preserve this bias; patches from MS and flaws from linux are also reported, and even if the critics are far from balanced, wrong facts remain rare and willfully wrong facts even rarer. I believe this makes Slashdot a factual-objective, opinion-biased forum. I like it.
The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
Secure password authentication in AFP was introduced at least 10 years ago. We're talking about AppleSHARE here, Mr. Genius. A protocol fully maintained and used extensively on current hardware. I'll switch to SMB when it offers the same level of performance as AFP (it doesn't, not even close, in raw transfer speed or directory operations) and the same filename compatibility.
> Maybe you and any other users of appletalk on unsecure networks ought to band together and fix it.
So let's get this straight.
Like many a faithful geek, I was led down the path of "enlightenment" offered. I helped give open-source software market share. I helped sell open-source to my boss, and my boss's boss. I redirected my career to support open-source software.
And what do I get in return? "Fix it yourself, you dumb user."
To think I still get asked why I'm not running Linux on my Powerbook. Because IT JUST WORKS; no politics, no "nobody cares about that bug so it won't be fixed". Because I don't have to deal with arrogant blowhard grad students telling me to fix software myself. I have neither the time, ability, knowledge nor inclination necessary to run around fixing complex software. 99.999% of the rest of the world doesn't either. Sad reality of life is that there is an extremely small segment of the population of linux users that have even the slightest qualifications to know how to go about fixing bugs or adding features.
Like most academics, you have zero comprehension of what matters in the real world. Joe Sixpack doesn't go into Firefox and add features. Jane Officeuser doesn't fix GnuTLS so it works with netatalk. Users don't give a damn about theoretical lawsuit possibilities. They don't give a shit about the finer points of licensing. Nothing impresses a CIO or a Director of IT less than "oh, we have to transmit passwords in clear-text because the license for a system library isn't compatible with the license for the server software."
Oh, and if you believe the whole Debian Kool-Aid line about "we have to protect this because we'd ALL BE SUED", I have two bridges in NY I'd just LOVE to sell you. PS: It says "gullible sheep" on the ceiling.
If you guys are concerned about security, there is one OS worth looking at, it is Tomahawk Desktop.
The most dangerous thing you can do to a computer is connect it to the Internet. Using a Unix-like OS doesn't necessarily mean you are safe unless that OS is specifically designed and configured for that.
Viral and worm attacks are common. Can Ubuntu save you from a pharming attack? Can Ubuntu save you from an avalanche of ssh or ftp attacks to crack your password?
Why would an OS installer record the root password you enter except properly encrypted in /etc/shadow?
I saw many comments stating that they should not write down the password on any file, etc. Seems that nobody here nor on Ubuntu has any clue..
First of all, the password shouldn't be read with normal stdin. The 'passwd' program reads the password in a more direct way, not allowing it to be redirected anywhere. Just try "ls | head -3 | passwd" and you will see it does not work.
The installation should use it to enter the passwords, so that it will not even know what the password is, let alone writing it on a log file.
echo "Why would anyone leave their root password hardcoded in a bash script?"
rm $0
That might reset the root password, but won't deal with the underlying issue that is the fact that the password of the first user (who has sudo access) is in the file.
You clearly don't get it. Even the developers say this is huge.
;-)
Ubuntu is poised to become the standard by which Linux distros are judged.
You mean the standard by which insecure distros are judged. Make no mistake, this will be a memorable embarrassment.
I downloaded... Dapper Drake 6.04, and was immediately impressed.
And yet they want to delay release because it's not ready. Maybe you're easily impressed?
Now, let the script kiddies...
This has nothing to do with script kiddies.
blah blah blah Slackware blah blah blah Gentoo...
There are more reasons to run Gentoo than the performance increase, which you don't even want to admit to. Some people want to experiment. Others want some unique features and feel it's worth the extra work. Just because you've packed it in doesn't mean you have to scorn those who haven't. Ubuntu may be for human beings, but all humans are different. One size does not fit all.
I'm almost 40 years old, I just want a quick, stable system to work from.
Hey you kids! Get off my lawn!
Controlling complexity is the essence of computer programming. -Brian Kernighan
Give me a break. I use Ubuntu and love it, but this is one of the worst security breaches I've ever seen, and ironically with an easy fix (for goodness' sake I'm not an Ubuntu hacker, but a rm /var/whatever is something I can do myself, even a chmod for that matter)
Anyway my point is that I'm sure that MS or Apple would have answered quickly (maybe only today...) because it is so simple to fix this oh so critical hole. No code to write, no nothing, just a file to remove or to chmod.
No, the real problem is that it was there in the first place. I sure hope that Dapper is pushed 6 weeks now and that they will take the time for some serious QA.
Think about schools, libraries etc. If they use Ubuntu, yesterday might have been judgement day.
If OSX, or Apple, had such a hole, people would riot in the street for days even after a fix, but there, it is Ubuntu, it is Linux, so it seems to be fine. Well hell, it's not.
Sure, feel free to return all the money you paid for the FREE software.
There is no kool-aid that creates software magically. Either
a) have competence to fix stuff yourself or
b) pay someone to fix them
Yes, there are people who do stuff out of goodwill, but like you have found out, they work only on issues they find themselves interesting, which (this seems to be a surprise for you..) might not be the problem your BUSINESS is seeing.
I have neither the time, ability, knowledge nor inclination necessary to run around fixing complex software.
Yet you have no problem making your LIVING using such software. There are people who have those skills and would be happy to fix those pieces for your company for modest fees.
You are the only person gullible here, if you really think Free Software is perfect out of the box for your specific business needs.
If you did not have that asshat attitude, you would have noticed that funding netatalk to use GnuTLS instead of being a license violation would not cost much, and would give the warm fuzzy feeling of improving the OSS world for everyone. But sure, use your work time to whine on Slashdot to annoy and demotivate people. It might be as effective..
I remember when Mozilla guys would be so prompt when exploits were found in Firefox. Now it's really just every few releases they patch things. Now I don't keep up on it, but either that's good, or it's their security guys getting lax. I dunno. But I hope it doesn't come to that for Ubuntu.
space is pretty cool.
If you had ever made an install CD set, or an install DVD, you'd have a copy of the "infringing" code. Also, Debian often installs extra packages which another package recommends; it's quite easy to end up with software you have no personal use for - but you did make a copy. Remember that it's the act of making a copy that affects copyright law, not what you do with it afterward. Just having the software on the DVD is a problem.
Then there's the secondary issue of guilt by association. The common tactic nowadays is to sue everyone and ask questions later. Those without deep pockets will have to cave in for financial reasons, even if the suit lacks any real merit. It would not be difficult to convince a jury that if Debian was making something illegally, anyone installing Debian must also be breaking the same law. You could try and argue about the way dpkg/apt work, but I doubt you'd get too far.
In other words, it's a minefield out there, so it makes sense to tread carefully.
only with ubuntu, php and curl? ubuntu users use these right?
"This program is released under the GPL with the additional exemption that compiling, linking, and/or using OpenSSL is allowed."
See the OpenSSL FAQ).
-------
Warning: Slashdot may contain traces of nuts.
That's a weak argument against Ubuntu's suitability for development work. I code too (in C++, among others) but have had no problems.
(Btw, who does Motif dev work any more?)
Way to prove his point, "asshat".
IRC h4xbot|dfmejbu: 60 -rw-r--r-- 1 root 60259 Dec 20 00:40 /var/log/installer/cdebconf/questions.dat
IRC h4xbot|peowbar: 64 -rw-r--r-- 1 root 59638 Apr 22 2005 /var/log/installer/cdebconf/questions.dat
IRC h4xbot|xtoscxj: 68 -rw-r--r-- 1 root 61992 Feb 5 18:17 /var/log/installer/cdebconf/questions.dat
Joy?
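The listings above show the mode (-rw-r--r--, owned by root) that made the installer's answers file readable by every local user. As an added example that is not from the thread or from Ubuntu's fix, the POSIX shell script below finds world-readable files under a log directory that still carry debconf password answers, redacts the values and closes the permissions; the question names passwd/root-password and passwd/user-password and the Name:/Value: layout of questions.dat are assumptions, and the sample directory it audits is constructed.

```shell
#!/bin/sh
# Added example (not the thread's or Ubuntu's code): audit a directory of
# installer logs for world-readable files that still carry debconf password
# answers, then redact the values and close the permissions.
# Assumptions: questions.dat uses "Name:" / "Value:" lines and the password
# questions are named passwd/root-password and passwd/user-password
# (the prefix match also covers the "-again" confirmation questions).

# Print every file under $1 that is readable by "other" (-perm -004 tests
# the other-read bit) and contains a password question.
find_leaky_logs() {
    find "$1" -type f -perm -004 \
        -exec grep -lE '^Name: passwd/(root|user)-password' {} \;
}

# Replace the Value: of every password question in $1 with a marker and
# make the file readable by its owner only. The awk program keeps state
# per question: a "Name:" line decides whether the next "Value:" line is
# a password answer; other questions are copied through unchanged.
redact_password_answers() {
    f=$1
    tmp="$f.redact.$$"
    awk '
        /^Name: / { secret = ($0 ~ /^Name: passwd\/(root|user)-password/) }
        secret && /^Value: / { print "Value: [REDACTED]"; next }
        { print }
    ' "$f" > "$tmp" && mv "$tmp" "$f" && chmod 600 "$f"
}

# Redact and lock down every leaky file under $1.
fix_leaky_logs() {
    find_leaky_logs "$1" | while IFS= read -r f; do
        redact_password_answers "$f"
    done
}

# Constructed sample tree mimicking the leak: a world-readable
# questions.dat holding one harmless question and one root password answer.
make_sample_logs() {
    dir=$(mktemp -d)
    mkdir -p "$dir/cdebconf"
    printf '%s\n' \
        'Name: debian-installer/locale' \
        'Template: debian-installer/locale' \
        'Value: en_US' \
        'Owners: d-i' \
        '' \
        'Name: passwd/root-password' \
        'Template: passwd/root-password' \
        'Value: hunter2' \
        'Owners: d-i' > "$dir/cdebconf/questions.dat"
    chmod 644 "$dir/cdebconf/questions.dat"   # the leaky mode (-rw-r--r--)
    printf '%s\n' "$dir"
}

# Stand-alone run: build the sample, report the leak, fix it, re-check.
demo() {
    dir=$(make_sample_logs)
    echo "Leaky files before fix:"
    find_leaky_logs "$dir"
    fix_leaky_logs "$dir"
    echo "Leaky files after fix: $(find_leaky_logs "$dir" | wc -l)"
    rm -rf "$dir"
}
demo
```

Run it against a real tree with `find_leaky_logs /var/log/installer` first; the redaction step rewrites files, so review the list before calling `fix_leaky_logs`.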
They have NO CHOICE. They simply do not have permission to distribute binaries of netatalk linked against OpenSSL.
Now, if you think this is not true you are free to set up your own website and provide your own packages. Debian does not want the legal risk.
Why not complain to the authors of netatalk and get them to add an exemption to their license that allows linking against OpenSSL?
Want another example of Debian/Ubuntu idiocy?
It's idiocy, but not theirs. OpenSSL is not, I repeat NOT compatible with the GPL. Hell, it's easier for Microsoft to include it in Windows than it is for a GPL project. And you know what? This is by design. They have been asked, begged, prodded and poked to release OpenSSL under a GPL-compatible license, and they won't.
You're allowed to distribute both separately, but when you link them - well it's like linking GPL programs to any "proprietary" library. They just aren't compatible, and I don't think you can get around that by simply shipping it as a finished "do it at the end-users end" script either. If that was the case then source based distros like Gentoo would make the GPL null and void, because then you could just compile in whatever GPL code you needed with proprietary code and never distribute a derived work.
I think OpenSSL has gotten an excellent deal - usually they get their attribution as per the license, no one can fork it under the GPL or copy any code from it to GPL'd projects, in other words all of the glory with none of the giving back. As far as I can tell there's no reason for them to relicense OpenSSL since it'd give nothing.
It is the license of the GPL'd projects that are being violated. What do they have to gain by pushing the issue? Oh yeah, they can't actually make secure connections anywhere. It is the GPL projects silently accepting being linked to a non-GPL'd library here that is the issue. It's the same reason very few except RMS is pushing the "can we link GPL to Java" issue. Because if you couldn't, most of them would simply cease to function.
Debian-legal is very much "by the book". Debian-legal won't let you ignore license incompatibilities, silent acceptance of violations even when the projects themselves want to. Want to be able to link with OpenSSL? Fine, get approval from all copyright holders, relicense and provide the exception. Until then, they're not going to treat the license the way it stands, not the way you'd like it to be, because as project leader you're probably acting on behalf of lots of other copyright holders. This isn't a "majority vote", if one person can't be reached or refuses then the project can't relicense, even if 50%, 90%, 99% of the project want to. End of story.
Live today, because you never know what tomorrow brings
Are those ubunto folks pretending to have users again?
... I don't use passwords. Saves me for lots of trouble.
http://slashdot.su/
You can also "sudo su". It's even the same number of keystrokes.
Although I wouldn't use Ubuntu for server usage myself (this includes giving people remote access for me) I also don't think it's fair to criticize Ubuntu in the way some people do. Let's face it, this kind of stuff can happen to the best. Granted, this Solaris issue doesn't involve the root password, but the basic issue is exactly the same.
What does Ubunto mean? Is it a software program or an operating system?
If you wonder why OSS is being considered a "fad" and soon to die there's the answer. How can you take the name "breezy badger" seriously. It sounds more like a cartoon series than it does a software package.
My laptop has been running dapper since the branch was opened. Before I got this laptop, my main computer was a desktop running Debian unstable (usually with all of experimental installed, too). I'm a last-semester senior in college (computer engineering) and work 20-40h/wk at the same time, for a sweet Linux company. If stuff breaks, I fix it - it's not impossible. OK, I'm just being a punk, though. You can be safe. Just, do yourself a favor: use a stable release so you can separate out security updates. Don't wait a month for those.
...we'd be hearing about how it still wouldn't count as a remote exploit. Very loudly.
in the real world, people make mistakes. People don't get fired for making a single mistake. Instead, people try to co-operate in helping them realize the mistake and address the source issue so it doesn't happen again.
When I read messages like these, where people are ready to draw and quarter people the moment they make a tiny error, it makes me wonder about the motivations. Who are you to judge someone else? When exactly did it become that everyone is perfect, and that we are incapable of error unless being malicious?
One would think that as a Slashdot reader, there would be a chance of you understanding that people make mistakes (how else could you live with the dupes!). It doesn't mean they're evil or out to get you, they just didn't realize something (or don't read their own website as religiously as you or I).
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
Maybe I'm being Captain Obvious here, but I think he was trying to be funny but somehow got modded Insightful.
Never store a /hash/ like md5 or SHA*.
Instead, use the Young-Hammond-Baker Transform (YHBT).
HTH,
FP.
Also FatPhil on SoylentNews, id 863
Hold up there my friend, I know you're upset with yourself... but comparing yourself to SAP is far too harsh!
"Computers will never truly be free until the last windows user is strangled with the entrails of the last mac user."
Friday night is peak development time for free software ;)
" Does it suck? Yes. It sucks that the OpenSSL people won't change their license, and upstream netatalk doesn't care either. "
I'd venture to say that it sucks that... wait, let me rephrase that... I'd venture to say that the GPL sucks. Come on, is it really the burden of the developers of OpenSSL to make their free software compatible with a less-than-free license? BSD-style licensing has been around far longer than the GPL and, imho, is not catered to the likes of M$ whilst specifically thwarting the GPL. It seems far more likely that the GPL "Freedom isn't Free" style of licensing just came around to bite it you know where.
On a side note, when BSD developers want something to be compatible with the BSD license, they write it. I've never heard a serious complaint from the BSD community about people not being willing to change their GPL'd software licenses. The same is possible for the GPLers, if they want to take the time.
I'm sure I've opened myself up to lots of flamage, and yes, I do use gpl'ed software, but I also use windows... I guess they are both necessary evils.
If you RTFA, it also applies to the user password that gets unlimited sudo access. Which means, by default, you still get screwed.
XML is like violence. If it doesn't solve the problem, use more.
Type the following in terminal to view contents of the swapfile, which is in PLAIN TEXT!
sudo strings -8 /var/vm/swapfile0 |grep -A 4 -i longname
(The "longname" being your user ID name)
not to be nitpicking but now your password moved in cleartext into the .bash_history file ...
--- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
you use a distro with a gay name like UBUNTU
and it has even GAYER release names like BREEZY BADGER.
If having GAY names starts to become a trend in the GNU/Linux community - I will go back to using Microsoft OS's.
Obviously you don't understand why sudo is useful. Especially in a multi admin environment or where power users need to do a few privileged commands (e.g. bounce Apache).
Nobody has root access. So you no longer see those log entries where "root" logged in just before somebody crapped in a system file, crashing the system. You now see that joeadmin logged in and now you have Joe baby sit the restore and can kid him for years to come.
I'm betting (BSD person) that while the root account is not "activated", it probably has a "*" in the shadow file, so it's not open, either.
In a single user environment sudo may not be as useful. Although it does force you to think about doing root work, because you have to prepend sudo to every command.
Those who do everything as root need not apply.
sure enough, the bad PR for open source is delivered to you by Zonk the Microsoft lover.
In a one user environment, sudo can seem worthless. You could set it up to restrict what you can do "accidentally". You can also use it to make you think twice about doing root stuff (i.e. you have to type sudo). Ultimately you'll still have to pay attention that you don't rm -rf after cd /. You can accomplish the same thing by disallowing root logins and forcing yourself to su each time.
For an OS designed to go on desktops, you'll likely have owners/users that aren't unix gurus, so anything you can do to help them not shoot themselves in the foot is probably worth doing. For what it's worth, MacOSX does the locked root, use sudo, configuration as well.
In a multi admin environment, sudo should be mandatory. Handing out the root password to all the admins is just asking for total deniability when one of them makes a mistake. sudo forces them to login as their accountable user first, which gets logged. Then their sudo command is also logged. You can also set up sudo to give a subset of privileges to users. For instance let the DB or web admin bounce their apps as root, but not do anything else in sudo. Or the backup monkey only gets to run the backup commands. You could probably prevent lazy admins from "sudo sh", too.
You need to put http:/// before all absolute URLs.
This is basic common knowledge that applies to the entire web, not just Slashdot.
Whoops, only two slashes, not three. For some reason Slash inserted a third slash even though I only put two in my post.
Seriously... why?
It's not like you can't boot from CD and re-set the thing anyway - I can see no legitimate reason to log it at all...
If you don't log it, you don't need to worry about "cleaning" the log up...
smash.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
Why the heck did the netatalk creators provide the ability to link to OpenSSL if they don't allow you to in their licence?
Chances are any discussion on Slashdot will degrade into a flamewar about ID/Christianity within 14 posts.
If you employ any kind of log server (syslog-ng, for example), then these log files may also be sitting somewhere besides the Ubuntu hosts. This also illustrates the benefit of wrapping syslog traffic in some kind of encryption (good article at http://www.samag.com/articles/2005/0506/ - dead tree only, unfortunately).
Charles
There exists no way of exchanging information without making judgments. --Bene Gesserit Axiom
And they say that Windows has problems with security....
OK, but;
The root password is hard-coded in plaintext in this bash script
The root password is visible to all users via 'w' the entire time the script runs.
This is _much_ worse than the original issue.
455fe10422ca29c4933f95052b792ab2
My root password is "go", and I use Ubuntu at home. By my tally most people using Ubuntu are home users probably, and so they probably know their own root password. If you are letting random strangers in your house to poke around your files and try to gain root, this is probably an issue. The way I see it, is if someone somehow got in my house and into my room to use my computer, I think I'd notice. Most Windows users run as administrators too anyway.
Maybe this is just a sting to your egos that linux systems have issues too.
If you wanted a secure corporate environment linux distro, I don't know why you'd be using Ubuntu anyway.
To quote it in brick's words "I DONT KNOW WHAT WE'RE YELLING ABOUT"
Judges and senates have been bought for gold; Esteem and love were never to be sold.
I hear about 40% of people are illiterate, so there's a 40% chance the person viewing your password won't be able to use it.
Seriously, major gaffe. Glad to see it is fixed.
I use Mepis, but may be Kubuntu a spin on its next release.
LRC, the best-read libertarian site on the web
No you don't, what are you talking about. Your browser adds that shit itself, but hyperlinks don't need it. And that still doesn't explain why Slashdot adds itself to the beginning of the link (like it did for your http:/// link).
i can make a link, but that doesn't mean slashdot doesn't fuck up links when you put without the http:///
shit faced mother fucker!
if i'm not immortal, what's the point of living?
...te?
The problem isn't your ability to "screw something up on accident". It's the fact that if an application has a vulnerability that is remotely exploitable, if run as a regular user, the attacker has to increase their privileges (see privilege escalation) in order to access juicier files. That's the whole reason behind the security of multi-user systems and having a single user with superuser abilities.
The point where you enter a root password ..after the Ubuntu installer prompts you to enter it again, IF you forget it there and you're a newb you have to start over. I'm not kidding. When I was tired and did that on my P4 the menu kept flashing re-try password. I went in and mounted a fresh /etc/passwd and /etc/shadow over the default files, but my point is that was bad system design which led to bad behavior and performance.
HP / Casio ship calculator OS's with no password. So what? Who cares? Ubuntu is like totally insignificant as an OS.
I tell you what kind of OS is needed, where there is a huge vacuum. A Copilot OS to run on a computer installed in a car, that is verbally controlled and gives verbal feedback. The market is huge. There is no OS driven that way. You can't operate a computer via keyboard, mouse, or screen while driving a car. I myself am hacking up a box to go in my car, to control the entire car's feedback and control system verbally (as opposed to doing something stupid, like controlling video / mp3 player playback) and it's a daunting task...
einstein
http://rootpassword.com/
root@rootpassword.com
Oh, yeah, obviously you. I mean you did, that goes without saying, doesn't it? But apart from you...
;)
We've already been assured by previous posts that if MS made such a mistake, they'd be "thoroughly reamed". So consider yourself reamed, MS. Oh, you still have the same income as you did pre-reaming? Hmm. I guess I'm almost as toothless as the Bush administration in administering justice.
It doesn't delete the log fileS, it edits them.
"Or"? Everyone affected should change their password(s) (user _and_ root, if a root account was created during an expert install) at the minimum, because just deleting the logs doesn't remove the possibility that someone has already read them.
rm $(which w) ;)
Can someone unerase an earlier Ubuntu log file? Does this bug in the current release inadvertently threaten the security of all versions of *ubuntu? Even if file unerase is not possible, sectors could be searched through...
I come here for the love
I hope you're not being serious. The root password is visible in /proc/$pid_of_rm/args the whole time that rm is running. w(1) is merely one of many ways for the user to access that information. :)