Root Password Readable in Clear Text with Ubuntu
BBitmaster writes "An extremely critical bug and security threat was discovered in Ubuntu Breezy Badger 5.10 earlier today by a visitor on the Ubuntu Forums that allows anyone to read the root password simply by opening an installer log file. Apparently the installer fails to clean its log files and leaves them readable to all users. The bug has been fixed, and only affects The 5.10 Breezy Badger release. Ubuntu users, be sure to get the patch right away."
What's the problem? Open source passwords make it more secure.
It came out, it was fixed. There are going to be problems in any project this large, but it shows how much the Ubuntu team cares to respond to a problem this quickly and on a Sunday of all days. Ubuntu really has become a nice distro. It's completely free and polished around the edges. I hope they continue to do well.
Invariably, a lot of the comments to this story are going to commend the team on the incredible speed with which they've released a patch, and there'll probably be some comments comparing it to closed software. Yet another victory for the open source model!
Yet how long has this massive fault been sitting there waiting for the first person to discover it? How do we know that the public acknowledgement of it was the first actual discovery of it?
I believe Breezy was released in October, so for five months install logs have been sitting, world-readable, often with the root password. Surely in that time someone with less savoury motives did a simple grep of an install looking for the most trivial of faults.
Feeling confident in the speed of the patch relies upon the belief that no one with nefarious motives discovered it before a benevolent bug submitter did.
try sudo bash
The article title isn't entirely correct. There is no root password. But you can set one.
Read the article. The Slashdot summary is incorrect; the password is for the account you create during installation, which has sudo rights and therefore is just as effective as a root account.
Karma: Terrifying (mostly affected by atrocities you've committed)
Information wants to be free
That's a feature. It's so you don't go messing around with root if you don't know what you're doing, as Ubuntu is geared toward being user friendly, and to people who aren't necessarily entirely familiar with the workings of Linux. It's easy enough to activate the root account, just 'sudo passwd'.
see this is why i use windows. there are never security patches to install, just service packs which allow me to get new security features like windows firewall. nothing beats windows security, and there's that helpful blue screen to tell me if something's gone wrong.
No it has a random password, which I assume is the password in the log file.
http://michaelsmith.id.au
30 seconds and my post got a flamebait. I love Slashdot.
Within the same 30 seconds a post appeared following mine comparing the fix (which has the massive complexity of deleting some log files) with Microsoft's WMF fix, exactly as predicted. Beautiful, and so predictable.
Fuuuuck.
I knew I never should have trusted those badgers.
Smiling at me with their big cartoon teeth, eating up all the aspen, wanting to admin their own machines.
I've been a sap, and it's going to cost me.
And now I'm worried about the hedgehogs.
This IS a very serious issue, however it does require some work (accessing the log) to obtain root. In comparison to other operating systems which provide default root ("administrator") access, without a password, on installation, this isn't as big of a deal. On top of this, from my understanding, a change of the root password after installation would prevent further issues. Overall this seems to be a problem but certainly not a huge one.
Proof by very large bribes. QED.
Sunday is probably peak development time for free software.
http://michaelsmith.id.au
Or, "sudo -s". Or, "sudo passwd root", and use whatever methods you are more comfortable with to elevate permissions.
Beware he who would deny you access to information, for in his heart he dreams himself your master. -Anonymous
He patched it within hours today, and posted to osnews with a description of what happened. He also posted a copy on the ubuntu forums page including details of what happened. It affects clean installs of breezy, and dapper upgrades from a breezy install, but not hoary or a clean dapper.
hoary = 5.04
breezy = 5.10
dapper = not officially released yet
But you can get the root password, as the default user has sudo access. 'sudo su -', and that is that.
Freedom would be not to choose between black and white but to abjure such prescribed choices. -Theodor Adorno
Any programmer who doesn't stop themselves and think that writing something like fprintf(logfile, "root password entered is: %s\n", password); is not the best idea should not be writing code for a secure operating system.
All that the operating system/software needs to know is how to verify that the password entered is correct. And that can be done without storing the root password at all (encrypted or not) with a hash.
Powered by caffeine and sugar; BSD
Contribute to the Open Password community - release your passwords under the GPP (General Public Password) license! Because closed passwords are just series of * symbols - it's hard to use, share and modify them freely. :-)
Yeah, because it's approximately an equal effort to delete log files and to change anything about the WMF code, or whatever was causing that bug?
"Quoting yourself is stupid." -Me
$ sudo passwd root
Should ask to reset the root password. You can then use 'su' to invoke a shell as the root user.
Fixing a patch that either simply removes this log file or encrypts the password in it is very simple. I could do this in a few minutes tops.
Microsoft's security issues often are the result of an issue that requires code re-writes and changes. It takes time to do that, compile it, and test it. There is a huge difference between this tiny flaw and a buffer overflow in Windows Media Player.
Deleting a log file isn't quite the same thing as fixing buffer overflows and whatnot in a huge chunk of code. Yeah, it took MS 2 weeks -- and that was too long. It's not like the two bugs were equal in scope, though.
...just what made that distro so "breezy"!
Information wants to be free -- but informants want to be paid.
Ubuntu is poised to become the standard by which Linux distros are judged. I've been running the latest stable release, Breezy Badger 5.10 for awhile and it's rock solid, good looking, and easy to administer. Last night I downloaded Flight 5, the latest development iso for Dapper Drake 6.04, and was immediately impressed. In just one upgrade, they've managed to really go the extra mile with all the new features. I love minimalist simplicity, and Ubuntu gives me just that. Ubuntu is Debian made easy for the masses. You get the bullet-proof Debian core with a great, easy interface. Nothing touches this at the moment. Linux for human beings is a great tagline.
Now, let the script kiddies who have nothing better to do flame me for saying Ubuntu is cool. These same script kiddies who think they're 1337 because they have to manually set up their Slackware box. These same wanna-be geeks who are still bootstrapping their Gentoo systems for 12 hours to extract an extra 5 milliseconds of speed from their CPUs. I've done all that and now that I'm almost 40 years old, I just want a quick, stable system to work from.
No, it has -no- root password by default. In Linux, you generally disable an account by removing its password.
The password in the log file was the primary account's password. This account is a member of the sudoers group, so the same password can get you root access.
If your /etc/shadow has something like "root:*:13039:0:99999:7:::", there's no root password.
no need to give them local access to your system, they can easily read it if you have an ssh server set up for example. And no it doesn't display the root password, but it displays a username/password combination which has access to sudo. So just as bad.
being vague is almost as cool as doing that other thing...
I installed the beta of Breezy 5.10 and /var/log/installer/cdebconf/questions.dat *did not* contain my password. Looks like this only affected the final release.
When you have 300,000,000 users things are a little more complicated than when you have 3,000.
Where else am i supposed to store my passwords?
I find it very interesting that the severity of this bug is identical to the severity of the security hole found in OSX last week... yet the difference in attitudes is remarkable.
Look at the slashdot summary. "An extremely critical bug and security threat". Compare with the OSX bug which was written off because it's not remotely exploitable.
Apple hasn't even acknowledged that the OSX privilege escalation exists, let alone patched it.
Guidelines to posting a comment
1. RTFA
2. RTFA
3. Try seeing if TFA is true (ie open questions.dat)
4. Post Comment.
The problem is that all that happens during installation is logged in
And that includes logging of the username / password that the installer creates at time of installation. Of course if the user changes the password after the installation then the log file will not be updated and will still contain the old password.
I love humanity, it is people I hate
open /var/log/installer/cdebconf/questions.dat, check at line 2140. Mine is there, individual results may vary
I love humanity, it is people I hate
Apple hasn't even acknowledged that the OSX privilege escalation exists, let alone patched it.
I agree with you regarding the different attitudes regarding this hole and the OS X holes. But I believe the recent OS X holes were indeed patched with Apple's March 2006 Security Update (though some websites are questioning whether the patches really fixed the underlying problems or merely placed band-aids on them).
http://docs.info.apple.com/article.html?artnum=30
-- "I never gave these stories much credence." - HAL 9000
Ubuntu users, be sure to get the patch right away.
What does this patch fix? The installer? Sorry, but the installer is burned in the installation media, and a patch can be applied only after the installer has been run. So updating the system or even upgrading to Dapper (where it has been fixed) doesn't help. So....patch whAt???
No really, the installation ISO images should be fixed immediately and redistributed.
Also saying that it "only affects The 5.10 Breezy Badger release" may be a bit belittling, as probably most people have installed exactly that release.
It is unimaginable that OpenBSD would ever have an error like this.
http://www.thebricktestament.com/the_law/when_to_
all these comments and noone has yet said it... ..ok...I'll do it, you've forced me..
Is this a "badger hole"?
Hey, someone *had* to say it. Laugh.
Strat
Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
You definitely have a valid point, but you still can't defend Microsoft's slow response to the WMF issue.
Within hours, a member of the SomethingAwful forums had hacked together a patch to the gdi32.dll with a few dozen NOP instructions to render the SetAbortProc call useless. Obviously with just a hex editor and no access to the Windows source code.
And how long did Microsoft take?
Many people know how to generate these special characters but I'll mention anyway: using the ALT/META key and the NUMPAD keys. Having a character map printout handy so you know the DEC (decimal) values of these special characters is a good idea if you decide to implement one of these passwords. Punch in ALT-DecimalValue with number lock on.
They may not work in some situations if special characters are not allowed, but you'd be surprised that they do work most often.
I bet most dictionary attacks don't run through many special characters. The cracker is lazy too and will probably not even consider that you chose a funny character which does not even exist on the keyboard.
Remember not to use NULL (#0) though, for crying out loud.
It DOES have a root account, it's just it sets the root password to some value that you're not trusted enough to be told. I personally fall prey to "bad" sysadmin techniques, and I sudo passwd root first thing. I then log in as root for sysadmin functions. In general, my systems are not intended for multiuser shell access (read - I'm the only user with shell access anyway), and it's a pain to sudo everything. I end up using sudo bash, so I may as well just log in as root to start with. I've never really understood why it's so BAD to log in as root. Yeah, so you can screw stuff up on accident if you're not careful. Typing sudo before the command as a regular user is just as bad. I guess it might make sense if you have multiple sysadmins and want to track who did what. But in my case, I am the only sysadmin, so why bother with the extra "security"?
Don't use a bleeding edge home desktop OS if you want a secure multi-user server.
I'll probably be modded down for this...
http://www.bash.org/?244321
The netatalk package, which provides Appletalk services (most commonly used services are AFP, ie filesharing, and papd, the printing spooler), isn't compiled in with ANY encrypted password support. If you connect to a debian or debian-based appletalk fileserver, you get a warning you are transmitting your password in clear-text. Yes, we're jumping about 10 years BACKWARDS in security.
Why? Because the legal-circle-jerk that is the debian-legal mailing list, decided that it wasn't "legal" to link netatalk (a GPL project) to OpenSSL (license supposedly incompatible with GPL.) This doesn't stop every other distribution on the planet from compiling netatalk with openssl, and hence supporting encrypted passwords.
They politely suggested that GnuTLS, which isn't even remotely drop-in, be used instead. That was back in 2002...and the issue still hasn't been addressed. I filed a bug on it and the bug was simply ignored.
Please help metamoderate.
Click? Since when did UNIX have mice.
Good thing I'm using Windows.
w00t
Just sudo -s when you need to use a shell for an extended period.
Just use a password that's easy to remember or one you can guess, like your first and last name. Or you can use the old classic "password" - no need to remember anything. When prompted for your password you've got it spelled out right there in the dialogue box!
Netbooks, they come with Linux or a $3 copy of Windows. Either way, Microsoft loses.
/etc/motd?
(Just in case...)
For debugging purposes, you MAY want to print out entered values. However, you don't do this in the main log. For a start, if you're debugging, you don't want to have to search through tonnes of text. You want to find the error fast. You therefore output the "routine" log to one file and the "debug" log to a different file.
Doesn't this just go back to the same problem though? No. First, debug logs don't need to be written to quickly, because debug sessions are going to be slow anyway. Therefore you can encrypt them or otherwise make them unreadable to the casual observer. In general, you want these to be sent to the maintainer as part of a bug report in the event of an install failure, so just pre-encrypt them with the maintainer's public PGP/GPG key.
A more "correct" solution would be to assign different debug levels to different levels of logging, where your maximum level logs absolutely ALL data entered by the user, but where distributed versions are issued with much more basic logging that excludes private information that isn't likely to be useful in debugging the problem anyway.
(The ideal solution is to have maintenance debugging for logging everything as a distinct patch to the basic distribution, so the basic distribution cannot - even accidentally - log everything. That way, users don't even have to put up with obscenely inflated binaries that have lots of debug stuff that will likely never be used, and maintainers don't ever have brown-paper-bag security scares.)
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
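The two-channel logging design argued for above, as an added example (not the installer's code or anything from the thread): a routine log that always passes through a redaction filter, and a separate full-detail debug log that exists only when explicitly enabled and is created with mode 0600. The question names, file names and the password value are constructed sample values.

```python
import logging
import os
import stat
import tempfile

# Constructed sample: installer question names whose answers are secrets.
SECRET_QUESTIONS = {"passwd/user-password", "passwd/root-password"}


class RedactingFilter(logging.Filter):
    """Mask every registered secret in a record's text before it is written.

    Attached to the routine log so that even an unrelated message that
    happens to contain the password (a command line echoed for debugging,
    say) is sanitised before it reaches disk.
    """

    def __init__(self):
        super().__init__()
        self._secrets = []

    def register(self, value):
        if value and value not in self._secrets:
            self._secrets.append(value)
            # Longest first, so a secret that contains another is masked whole.
            self._secrets.sort(key=len, reverse=True)

    def filter(self, record):
        text = record.getMessage()
        for secret in self._secrets:
            text = text.replace(secret, "[REDACTED]")
        record.msg, record.args = text, ()
        return True


class InstallLog:
    """Routine log (always redacted) plus an optional full-detail debug log.

    The debug log is only opened when a maintainer asks for it, and it is
    created with mode 0600 so other local users cannot read it.
    """

    def __init__(self, routine_path, debug_path=None):
        self.redact = RedactingFilter()
        self.routine = logging.getLogger("installer.routine." + routine_path)
        self.routine.propagate = False
        self.routine.setLevel(logging.INFO)
        self.routine.handlers.clear()
        handler = logging.FileHandler(routine_path, mode="w")
        handler.addFilter(self.redact)
        self.routine.addHandler(handler)

        self.debug = None
        if debug_path:
            fd = os.open(debug_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
            self.debug = logging.getLogger("installer.debug." + debug_path)
            self.debug.propagate = False
            self.debug.setLevel(logging.DEBUG)
            self.debug.handlers.clear()
            self.debug.addHandler(logging.StreamHandler(os.fdopen(fd, "w")))

    def answer(self, question, value):
        """Record an answered question; secrets never reach the routine log."""
        if question in SECRET_QUESTIONS:
            self.redact.register(value)
            self.routine.info("%s = [REDACTED]", question)
        else:
            self.routine.info("%s = %s", question, value)
        if self.debug:
            self.debug.debug("%s = %s", question, value)

    def command(self, argv):
        """Log a command line; the filter masks a secret that appears in argv."""
        self.routine.info("running: %s", " ".join(argv))
        if self.debug:
            self.debug.debug("running: %s", " ".join(argv))

    def flush(self):
        for logger in (self.routine, self.debug):
            if logger:
                for handler in logger.handlers:
                    handler.flush()


def run_demo(with_debug, directory=None):
    """Constructed session: two answers and one command; returns the log texts
    and the debug file's permission bits (None when no debug log was opened)."""
    directory = directory or tempfile.mkdtemp()
    routine_path = os.path.join(directory, "installer.log")
    debug_path = os.path.join(directory, "installer-debug.log") if with_debug else None
    log = InstallLog(routine_path, debug_path)
    log.answer("passwd/username", "alice")
    log.answer("passwd/user-password", "hunter2-sample")  # constructed value
    log.command(["useradd", "-p", "hunter2-sample", "alice"])
    log.flush()
    with open(routine_path) as f:
        routine_text = f.read()
    debug_text, mode = None, None
    if debug_path:
        with open(debug_path) as f:
            debug_text = f.read()
        mode = stat.S_IMODE(os.stat(debug_path).st_mode)
    return routine_text, debug_text, mode
```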
Nah, its actually friday nights.
If you like what I've said here, and want to read more, go to http://www.krillrblog.com
if you substituted windows for ubuntu, you'd be modded +5 by now
...in any form, even the hash!! Anything less is simply a huge security hole.
Netbooks, they come with Linux or a $3 copy of Windows. Either way, Microsoft loses.
Dude... "sudo su -"?
And you've been using sudo how long?
For those who want to save 3 characters of typing, please use the far simpler and easier to use, "sudo -s"
If you like what I've said here, and want to read more, go to http://www.krillrblog.com
If you read the post, then it turns out they ALWAYS save passwords in plain text to disk. It's just that they "try really hard" to remove them as quickly as possible. Well, that's how I read it.
With a great design like that, seems like critical bugs are just waiting to fall out.
For every expert, there is an equal and opposite expert. - Arthur C. Clarke
#!/bin/sh
# Password must not contain sed metacharacters (/ . * [ ] and so on)
PASS="my_root_password"
echo "Why would anyone log a password in the installer?\n"
find /var/log -type f -exec sed -i "s/$PASS//g" {} \;
echo "Why would anyone have /var/log readable by users?\n"
chown -R root:root /var/log
chmod -R o-rwx /var/log
echo "All done, thanks for using Atomic-Penguin's unofficial ubuntu patch!\n"
/^([Ss]ame [Bb]at (time, |channel.)){2}$/
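A defender's version of the check and clean-up the script above performs, added here as an example (not the poster's script): it reports whether the installer log is readable by other users and whether a given password appears in it, then overwrites each occurrence and drops the 'other' permission bits. The password is read from a prompt in main() instead of being hardcoded, and is never printed; the questions.dat fragment built by make_sample() is constructed, not copied from Ubuntu.

```python
import getpass
import os
import stat
import sys
import tempfile

# Path reported in the thread for the Breezy installer log.
DEFAULT_LOG = "/var/log/installer/cdebconf/questions.dat"


def audit(path, password):
    """Describe the exposure of `path` without ever echoing the password."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, "rb") as f:
        data = f.read()
    needle = password.encode()
    return {
        "world_readable": bool(mode & stat.S_IROTH),
        "occurrences": data.count(needle) if needle else 0,
        "mode": mode,
    }


def scrub(path, password, placeholder=b"[REMOVED]"):
    """Overwrite each occurrence in place and remove the 'other' permission bits.

    Returns the number of occurrences replaced. Like the sed -i in the thread's
    script, this rewrites the file but cannot undo any read that already happened.
    """
    with open(path, "rb") as f:
        data = f.read()
    needle = password.encode()
    count = data.count(needle) if needle else 0
    if count:
        with open(path, "wb") as f:  # truncates and rewrites in place
            f.write(data.replace(needle, placeholder))
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode & ~stat.S_IRWXO)
    return count


def make_sample(directory, password):
    """Constructed questions.dat fragment for a stand-alone run and the tests."""
    path = os.path.join(directory, "questions.dat")
    lines = [
        "Name: passwd/username", "Value: alice", "",
        "Name: passwd/user-password", "Value: " + password, "",
        "Name: passwd/user-password-again", "Value: " + password, "",
    ]
    with open(path, "w") as f:
        f.write("\n".join(lines) + "\n")
    os.chmod(path, 0o644)  # world-readable, as reported in the thread
    return path


def demo(password="hunter2-sample"):
    """Audit, scrub, and re-audit a constructed file; return all three results."""
    path = make_sample(tempfile.mkdtemp(), password)
    before = audit(path, password)
    replaced = scrub(path, password)
    after = audit(path, password)
    return before, replaced, after


def main(argv):
    path = argv[1] if len(argv) > 1 and not argv[1].startswith("--") else DEFAULT_LOG
    if not os.path.exists(path):
        print("no installer log at", path)
        return 0
    password = getpass.getpass("Password to look for (not echoed): ")
    result = audit(path, password)
    print("world readable:", result["world_readable"],
          " occurrences:", result["occurrences"])
    if result["occurrences"] and "--scrub" in argv:
        print("replaced", scrub(path, password), "occurrence(s); other-perms removed")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as root with --scrub to clean an actual installer log; without the flag it only reports.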
...Why? Because the legal-circle-jerk that is the debian-legal mailing list, decided that it wasn't "legal" to link netatalk (a GPL project) to OpenSSL (license supposedly incompatible with GPL.)
This has been discussed at length, and OpenSSL's license is GPL incompatible. Everyone else may simply think it's ok to bend the rules, and that they won't ever get sued for it. That's not a safe assumption for a volunteer-based distribution.
This doesn't stop every other distribution on the planet from compiling netatalk with openssl, and hence supporting encrypted passwords.
"Everyone else breaks the rules, so its ok." That doesn't work for speeding tickets, and it doesn't work in contract/license disputes.
They politely suggested that GnuTLS, which isn't even remotely drop-in, be used instead. That was back in 2002...and the issue still hasn't been addressed. I filed a bug on it and the bug was simply ignored.
Maybe you and any other users of appletalk on insecure networks ought to band together and fix it. Alternatively you can just switch distributions or upgrade your networking from appletalk (a 1980s protocol, since you were talking about being 10-years backwards).
Does it suck? Yes. It sucks that the OpenSSL people won't change their license, and upstream netatalk doesn't care either. However Debian would risk legal action against ALL users if they break the law, even though 1% of the users use this package. They chose the solution for 99% of their users, which is the best you can hope for in an esoteric case like this.
I didn't find the password in my installer logs. It seems that if you install in expert mode you're OK. See the bug report here:
https://launchpad.net/distros/ubuntu/+bug/34606
less /etc/issue
Ubuntu 5.10 "Breezy Badger" \n \l
I upgraded from Warty - with dist-upgrade - maybe that's my deal... apt-get update && apt-get upgrade, anyway.
"Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
Who needs facts if you have hyperbole!
Analogies don't equal equalities, they are merely somewhat analogous.
And for those who want to learn how to count, please use apt-get install kids_counting_program.
There are 11 types of people in the world: those who can count in binary, and those who can't.
Hell, even I sometimes have to spend half an hour trying to figure out what I meant.
The preferred method, however is to not write it down at all.
Which reminds me: I don't trust installers to secure passwords. Quite often, I'll use a cheap password on installation, and then reset the password after the install is complete .... Just in case something like the instant STUPID bug occurs. Installers are often written by relatively junior programmers... the kind of people who are most likely to do stupid things like this.
Silly story:
Back in the '80s the original BSD 4.0 code for chfn (change full name) allowed you to set the GCOS field, but did absolutely NO input validation....
I ran into it because I accidentally put a ':' into my gcos field -- which messed things up until I created another mangled entry that included a newline (to get the original garbage out of the way). Then I realized that I could do something like:
Now I had a root login that I could use to clean up the mess I had made in theI cleaned things up and then hunted down our sysadmin (I was a lowly student at UofA back then) and explained the problem. It didn't take him very long to get the patch out.
Free Software: Like love, it grows best when given away.
Maybe I'm clueless, but isn't the "fix" to simply change your root password after installation?
> Ubuntu users, be sure to get the patch right away.
I hope the "patch" deletes the log file, and doesn't just fix the installer. Ubuntu users, delete the log file, since I doubt you will ever set the root password w/your installer again. Or, change the root pw--then the one in the log file won't match. Honestly...
-Dan
Well, don't give strangers local accounts!
Analogies don't equal equalities, they are merely somewhat analogous.
The patch (unless it goes out and deletes the offending files) is only going to patch the installer (which you're probably never going to run again). You're still going to have a cleartext copy of your original admin password sitting on the box in a file with read-other permissions.
Even if the files get deleted (or have their permissions changed), you still have no idea as to whether somebody has read the files since October.
BTW: Are they re-burning the installation CDs?
Free Software: Like love, it grows best when given away.
It looks like those badgers have had a few too many of those mushrooms!
Unless you are only referring to *nix variants?
Radio on your iPod
..install a backdoor password, at least make it a not easily crackable one.. :|
Script kiddies can often gain access to world readable files in the system for example via buggy web apps, at least with the default configuration. But it doesn't help much if they are unable to run any commands and even if they are, they still don't have root privileges before they can exploit some local vulnerability.
In this case if the computer in question has sshd installed and the original password for the first user, there's full root access for any cracker to use for whatever he/she wants. Spamming, using as a launchpad for future attacks, hosting phishing sites, you name it.
Just having read-only access to files isn't nearly as bad.
Excellent point. Not.
Installed the Bubblemon yet?
Huh? How could anyone sue you for Debian's actions, if you didn't even have the offending software installed?
Okay, but who uses Appletalk now anyway? If you want a Mac Quadra to upgrade your network, I can let you have one for the cost of shipping.
There's an assumption in your post that the only reason a person wouldn't install the updates is failure to notice their existence or disinterest in messing with things. I personally don't keep the latest updates installed out of fear.
I need my linux install to work all the time because I rely on it to do my school work (computer science). An ubuntu update has never broken my system before, but it's a concern for me nonetheless. Every linux system is configured differently, and I'm not willing to bet my academic success on the hope that my exact set of installed packages and config files on my hardware won't have any problems that weren't caught in some kind of non-commercial open-source testing phase (or perhaps weren't tested at all).
Call me paranoid, but I always wait until a break to install my updates. I've chosen to effectively have the same security update frequency as Windows even though I can plainly see when new updates are available. Hopefully I won't get p0wned because of it.
Just a question, if the password hash isn't stored anywhere, how do you compare the password you enter to the actual password?
Touched By His Noodley Appendage.
but.. um.. that got me thinking..
Is there an easy way to check to see if your password is stored in a plaintext file somewhere in the filesystem?
Can you be Even More Awesome?!
Isn't the password in your bash history now (twice)?
When the policeman of the tie, rule you violate, hello punishment of the kitty?
don't trust anyone else's "Secret Password" just put your own. the first thing i do on u/k/x/buntu is change the root password to my very own :)
:) !!!!!!!
I remember a job I had, where I set up everything for the company and had all the passwords (50 people yadda yadda). Well, they fired the guy who was my assistant and had all the passwords handed down to him, and he was not so friendly: he deleted all reference to them from his computer, and the original encrypted file was on my computer that the new admin formatted >:) So they call me as they need the password for the isp access, "penis", the boss gets angry, "what the hell kind of password is that?", a pretty damn good one as you didn't guess it
A computer once beat me at chess, but it was no match for me at kick boxing. Emo Philips
During installation the root account is not activated. Instead, it gives your account sudo access. However anybody in their right mind will immediately activate the root account right after installation and remove their own account from the sudo list.
It's funny, not flamebait...
Whoops! You are of course completely right...
Just goes to show that you can't be half-assed about password security
Mod my [easier] solution into the ground mods!
Open a terminal and type: (if it returns your password, you're vulnerable) (wait) (if it doesn't return your password, you're no longer vulnerable)
The 'mypasswd' string grepped for above will immediately precede your primary user password
My pics.
Anybody with a Macintosh and brains. AFP outperforms SMB by a factor of about 5:1 on directory operations, and 1.5:1 on raw file transfer performance. SMB also has very half-assed filename support.
Please help metamoderate.
Actually, QNX Neutrino 2 initially sets the root password to be an empty string. Granted, version 2 is from a few years back (and I don't know if the current version still behaves this way), but it's certainly a modern OS.
The bits on the bus go on and off... on and off... on and off...
I'm fed up with people claiming slashdot has some kind of bias. Every article I read has fanboys and lapdogs bigging up their flavour of the month.
There's no bias, there's just a bias in which people comment/mod which stories. K?
Mod parent down for conspiracy theory, or a poor joke
Right, the bias exists. But we all know it and acknowledge it. I'd say it is part of the spirit of /. On the other hand, one must recognize that there are rarely lies in order to preserve this bias; patches from MS and flaws from linux are also reported, and even if the critics are far from balanced, wrong facts remain rare and willfully wrong facts even rarer. I believe this makes Slashdot a factual-objective, opinion-biased forum. I like it.
The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
Secure password authentication in AFP was introduced at least 10 years ago. We're talking about AppleSHARE here, Mr. Genius. A protocol fully maintained and used extensively on current hardware. I'll switch to SMB when it offers the same level of performance as AFP (it doesn't, not even close, in raw transfer speed or directory operations) and the same filename compatibility.
Maybe you and any other users of appletalk on unsecure networks ought to band together and fix it.
So let's get this straight.
Like many a faithful geek, I was led down the path of "enlightenment" offered. I helped give open-source software market share. I helped sell open-source to my boss, and my boss's boss. I redirected my career to support open-source software.
And what do I get in return? "Fix it yourself, you dumb user."
To think I still get asked why I'm not running Linux on my Powerbook. Because IT JUST WORKS; no politics, no "nobody cares about that bug so it won't be fixed". Because I don't have to deal with arrogant blowhard grad students telling me to fix software myself. I have neither the time, ability, knowledge nor inclination necessary to run around fixing complex software. 99.999% of the rest of the world doesn't either. Sad reality of life is that there is an extremely small segment of the population of linux users that have even the slightest qualifications to know how to go about fixing bugs or adding features.
Like most academics, you have zero comprehension of what matters in the real world. Joe Sixpack doesn't go into Firefox and add features. Jane Officeuser doesn't fix GnuTLS so it works with netatalk. Users don't give a damn about theoretical lawsuit possibilities. They don't give a shit about the finer points of licensing. Nothing impresses a CIO or a Director of IT less than "oh, we have to transmit passwords in clear-text because the license for a system library isn't compatible with the license for the server software."
Oh, and if you believe the whole Debian kool-aid line about "we have to protect this because we'd ALL BE SUED", I have two bridges in NY I'd just LOVE to sell you. PS: It says "gullible sheep" on the ceiling.
Please help metamoderate.
Surely the reeeeaaaal solution is:
ubuntuuser@ hackedubuntuserver$ sudo passwd
Password:
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Use history -c to clear the bash history.
Why would an OS installer record the root password you enter except properly encrypted in /etc/shadow?
echo "Why would anyone leave their root password hardcoded in a bash script?"
rm $0
Or before typing sensitive info, then when finished. That way the history file isn't flushed, just the relevant entries.
That might reset the root password, but won't deal with the underlying issue that is the fact that the password of the first user (who has sudo access) is in the file.
You clearly don't get it. Even the developers say this is huge.
;-)
Ubuntu is poised to become the standard by which Linux distros are judged.
You mean the standard by which insecure distros are judged. Make no mistake, this will be a memorable embarrassment.
I downloaded... Dapper Drake 6.04, and was immediately impressed.
And yet they want to delay release because it's not ready. Maybe you're easily impressed?
Now, let the script kiddies...
This has nothing to do with script kiddies.
blah blah blah Slackware blah blah blah Gentoo...
There are more reasons to run Gentoo than the performance increase, which you don't even want to admit to. Some people want to experiment. Others want some unique features and feel it's worth the extra work. Just because you've packed it in doesn't mean you have to scorn those who haven't. Ubuntu may be for human beings, but all humans are different. One size does not fit all.
I'm almost 40 years old, I just want a quick, stable system to work from.
Hey you kids! Get off my lawn!
Controlling complexity is the essence of computer programming. -Brian Kernighan
Give me a break. I use Ubuntu and love it, but this is one of the worst security breaches I've ever seen, and ironically with an easy fix (for goodness' sake, I'm not an Ubuntu hacker, but an rm /var/whatever is something I can do myself, even a chmod for that matter).
Anyway, my point is that I'm sure that MS or Apple would have answered quickly (maybe only today...) because it is so simple to fix this oh-so-critical hole. No code to write, no nothing, just a file to remove or to chmod.
No, the real problem is that it was there in the first place. I sure hope that Dapper is pushed 6 weeks now and that they will take the time for some serious QA.
Think about schools, libraries etc. If they use Ubuntu, yesterday might have been judgement day.
If OS X, or Apple, had such a hole, people would riot in the street for days even after a fix, but here, it is Ubuntu, it is Linux, so it seems to be fine. Well hell, it's not.
Sure, feel free to return all the money you paid for the FREE software.
There is no kool-aid that creates software magically. Either
a) have the competence to fix stuff yourself or
b) pay someone to fix it
Yes, there are people who do stuff out of goodwill, but like you have found out, they work only on issues they find interesting themselves, which (this seems to be a surprise for you..) might not be the problem your BUSINESS is seeing.
I have neither the time, ability, knowledge nor inclination necessary to run around fixing complex software.
Yet you have no problem making your LIVING using such software. There are people who have those skills and would be happy to fix those pieces for your company for modest fees.
You are the only person gullible here, if you really think Free Software is perfect out of the box for your specific business needs.
If you did not have that asshat attitude, you would have noticed that funding netatalk to use gnutls, instead of being a license violation, would not cost much, and would give the warm fuzzy feeling of improving the OSS world for everyone. But sure, use your work time to whine on Slashdot to annoy and demotivate people. It might be as effective..
I remember when Mozilla guys would be so prompt when exploits were found in Firefox. Now it's really just every few releases they patch things. Now I don't keep up on it, but either that's good, or it's their security guys getting lax. I dunno. But I hope it doesn't come to that for Ubuntu.
space is pretty cool.
If you had ever made an install CD set, or an install DVD, you'd have a copy of the "infringing" code. Also, Debian often installs extra packages which another package recommends; it's quite easy to end up with software you have no personal use for - but you did make a copy. Remember that it's the act of making a copy that affects copyright law, not what you do with it afterward. Just having the software on the DVD is a problem.
Then there's the secondary issue of guilt by association. The common tactic nowadays is to sue everyone and ask questions later. Those without deep pockets will have to cave in for financial reasons, even if the suit lacks any real merit. It would not be difficult to convince a jury that if Debian was making something illegally, anyone installing Debian must also be breaking the same law. You could try and argue about the way dpkg/apt work, but I doubt you'd get too far.
In other words, it's a minefield out there, so it makes sense to tread carefully.
"This program is released under the GPL with the additional exemption that compiling, linking, and/or using OpenSSL is allowed."
(See the OpenSSL FAQ.)
-------
Warning: Slashdot may contain traces of nuts.
You'd want to change your password as well, not just root's. As well, any other users on your system with sudo access, just to be safe. Better yet, disable sudo as it isn't needed for single-user systems and only weakens security.
They have NO CHOICE. They simply do not have permission to distribute binaries of netatalk linked against OpenSSL.
Now, if you think this is not true you are free to set up your own website and provide your own packages. Debian does not want the legal risk.
Why not complain to the authors of netatalk and get them to add an exemption to their license that allows linking against OpenSSL?
Want another example of Debian/Ubuntu idiocy?
It's idiocy, but not theirs. OpenSSL is not, I repeat NOT compatible with the GPL. Hell, it's easier for Microsoft to include it in Windows than it is for a GPL project. And you know what? This is by design. They have been asked, begged, prodded and poked to release OpenSSL under a GPL-compatible license, and they won't.
You're allowed to distribute both separately, but when you link them - well it's like linking GPL programs to any "proprietary" library. They just aren't compatible, and I don't think you can get around that by simply shipping it as a finished "do it at the end-users end" script either. If that was the case then source based distros like Gentoo would make the GPL null and void, because then you could just compile in whatever GPL code you needed with proprietary code and never distribute a derived work.
I think OpenSSL has gotten an excellent deal - usually they get their attribution as per the license, no one can fork it under the GPL or copy any code from it to GPL'd projects, in other words all of the glory with none of the giving back. As far as I can tell there's no reason for them to relicense OpenSSL since it'd give nothing.
It is the license of the GPL'd projects that is being violated. What do they have to gain by pushing the issue? Oh yeah, they can't actually make secure connections anywhere. It is the GPL projects silently accepting being linked to a non-GPL'd library here that is the issue. It's the same reason very few except RMS are pushing the "can we link GPL to Java" issue. Because if you couldn't, most of them would simply cease to function.
Debian-legal is very much "by the book". Debian-legal won't let you ignore license incompatibilities, or silently accept violations, even when the projects themselves want to. Want to be able to link with OpenSSL? Fine, get approval from all copyright holders, relicense and provide the exception. Until then, they're going to treat the license the way it stands, not the way you'd like it to be, because as project leader you're probably acting on behalf of lots of other copyright holders. This isn't a "majority vote"; if one person can't be reached or refuses then the project can't relicense, even if 50%, 90%, 99% of the project want to. End of story.
Live today, because you never know what tomorrow brings
Are those ubunto folks pretending to have users again?
There are related versions of this problem. Mis-typed IMAP and POP and SSH logins, where the user accidentally types their password in the user account line, are a fun way to get other people's passwords on a shared server. You really have to think about what you put in logs and who gets access to them on a login capable server.
You can also "sudo su". It's even the same number of keystrokes.
What does Ubunto mean? Is it a software program or an operating system?
If you wonder why OSS is being considered a "fad" and soon to die there's the answer. How can you take the name "breezy badger" seriously. It sounds more like a cartoon series than it does a software package.
My laptop has been running dapper since the branch was opened. Before I got this laptop, my main computer was a desktop running Debian unstable (usually with all of experimental installed, too). I'm a last-semester senior in college (computer engineering) and work 20-40h/wk at the same time, for a sweet Linux company. If stuff breaks, I fix it - it's not impossible. OK, I'm just being a punk, though. You can be safe. Just, do yourself a favor: use a stable release so you can separate out security updates. Don't wait a month for those.
in the real world, people make mistakes. People don't get fired for making a single mistake. Instead, people try to co-operate in helping them realize the mistake and address the source issue so it doesn't happen again.
When I read messages like these, where people are ready to draw and quarter people the moment they make a tiny error, it makes me wonder about the motivations. Who are you to judge someone else? When exactly did it become that everyone is perfect, and that we are incapable of error unless being malicious?
One would think that as a Slashdot reader, there would be a chance of you understanding that people make mistakes (how else could you live with the dupes!). It doesn't mean they're evil or out to get you, they just didn't realize something (or don't read their own website as religiously as you or I).
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
Maybe I'm being Captain Obvious here, but I think he was trying to be funny but somehow got modded Insightful.
Never store a /hash/ like md5 or SHA*.
Instead, use the Young-Hammond-Baker Transform (YHBT).
HTH,
FP.
Also FatPhil on SoylentNews, id 863
friday's night is peak development time for free software ;)
'sudo passwd' doesn't change root's password - the sudo does nothing in this case. It will still change yours.
If you wish to change root's pass, you need to 'sudo passwd root' or 'sudo su -;passwd'
If you RTFA, it also applies to the user password that gets unlimited sudo access. Which means, by default, you still get screwed.
XML is like violence. If it doesn't solve the problem, use more.
Type the following in terminal to view contents of the swapfile, which is in PLAIN TEXT!
sudo strings -8 /var/vm/swapfile0 | grep -A 4 -i longname
(The "longname" being your user ID name)
echo PASSWD | grep -rf -
I'm not so sure that's correct.
When I say 'mypassword' above, I mean the literal string 'mypassword' - it will return my actual password in plain text true, but so will your command.
Also, wouldn't your command be a little more like:
I don't have a linux box handy to check with atm
My pics.
not to be nitpicking but now your password moved in cleartext into the .bash_history file ...
--- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
"sudo passwd" changes root's password in ubuntu 5.04 and 5.10.
Where does this idea that you need to type "sudo passwd root" come from? I see it repeated in IRC channels and message boards, but it's just not true.
I've been using Ubuntu for a few months now. It's the first distro that I've installed that "just worked".
Virtually every other distribution I'd ever tried drove me back to Windows within a week or so because of all the hassle trying to make everything work correctly.
The Ubuntu guys seem to understand that for Linux to become popular with the masses, it has to be usable by the masses.
Seriously... why?
It's not like you can't boot from CD and re-set the thing anyway - I can see no legitimate reason to log it at all...
If you don't log it, you don't need to worry about "cleaning" the log up...
smash.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
Why the heck did the netatalk creators provide the ability to link to OpenSSL if they don't allow you to in their licence?
Chances are any discussion on Slashdot will degrade into a flamewar about ID/Christianity within 14 posts.
If you employ any kind of log server (syslog-ng, for example), then these log files may also be sitting somewhere besides the Ubuntu hosts. This also illustrates the benefit of wrapping syslog traffic in some kind of encryption (good article at http://www.samag.com/articles/2005/0506/ - dead tree only, unfortunately).
Charles
There exists no way of exchanging information without making judgments. --Bene Gesserit Axiom
OK, but:
The root password is hard-coded in plaintext in this bash script
The root password is visible to all users via 'w' the entire time the script runs.
This is _much_ worse than the original issue.
455fe10422ca29c4933f95052b792ab2
My root password is "go", and I use Ubuntu at home. By my tally most people using Ubuntu are home users probably, and so they probably know their own root password. If you are letting random strangers in your house to poke around your files and try to gain root, this is probably an issue. The way I see it, is if someone somehow got in my house and into my room to use my computer, I think I'd notice. Most Windows users run as administrators too anyway.
Maybe this is just a sting to your egos that linux systems have issues too.
If you wanted a secure corporate environment linux distro, I don't know why you'd be using Ubuntu anyway.
To quote it in Brick's words, "I DON'T KNOW WHAT WE'RE YELLING ABOUT"
Judges and senates have been bought for gold; Esteem and love were never to be sold.
LRC, the best-read libertarian site on the web
i can make a link, but that doesn't mean slashdot doesn't fuck up links when you put without the http:///
shit faced mother fucker!
if i'm not immortal, what's the point of living?
...te?
chameleon@linux:~> sudo grep -r ******* /var/log
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
-- Fuck Beta
Oh, yeah, obviously you. I mean you did, that goes without saying, doesn't it? But apart from you...
;)
"We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility."
/. bug #926803 - Why I can post.
This is not true, since one simply has to type `sudo -s` to spawn a root shell.
This is actually (in some ways) better than switching users since your environment is not that of the root user (eg "cd" will still take you to the home directory of the user, not the root home directory).
It also means my .emacs will work for root work while using relative pathing.
Can someone unerase an earlier Ubuntu log file? Does this bug in the current release inadvertently threaten the security of all versions of *ubuntu? Even if file unerase is not possible, sectors could be searched through...
I come here for the love
I hope you're not being serious. The root password is visible in /proc/$pid_of_rm/args the whole time that rm is running. w(1) is merely one of many ways for the user to access that information. :)
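The comment about mistyped logins ending up in server logs, the one pointing out that grepping for your password copies it into .bash_history, and the reply above about the password being visible in /proc for as long as a command runs all come down to the same two rules: check what your logs leak, and never put a secret on a command line. The script below is an added example written for this page, not code from the thread or from Ubuntu. It assumes a Linux /proc filesystem (it falls back to `ps -o args=` elsewhere) and builds its own sample log file; the secret `Hunter2-Breezy`, the marker `leakdemo` and the file names are made up.

```shell
#!/bin/sh
# Added example (not from the thread): two checks a practitioner would
# run after a leak like the Breezy installer-log one.
#   1. audit_dir_for_secret: list world-readable files under a directory
#      that contain a given secret, without putting the secret on any
#      command line. argv is visible to every local user through
#      /proc/<pid>/cmdline or ps, and typed arguments land in .bash_history.
#   2. argv_vs_stdin: show that difference directly by inspecting a
#      running child's command line.
# Assumptions: Linux-style /proc (BSD-style "ps -o args=" otherwise);
# the sample log line in the demo is constructed here.
set -u

# Print the command line of a running process.
cmdline_of() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\0' ' ' < "/proc/$1/cmdline"
    else
        ps -o args= -p "$1" 2>/dev/null
    fi
}

# audit_dir_for_secret DIR   (secret arrives on stdin, e.g. from "read -rs")
# Prints every world-readable regular file under DIR that contains the
# secret; returns 0 if any were found, 1 if none.
audit_dir_for_secret() {
    dir=$1
    pat=$(umask 077 && mktemp) || return 2
    cat > "$pat"    # 0600 pattern file: grep reads the secret from here,
                    # so it never appears as a process argument
    # -perm -004: only files an unprivileged local user could open
    hits=$(find "$dir" -type f -perm -004 \
             -exec grep -l -F -f "$pat" {} + 2>/dev/null)
    rm -f "$pat"
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# probe_running PID SECRET: wait until the child has exec'd (its command
# line carries the "leakdemo" marker), then report whether SECRET shows.
probe_running() {
    n=0
    cmd=
    while [ $n -lt 10 ]; do
        cmd=$(cmdline_of "$1")
        case $cmd in *leakdemo*) break ;; esac
        n=$((n + 1)); sleep 1
    done
    case $cmd in *"$2"*) echo exposed ;; *) echo hidden ;; esac
}

# argv_vs_stdin SECRET -> "argv:exposed stdin:hidden" on a normal system.
# The function argument stays inside this shell process; only the child
# invocations below put it somewhere another user could look.
argv_vs_stdin() {
    secret=$1
    # Leaky pattern: the secret is an argument of a running process
    # (the shape of "change the password on one command line" scripts).
    sh -c 'sleep 15; true "$1"' leakdemo "$secret" &
    p=$!
    a=$(probe_running "$p" "$secret")
    kill "$p" 2>/dev/null || true; wait "$p" 2>/dev/null || true
    # Safer pattern: the secret is delivered on stdin from a 0600 file.
    f=$(umask 077 && mktemp) || return 2
    printf '%s\n' "$secret" > "$f"
    sh -c 'read -r s; sleep 15' leakdemo < "$f" &
    p=$!
    b=$(probe_running "$p" "$secret")
    kill "$p" 2>/dev/null || true; wait "$p" 2>/dev/null || true
    rm -f "$f"
    echo "argv:$a stdin:$b"
}

# Demo on constructed data: run as "sh leakcheck.sh --demo".
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    printf 'installer: created user ubuntuuser, password Hunter2-Breezy\n' \
        > "$d/installer.log"; chmod 644 "$d/installer.log"
    cp "$d/installer.log" "$d/private.log"; chmod 600 "$d/private.log"
    printf '%s\n' 'Hunter2-Breezy' | audit_dir_for_secret "$d"  # lists installer.log only
    argv_vs_stdin 'Hunter2-Breezy'                              # argv:exposed stdin:hidden
    rm -rf "$d"
fi
```

In real use, feed the secret through shell builtins only, e.g. `read -rs pw; printf '%s\n' "$pw" | audit_dir_for_secret /var/log` (both `read` and `printf` are builtins in bash and dash, so no process ever carries the password in its arguments), and run the audit on any syslog collector as well as the host. The `-perm -004` test only catches files readable by everyone; group-readable logs owned by a broad group such as adm deserve a separate pass.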