Root Password Readable in Clear Text with Ubuntu
BBitmaster writes "An extremely critical bug and security threat was discovered in Ubuntu Breezy Badger 5.10 earlier today by a visitor on the Ubuntu Forums that allows anyone to read the root password simply by opening an installer log file. Apparently the installer fails to clean its log files and leaves them readable to all users. The bug has been fixed, and only affects the 5.10 Breezy Badger release. Ubuntu users, be sure to get the patch right away."
What's the problem? Open source passwords make it more secure.
It came out, it was fixed. There are going to be problems in any project this large, but it shows how much the Ubuntu team cares to respond to a problem this quickly and on a Sunday of all days. Ubuntu really has become a nice distro. It's completely free and polished around the edges. I hope they continue to do well.
Invariably, a lot of the comments to this story are going to commend the team on the incredible speed with which they've released a patch, and there'll probably be some comments comparing it to closed software. Yet another victory for the open source model!
Yet how long has this massive fault been sitting there waiting for the first person to discover it? How do we know that the public acknowledgement of it was the first actual discovery of it?
I believe Breezy was released in October, so for five months install logs have been sitting, world-readable, often with the root password. Surely in that time someone with less savoury motives did a simple grep of an install looking for the most trivial of faults.
Feeling confident in the speed of the patch relies upon the belief that no one with nefarious motives discovered it before a benevolent bug submitter did.
try sudo bash
The article title isn't entirely correct. There is no root password. But you can set one.
Read the article. The Slashdot summary is incorrect; the password is for the account you create during installation, which has sudo rights and therefore is just as effective as a root account.
Information wants to be free
see this is why i use windows. there are never security patches to install, just service packs which allow me to get new security features like windows firewall. nothing beats windows security, and there's that helpful blue screen to tell me if something's gone wrong.
30 seconds and my post got a flamebait. I love Slashdot.
Within the same 30 seconds a post appeared following mine comparing the fix (which has the massive complexity of deleting some log files) with Microsoft's WMF fix, exactly as predicted. Beautiful, and so predictable.
Fuuuuck.
I knew I never should have trusted those badgers.
Smiling at me with their big cartoon teeth, eating up all the aspen, wanting to admin their own machines.
I've been a sap, and it's going to cost me.
And now I'm worried about the hedgehogs.
This IS a very serious issue, however it does require some work (accessing log) to obtain root. In comparison to other operating systems which provide default root ("administrator") access, without a password, on installation; this isn't as big of a deal. On top of this, from my understanding, a change of the root password after installation would prevent further issues. Overall this seems to be a problem but certainly not a huge one.
Proof by very large bribes. QED.
Sunday is probably peak development time for free software.
He patched it within hours today, and posted to osnews with a description of what happened. He also posted a copy on the ubuntu forums page including details of what happened. It affects clean installs of breezy, and dapper upgrades from a breezy install, but not hoary or a clean dapper.
hoary = 5.04
breezy = 5.10
dapper = not officially released yet
But you can get the root password, as the default user has sudo access. 'sudo su -', and that is that.
Any programmer who doesn't stop themselves and think that writing something like fprintf(logfile, "root password entered is: %s\n", password); is not the best idea should not be writing code for a secure operating system.
Contribute to Open Password community - release your passwords under the GPP (General Public Password) license! Because closed passwords are just series of * symbols - it's hard to use, share and modify them freely. :-)
Yeah, because it's approximately an equal effort to delete log files and to change anything about the WMF code, or whatever was causing that bug?
Fixing a patch that either simply removes this log file or encrypts the password in it is very simple. I could do this in a few minutes tops.
Microsoft's security issues often are the result of an issue that requires code re-writes and changes. It takes time to do that, compile it, and test it. There is a huge difference between this tiny flaw and a buffer overflow in Windows Media Player.
Deleting a log file isn't quite the same thing as fixing buffer overflows and whatnot in a huge chunk of code. Yeah, it took MS 2 weeks -- and that was too long. It's not like the two bugs were equal in scope, though.
Ubuntu is poised to become the standard by which Linux distros are judged. I've been running the latest stable release, Breezy Badger 5.10, for a while and it's rock solid, good looking, and easy to administer. Last night I downloaded Flight 5, the latest development iso for Dapper Drake 6.04, and was immediately impressed. In just one upgrade, they've managed to really go the extra mile with all the new features. I love minimalist simplicity, and Ubuntu gives me just that. Ubuntu is Debian made easy for the masses. You get the bullet-proof Debian core with a great, easy interface. Nothing touches this at the moment. Linux for human beings is a great tagline.
Now, let the script kiddies who have nothing better to do flame me for saying Ubuntu is cool. These same script kiddies who think they're 1337 because they have to manually set up their Slackware box. These same wanna-be geeks who are still bootstrapping their Gentoo systems for 12 hours to extract an extra 5 milliseconds of speed from their CPUs. I've done all that and now that I'm almost 40 years old, I just want a quick, stable system to work from.
No, it has -no- root password by default. In Linux, you generally disable an account by removing its password.
The password in the log file was the primary account's password. This account is a member of the sudoers group, so the same password can get you root access.
If your /etc/shadow has something like "root:*:13039:0:99999:7:::", there's no root password.
no need to give them local access to your system, they can easily read it if you have an ssh server set up for example. And no it doesn't display the root password, but it displays a username/password combination which has access to sudo. So just as bad.
I installed the beta of Breezy 5.10 and /var/log/installer/cdebconf/questions.dat *did not* contain my password. Looks like this only affected the final release.
When you have 300,000,000 users things are a little more complicated than when you have 3,000.
I find it very interesting that the severity of this bug is identical to the severity of the security hole found in OSX last week... yet the difference in attitudes is remarkable.
Look at the slashdot summary. "An extremely critical bug and security threat". Compare with the OSX bug which was written off because it's not remotely exploitable.
Apple hasn't even acknowledged that the OSX privilege escalation exists, let alone patched it.
open var/log/installer/cdebconf/questions.dat, check at line 2140. Mine is there, individual results may vary
Apple hasn't even acknowledged that the OSX privilege escalation exists, let alone patched it.
I agree with you regarding the different attitudes regarding this hole and the OS X holes. But I believe the recent OS X holes were indeed patched with Apple's March 2006 Security Update (though some websites are questioning whether the patches really fixed the underlying problems or merely placed band-aids on them).
http://docs.info.apple.com/article.html?artnum=30
Ubuntu users, be sure to get the patch right away.
What does this patch fix? The installer? Sorry, but the installer is burned in the installation media, and a patch can be applied only after the installer has been run. So updating the system or even upgrading to Dapper (where it has been fixed) doesn't help. So....patch what???
No really, the installation ISO images should be fixed immediately and redistributed.
Also saying that it "only affects The 5.10 Breezy Badger release" may be a bit belittling, as probably most people have installed exactly that release.
Many people know how to generate these special characters but I'll mention anyway: using the ALT/META key and the NUMPAD keys. Having a character map printout handy so you know the DEC (decimal) values of these special characters is a good idea if you decide to implement one of these passwords. Punch in ALT-DecimalValue with number lock on.
They may not work in some situations if special characters are not allowed, but you'd be surprised that they do work most often.
I bet most dictionary attacks don't run through many special characters. The cracker is lazy too and will probably not even consider that you chose a funny character which does not even exist on the keyboard.
Remember not to use NULL (#0) though, for crying out loud.
Don't use a bleeding edge home desktop OS if you want a secure multi-user server.
I'll probably be modded down for this...
The netatalk package, which provides Appletalk services (most commonly used services are AFP, ie filesharing, and papd, the printing spooler), isn't compiled in with ANY encrypted password support. If you connect to a debian or debian-based appletalk fileserver, you get a warning you are transmitting your password in clear-text. Yes, we're jumping about 10 years BACKWARDS in security.
Why? Because the legal-circle-jerk that is the debian-legal mailing list, decided that it wasn't "legal" to link netatalk (a GPL project) to OpenSSL (license supposedly incompatible with GPL.) This doesn't stop every other distribution on the planet from compiling netatalk with openssl, and hence supporting encrypted passwords.
They politely suggested that GnuTLS, which isn't even remotely drop-in, be used instead. That was back in 2002...and the issue still hasn't been addressed. I filed a bug on it and the bug was simply ignored.
Good thing I'm using Windows.
w00t
I assume that the OpenBSD installer runs passwd to set the root password during installation, similar to NetBSD.
But if either of these OS's went to a graphical installer they would need to write a graphical passwd command which makes an effort to keep the plain text out of swap files, insecure memory, etc.
That's a big ask, IMHO. Which doesn't mean its ok to print the thing out, just that doing it properly is very hard.
But in this day and age of development frameworks, etc, there is less of a need for a programmer to think about the meaning of what he is reading from the UI. The backend programmer may assume that the UI guy understands about passwords, but he may not, too.
/etc/motd?
(Just in case...)
For debugging purposes, you MAY want to print out entered values. However, you don't do this in the main log. For a start, if you're debugging, you don't want to have to search through tonnes of text. You want to find the error fast. You therefore output the "routine" log to one file and the "debug" log to a different file.
Doesn't this just go back to the same problem though? No. First, debug logs don't need to be written to quickly, because debug sessions are going to be slow anyway. Therefore you can encrypt them or otherwise make them unreadable to the casual observer. In general, you want these to be sent to the maintainer as part of a bug report in the event of an install failure, so just pre-encrypt them with the maintainer's public PGP/GPG key.
A more "correct" solution would be to assign different debug levels to different levels of logging, where your maximum level logs absolutely ALL data entered by the user, but where distributed versions are issued with much more basic logging that excludes private information that isn't likely to be useful in debugging the problem anyway.
(The ideal solution is to have maintenance debugging for logging everything as a distinct patch to the basic distribution, so the basic distribution cannot - even accidentally - log everything. That way, users don't even have to put up with obscenely inflated binaries that have lots of debug stuff that will likely never be used, and maintainers don't ever have brown-paper-bag security scares.)
...in any form, even the hash!! Anything less is simply a huge security hole.
Insecure memory? Unless I'm missing something huge here, one process can't read another's memory. Can you give an example of how something can end up in "insecure" memory?. Maybe if you have access to /dev/(k)mem. Same goes for swap afaik. If those problems haven't been solved long ago, any Linux distro is swiss cheese.
Which means it's as simple as a GUI prompt for the password, and a pipe to passwd, no writing to disk necessary at all.
Since long before MS-DOS had them:
Look..
#!/bin/sh
# Must be run as root (sudo): /var/log and the installer logs are owned by root.
# The password ends up in this file and in your shell history; delete both afterwards.
PASS="my_root_password"
printf 'Why would anyone log a password in the installer?\n'
# Double quotes so $PASS is actually expanded; regex metacharacters in the
# password (. * / [ and so on) would need escaping before handing it to sed.
find /var/log -type f -exec sed -i "s/$PASS//g" {} \;
printf 'Why would anyone have /var/log readable by users?\n'
# Caveat: a blanket chown/chmod of /var/log also changes group-owned logs that
# other services rely on; restricting /var/log/installer alone is the narrower fix.
chown -R root:root /var/log
chmod -R o-rwx /var/log
printf "All done, thanks for using Atomic-Penguin's unofficial ubuntu patch!\n"
...Why? Because the legal-circle-jerk that is the debian-legal mailing list, decided that it wasn't "legal" to link netatalk (a GPL project) to OpenSSL (license supposedly incompatible with GPL.
This has been discussed at length, and OpenSSL's license is GPL incompatible. Everyone else may simply think it's ok to bend the rules, and that they won't ever get sued for it. That's not a safe assumption for a volunteer-based distribution.
This doesn't stop every other distribution on the planet from compiling netatalk with openssl, and hence supporting encrypted passwords.
"Everyone else breaks the rules, so its ok." That doesn't work for speeding tickets, and it doesn't work in contract/license disputes.
They politely suggested that GnuTLS, which isn't even remotely drop-in, be used instead. That was back in 2002...and the issue still hasn't been addressed. I filed a bug on it and the bug was simply ignored.
Maybe you and any other users of appletalk on unsecure networks ought to band together and fix it. Alternatively you can just switch distributions or upgrade your networking from appletalk (a 1980s protocol, since you were talking about being 10-years backwards).
Does it suck? Yes. It sucks that the OpenSSL people won't change their license, and upstream netatalk doesn't care either. However Debian would risk legal action against ALL users if they break the law, even though 1% of the users use this package. They chose the solution for 99% of their users, which is the best you can hope for in an esoteric case like this.
I didn't find the password in my installer logs. It seems that if you install in expert mode you're OK. See the bug report here:
https://launchpad.net/distros/ubuntu/+bug/34606
less /etc/issue
Ubuntu 5.10 "Breezy Badger" \n \l
I upgraded from Warty - with dist-upgrade - maybe thats my deal... apt-get update && apt-get upgrade, anyway.
The patch (unless it goes out and deletes the offending files) is only going to patch the installer (which you're probably never going to run again). You're still going to have a cleartext copy of your original admin password sitting on the box in a file with read-other permissions.
Even if the files get deleted (or have their permissions changed), you still have no idea as to whether somebody has read the files since October.
BTW: Are they re-burning the installation CDs?
..install a backdoor password, at least make it a not easily crackable one.. :|
Just a question, if the password hash isn't stored anywhere, how do you compare the password you enter to the actual password?
Isn't the password in your bash history now (twice)?
Whoops! You are of course completely right...
Just goes to show that you can't be half-assed about password security
Mod my [easier] solution into the ground mods!
Open a terminal and type:(if it returns your password, you're vulnerable (wait) (if it doesn't return your password, you're no longer vulnerable)
The 'mypasswd' string grepped for above will immediately precede your primary user password
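The check described in the comment above (grep the installer log for your own password, then look at who can read it), written out as an added example. This script is not from the thread, from Ubuntu, or from the unofficial patch posted earlier; it runs against a constructed sample file so it can be tried offline, and the "passwd/user-password" field name in that sample is an assumption about the layout of questions.dat, not something verified against the real file.

```shell
#!/bin/sh
# Added example (not from the thread or from Ubuntu): check whether an installer
# log such as /var/log/installer/cdebconf/questions.dat contains a given password
# and whether it is world-readable, then redact it and drop "other" permissions.
# The field name "passwd/user-password" in the sample is an assumption.

# make_sample DIR: write a constructed questions.dat that mimics the leak;
# prints the path of the file it created.
make_sample() {
  mkdir -p "$1/installer/cdebconf"
  f="$1/installer/cdebconf/questions.dat"
  printf 'Name: passwd/username\nValue: alice\n\nName: passwd/user-password\nValue: hunter2\n\n' > "$f"
  chmod 644 "$f"   # world-readable, as reported in the thread
  echo "$f"
}

# leaks_password FILE PASSWORD: exit 0 if FILE contains PASSWORD as a literal
# substring (-F so regex metacharacters in the password are not interpreted).
leaks_password() {
  grep -qF -- "$2" "$1"
}

# world_readable FILE: exit 0 if "other" has read permission. Reads the ls(1)
# mode string rather than stat(1), whose flags differ between GNU and BSD.
world_readable() {
  [ "$(ls -ld "$1" | cut -c8)" = r ]
}

# redact_password FILE PASSWORD: replace every literal occurrence of PASSWORD
# with [REDACTED] and remove "other" permissions. awk's index()/substr() are
# used instead of sed so slashes, dots and other metacharacters in the password
# are treated literally. Caveat: awk -v still processes backslash escapes.
redact_password() {
  tmp="$1.tmp.$$"
  awk -v pw="$2" '{
    i = index($0, pw)
    while (i > 0) {
      $0 = substr($0, 1, i - 1) "[REDACTED]" substr($0, i + length(pw))
      i = index($0, pw)
    }
    print
  }' "$1" > "$tmp" && mv "$tmp" "$1"
  chmod o-rwx "$1"
}

# Usage on a real box: sh check_installer_log.sh /var/log/installer/cdebconf/questions.dat
# The password is read from the terminal instead of being passed as an argument,
# so it does not end up in the shell history (the point raised later in the thread).
if [ $# -eq 1 ]; then
  printf 'Password to look for (not echoed): ' >&2
  stty -echo 2>/dev/null; read -r pw; stty echo 2>/dev/null; echo >&2
  if leaks_password "$1" "$pw"; then
    echo "LEAK: $1 contains the password" >&2
  else
    echo "ok: password not found in $1"
  fi
  if world_readable "$1"; then
    echo "WARNING: $1 is world-readable" >&2
  fi
fi
```

Redacting is only half the job: as another comment in the thread points out, a file that has been world-readable since install may already have been read, so the password should be changed as well, and the redaction leaves the rest of the file intact for anyone who still needs it for debugging.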
Secure password authentication in AFP was introduced at least 10 years ago. We're talking about AppleSHARE here, Mr. Genius. A protocol fully maintained and used extensively on current hardware. I'll switch to SMB when it offers the same level of performance as AFP (it doesn't, not even close, in raw transfer speed or directory operations) and the same filename compatibility.
Maybe you and any other users of appletalk on unsecure networks ought to band together and fix it.
So let's get this straight.
Like many a faithful geek, I was led down the path of "enlightenment" offered. I helped give open-source software market share. I helped sell open-source to my boss, and my boss's boss. I redirected my career to support open-source software.
And what do I get in return? "Fix it yourself, you dumb user."
To think I still get asked why I'm not running Linux on my Powerbook. Because IT JUST WORKS; no politics, no "nobody cares about that bug so it won't be fixed". Because I don't have to deal with arrogant blowhard grad students telling me to fix software myself. I have neither the time, ability, knowledge nor inclination necessary to run around fixing complex software. 99.999% of the rest of the world doesn't either. Sad reality of life is that there is an extremely small segment of the population of linux users that have even the slightest qualifications to know how to go about fixing bugs or adding features.
Like most academics, you have zero comprehension of what matters in the real world. Joe Sixpack doesn't go into Firefox and add features. Jane Officeuser doesn't fix GnuTLS so it works with netatalk. Users don't give a damn about theoretical lawsuit possibilities. They don't give a shit about the finer points of licensing. Nothing impresses a CIO or a Director of IT less than "oh, we have to transmit passwords in clear-text because the license for a system library isn't compatible with the license for the server software."
Oh, and if you believe the whole Debian kool-aide line about "we have to protect this because we'd ALL BE SUED", I have two bridges in NY I'd just LOVE to sell you. PS: It says "gullible sheep" on the ceiling.
> So they call me as they need the password for the isp access, "penis",
If you tried this on my system, it wouldn't work, it would say your password is too short.
Why is this a right-minded concept, may I ask? I am truly ignorant of the reasoning, so please enlighten me...
'sudo passwd' doesn't change root's password - the sudo does nothing in this case. It will still change yours.
If you wish to change root's pass, you need to 'sudo passwd root' or 'sudo su -;passwd'
"sudo passwd" changes root's password in ubuntu 5.04 and 5.10.
Where does this idea that you need to type "sudo passwd root" come from? I see it repeated in IRC channels and message boards, but it's just not true.