Slashdot Mirror


Root Password Readable in Clear Text with Ubuntu

BBitmaster writes "An extremely critical bug and security threat was discovered in Ubuntu Breezy Badger 5.10 earlier today by a visitor on the Ubuntu Forums that allows anyone to read the root password simply by opening an installer log file. Apparently the installer fails to clean its log files and leaves them readable to all users. The bug has been fixed, and only affects the 5.10 Breezy Badger release. Ubuntu users, be sure to get the patch right away."


  1. Open source by L505 · · Score: 5, Funny

    What's the problem? Open source passwords make it more secure.

    1. Re:Open source by themoodykid · · Score: 3, Funny

      Yes, exactly. If someone screws up your system, somebody else will come along and fix it for you. The many eyes make all bugs shallow or something. Think of it as a Wiki-style OS security.

  2. Saw this on Digg by Stevyn · · Score: 3, Insightful

    It came out, it was fixed. There are going to be problems in any project this large, but it shows how much the Ubuntu team cares to respond to a problem this quickly and on a Sunday of all days. Ubuntu really has become a nice distro. It's completely free and polished around the edges. I hope they continue to do well.

    1. Re:Saw this on Digg by Anonymous Coward · · Score: 5, Insightful

      Oh PLEASE, what a joke of a comment. The fact is, they fucked up BIG TIME. Yeah, it's a nice distro, but so is windows, and had microsoft made this error you'd be on their ass about how crappy windows is.

      The bias here on slashdot sometimes makes me sick.

      Grow up people!

    2. Re:Saw this on Digg by Parham · · Score: 4, Insightful

      If Microsoft had made the error, we'd have to wait until the second Tuesday of the month for the fix. If this bug wasn't caught by tomorrow for me, then I'd have to wait an entire month for a fix. Ubuntu put out the patch as soon as it was discovered. There is no bias here, I use Windows just as much as Linux. However, Microsoft's patching cycles simply suck.

    3. Re:Saw this on Digg by Bacon Bits · · Score: 5, Insightful

      Nevertheless, AC is right. If it was revealed that the local Administrator account or the domain Administrator account was stored anywhere as plain text in Windows 2000, XP, or 2003, then MS would be reamed endlessly and very harshly here. Or do you honestly think people would be saying "oh, well, at least MS has a patch!" I'm no fan of Microsoft as a company, but denying that a bias exists on Slashdot about this kind of thing -- apologising for *nix, criticising Windows -- is just outright absurd.

      Be honest. Everyone here knows that storing the root password as plain text is a clear program error. And since GNU/Linux is a rather secure OS that doesn't have this vulnerability in any other distro, this code was added by the Ubuntu team. If this is the quality of code that the Ubuntu team is developing for its distro, though, I do have to question why it is so popular. Why was such an obvious mistake missed? Who forgot to check how the root password is stored? Who forgets that kind of thing? Not the kind of developer I'd want to trust with my security, I'll tell you what.

      --
      The road to tyranny has always been paved with claims of necessity.
    4. Re:Saw this on Digg by RzUpAnmsCwrds · · Score: 5, Insightful

      If Microsoft had made the error, we'd have to wait until the second Tuesday of the month for the fix. If this bug wasn't caught by tomorrow for me, then I'd have to wait an entire month for a fix. Ubuntu put out the patch as soon as it was discovered. There is no bias here, I use Windows just as much as Linux. However, Microsoft's patching cycles simply suck.

      Patching is quite frankly irrelevant with this bug. While it certainly has to be done to close the hole in the future, there are already hundreds of thousands of Ubuntu systems out there with the password sitting on the disk. How are you to be sure as an administrator that the password has not been compromised already? What about backup copies that might have the password?

      The fix is to change the administrator/root password. The bug only affects a system at install-time, and it will continue to affect new installs so long as the broken installer is floating around. Patching it today is hardly more effective than patching it on April 6.

    5. Re:Saw this on Digg by MobileTatsu-NJG · · Score: 4, Interesting

      "It came out, it was fixed. There are going to be problems in any project this large, but it shows how much the Ubuntu team cares to respond to a problem this quickly and on a Sunday of all days. Ubuntu really has become a nice distro. It's completely free and polished around the edges. I hope they continue to do well."

      I know this rationale gives everybody the warm fuzzies, but this is still a really bone-headed mistake. You guys really shouldn't be this forgiving about it.

      --

      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

    6. Re:Saw this on Digg by xlsior · · Score: 5, Interesting

      Nevertheless, AC is right. If it was revealed that the local Administrator account or the domain Administrator account was stored anywhere as plain text in Windows 2000, XP, or 2003, then MS would be reamed endlessly and very harshly here.

      Interestingly enough Microsoft did make pretty much the same mistake, with Microsoft SQL 7, both service pack 1 & 2. They wrote the SQL administrator password to the installation log file, which would give you full access to any SQL database on the server. Written to a logfile in the TEMP folder, which by default has full read/write access for any user on the system.

      Security bulletin: https://www.microsoft.com/technet/security/bulletin/MS00-035.mspx

      (The 'non-recommended' mode mentioned is using SQL authentication instead of Windows NTLM authentication, which is much more common than they try to make it sound.)

    7. Re:Saw this on Digg by xlsior · · Score: 5, Informative

      Actually slightly more elaborate: SQL 7 SP3 was also affected, plus they wrote the password to not one, but two files:

      Summary
      On May 30, 2000, Microsoft released the original version of this bulletin, to announce the availability of a patch that eliminates a security vulnerability in Microsoft® SQL Server® 7.0 Service Packs 1 and 2 installation routine. When run on a machine that is configured in a non-recommended mode, the routines record the administrator password in a log file, where it could be read by any user who could log onto the server at the keyboard.

      On June 15, 2000, the bulletin was updated to note that, under the same conditions as originally reported, the password also is recorded in a second file. A new version of the patch is available that prevents the password from being recorded in either file.

      On May 10, 2001, the bulletin was updated to note that Service Pack 3 is also affected by this vulnerability. A new patch is available for SP3 and we are also providing a command line utility (post Service Pack deployment) to remove all instances of the SA password written in either file via Q263968.

      So not only did they have a similar problem, it persisted for over a year after initially being found & allegedly fixed.

    8. Re:Saw this on Digg by drsmithy · · Score: 4, Informative

      However, Microsoft's patching cycles simply suck.

      Actually they reflect reality and are the result of customer requests.

      In managed environments, patches are almost never applied ad-hoc, as they are released. They are collected together then tested and rolled out on a schedule, usually monthly.

    9. Re:Saw this on Digg by LnxAddct · · Score: 5, Insightful

      Why the hell is everyone trying to downplay the severity of this? This is a serious issue, it's worse than most security problems I've seen with *any* operating system, stop the hand waving, and spread the word instead. This *is* serious and shows poorly on the Ubuntu developers. I mean, how many people have set up Linux for their parents or family, chosen Ubuntu and now they have to make sure they go in and change that. Updating won't always work (for reasons listed elsewhere), the only sure thing to do is to physically change it (if ssh access is enabled then it's easier).

      One of Ubuntu's big things is giving out free CDs, in particular targeted to people who don't know what Linux is. My roommates and I actually had 100 or so Ubuntu CDs, most of which we've given away. We both run Fedora, it fits our needs as "powerusers" better, but give out Ubuntu simply out of convenience and to help the "cause". They are both nice distros, but security is definitely one area where Fedora surpasses all of the other distros.

      Fedora makes security transparent to the user, you're running SELinux but would never know it unless you needed to, you're running exec-shield but you'd never know it unless you needed to, all the major services are compiled to randomize memory mappings, but the user is none-the-wiser. That goes for advanced and beginning users. I can install Fedora and be fairly certain that even if somehow my system stopped updating, that any vulnerabilities found would be stopped by these additional measures anyway. The measures in place make most buffer overflows useless and even if you somehow got past all of the measures to prevent overflows and you got root through an exploit in a vulnerable service (despite that the services don't run as root), SELinux would probably still make your entry pretty pointless.

      The point I'm making is, the difference between a secure OS and a non-secure OS is that even without updates, the security measures in place are forward looking and work to prevent current unknown attacks. Fedora has damn near perfected this, but if any of the users of the Ubuntu CDs I've given out somehow managed to disable updates, they are screwed now. There should never be a situation like that. Bravo on the response time, but seriously the users most likely to be affected don't read /. or digg and if they don't update then they are screwed more than they were before. I don't like knowing that a local user vulnerability can give out root access.
      Regards,
      Steve

    10. Re:Saw this on Digg by Canordis · · Score: 5, Insightful

      This is a consequence of Ubuntu's different security model. You can't be root in Ubuntu; you have to consciously make the decision to run software as root by typing 'sudo' before it. (Actually you can run a shell under sudo, but still.) The idea was that since you can't login as root, the system is more secure and resists exploits that try to gain root access. This vulnerability is the kind of stupid mistake people make sometimes. A brain fart. Nothing really malicious, and not the sign of an incompetent programmer. Something you could've done.

      Most Windows vulnerabilities are that, too. There's just more of them. And the system is inherently less secure, so it doesn't resist those quite as well. And it's harder to update because it's a monolithic kludge. Of course, some Windows vulnerabilities are just the product of poor design.

      And another thing, if this happened, /. would bash Microsoft insanely. True. There is a bias. But still, I highly doubt the issue would be fixed in the same day, on a Sunday, and the update would be available quickly and painlessly.

      --
      I have never made but one prayer to God, a very short one: "O Lord, make my enemies ridiculous." And God granted it.
    11. Re:Saw this on Digg by wertarbyte · · Score: 4, Interesting

      You can't be root in Ubuntu; you have to consciously make the decision to run software as root by typing 'sudo' before it. (Actually you can run a shell under sudo, but still.) The idea was that since you can't login as root, the system is more secure and resists exploits that try to gain root access. This vulnerability is the kind of stupid mistake people make sometimes.

      There is another stupid vulnerability I noticed in Ubuntu, which relates directly to the missing root password: If something goes wrong during system startup (e.g. a failed fsck), usually you are prompted for the root password to open the rescue console and fix the issue. Not so with Ubuntu: Since there is no root password, you will be thrown into a root shell without any hesitation. Kind of strange, isn't it? One could argue that once you have physical access to the system, you have a lot of possibilities to circumvent the system's security, but I found this issue to be rather harsh.

      --
      Life is just nature's way of keeping meat fresh.
    12. Re:Saw this on Digg by kasperd · · Score: 3, Informative

      Fedora makes security transparent to the user, you're running SELinux but would never know it unless you needed to, you're running exec-shield but you'd never know it unless you needed to

      But occasionally it gets the file labels fucked up causing things to stop working. The Fedora people refuse to acknowledge there is a bug, after all you can just touch /.autorelabel and reboot.

      all the major services are compiled to randomize memory mappings, but the user is none-the-wiser.

      If you had actually been using Fedora since FC1, and you happened to be using it on a 586 architecture, you would have found out. Because for some reason they decided that on that architecture they would compile glibc with some options making it pretty picky about the location of the stack. This caused programs to crash at random, and the bug was never fixed. They simply wouldn't accept that there could be a bug in glibc.

      I can install Fedora and be fairly certain that even if somehow my system stopped updating

      Actually that is not so unlikely to happen. Because on FC4 rhn-applet will always tell you that there are no updates available. And occasionally yum will also say that even when there are updates available. And the Fedora people do not consider this to be a bug.

      And while we are at it, do you know what happens to the umask on a Fedora system? If I decide to set my umask to 077 such that other users cannot read by default, then /etc/bashrc is going to change it to 002. That means anything started from a script using bash as interpreter is going to create files with other permissions than intended.

      I'm not saying Fedora is a bad distribution, after all I do use it on all my systems. You just shouldn't claim it to be so much more secure than other distributions. Yes, this bug in Ubuntu is very bad, but unfortunately they are not the first to introduce a bug that bad.

      --

      Do you care about the security of your wireless mouse?
    13. Re:Saw this on Digg by FireFury03 · · Score: 3, Interesting

      the only way to protect your machine against attacks by someone with physical access to it is to raise a BIOS password or encrypt your files, not a bad idea in any case.

      Encrypting the hard drive is an answer, but then you have the problem of where do you store the key to access it? If it's stored in the bootloader or the kernel then that can be extracted by the attacker if they have physical access to the system. This is basically the same as the DRM problem - you can encrypt the content but you always have to decrypt it to use it so you need the key stored somewhere and that is always a possible attack vector.

      Also, you need to think very carefully about the ramifications of encrypting data - if you lose the key you're screwed.

      Encrypting the hard drive using keys stored in Palladium is an option but it only protects you from someone removing the drive and installing it in another machine, and again - if your motherboard (with its Palladium chip) blows up you're buggered.

  3. Time From Discovery to Patch by ergo98 · · Score: 5, Insightful

    Invariably, a lot of the comments to this story are going to commend the team on the incredible speed with which they've released a patch, and there'll probably be some comments comparing it to closed software. Yet another victory for the open source model!

    Yet how long has this massive fault been sitting there waiting for the first person to discover it? How do we know that the public acknowledgement of it was the first actual discovery of it?

    I believe Breezy was released in October, so for five months install logs have been sitting, world-readable, often with the root password. Surely in that time someone with less savoury motives did a simple grep of an install looking for the most trivial of faults.

    Feeling confident in the speed of the patch relies upon the belief that no one with nefarious motives discovered it before a benevolent bug submitter did.

    1. Re:Time From Discovery to Patch by MichaelSmith · · Score: 5, Insightful

      I believe Breezy was released in October, so for five months install logs have been sitting, world-readable, often with the root password. Surely in that time someone with less savoury motives did a simple grep of an install looking for the most trivial of faults.

      Anybody with an ounce of common sense should know that you never leave a critical password floating around in plain text. Not in memory, not in swap and you never print it to a bloody log file. Who's going to want to check it?

      Passwords are supposed to be non-reversible. The NetBSD installer seems to run the passwd command directly during installation, so the installer never sees the password. Did somebody get the bright idea of prompting for the password in their own UI when the graphical installer was done? This should have been caught. The design of the installer is at fault. Not the log file. I wouldn't count this one as fixed until the installer never sees the password. Sorry for the rant.

  4. Re:But Ubuntu has no root account! by Yosho · · Score: 5, Informative

    Read the article. The Slashdot summary is incorrect; the password is for the account you create during installation, which has sudo rights and therefore is just as effective as a root account.

    --
    Karma: Terrifying (mostly affected by atrocities you've committed)
  5. The cyberpunk credo comes to mind... by Anonymous Coward · · Score: 5, Funny

    Information wants to be free

  6. windows by Chimera512 · · Score: 3, Funny

    see this is why i use windows. there are never security patches to install, just service packs which allow me to get new security features like windows firewall. nothing beats windows security, and there's that helpful blue screen to tell me if something's gone wrong.

  7. steenkin batchers by Anonymous Coward · · Score: 5, Funny

    Fuuuuck.

    I knew I never should have trusted those badgers.

    Smiling at me with their big cartoon teeth, eating up all the aspen, wanting to admin their own machines.

    I've been a sap, and it's going to cost me.

    And now I'm worried about the hedgehogs.

  8. Re:okay by MichaelSmith · · Score: 3, Funny

    A patch in 2 hours for a massive security hole in an OS, on a sunday as mentioned earlier.

    Sunday is probably peak development time for free software.

  9. Colin Watson's response was very professional by zippity8 · · Score: 3, Informative

    He patched it within hours today, and posted to osnews with a description of what happened. He also posted a copy on the ubuntu forums page including details of what happened. It affects clean installs of breezy, and dapper upgrades from a breezy install, but not hoary or a clean dapper.

    hoary = 5.04
    breezy = 5.10
    dapper = not officially released yet

  10. So what if this was fixed quickly. by Anonymous Coward · · Score: 5, Insightful

    Any programmer who doesn't stop themselves and think that writing something like fprintf(logfile, "root password entered is: %s\n", password); is not the best idea should not be writing code for a secure operating system.

    1. Re:So what if this was fixed quickly. by strider44 · · Score: 3, Insightful

      Come now, do you really think that somewhere in the code there's a manual fprintf writing the root password to the file? You could have at least made a simple attempt at reading the article to find out what it's about and what causes it.

      The problem here is that the main user password (Ubuntu doesn't have a root password) is asked through the questions dialogue in the installer. Everything here is automatic and the questions dialogue just simply records everything down in a file called "questions.dat". It's a serious error for a programmer sure, but it's just a lack of thinking of everything when programming, which is what every single security hole is caused by, let's face it. You could just as easily say everyone who doesn't check their arrays every single time no matter what shouldn't be let within ten feet of gcc, but alas even the best make mistakes. Not only this, but someone who doesn't check every array may be letting through a remote exploit, which is much much more serious than this bug.

      The mantra of course applies here: Unless you've programmed a totally secure operating system, keep your mouth shut.

    2. Re:So what if this was fixed quickly. by arrrrg · · Score: 3, Informative

      In the forum, it was mentioned that there was in fact code in the installer to go back and remove the sensitive information from "questions.dat" after the installer finished. A bug was introduced somewhere in this code in the breezy release, so the password never got removed. So, the error was not nearly as obvious as fprintf (password) or even dump(questions); an attempt was made to do the right thing. Of course, the working condition of this code should definitely have been verified before releasing breezy, but both the parent and grandparent make the developers seem more negligent than is actually the case.

    3. Re:So what if this was fixed quickly. by cjwatson · · Score: 3, Informative

      For the record:

      • The code mentioned that was supposed to clear out the password from the database wasn't "a script to fix it after the fact"; it was in the same bit of code that dealt with asking the password, and had it worked as intended the password would never have ended up in cleartext in any file on disk in the first place;
      • A better solution was also in place (making sure that passwords were stored in a separate database never copied to disk) but this failed to work due to a subtle cdebconf bug;
      • The first user account is created after the base system is installed;
      • I had a conversation with Joey Hess about this bug last night, and far from being scathing, he was somewhat relieved that Debian escaped this particular manifestation of the bug essentially by luck, and acknowledged responsibility for one of the original design decisions in base-config that meant we weren't as well-defended against this sort of error as we might have been.

      I'm happy to take responsibility for the lack of testing that meant we didn't spot this earlier, but it's not quite the trivial stupid mistake that people are making it out to be.

  11. Open Password! by aurb · · Score: 5, Funny

    Contribute to the Open Password community - release your passwords under the GPP (General Public Password) license! Because closed passwords are just series of * symbols - they're hard to use, share and modify freely. :-)

    1. Re:Open Password! by AuMatar · · Score: 4, Funny

      But my root password really is ********. I mean really, who the hell is going to guess that?

      --
      I still have more fans than freaks. WTF is wrong with you people?
    2. Re:Open Password! by Brandybuck · · Score: 5, Interesting

      I actually used ***** as a backdoor password for a system I once worked on. Really! The service department demanded a backdoor password to give the service people, so that they wouldn't be calling in all the time for passwords. I fought and fought, but the lure of a continuing paycheck was too much, so I finally relented. My second choice was eight spaces.

      --
      Don't blame me, I didn't vote for either of them!
  12. Re:okay by Aranth Brainfire · · Score: 4, Informative

    Yeah, because it's approximately an equal effort to delete log files and to change anything about the WMF code, or whatever was causing that bug?

    --
    "Quoting yourself is stupid." -Me
  13. Re:okay by ralph alpha · · Score: 3, Insightful

    Deleting a log file isn't quite the same thing as fixing buffer overflows and whatnot in a huge chunk of code. Yeah, it took MS 2 weeks -- and that was too long. It's not like the two bugs were equal in scope, though.

  14. Re:okay by The Bungi · · Score: 4, Insightful

    When you have 300,000,000 users things are a little more complicated than when you have 3,000.

  15. Interesting juxtaposition by prockcore · · Score: 5, Insightful

    I find it very interesting that the severity of this bug is identical to the severity of the security hole found in OSX last week... yet the difference in attitudes is remarkable.

    Look at the slashdot summary. "An extremely critical bug and security threat". Compare with the OSX bug which was written off because it's not remotely exploitable.

    Apple hasn't even acknowledged that the OSX privilege escalation exists, let alone patched it.

  16. Solution by itismike · · Score: 5, Informative

    1. open a terminal and type:
      sudo apt-get update
    2. wait for it to finish
    3. click the Red update icon in the upper-right corner
    4. click through the update
    5. locate the file and verify that it is unreadable by a non-privileged user

    1. Re:Solution by itismike · · Score: 3, Informative

      Wait, so the fix leaves the cleartext root password on the hard disk?

      No, the patch both removes the PW from the log file and chmod's the log file itself to 600.
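      The remediation this Solution thread describes (remove the recorded password from the answers file, then restrict the file to mode 600) and step 5's "verify that it is unreadable by a non-privileged user" check, as an added shell example that is not from the thread, from Ubuntu, or from the installer's own code. It assumes a debconf-style "Name:/Value:" record layout and the question name passwd/user-password; both are a constructed approximation for illustration, and the sample file is generated by the script itself.

```shell
#!/bin/sh
# Added example: audit and scrub an installer answers file of the kind the
# thread describes. Layout and key names are a constructed approximation of a
# debconf-style database, not the real cdebconf questions.dat format.

# Write a constructed sample answers file with a password recorded in
# cleartext, left world-readable (mode 644) as in the reported bug.
make_sample_db() {
    db="$1"
    printf '%s\n' \
        'Name: hostname' \
        'Value: example-host' \
        '' \
        'Name: passwd/user-password' \
        'Value: hunter2' \
        '' \
        'Name: passwd/user-password-again' \
        'Value: hunter2' \
        '' \
        'Name: mirror/country' \
        'Value: GB' > "$db"
    chmod 644 "$db"
}

# Step 5 of the post as a check: exit 0 when any group or "other" permission
# bit is set (i.e. the file is readable by non-owners), 1 when it is owner-only.
# Parses the symbolic mode from ls so it works on both GNU and BSD userland.
exposed_to_others() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" != "------" ]
}

# Count records whose question name contains "password" and whose Value line
# still carries a non-empty value. Zero means nothing sensitive remains.
count_exposed() {
    awk '
        /^Name:/  { secret = ($2 ~ /password/) }
        /^Value:/ && secret && NF > 1 { n++ }
        END { print n + 0 }
    ' "$1"
}

# What the patch is described as doing: blank the Value of every password
# record (keeping the record so the file stays parseable), then chmod 600.
scrub_passwords() {
    f="$1"
    tmp="$f.scrub.$$"
    awk '
        /^Name:/  { secret = ($2 ~ /password/) }
        /^Value:/ && secret { print "Value:"; next }
        { print }
    ' "$f" > "$tmp" && mv "$tmp" "$f"
    chmod 600 "$f"
}

# Stand-alone demonstration on a throwaway file in the current directory.
demo() {
    db="./questions.dat.sample"
    make_sample_db "$db"
    echo "before: exposed=$(count_exposed "$db") readable_by_others=$(exposed_to_others "$db" && echo yes || echo no)"
    scrub_passwords "$db"
    echo "after:  exposed=$(count_exposed "$db") readable_by_others=$(exposed_to_others "$db" && echo yes || echo no)"
    rm -f "$db"
}
demo
```

      As the thread notes, scrubbing the file does not undo any earlier exposure; changing the password is still the only fix for that.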
    2. Re:Solution by 1u3hr · · Score: 4, Insightful

      1. Change your password.

      (Only passwords used during the install are written to the file in question.)

    3. Re:Solution by Uber Banker · · Score: 3, Insightful

      With every Ubuntu installation the first thing I did was set a root password, even if you don't have any intention of using it; in my opinion having a password you don't know about is worse than having a password only you know.

      Make sure you remove permissions for users to change the root password though. On a default Ubuntu install all a user need do is sudo passwd and enter root's new password (no need to enter the old one).

    4. Re:Solution by swillden · · Score: 4, Informative

      I asked them (again and again) "surely you are setting this to something?" and they all said no. It is now perfectly clear that the people answering my questions had no clue... having a password you don't know about is worse than having a password only you know.

      No. The default Ubuntu install sets *no* root password. None. Not "one you don't know".

      As others mentioned, the password under discussion here is a user account password (for an account with full sudo privileges, so it's effectively root).

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  17. What does patch help? by magi · · Score: 3, Insightful

    Ubuntu users, be sure to get the patch right away.

    What does this patch fix? The installer? Sorry, but the installer is burned in the installation media, and a patch can be applied only after the installer has been run. So updating the system or even upgrading to Dapper (where it has been fixed) doesn't help. So....patch whAt???

    No really, the installation ISO images should be fixed immediately and redistributed.

    Also saying that it "only affects the 5.10 Breezy Badger release" may be a bit belittling, as probably most people have installed exactly that release.

  18. Re:Despite this little pasword issue... by MichaelSmith · · Score: 3, Informative

    Ubuntu is Debian made easy for the masses. You get the bullet-proof Debian core with a great, easy interface. Nothing touches this at the moment.

    I run Ubuntu on my laptop and FC4 on my workstation. Ubuntu is great for office type stuff: word processing and email. A surprising number of printers work out of the box.

    But I also want to use the laptop for development and here I have struck a few problems. Development libraries are not installed by default (fair enough) but I got into loops trying to install Motif development libraries through apt. I tried to compile Motif but hit significant dependency problems in the process.

    In general I don't think Ubuntu is suited to development work. I am considering dual booting the laptop with another OS for that purpose. But I do continue to recommend it to non-technical people who need to reinstall their systems.

  19. Choose strong obscure passwords by L505 · · Score: 5, Interesting

    Using special characters not available on the keyboard is another strong security measure.

    Many people know how to generate these special characters but I'll mention anyway: using the ALT/META key and the NUMPAD keys. Having a character map printout handy so you know the DEC (decimal) values of these special characters is a good idea if you decide to implement one of these passwords. Punch in ALT-DecimalValue with number lock on.

    They may not work in some situations if special characters are not allowed, but you'd be surprised that they do work most often.

    I bet most dictionary attacks don't run through many special characters. The cracker is lazy too and will probably not even consider that you chose a funny character which does not even exist on the keyboard.

    Remember not to use NULL (#0) though, for crying out loud.

    1. Re:Choose strong obscure passwords by Anonymous Coward · · Score: 3, Interesting

      ...still more proof that NUL-terminated strings are the work of the devil. C'mon -- give up two bytes at the front of the string to tell how long the damned thing is. It's not fucking 1974 where the loss of a couple of bytes is gonna crap out the system. Prepend the length -- and reserve a value like 0xFFFF to mean "at the end of this string find another string with its own length encoded there..." -- Yes, I know, there's the potential for collision with a string that's actually 0xFFFF bytes long - but hey, the problem was solved to everyone's satisfaction by pretty much every RLE encoding scheme.

      Null termination is evil. Every buffer overflow you read about is a side-effect of null termination which could be avoided -- at the cost of two bytes per every sixty-five-thousand bytes of string.

    2. Re:Choose strong obscure passwords by ajs318 · · Score: 3, Interesting

      Only two bytes? That's a limitation of 65536 chars -- not that much really when you think about it. For crying out loud, we have 64-bit processors now. Please, let's think of the future, and reserve eight bytes for string length -- just in case somebody ever wants to put the entire addressable space into a scalar.

      --
      Je fume. Tu fumes. Nous fûmes!
    3. Re:Choose strong obscure passwords by grahamlee · · Score: 5, Funny

      Hey, if we're thinking of the future, let's not use a fixed-width length field for the string at all! That way, we can never generate a string longer than the permitted length field. Let's just terminate the string by a known character sequence, and guarantee that that sequence doesn't appear in the string itself. We could use the \0 character as the terminator.

  20. Re:Place it in context of surroundings by damiam · · Score: 5, Insightful

    In comparison to other operating systems which provide default root ("administrator") access, without a password, on installation; this isn't as big of a deal.

    WTF are you smoking? No modern OS sets up an unpassworded root account by default, especially on a multiuser system. And if they did, there would be no expectation of security. Here, there is the expectation of security, and it is violated.

    In fact, this attack is even worse than the average privilege escalation vulnerability, because a) it's amazingly stupid on the part of the programmer and b) the attacker gains not just root privileges but the root password, which is often reused by less-paranoid users for other purposes.

    --
    It's hard to be religious when certain people are never incinerated by bolts of lightning.
  21. Use the right tool... by MarkByers · · Score: 5, Insightful

    Don't use a bleeding edge home desktop OS if you want a secure multi-user server.

    --
    I'll probably be modded down for this...
    1. Re:Use the right tool... by kestasjk · · Score: 3, Interesting

      True, it's also worth bearing in mind that the server install of Ubuntu 5.10 doesn't suffer from this vulnerability.

      --
      // MD_Update(&m,buf,j);
  22. Legal before security-the openssl vs netatalk mess by SuperBanana · · Score: 4, Interesting
    Want another example of Debian/Ubuntu idiocy?

    The netatalk package, which provides Appletalk services (most commonly used services are AFP, ie filesharing, and papd, the printing spooler), isn't compiled in with ANY encrypted password support. If you connect to a debian or debian-based appletalk fileserver, you get a warning you are transmitting your password in clear-text. Yes, we're jumping about 10 years BACKWARDS in security.

    Why? Because the legal-circle-jerk that is the debian-legal mailing list, decided that it wasn't "legal" to link netatalk (a GPL project) to OpenSSL (license supposedly incompatible with GPL.) This doesn't stop every other distribution on the planet from compiling netatalk with openssl, and hence supporting encrypted passwords.

    They politely suggested that GnuTLS, which isn't even remotely drop-in, be used instead. That was back in 2002...and the issue still hasn't been addressed. I filed a bug on it and the bug was simply ignored.

  23. Re:UNIX mouse driver released by Pogue+Mahone · · Score: 5, Informative
    Since when did UNIX have mice.

    Since long before MS-DOS had them:

    Look..

    --
    Every bloody emperor has his hand up history's skirt [Peter Hammill/VdGG]
  24. Re:Legal before security-the openssl vs netatalk m by SnowZero · · Score: 4, Insightful

    ...Why? Because the legal-circle-jerk that is the debian-legal mailing list, decided that it wasn't "legal" to link netatalk (a GPL project) to OpenSSL (license supposedly incompatible with GPL.)

    This has been discussed at length, and OpenSSL's license is GPL incompatible. Everyone else may simply think it's ok to bend the rules, and that they won't ever get sued for it. That's not a safe assumption for a volunteer-based distribution.

    This doesn't stop every other distribution on the planet from compiling netatalk with openssl, and hence supporting encrypted passwords.

    "Everyone else breaks the rules, so it's ok." That doesn't work for speeding tickets, and it doesn't work in contract/license disputes.

    They politely suggested that GnuTLS, which isn't even remotely drop-in, be used instead. That was back in 2002...and the issue still hasn't been addressed. I filed a bug on it and the bug was simply ignored.

    Maybe you and any other users of appletalk on insecure networks ought to band together and fix it. Alternatively you can just switch distributions or upgrade your networking from appletalk (a 1980s protocol, since you were talking about being 10-years backwards).

    Does it suck? Yes. It sucks that the OpenSSL people won't change their license, and upstream netatalk doesn't care either. However Debian would risk legal action against ALL users if they break the law, even though 1% of the users use this package. They chose the solution for 99% of their users, which is the best you can hope for in an esoteric case like this.

  25. Real Solution: CHANGE YOUR PASSWORD by Stephen+Samuel · · Score: 3, Insightful
    Anybody who's done a breezy install and allowed any sort of remote or non-admin access should be changing their password .... NOW!

    The patch (unless it goes out and deletes the offending files) is only going to patch the installer (which you're probably never going to run again). You're still going to have a cleartext copy of your original admin password sitting on the box in a file with read-other permissions.

    Even if the files get deleted (or have their permissions changed), you still have no idea as to whether somebody has read the files since October.

    BTW: Are they re-burning the installation CDs?

    --
    Free Software: Like love, it grows best when given away.
  26. Re:[easier] Solution by tpgp · · Score: 3, Informative
    Isn't the password in your bash history now (twice)?

    Whoops! You are of course completely right...

    Just goes to show that you can't be half-assed about password security :-)

    Mod my [easier] solution into the ground mods!

    Open a terminal and type:
    sudo grep -r mypasswd /var/log
    (if it returns your password, you're vulnerable)
    sudo apt-get update
    sudo passwd base-config
    (wait)
    sudo grep -r mypasswd /var/log
    (if it doesn't return your password, you're no longer vulnerable)

    The 'mypasswd' string grepped for above will immediately precede your primary user password
    --
    My pics.
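A scripted version of the check tpgp describes, as an added example that is not part of the original post: it looks for the "mypasswd" marker under a log directory and reports only the matching files that are readable by other users, then drops that read bit. The directory, file names and the password "hunter2" are constructed stand-ins for /var/log and the real installer log.

```shell
#!/bin/sh
# Added example, not tpgp's own commands: find files under a log directory
# that contain a marker string AND carry the "other" read bit, i.e. any
# local account could open them. The marker is the "mypasswd" key the
# installer log is said to write just before the password, so the password
# itself never has to be typed (and never lands in shell history).
# Prints one path per line; returns 1 if any leaky file exists, else 0.
find_leaky_logs() {
    marker=$1
    logdir=$2
    found=0
    # grep -rl: names of files containing the marker, recursively.
    # (Word-splitting on the result assumes no spaces in log file names.)
    for f in $(grep -rl -- "$marker" "$logdir" 2>/dev/null); do
        # find -perm -004: matches only if the "other" read bit is set.
        if [ -n "$(find "$f" -perm -004 -print)" ]; then
            echo "$f"
            found=1
        fi
    done
    return $found
}

# Mitigation: drop the "other" read bit on every leaky file. The password
# should still be changed, since the file may already have been read.
lock_down_leaky_logs() {
    find_leaky_logs "$1" "$2" | while read -r f; do chmod o-r "$f"; done
}

# Demo on a constructed directory standing in for /var/log; file names and
# the password "hunter2" are made up for the example.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/installer"
printf 'mypasswd: hunter2\n' > "$demo_dir/installer/install.log"
chmod 644 "$demo_dir/installer/install.log"   # world-readable: leaks
printf 'mypasswd: hunter2\n' > "$demo_dir/auth.log"
chmod 640 "$demo_dir/auth.log"                 # contains it, not readable
printf 'nothing to see\n' > "$demo_dir/dmesg"
chmod 644 "$demo_dir/dmesg"                    # readable but clean

find_leaky_logs mypasswd "$demo_dir" || echo "leak found: change the password now"
```

Run it as root against the real directory (`find_leaky_logs mypasswd /var/log`) to cover files your own account cannot read; a non-empty result means the file was exposed, whatever the patch later did to the installer.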
  27. "you should fix it" is elitist bullshit by SuperBanana · · Score: 3, Insightful
    Alternatively you can just switch distributions or upgrade your networking from appletalk (a 1980s protocol, since you were talking about being 10-years backwards).

    Secure password authentication in AFP was introduced at least 10 years ago. We're talking about AppleShare here, Mr. Genius. A protocol fully maintained and used extensively on current hardware. I'll switch to SMB when it offers the same level of performance as AFP (it doesn't, not even close, in raw transfer speed or directory operations) and the same filename compatibility.

    Maybe you and any other users of appletalk on unsecure networks ought to band together and fix it.

    So let's get this straight.

    • Linux software authors tell us how wonderful Linux is, how great "open source" is. We won't be locked into anything, blah blah.
    • We switch over. Things are good; it's free, it's fast, it's mostly stable and somewhat bug-free. Until we discover problems.
    • We report the problems- even filing those nice bug reports in Bugzilla.
    • We notice nobody's giving our problems any attention (over the course of years) and we complain about the delay.
    • We get told "it's a matter of principle" and to go fuc...sorry, I mean...fix it ourselves.

    Like many a faithful geek, I was led down the path of "enlightenment" offered. I helped give open-source software market share. I helped sell open-source to my boss, and my boss's boss. I redirected my career to support open-source software.

    And what do I get in return? "Fix it yourself, you dumb user."

    To think I still get asked why I'm not running Linux on my Powerbook. Because IT JUST WORKS; no politics, no "nobody cares about that bug so it won't be fixed". Because I don't have to deal with arrogant blowhard grad students telling me to fix software myself. I have neither the time, ability, knowledge nor inclination necessary to run around fixing complex software. 99.999% of the rest of the world doesn't either. Sad reality of life is that there is an extremely small segment of the population of linux users that have even the slightest qualifications to know how to go about fixing bugs or adding features.

    Like most academics, you have zero comprehension of what matters in the real world. Joe Sixpack doesn't go into Firefox and add features. Jane Officeuser doesn't fix GnuTLS so it works with netatalk. Users don't give a damn about theoretical lawsuit possibilities. They don't give a shit about the finer points of licensing. Nothing impresses a CIO or a Director of IT less than "oh, we have to transmit passwords in clear-text because the license for a system library isn't compatible with the license for the server software."

    Oh, and if you believe the whole Debian Kool-Aid line about "we have to protect this because we'd ALL BE SUED", I have two bridges in NY I'd just LOVE to sell you. PS: It says "gullible sheep" on the ceiling.

  28. Re:first rule by Vo0k · · Score: 3, Funny

    > So they call me as they need the password for the isp access, "penis",

    If you tried this on my system, it wouldn't work, it would say your password is too short.

    --
    Anagram("United States of America") == "Dine out, taste a Mac, fries"
  29. Re:Patch mirror by cortana · · Score: 3, Informative

    Well done, you just took out the ability for most daemons to write to their log files.