Root Password Readable in Clear Text with Ubuntu

Zonk posted more than 8 years ago | from the that's-a-big-oops dept.

BBitmaster writes "An extremely critical bug and security threat was discovered in Ubuntu Breezy Badger 5.10 earlier today by a visitor on the Ubuntu Forums that allows anyone to read the root password simply by opening an installer log file. Apparently the installer fails to clean its log files and leaves them readable to all users. The bug has been fixed, and only affects the 5.10 Breezy Badger release. Ubuntu users, be sure to get the patch right away."

520 comments

ubuntu sucks!!! (-1, Troll)

Anonymous Coward | more than 8 years ago | (#14905307)

u are teh loser hippies.

get out of the basement.

vanilla ice 4eva, yos!!!!!!!

Re:ubuntu sucks!!! (-1, Troll)

Anonymous Coward | more than 8 years ago | (#14905311)

word

Re:ubuntu sucks!!! (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#14905493)

mars.google.com [slashdot.org] omg! teh mars!

Open source (5, Funny)

L505 (884811) | more than 8 years ago | (#14905312)

What's the problem? Open source passwords make it more secure.

The cyberpunk credo comes to mind... (5, Funny)

Anonymous Coward | more than 8 years ago | (#14905339)

Information wants to be free

Open Password! (5, Funny)

aurb (674003) | more than 8 years ago | (#14905362)

Contribute to Open Password community - release your passwords under the GPP (General Public Password) license! Because closed passwords are just series of * symbols - it's hard to use, share and modify them freely. :-)

Re:Open Password! (4, Funny)

AuMatar (183847) | more than 8 years ago | (#14905420)

But my root password really is ********. I mean really, who the hell is going to guess that?

Re:Open Password! (5, Interesting)

Brandybuck (704397) | more than 8 years ago | (#14905438)

I actually used ***** as a backdoor password for a system I once worked on. Really! The service department demanded a backdoor password to give the service people, so that they wouldn't be calling in all the time for passwords. I fought and fought, but the lure of a continuing paycheck was too much, so I finally relented. My second choice was eight spaces.

Choose strong obscure passwords (5, Interesting)

L505 (884811) | more than 8 years ago | (#14905475)

Using special characters not available on the keyboard is another strong security measure.

Many people know how to generate these special characters but I'll mention anyway: using the ALT/META key and the NUMPAD keys. Having a character map printout handy so you know the DEC (decimal) values of these special characters is a good idea if you decide to implement one of these passwords. Punch in ALT-DecimalValue with number lock on.

They may not work in some situations if special characters are not allowed, but you'd be surprised that they do work most often.

I bet most dictionary attacks don't run through many special characters. The cracker is lazy too and will probably not even consider that you chose a funny character which does not even exist on the keyboard.

Remember not to use NULL (#0) though, for crying out loud.

Re:Open source (3, Funny)

themoodykid (261964) | more than 8 years ago | (#14905444)

Yes, exactly. If someone screws up your system, somebody else will come along and fix it for you. The many eyes make all bugs shallow or something. Think of it as a Wiki-style OS security.

Solution (5, Informative)

itismike (582070) | more than 8 years ago | (#14905452)

  1. open a terminal and type:
    sudo apt-get update
  2. wait for it to finish
  3. click the Red update icon in the upper-right corner
  4. click through the update
  5. locate the file and verify that it is unreadable by a non-privileged user
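
One way to carry out step 5 on a whole log directory, added here as an example that is not part of the original comment or of any Ubuntu tooling. The helper names (`world_readable_files`, `leaky_files`, `lock_down`), the sample files and the sample password are constructed; point the functions at wherever your installer left its logs.

```shell
#!/bin/sh
# Added example, not from the original thread. Helper names, the sample
# directory and the sample password are all constructed for illustration.

# List regular files under $1 whose "other" read bit is set. This checks
# mode bits only: ACLs or a parent directory without o+x can change who
# can really open the file.
world_readable_files() {
    find "$1" -type f -perm -o=r -print
}

# Read one secret from stdin and list the world-readable files under $1
# that contain it. The secret reaches grep through a pipe (-f -), so it
# is never a command-line argument and never lands in shell history.
# Interactive use:  stty -echo; leaky_files /path/to/logs; stty echo
leaky_files() {
    dir=$1
    IFS= read -r secret || true
    [ -n "$secret" ] || { echo "leaky_files: empty secret" >&2; return 2; }
    world_readable_files "$dir" | while IFS= read -r f; do
        if printf '%s\n' "$secret" | grep -qF -f - -- "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Strip group/other access from every world-readable file under $1.
# This closes the hole for the future; a secret that was already
# readable still has to be changed.
lock_down() {
    world_readable_files "$1" | while IFS= read -r f; do
        chmod go-rwx -- "$f"
    done
}

# Demo on constructed files: two world-readable logs (one with the
# password, one without) and one private log holding the password.
demo() {
    d=$(mktemp -d) || return 1
    printf 'user password: Badger-constructed-1\n' > "$d/answers.dat"
    printf 'partitioning finished\n'               > "$d/syslog"
    printf 'user password: Badger-constructed-1\n' > "$d/private.dat"
    chmod 644 "$d/answers.dat" "$d/syslog"
    chmod 600 "$d/private.dat"

    echo "leaky before:"; printf '%s\n' 'Badger-constructed-1' | leaky_files "$d"
    lock_down "$d"
    echo "leaky after:";  printf '%s\n' 'Badger-constructed-1' | leaky_files "$d"
    rm -rf "$d"
}

demo
```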

UNIX mouse driver released (2, Funny)

L505 (884811) | more than 8 years ago | (#14905498)

Click? Since when did UNIX have mice.

Re:Open source (1)

KnightStalker (1929) | more than 8 years ago | (#14905517)

Just another demonstration of the failure of security through obscurity!

Saw this on Digg (3, Insightful)

Stevyn (691306) | more than 8 years ago | (#14905314)

It came out, it was fixed. There are going to be problems in any project this large, but it shows how much the Ubuntu team cares to respond to a problem this quickly and on a Sunday of all days. Ubuntu really has become a nice distro. It's completely free and polished around the edges. I hope they continue to do well.

Re:Saw this on Digg (5, Insightful)

Anonymous Coward | more than 8 years ago | (#14905328)

Oh PLEASE, what a joke of a comment. The fact is, they fucked up BIG TIME. Yeah, it's a nice distro, but so is windows, and had microsoft made this error you'd be on their ass about how crappy windows is.

The bias here on slashdot sometimes makes me sick.

Grow up people!

Re:Saw this on Digg (1)

JFitzsimmons (764599) | more than 8 years ago | (#14905345)

People make mistakes. The folks at ubuntu were nice enough to release a 0-day patch. While it isn't as good as never having the vulnerability in the first place, it is the next best thing.

Re:Saw this on Digg (5, Insightful)

Bacon Bits (926911) | more than 8 years ago | (#14905395)

Nevertheless, AC is right. If it was revealed that the local Administrator account or the domain Administrator account was stored anywhere as plain text in Windows 2000, XP, or 2003, then MS would be reamed endlessly and very harshly here. Or do you honestly think people would be saying "oh, well, at least MS has a patch!" I'm no fan of Microsoft as a company, but denying that a bias exists on Slashdot about this kind of thing -- apologising for *nix, criticising Windows -- is just outright absurd.

Be honest. Everyone here knows that storing the root password as plain text is a clear program error. And since GNU/Linux is a rather secure OS that doesn't have this vulnerability in any other distro, this code was added by the Ubuntu team. If this is the quality of code that the Ubuntu team is developing for its distro, though, I do have to question why it is so popular. Why was such an obvious mistake missed? Who forgot to check how the root password is stored? Who forgets that kind of thing? Not the kind of developer I'd want to trust with my security, I'll tell you what.

Re:Saw this on Digg (5, Interesting)

xlsior (524145) | more than 8 years ago | (#14905450)

Nevertheless, AC is right. If it was revealed that the local Administrator account or the domain Administrator account was stored anywhere as plain text in Windows 2000, XP, or 2003, then MS would be reamed endlessly and very harshly here.

Interestingly enough Microsoft did make pretty much the same mistake, with Microsoft SQL 7, both servicepack 1 & 2. They wrote the SQL administrator password to the installation log file, which would give you full access to any SQL database on the server. Written to a logfile in the TEMP folder, which by default has full read/write access for any user on the system.

Security bulletin: https://www.microsoft.com/technet/security/bulletin/MS00-035.mspx [microsoft.com]

(The 'non-recommended' mode mentioned is using SQL authentication instead of windows NTLM authentication, which is much more common than they try to make it sound)

Re:Saw this on Digg (5, Informative)

xlsior (524145) | more than 8 years ago | (#14905468)

Actually slightly more elaborate: SQL 7 SP3 was also affected, plus they wrote the password to not one, but two files:

Summary
On May 30, 2000, Microsoft released the original version of this bulletin, to announce the availability of a patch that eliminates a security vulnerability in Microsoft® SQL Server® 7.0 Service Packs 1 and 2 installation routine. When run on a machine that is configured in a non-recommended mode, the routines record the administrator password in a log file, where it could be read by any user who could log onto the server at the keyboard.

On June 15, 2000, the bulletin was updated to note that, under the same conditions as originally reported, the password also is recorded in a second file. A new version of the patch is available that prevents the password from being recorded in either file.

On May 10, 2001, the bulletin was updated to note that Service Pack 3 is also affected by this vulnerability. A new patch is available for SP3 and we are also providing a command line utility (post Service Pack deployment) to remove all instances of the SA password written in either file via Q263968.



So not only did they have a similar problem, it persisted for over a year after initially being found & allegedly fixed.

Re:Saw this on Digg (1)

masterzora (871343) | more than 8 years ago | (#14905466)

You know why Microsoft would get flak for it? It has nothing to do with them being Microsoft (except to the zealots and trolls). It's because they wouldn't have the patch out the same day it was discovered.

The strength in OSS has never been that the code is inherently more secure in any way. The strength is that the average time to patch is several times smaller than that of CSS.

But is it fixed right? (0)

Anonymous Coward | more than 8 years ago | (#14905476)

Based on the FPP, it sounds like the solution was to delete the install log. But that means the password was stored on the hard drive in clear text at some point. A deleted file doesn't go away automatically. Especially in this case where it is surrounded by predictable ASCII characters... a "strings" on the partition and a grep -B2 -A2 or similar should locate it. Of course that requires root, but then what's the point of encrypting it if you are going to also store it in clear text.

Re:Saw this on Digg (4, Insightful)

Parham (892904) | more than 8 years ago | (#14905379)

If Microsoft had made the error, we'd have to wait until the second Tuesday of the month for the fix. If this bug wasn't caught by tomorrow for me, then I'd have to wait an entire month for a fix. Ubuntu put out the patch as soon as it was discovered. There is no bias here, I use Windows just as much as Linux. However, Microsoft's patching cycles simply suck.

Re:Saw this on Digg (5, Insightful)

RzUpAnmsCwrds (262647) | more than 8 years ago | (#14905409)

If Microsoft had made the error, we'd have to wait until the second Tuesday of the month for the fix. If this bug wasn't caught by tomorrow for me, then I'd have to wait an entire month for a fix. Ubuntu put out the patch as soon as it was discovered. There is no bias here, I use Windows just as much as Linux. However, Microsoft's patching cycles simply suck.

Patching is quite frankly irrelevant with this bug. While it certainly has to be done to close the hole in the future, there are already hundreds of thousands of Ubuntu systems out there with the password sitting on the disk. How are you to be sure as an administrator that the password has not been compromised already? What about backup copies that might have the password?

The fix is to change the administrator/root password. The bug only affects a system at install-time, and it will continue to affect new installs so long as the broken installer is floating around. Patching it today is hardly more effective than patching it on April 6.

Re:Saw this on Digg (1)

anagama (611277) | more than 8 years ago | (#14905512)

The bug only affects a system at install-time, and it will continue to affect new installs so long as the broken installer is floating around. Patching it today is hardly more effective than patching it on April 6.

It's been a while since I installed an Ubuntu system, but I believe that during the install you have the option of installing updates. If you refuse, once you're logged in you'll see the red icon saying updates are available. At that point, it's the user's fault if the file with the PW is still in the system. If you don't have internet access then of course you can't get the updates -- this would then only be an issue if you had a multiuser system without internet access that stored sensitive data in which case you're probably not using a bleeding edge linux distro anyway. So in reality, it doesn't really matter how many broken installers there are. Except for the negative publicity of course.

Re:Saw this on Digg (4, Informative)

drsmithy (35869) | more than 8 years ago | (#14905516)

However, Microsoft's patching cycles simply suck.

Actually they reflect reality and are the result of customer requests.

In managed environments, patches are almost never applied ad-hoc, as they are released. They are collected together then tested and rolled out on a schedule, usually monthly.

Re:Saw this on Digg (0)

slugstone (307678) | more than 8 years ago | (#14905389)

And how many days would it take for Microsoft to get it fixed? Or should I say months this way microsoft might be able to say 1.

What makes me sick is people like you who defend microsoft even if they do not fix security problems.

Re:Saw this on Digg (4, Interesting)

MobileTatsu-NJG (946591) | more than 8 years ago | (#14905445)

"It came out, it was fixed. There are going to be problems in any project this large, but it shows how much the Ubuntu team cares to respond to a problem this quickly and on a Sunday of all days. Ubuntu really has become a nice distro. It's completely free and polished around the edges. I hope they continue to do well."

I know this rationale gives everybody the warm fuzzies, but this is still a really bone-headed mistake. You guys really shouldn't be this forgiving about it.

Re:Saw this on Digg (1, Funny)

Anonymous Coward | more than 8 years ago | (#14905491)

Although ironically how many people now have...


grep -ir myrootpass /*

...in their .bash_history file from checking their own system for this mistake?

I believe this is a feature (-1)

Anonymous Coward | more than 8 years ago | (#14905319)

To be honest, I am new to Ubuntu. I was getting tired of SUDO'ing to do every command in the terminal. Getting the actual root password would be nice. ... unless there's an obvious linux way to do it (how could you reset it if you didn't set it?) I might just have to check my own log for it.

Re:I believe this is a feature (2, Informative)

Anonymous Coward | more than 8 years ago | (#14905332)

try sudo bash

Re:I believe this is a feature (2, Informative)

dtfinch (661405) | more than 8 years ago | (#14905335)

The article title isn't entirely correct. There is no root password. But you can set one.

Re:I believe this is a feature (2, Informative)

killeena (794394) | more than 8 years ago | (#14905357)

But you can get the root password, as the default user has sudo access. 'sudo su -', and that is that.

Re:I believe this is a feature (0)

Anonymous Coward | more than 8 years ago | (#14905349)

sudo su -
passwd

Re:I believe this is a feature (1)

JFitzsimmons (764599) | more than 8 years ago | (#14905353)

Or, "sudo -s". Or, "sudo passwd root", and use whatever methods you are more comfortable with to elevate permissions.

Re:I believe this is a feature (1)

brsmith4 (567390) | more than 8 years ago | (#14905367)

$ sudo passwd root

Should ask to reset the root password. You can then use 'su' to evoke a shell as the root user.

Re:I believe this is a feature (0)

Anonymous Coward | more than 8 years ago | (#14905464)

If you're spending a lot of time in the shell "sudo -s". Otherwise I actually find sudo handy because it keeps its state for a certain timeout period where you don't need to type the root password again. In this case it's nice when you're switching between user and root commands.

Security Audit (0, Redundant)

RunFatBoy.net (960072) | more than 8 years ago | (#14905320)

A thanks to Teotihacan for finding this. I'm sure that eventually several sysadmins would have failed security audits because of this. -- Jim http://www.runfatboy.net/ [runfatboy.net]

Just in case (0)

dtfinch (661405) | more than 8 years ago | (#14905323)

You give someone local access to your system, and are worried about them reading your user password (Ubuntu has no root password by default), but not worried about them just copying all your files.

Re:Just in case (1)

MichaelSmith (789609) | more than 8 years ago | (#14905342)

Ubuntu has no root password by default

No it has a random password, which I assume is the password in the log file.

Re:Just in case (2, Informative)

Andrew Tanenbaum (896883) | more than 8 years ago | (#14905404)

No, it has -no- root password by default. In Linux, you generally disable an account by removing its password.

The password in the log file was the primary account's password. This account is a member of the sudoers group, so the same password can get you root access.

Probably affects Edubuntu, too (0)

Anonymous Coward | more than 8 years ago | (#14905463)

Edubuntu has a neat installation of a Linux terminal server so this thing could have made a backdoor in school labs, etc. where it would have been a multi-simultaneous-user system. On a single-user system it would have been no problem because you can always be yourself.

Re:Just in case (2, Informative)

dtfinch (661405) | more than 8 years ago | (#14905408)

If your /etc/shadow has something like "root:*:13039:0:99999:7:::", there's no root password.

Re:Just in case (2, Interesting)

miro f (944325) | more than 8 years ago | (#14905417)

no need to give them local access to your system, they can easily read it if you have an ssh server set up for example. And no it doesn't display the root password, but it displays a username/password combination which has access to sudo. So just as bad.

But Ubuntu has no root account! (-1)

diablo-d3 (175104) | more than 8 years ago | (#14905326)

That password seems to be quite useless, because you cannot log in as root! Ubuntu has no root account!

Re:But Ubuntu has no root account! (5, Informative)

Yosho (135835) | more than 8 years ago | (#14905337)

Read the article. The Slashdot summary is incorrect; the password is for the account you create during installation, which has sudo rights and therefore is just as effective as a root account.

Re:But Ubuntu has no root account! (1)

n.e.watson (835126) | more than 8 years ago | (#14905340)

That's a feature. It's so you don't go messing around with root if you don't know what you're doing, as Ubuntu is geared toward being user friendly, and to people who aren't necessarily entirely familiar with the workings of Linux. It's easy enough to activate the root account, just 'sudo passwd'.

Re:But Ubuntu has no root account! (0)

Anonymous Coward | more than 8 years ago | (#14905368)

This is for Breezy, which, I believe, had a root account which couldn't be used for login, just for sudo. Later versions disabled that password as well, only allowing a special non-root user to sudo by reentering his password.

Re:But Ubuntu has no root account! (1)

dartarrow (930250) | more than 8 years ago | (#14905435)

Guidelines to posting a comment
1. RTFA
2. RTFA
3. Try seeing if TFA is true (ie open questions.dat)
4. Post Comment.
The problem is that all that happens during installation is logged in
And that includes logging of the username / password that the installer creates at time of installation. Of course if the user changes the password after the installation then the log file will not be updated and will still contain the old password.

Re:But Ubuntu has no root account! (1, Interesting)

Anonymous Coward | more than 8 years ago | (#14905483)

It DOES have a root account, it's just it sets the root password to some value that you're not trusted enough to be told. I personally fall prey to "bad" sysadmin techniques, and I sudo passwd root first thing. I then log in as root for sysadmin functions. In general, my systems are not intended for multiuser shell access (read - I'm the only user with shell access anyway), and it's a pain to sudo everything. I end up using sudo bash, so I may as well just log in as root to start with. I've never really understood why it's so BAD to log in as root. Yeah, so you can screw stuff up on accident if you're not careful. Typing sudo before the command as a regular user is just as bad. I guess it might make sense if you have multiple sysadmins and want to track who did what. But in my case, I am the only sysadmin, so why bother with the extra "security"?

Re:But Ubuntu has no root account! (1)

intangible (252848) | more than 8 years ago | (#14905508)

Just sudo -s when you need to use a shell for an extended period.

Time From Discovery to Patch (5, Insightful)

ergo98 (9391) | more than 8 years ago | (#14905330)

Invariably, a lot of the comments to this story are going to commend the team on the incredible speed with which they've released a patch, and there'll probably be some comments comparing it to closed software. Yet another victory for the open source model!

Yet how long has this massive fault been sitting there waiting for the first person to discover it? How do we know that the public acknowledgement of it was the first actual discovery of it?

I believe Breezy was released in October, so for five months install logs have been sitting, world-readable, often with the root password. Surely in that time someone with less savoury motives did a simple grep of an install looking for the most trivial of faults.

Feeling confident in the speed of the patch relies upon the belief that no one with nefarious motives discovered it before a benevolent bug submitter did.

Awesome (2, Insightful)

ergo98 (9391) | more than 8 years ago | (#14905344)

30 seconds and my post got a flamebait. I love Slashdot.

Within the same 30 seconds a post appeared following mine comparing the fix (which has the massive complexity of deleting some log files) with Microsoft's WMF fix, exactly as predicted. Beautiful, and so predictable.

Re:Awesome (1)

pilkul (667659) | more than 8 years ago | (#14905510)

Yeah, and the WMF bug I can understand --- it's legacy code written back in a time when no one cared about security. Leaving the root password in a plaintext file, though, is a colossal, inexcusable fuckup, and I don't care that they fixed it quickly. Whoever designed that installer should be ashamed of themselves.

Re:Time From Discovery to Patch (5, Insightful)

MichaelSmith (789609) | more than 8 years ago | (#14905373)

I believe Breezy was released in October, so for five months install logs have been sitting, world-readable, often with the root password. Surely in that time someone with less savoury motives did a simple grep of an install looking for the most trivial of faults.

Anybody with an ounce of common sense should know that you never leave a critical password floating around in plain text. Not in memory, not in swap and you never print it to a bloody log file. Who's going to want to check it?

Passwords are supposed to be non-reversible. The NetBSD installer seems to run the passwd command directly during installation, so the installer never sees the password. Did somebody get the bright idea of prompting for the password in their own UI when the graphical installer was done? This should have been caught. The design of the installer is at fault. Not the log file. I wouldn't count this one as fixed until the installer never sees the password. Sorry for the rant.

And patching the patch? (0)

Anonymous Coward | more than 8 years ago | (#14905436)

What I've read so far indicates the patches/corrections just remove the
file that had the password in cleartext. Where the password was
written in cleartext to a world readable file, at minimum, the password
should also be considered compromised, or likely to have been
compromised. Should force a password change, or at minimum strongly
advise (e.g. via security advisory) changing the password. Running
integrity check would also be advisable.

okay (-1, Redundant)

gcnaddict (841664) | more than 8 years ago | (#14905334)

A patch in 2 hours for a massive security hole in an OS, on a sunday as mentioned earlier. Class, let's do a comparison:

Ubuntu devs fix a massive hole in a few hours, tops
Microsoft devs fix a massive hole (WMF security bug) in two weeks-ish...

Which group put more people at risk and why? I want a 5000 word essay by this thursday explaining your views. :P

Re:okay (3, Funny)

MichaelSmith (789609) | more than 8 years ago | (#14905351)

A patch in 2 hours for a massive security hole in an OS, on a sunday as mentioned earlier.

Sunday is probably peak development time for free software.

Re:okay (4, Informative)

Aranth Brainfire (905606) | more than 8 years ago | (#14905363)

Yeah, because it's approximately an equal effort to delete log files and to change anything about the WMF code, or whatever was causing that bug?

Valid point, but... (1)

evilgrug (915703) | more than 8 years ago | (#14905471)

You definitely have a valid point, but you still can't defend Microsoft's slow response to the WMF issue.

Within hours, a member of the SomethingAwful forums had hacked together a patch to the gdi32.dll with a few dozen NOP instructions to render the SetAbortProc call useless. Obviously with just a hex editor and no access to the Windows source code.

And how long did Microsoft take?

Re:Valid point, but... (1)

Aranth Brainfire (905606) | more than 8 years ago | (#14905521)

True, I won't even try to argue in Microsoft's favor, but the post I replied to was just too tempting to take down to resist.

You're an idiot (2)

Kasracer (865931) | more than 8 years ago | (#14905369)

Fixing a patch that either simply removes this log file or encrypts the password in it is very simple. I could do this in a few minutes tops.

Microsoft's security issues often are the result of an issue that requires code re-writes and changes. It takes time to do that, compile it, and test it. There is a huge difference between this tiny flaw and a buffer overflow in Windows Media Player.

Re:okay (3, Insightful)

ralph alpha (956305) | more than 8 years ago | (#14905377)

Deleting a log file isn't quite the same thing as fixing buffer overflows and whatnot in a huge chunk of code. Yeah, it took MS 2 weeks -- and that was too long. It's not like the two bugs were equal in scope, though.

Re:okay (0)

Anonymous Coward | more than 8 years ago | (#14905400)

Ubuntu devs fix a massive hole in a few hours, tops Microsoft devs fix a massive hole (WMF security bug) in two weeks-ish...

This should read:

Ubuntu devs fix a massive hole in a few MONTHS, tops

I give props to them providing a fix so soon after they found it, but come on folks, this distro has been out for MONTHS now.

This is just going to give Bill an excuse to bash Linux even more.

Re:okay (4, Insightful)

The Bungi (221687) | more than 8 years ago | (#14905424)

When you have 300,000,000 users things are a little more complicated than when you have 3,000.

windows (3, Funny)

Chimera512 (910750) | more than 8 years ago | (#14905341)

see this is why i use windows. there are never security patches to install, just service packs which allow me to get new security features like windows firewall. nothing beats windows security, and there's that helpful blue screen to tell me if something's gone wrong.

Re:windows (0)

Anonymous Coward | more than 8 years ago | (#14905371)

Why do you bother?

steenkin batchers (5, Funny)

Anonymous Coward | more than 8 years ago | (#14905346)

Fuuuuck.

I knew I never should have trusted those badgers.

Smiling at me with their big cartoon teeth, eating up all the aspen, wanting to admin their own machines.

I've been a sap, and it's going to cost me.

And now I'm worried about the hedgehogs.

Ubuntu on 17" MacBook Pro? (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#14905348)

I wonder if Ubuntu will run on the upcoming 17" MacBook Pro, described here in full detail: http://shadowconflict.blogspot.com/2006/03/apple-17-macbook-pro-predictions.html [blogspot.com]

Place it in context of surroundings (2, Insightful)

slashbob22 (918040) | more than 8 years ago | (#14905350)

This IS a very serious issue, however it does require some work (accessing log) to obtain root. In comparison to other operating systems which provide default root ("administrator") access, without a password, on installation; this isn't as big of a deal. On top of this, from my understanding, a change of the root password after installation would prevent further issues. Overall this seems to be a problem but certainly not a huge one.

Re:Place it in context of surroundings (5, Insightful)

damiam (409504) | more than 8 years ago | (#14905484)

In comparison to other operating systems which provide default root ("administrator") access, without a password, on installation; this isn't as big of a deal.

WTF are you smoking? No modern OS sets up an unpassworded root account by default, especially on a multiuser system. And if they did, there would be no expectation of security. Here, there is the expectation of security, and it is violated.

In fact, this attack is even worse than the average privilege escalation vulnerability, because a) it's amazingly stupid on the part of the programmer and b) the attacker gains not just root privileges but the root password, which is often reused by less-paranoid users for other purposes.

Re:Place it in context of surroundings (0)

Anonymous Coward | more than 8 years ago | (#14905522)

No modern OS sets up an unpassworded root account by default, especially on a multiuser system.

Interesting... it hasn't been long since I last accessed an unpassworded default Administrator account on a clean WinXP install. I think I see a flaw in your argument, unless you don't consider WinXP a "modern OS" (don't blame you for that, either).

Colin Watson's response was very professional (3, Informative)

zippity8 (446412) | more than 8 years ago | (#14905354)

He patched it within hours today, and posted to osnews with a description of what happened. He also posted a copy on the ubuntu forums [ubuntuforums.org] page including details of what happened. It affects clean installs of breezy, and dapper upgrades from a breezy install, but not hoary or a clean dapper. (hoary = 5.04, breezy = 5.10, dapper = not officially released yet)

So what if this was fixed quickly. (5, Insightful)

Anonymous Coward | more than 8 years ago | (#14905359)

Any programmer who doesn't stop themselves and think that writing something like fprintf(logfile, "root password entered is: %s\n", password); is not the best idea should not be writing code for a secure operating system.

MOD PARENT UP (0)

Anonymous Coward | more than 8 years ago | (#14905391)

Way up.

Never ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever EVER under ANY circumstances put a plaintext password in *ANY* file. Ever.

Re:MOD PARENT UP (1)

LOTHAR, of the Hill (14645) | more than 8 years ago | (#14905431)

Where else am i supposed to store my passwords?

Re:MOD PARENT UP (1)

hvatum (592775) | more than 8 years ago | (#14905514)

Just use a password that's easy to remember or one you can guess, like your first and last name. Or you can use the old classic "password" - no need to remember anything. When prompted for your password you've got it spelled out right there in the dialogue box!

Re:So what if this was fixed quickly. (1)

Brandybuck (704397) | more than 8 years ago | (#14905426)

Actually, they shouldn't be writing code for any system.

Re:So what if this was fixed quickly. (0)

Anonymous Coward | more than 8 years ago | (#14905458)

Has anyone been able to find the name of the culprit who did this? So we can ensure that we deny him or her access to any projects *we* are in charge of?
This was NOT a mistake -- it was criminally negligent ignorance, and whoever LET this code be submitted into the distro should pack up and leave, but at the very least let's get the name of the idiot whodunnit.

Legal before security-the openssl vs netatalk mess (4, Interesting)

SuperBanana (662181) | more than 8 years ago | (#14905489)

Want another example of Debian/Ubuntu idiocy?

The netatalk package, which provides Appletalk services (most commonly used services are AFP, ie filesharing, and papd, the printing spooler), isn't compiled in with ANY encrypted password support. If you connect to a debian or debian-based appletalk fileserver, you get a warning you are transmitting your password in clear-text. Yes, we're jumping about 10 years BACKWARDS in security.

Why? Because the legal-circle-jerk that is the debian-legal mailing list, decided that it wasn't "legal" to link netatalk (a GPL project) to OpenSSL (license supposedly incompatible with GPL.) This doesn't stop every other distribution on the planet from compiling netatalk with openssl, and hence supporting encrypted passwords.

They politely suggested that GnuTLS, which isn't even remotely drop-in, be used instead. That was back in 2002...and the issue still hasn't been addressed. I filed a bug on it and the bug was simply ignored.

Re:So what if this was fixed quickly. (1)

hvatum (592775) | more than 8 years ago | (#14905503)

Any programmer who doesn't stop themselves and think that writing something like fprintf(logfile, "root password entered is: %s\n", password); is not the best idea should not be writing code for a secure operating system.

Isn't that redundant? A programmer that dumb can never work on a "secure" operating system, it's logically impossible. As soon as they begin coding they'll jack things up so the operating system is no longer secure.

Better said, "A programmer like that can't be allowed to compromise a secure operating system."

Re:So what if this was fixed quickly. (3, Insightful)

strider44 (650833) | more than 8 years ago | (#14905505)

Come now, do you really think that somewhere in the code there's a manual fprintf writing the root password to the file? You could have at least made a simple attempt at reading the article to find out what it's about and what causes it.

The problem here is that the main user password (Ubuntu doesn't have a root password) is asked through the questions dialogue in the installer. Everything here is automatic and the questions dialogue just simply records everything down in a file called "questions.dat". It's a serious error for a programmer sure, but it's just a lack of thinking of everything when programming, which is what every single security hole is caused by, let's face it. You could just as easily say everyone who doesn't check their arrays every single time no matter what shouldn't be let within ten feet of gcc, but alas even the best make mistakes. Not only this, but someone who doesn't check every array may be letting through a remote exploit, which is much much more serious than this bug.

The mantra of course applies here: Unless you've programmed a totally secure operating system, keep your mouth shut.

Root password should never be recorded, ever (1)

Zweideutig (900045) | more than 8 years ago | (#14905360)

All that the operating system/software need to know is how to verify that the password entered is correct. And that can be done without storing the root password at all (encrypted or not) with a hash.
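The scheme this comment describes, as an added example that is not part of the original post: only a random salt and a slow salted hash are stored, and a login attempt is checked by re-deriving the hash. The function names, the PBKDF2 parameters and the sample password are choices made for this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # work factor chosen for this example


def enroll(password: str) -> dict:
    """Return the record to store: salt, iteration count and derived hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "iterations": ITERATIONS, "hash": digest}


def verify(record: dict, attempt: str) -> bool:
    """Re-derive the hash from the attempt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["hash"])


if __name__ == "__main__":
    secret = "constructed-example-password"  # constructed sample value
    record = enroll(secret)
    # The stored record never contains the password itself.
    print(secret.encode() in record["salt"] + record["hash"])
    print(verify(record, secret), verify(record, "wrong guess"))
```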

Re:Root password should never be recorded, ever (2, Interesting)

MichaelSmith (789609) | more than 8 years ago | (#14905513)

All that the operating system/software need to know is how to verify that the password entered is correct. And that can be done without storing the root password at all (encrypted or not) with a hash.

I assume that the OpenBSD installer runs passwd to set the root password during installation, similar to NetBSD.

But if either of these OS's went to a graphical installer they would need to write a graphical passwd command which makes an effort to keep the plain text out of swap files, insecure memory, etc.

That's a big ask, IMHO. Which doesn't mean it's ok to print the thing out, just that doing it properly is very hard.

But in this day and age of development frameworks, etc, there is less of a need for a programmer to think about the meaning of what he is reading from the UI. The backend programmer may assume that the UI guy understands about passwords, but he may not, too.

Well, now at least we know... (1)

Anonymous Covard (140827) | more than 8 years ago | (#14905393)

...just what made that distro so "breezy"!

Despite this little password issue... (2, Insightful)

Anonymous Coward | more than 8 years ago | (#14905399)

Ubuntu is poised to become the standard by which Linux distros are judged. I've been running the latest stable release, Breezy Badger 5.10 for awhile and it's rock solid, good looking, and easy to administer. Last night I downloaded Flight 5, the latest development iso for Dapper Drake 6.04, and was immediately impressed. In just one upgrade, they've managed to really go the extra mile with all the new features. I love minimalist simplicity, and Ubuntu gives me just that. Ubuntu is Debian made easy for the masses. You get the bullet-proof Debian core with a great, easy interface. Nothing touches this at the moment. Linux for human beings is a great tagline.
Now, let the script kiddies who have nothing better to do flame me for saying Ubuntu is cool. These same script kiddies who think they're 1337 because they have to manually set up their Slackware box. These same wanna-be geeks who are still bootstrapping their Gentoo systems for 12 hours to extract an extra 5 milliseconds of speed from their CPUs. I've done all that and now that I'm almost 40 years old, I just want a quick, stable system to work from.

Re:Despite this little password issue... (3, Informative)

MichaelSmith (789609) | more than 8 years ago | (#14905474)

Ubuntu is Debian made easy for the masses. You get the bullet-proof Debian core with a great, easy interface. Nothing touches this at the moment.

I run Ubuntu on my laptop and FC4 on my workstation. Ubuntu is great for office type stuff: word processing and email. A surprising number of printers work out of the box.

But I also want to use the laptop for development and here I have struck a few problems. Development libraries are not installed by default (fair enough) but I got into loops trying to install Motif development libraries through apt. I tried to compile motif but hit significant dependency problems in the process.

In general I don't think Ubuntu is suited to development work. I am considering dual booting the laptop with another OS for that purpose. But I do continue to recommend it to non-technical people who need to reinstall their systems.

Ehh (0, Troll)

cosmotron (900510) | more than 8 years ago | (#14905407)

This was probably just some way for the Ubuntu developers to steal passwords. But, since someone noticed they had to act like it was an accident and release a patch.

Preview of 5.10 Not Affected (2, Informative)

InViViD (960764) | more than 8 years ago | (#14905421)

I installed the beta of Breezy 5.10 and /var/log/installer/cdebconf/questions.dat *did not* contain my password. Looks like this only affected the final release.

Interesting juxtaposition (5, Insightful)

prockcore (543967) | more than 8 years ago | (#14905434)

I find it very interesting that the severity of this bug is identical to the severity of the security hole found in OSX last week... yet the difference in attitudes is remarkable.

Look at the slashdot summary. "An extremely critical bug and security threat". Compare with the OSX bug which was written off because it's not remotely exploitable.

Apple hasn't even acknowledged that the OSX privilege escalation exists, let alone patched it.

Apple did patch the recent OS X holes (2, Informative)

I'm Don Giovanni (598558) | more than 8 years ago | (#14905453)

Apple hasn't even acknowledged that the OSX privilege escalation exists, let alone patched it.

I agree with you regarding the different attitudes regarding this hole and the OS X holes. But I believe the recent OS X holes were indeed patched with Apple's March 2006 Security Update (though some websites are questioning whether the patches really fixed the underlying problems or merely placed band-aids on them).
http://docs.info.apple.com/article.html?artnum=303382 [apple.com]

For Ubuntu 5.10 users: (2, Informative)

dartarrow (930250) | more than 8 years ago | (#14905442)

open var/log/installer/cdebconf/questions.dat, check at line 2140. Mine is there, individual results may vary

What does patch help? (3, Insightful)

magi (91730) | more than 8 years ago | (#14905454)

Ubuntu users, be sure to get the patch right away.

What does this patch fix? The installer? Sorry, but the installer is burned in the installation media, and a patch can be applied only after the installer has been run. So updating the system or even upgrading to Dapper (where it has been fixed) doesn't help. So....patch whAt???

No really, the installation ISO images should be fixed immediately and redistributed.

Also saying that it "only affects The 5.10 Breezy Badger release" may be a bit belittling, as probably most people have installed exactly that release.

Re:What does patch help? (2, Informative)

prockcore (543967) | more than 8 years ago | (#14905501)


What does this patch fix? The installer?


No, the patch removes that key from the file, and chmod's it 600.
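What the fix described above amounts to, as an added sketch that is not the actual Ubuntu patch: drop the password entries from a questions.dat-style file and leave it mode 600. The "Key: value" stanza layout, the `example/...` names and the `scrub` function are assumptions made for this example.

```python
import os
import stat
import tempfile

# Constructed sample in an assumed "Key: value" stanza layout; the thread only
# names the file and says the password can be read from it.
SAMPLE = """\
Name: example/hostname
Template: example/hostname
Value: laptop

Name: example/user-password
Template: example/user-password
Value: constructed-secret
"""


def stanza_name(stanza):
    """Return the value of the stanza's Name field, or '' if it has none."""
    for line in stanza.splitlines():
        if line.startswith("Name:"):
            return line.split(":", 1)[1].strip()
    return ""


def scrub(path, needle="password"):
    """Drop stanzas whose Name contains `needle` and leave the file mode 0600.
    Returns (names_removed, was_world_readable)."""
    was_world_readable = bool(os.stat(path).st_mode & stat.S_IROTH)
    with open(path, encoding="utf-8", errors="replace") as fh:
        stanzas = [s.strip("\n") for s in fh.read().split("\n\n") if s.strip()]
    kept = [s for s in stanzas if needle not in stanza_name(s).lower()]
    removed = [stanza_name(s) for s in stanzas if s not in kept]
    # mkstemp creates the replacement as 0600 in the same directory, so the
    # rename is atomic and the new file is never readable by other users.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w", encoding="utf-8") as out:
        out.write("\n\n".join(kept) + "\n")
    os.replace(tmp, path)
    return removed, was_world_readable


if __name__ == "__main__":
    demo = os.path.join(tempfile.mkdtemp(), "questions.dat")
    with open(demo, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE)
    os.chmod(demo, 0o644)  # reproduce the world-readable starting state
    print(scrub(demo), oct(stat.S_IMODE(os.stat(demo).st_mode)))
```

Rewriting the file does not help if the password was already read, so the exposed password should still be changed.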

OpenBSD (1)

putko (753330) | more than 8 years ago | (#14905461)

It is unimaginable that OpenBSD would ever have an error like this.

I can't believe.... (1)

BlueStrat (756137) | more than 8 years ago | (#14905465)

all these comments and no one has yet said it... ..ok...I'll do it, you've forced me..

Is this a "badger hole"?

Hey, someone *had* to say it. Laugh.

Strat

Use the right tool... (5, Insightful)

MarkByers (770551) | more than 8 years ago | (#14905486)

Don't use a bleeding edge home desktop OS if you want a secure multi-user server.

Ubuntu? (-1, Troll)

Anonymous Coward | more than 8 years ago | (#14905492)

Ubuntu? What kind of a nigged out name is that? It sounds like something that smelly hippy Stallman would come up with. UBUNTU? I don't think so. I can smell it from here. The smell of an unwashed, uncivilized, 'alternative' OS.

Whew! (2, Funny)

cciRRus (889392) | more than 8 years ago | (#14905507)

Good thing I'm using Windows.