161 Comments
- manfesto, on 10/12/2007, -2/+15
For the record, this only affects Ubuntu Breezy - not any other release of Ubuntu. Much less does this affect Linux at large - ah, the advantages of having a number of distros out there in the wild.
Moreover, this mistake can only really be exploited if you've enabled SSH-ing into your machine, or if a nefarious character has physical access to your computer.
- coredump0x01, on 10/12/2007, -1/+13
Quick fix: 'sudo rm /var/log/installer/cdebconf/questions.dat && sudo rm /var/log/debian-installer/cdebconf/questions.dat' (execute as one command without the two ' ) This is a major problem. What's worse is the file is readable from any user account. It's confirmed that both the server install and desktop install are equally affected, kubuntu also. +Digg because ubuntu users need to know about this. We won't likely see another bug like this (in ubuntu anyway) since it's a consequence of a dumb installer.
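An added example, not part of any comment in this thread: a read-only audit of the two installer log paths named above. It reports whether each file still stores a non-empty password answer and whether any user can read it, without printing the value; the `Name:`/`Value:` stanza layout and the match on "password" in the question name are assumptions about the questions.dat format.

```shell
#!/bin/sh
# Added example: audit the installer logs named in the thread for leftover
# password answers. Assumption: questions.dat holds blank-line separated
# stanzas with "Name:" and "Value:" lines.

LOGS="/var/log/installer/cdebconf/questions.dat
/var/log/debian-installer/cdebconf/questions.dat"

# Print names of questions that mention "password" and still carry a
# non-empty Value. The value itself is never printed.
leaked_questions() {
    awk '
        /^Name:/   { name = $2; next }
        /^Value:/  { v = $0; sub(/^Value:[ \t]*/, "", v)
                     if (tolower(name) ~ /password/ && v != "") print name
                     next }
        /^[ \t]*$/ { name = "" }
    ' "$1"
}

# True when the "other" read bit is set on the file.
world_readable() {
    [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# Report one file; returns 1 only when a password answer is still stored.
audit_file() {
    f=$1
    [ -f "$f" ] || { echo "absent: $f"; return 0; }
    [ -r "$f" ] || { echo "unreadable, re-run as root: $f"; return 0; }
    names=$(leaked_questions "$f" | tr '\n' ' ')
    [ -n "$names" ] || { echo "clean: $f"; return 0; }
    if world_readable "$f"; then
        echo "EXPOSED (readable by any user): $f: $names"
    else
        echo "stored (restricted mode): $f: $names"
    fi
    return 1
}

# Audit every known path; non-zero status if any file needs attention.
audit_all() {
    status=0
    for f in $LOGS; do   # paths contain no spaces, so word splitting is safe
        audit_file "$f" || status=1
    done
    return $status
}

audit_all || echo "Password answers found: change those passwords and apply the security update."
```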
- coredump0x01, on 10/12/2007, -3/+15
It's a fault in the design of the installer script, the way it sounds, the developers did not think there was a problem. From bug report page, Colin Watson (ubuntu dev) wrote "I don't see how this is happening, because we deliberately db_set those questions to empty after retrieving the password to avoid this problem." So I don't think it was laziness at play, I think it was a combination of careless oversight and lack of testing. I can't say I'm surprised this is coming from ubuntu, but I was not expecting something this huge. I'm sure glad my Arch Linux box doesn't have this type of bug!
- rokka, on 10/12/2007, -0/+10
This is a better solution:
1) Install "wipe" from universe.
2) sudo wipe /var/log/installer/cdebconf/questions.dat && sudo wipe /var/log/debian-installer/cdebconf/questions.dat
- seattle98104, on 10/12/2007, -5/+14
i think you meant, so much for security on the ubuntu linux distro.
- chris302, on 10/12/2007, -4/+13
wow, that's a big hole.
I'm going to go check the ubuntu server @ school if it has it
- Yoshi39, on 10/12/2007, -2/+10
"please note that this is NOT a Linux bug, It is an installer bug UNIQUE to ubuntu. And let me be the first to say, Windows XP passwords are so much of a minor inconvenience, all it takes to change them is a boot to an ntpassword floppy disk, a reboot, a skip of the security descriptor check, and you're in. Try doing THAT to Linux."
Actually all you have to do is bring your favorite live distro, i.e. knoppix, boot and do mount /dev/hda /mnt/hda && chroot /mnt/hda /bin/bash and you have full control over the linux system installed to the hard drive. FYI I'm posting this from linux and I love linux, I'm just saying this to show that linux is far from perfect.
- zeth, on 10/12/2007, -1/+8
That is one reason for the long release cycles in the regular Debian distribution.
Come on, sing with me: "Quality assurance".
Good, thanks.
- gookie, on 10/12/2007, -0/+7
OMFG. I tried viewing the .dat file and saw my password in plain text!!!
-rw-r--r-- 1 root root 61228 2006-01-21 15:12 /var/log/installer/cdebconf/questions.dat
On dapper it's not there tho.
- coredump0x01, on 10/12/2007, -0/+6
Try doing a vi /var/log/installer/cdebconf/questions.dat against Arch, or Debian, or any other distro, like I said, this is an UBUNTU bug, it does not translate to a bug in all the world's Linux distributions.
"i can easily boot into single user mode in linux and change the root password to what ever i please anyway."
You still need a root password to access single-user mode.
"well that would pretty much cover anyway I can think of accessing a pc, so it doesn't negate the risk one little bit now does it?"
Yes it does, it negates the risk of remote exploitation, go read a nice security book and come back when you know what you are talking about.
- coredump0x01, on 10/12/2007, -1/+7
how's ssh going to get installed without user interaction? and more importantly, how is a malicious user going to initially log into the ssh server to view /var/log/installer/cdebconf/questions.dat without already knowing the password? as far as I know, ssh clients don't have a --please-just-let-me-in-without-a-password-mr-nice-ssh-server-i'll-be-good option. And if an ubuntu user is creating a user account for some random person on the net (and who would?) then he has signed his security away anyhow.
- batfink, on 10/12/2007, -0/+6
I wonder if this affects those on 4.10 and 5.04 as well!!
What a massive hole!
- peerk, on 10/12/2007, -0/+6
" And let me be the first to say, Windows XP passwords are so much of a minor inconvenience, all it takes to change them is a boot to an ntpassword floppy disk, a reboot, a skip of the security descriptor check, and you're in. Try doing THAT to Linux."
Ok, very easily done.
1) Boot using a linux CD.
2) mount the drive
3) navigate to /etc/shadow and delete root's encrypted password
4) reboot and log into root with no password
- coredump0x01, on 10/12/2007, -2/+7
Well, I suppose careless oversight and lack of testing does translate into laziness.
- xNaquada, on 10/12/2007, -1/+6
everyone needs to stfu about windows on this one.
I'm the first to criticize M$, but there's nothing easier than READING a file, and getting to it from a simple command line (by all users no less, and remote access too)
Hotfix quick!
- inactive, on 10/12/2007, -20/+25
it is a pretty major oversight and embarrassing, but incredibly easy to fix.
so much for that linux security huh. if this was MS there would be 5000000 linux fan boys screaming like banshees
- theholycow, on 10/12/2007, -1/+6
If you grep your /var directory for other occurrences of your pw, be sure to clear your history...and if your editor saves backup files, and you use it to edit the pw out of a file, be sure to delete the backup file.
- coredump0x01, on 10/12/2007, -9/+14
please note that this is NOT a Linux bug, It is an installer bug UNIQUE to ubuntu. And let me be the first to say, Windows XP passwords are so much of a minor inconvenience, all it takes to change them is a boot to an ntpassword floppy disk, a reboot, a skip of the security descriptor check, and you're in. Try doing THAT to Linux.
- Edogz, on 10/12/2007, -0/+4
wow. I just tried that and can confirm it. I'm going to go ahead and fix that up. I'm glad to hear that somebody said it's not there on dapper. Wow...
Thanks for bringing this to our attention..
- briguy, on 10/12/2007, -0/+4
Couldn't find it in my questions.dat file. Perhaps it only affected earlier release candidates?
- riczho, on 10/12/2007, -0/+4
Physical access = root access, but this can be exploited through any program (physical or remote) that allows a user to see the contents of a file (anything from ssh to some poorly coded web app).
- MyBotPiko, on 10/12/2007, -1/+5
If someone is allowed to grep through your physical device you have a HIGHLY insecure system, just a small user space filesystem reader like debug2fs can read any file on your filesystem regardless of permission in that case.
If your /dev/hd?? is readable by a user you're asking for big trouble.
- MasterDwarf, on 10/12/2007, -0/+4
They ALREADY have it PATCHED up:
http://www.ubuntuforums.org/showthread.php?t=143334&page=7
Nice. Very nice. and quick!
- geminitojanus, on 10/12/2007, -1/+4
From the looks of it, the installer script logged the password instead of deleting it. Probably good for debugging, but when it went primetime the developer forgot it was even there.
- inactive, on 10/12/2007, -4/+7
"boot to an ntpassword floppy disk, a reboot, a skip of the security descriptor check"
that sounds a ***** load harder to me than vi /var/log/installer/cdebconf/questions.dat, needs physical access, and if I have that then I can easily boot into single user mode in linux and change the root password to whatever I please anyway.
"Moreover, this mistake can only really be exploited if you've enabled SSH-ing into your machine, or if a nefarious character has physical access to your computer."
well that would pretty much cover anyway I can think of accessing a pc, so it doesn't negate the risk one little bit now does it?
- deeek, on 10/12/2007, -0/+3
There is already a security update to this problem. Case closed.
- coredump0x01, on 10/12/2007, -4/+7
We find one hole in one linux distribution that does not affect every linux distribution and we get comments like these, windows gets countless viruses and worms that exploit holes much larger than this on an unacceptable time base and it's just business as usual, wait till next month for ms to release a patch. When was the last time you heard of something this big happening to any other linux distribution? I only wish a real distribution could have acclaimed the popularity of ubuntu.
- kelvie, on 10/12/2007, -2/+5
Just rm'ing the files is futile, anyone grepping through the physical block device may very easily find the password, even after it is gone (assuming a non encrypted filesystem, which is most often the case). A program like 'shred' will work on non-journalled FS's, but if you do have one (most of us do), it looks like you are SOL.
This is a huge screw up on the part of the devs.
- gookie, on 10/12/2007, -0/+3
dude, I do acknowledge that you like ubuntu so much. but shouting here that this bug is a hoax is just plain stupid. I use ubuntu and yes, I did see my password in plain text on the said log file...and so did LOTS of users from the comments here, the forum, and on the bug report. My log file was generated at 2006-01-21 (the time of installation). Prolly on later release of the ISO's the log file format was changed.
- riczho, on 10/12/2007, -1/+3
Actually, the source isn't necessary to see this bug.. all the discoverer probably did is.. view the file and recognize their password in plaintext (the same could/would probably have happened in a closed source OS).
(Although I'd say that this will probably be fixed faster than it would have in a closed-source OS)
- gookie, on 10/12/2007, -1/+3
FROM: https://launchpad.net/distros/ubuntu/+bug/34606
by Colin Watson at 2006-03-12 23:01:48 UTC
"Security updates are heading in the direction of breezy-security and dapper right now."
Good. Fast. Wondering though what's there to fix on dapper...
- lego, on 10/12/2007, -0/+2
Explanation: http://www.ubuntuforums.org/showpost.php?p=818037&postcount=61
- inactive, on 10/12/2007, -0/+2
ouch, that's a big bug.
But, in the OSS community bugs like this are found and patched quickly and easily :-)
- inactive, on 10/12/2007, -1/+3
The update is already out, patched my system already. For those who are afraid of ubuntu, it's ok. Ubuntu cares about YOU and your machine. Ran the update manager, three updates, including one called Passwd (I believe). Done and done.
- Xiol, on 10/12/2007, -1/+3
@thecoolestcow
I think coredump just forgot to bring his sarcasm detector.
- inactive, on 10/12/2007, -1/+3
Just checked, and yeah, my root password is there. Crazy.
But there should be a fix released in the update manager in the next 60 seconds, so this is basically a non-issue. Big hole, easy fix. I'm not scared.
*dugg for letting me know
- vh1`, on 10/12/2007, -0/+2
no files named "questions.dat" exist on my system. I'm running a 5.10 install, and haven't updated since they released the security update
but then again, I did remove the packages ubuntu-desktop (for kubuntu-desktop) and installation-report
instead of removing the files, why not just chmod 600 them? the owner is already root:root, so if someone wants to see it, they'd already have to have root permissions
- drizek, on 10/12/2007, -0/+2
Ubuntu =! linux. ubuntu, especially at this early stage, is not meant for mission critical tasks and in areas where security is really important. For those things, you should be running red hat, suse or debian instead.
Also, ssh is turned off by default in ubuntu, so for the majority of people this will only be a problem if someone actually sits down at their desk and then starts snooping around for their password.
This is nothing when compared to windows exploits.. This is a bug, it's already been fixed, and when it is all said and done, the number of people affected will more than likely add up to 0. No need to really make a huge deal out of it.
- gookie, on 10/12/2007, -1/+3
This is really stupid and compromises big time.
I can use any live CD and I have physical access to a Breezy box (ie, friends, dorm mates, etc), I can read the log file and know their password INSTANTLY and can log in and be root any time using sudo.
CRAZY, CRAZY, CRAZY.
Even if it's gone in dapper...how can they overlook such thing? Who knows if eventually something will be discovered on Dapper? I'm really hoping tho it's the end of this.
- Chakz, on 10/12/2007, -3/+5
Exactly what I was thinking. Personally, I use Windows XP, Vista and Mandriva 2006 PowerPack. Every OS has its pros and cons and I don't see myself ever using just 1. As of right now I think Windows XP is the Operating System with the most features. I used nLite before installing it so it has no extra crap in it. It's very stable. You can't compare OS's if they aren't relatively the same. One of my programs might crash on Windows from time to time, but that's not really a con seeing as how that program might not ever run on linux.
- cypre$$, on 10/12/2007, -0/+1
just change your root password after installing.
- predius, on 10/12/2007, -1/+2
Just like the Mac privilege escalation which had everyone going up in arms saying that it wasn't a security risk?
- Kyoushu, on 10/12/2007, -0/+1
Even with this bug found in Ubuntu, I'm still going to install it on all of my computers. Overall, Ubuntu is still much better than Windows, especially security wise.
- nbx909, on 10/12/2007, -0/+1
you could just chmod it to root only and then change your root password...
- eqisow, on 10/12/2007, -0/+1
I'm running Dapper flight 5 and it's there... but then again I used dist-upgrade. I wonder if it's safe to erase the lines....
- replica, on 10/12/2007, -2/+3
You could drive a truck through that massive hole.
- afrazkhan, on 10/12/2007, -0/+1
This is going to sound retarded, but how do I find out which version of Ubuntu I'm using? All I know is that the codename is "Hoary Hedgehog", is there a version number associated with that?
Debian versioning was so much easier to follow.
I can't see my password in that file, but then I've changed my password so many times since the install I'm not sure what it used to be.
- link470, on 10/12/2007, -2/+3
smooth....
- mabino, on 10/12/2007, -0/+1
@drizek
That's not an adequate answer if the user with elevated privileges has used those privileges to replace the passwd command.