Someone found this out. Just a heads up for everyone who might be running Ubuntu.
https://launchpad.net/distros/ubuntu/+bug/34606
Bug #34606 in Ubuntu: "Administrator root password readable in cleartext on Breezy"
I can confirm it, just done so.
-
Cybermagellan
Live for nothing, or die for everything
-
As was said on the bug report, this is the initial password of the user who can use sudo. It's not actually the root password and if the user has changed the password any time since install it no longer works. This is also a local exploit so the person must have shell access to the box. Fortunately 'chmod 700 questions.dat' will fix the issue.
That said, it's still a fairly big issue and apparently this has already been fixed in the next release. -
Karim
Trapped in a world he never made!
My favorite comment on the Digg story:
so much for that linux security huh. if this was MS there would be 5000000 linux fan boys screaming like banshees
I don't think they're going to catch you....
Can we assume the entire Googleplex is affected by this bug? -
Cairo
I want my waffle sundae, give me my carbs!
Karim wrote:
Can we assume the entire Googleplex is affected by this bug?
Google uses RedHat...
-
Cybermagellan
Live for nothing, or die for everything
Karim wrote:
Everytime I see this picture I keep thinking about
"I can see down your shirt!" -
rjdohnert
You will never know success until you know failure
Actually Google uses a lot of different Linux distros
Cairo wrote:
Karim wrote:
Can we assume the entire Googleplex is affected by this bug?
Google uses RedHat...
-
rjdohnert
You will never know success until you know failure
One of the good Linux distros, what a shame it has a flaw. Does this mean Linux aint hacker proof?
-
Cairo
I want my waffle sundae, give me my carbs!
It's been fixed.
http://www.ubuntu.com/usn/usn-262-1
Relevant Ubuntu forum post:
http://www.ubuntuforums.org/showpost.php?p=818037&postcount=61
So, er, yeah. This one sucked. As others have said, security updates are now making their way ASAP to both Breezy and Dapper (the latter for Breezy installs upgraded to Dapper). Here's the comment I just posted to OSNews about this:
Fast response and a public mea culpa by the developer responsible. Yeah, open source sucks.
I'm the Ubuntu installer maintainer, so obviously this bug is ultimately my fault. I'm sorry for that - it's clear it shouldn't have sneaked past QA. (We'll be updating our testing processes to be rather more careful about this sort of thing.) Now that I've spent the evening doing security updates to clean up the mess, I thought I might take a moment to explain how this happened, and why it wasn't noticed as an issue in Breezy at the same time as it was fixed in Dapper.
-
Karim
Trapped in a world he never made!
Cairo wrote:Fast response and a public mea culpa by the developer responsible. Yeah, open source sucks.
That's awesome. I'm impressed not just by the speed and the transparency -- though I guess "transparency" usually goes along with open source -- but by the fact this guy took OWNERSHIP of a security issue and said, "Yeah, that was my fault."
You rarely see people owning problems these days. Everyone wants the credit if it works; no one wants the blame if it blows up.
I also liked that he didn't minimize the problem -- didn't claim it only affected a small number of customers or the usual BS.
Kudos.
-
rjdohnert
You will never know success until you know failure
Microsoft would never have gotten that problem fixed in the matter of hours it took the Ubuntu guy. It would have been released as part of patch Tuesday 6 months from now. OMFG, Open Source is just so, well its just so awesome.
-
Cybermagellan
Live for nothing, or die for everything
Wow this thread contains so much signal it's hurting my ears
Yeah great to see they got it resolved so fast. True it was only under certain circumstances howevere sadly the Ubuntu Forums alot of people met those circumstances so say what you will it's still was/is an issue.
I'm really glad to see people equally accepting that this happened and being open to the fact that none of us are perfect. Mark Shuttleworth (Ubuntu Diety) asked to postpone the next release for a few weeks, I think this gives him enough reason to.
All in all I'd have to agree, Microsoft would have never had gotten this out so fast, however I wonder how many parts of Windows hold the password in Plain Text for it even to have became an issue? -
rjdohnert
You will never know success until you know failure
Yeah I was partially joking. I agree with what you just said.
jaylittle wrote:rjdohnert wrote: Microsoft would never have gotten that problem fixed in the matter of hours it took the Ubuntu guy. It would have been released as part of patch Tuesday 6 months from now. OMFG, Open Source is just so, well its just so awesome.
I think you are partially joking but I also partially agree with you. Microsoft would've required that their testing department signed a dozen forms in triplicate before they rolled the patch into their monthly release schedule. Nonetheless, this was a rather nasty security hole and though it's been fixed in short order, it just goes to show you that security is something everybody needs to improve regardless of how accessible their source code is or isn't.
-
Harlequin
http://twitter.com/TrueHarlequin
rjdohnert wrote:Microsoft would never have gotten that problem fixed in the matter of hours it took the Ubuntu guy. It would have been released as part of patch Tuesday 6 months from now. OMFG, Open Source is just so, well its just so awesome.
I'm sure if/when Ubuntu is used on half a billion desktops, there is some sort of testing press before delivering a patch. Was there? -
rjdohnert
You will never know success until you know failure
As if they dont have one now? One of the good things about the Linux approach (Everyone set your watches and remember this moment Im actually going to say something good about the Linux community) is that with Linux designed the way it is they can make changes and not have to worry about the whole system falling apart. If Microsoft makes a change to Internet Explorer, thats tied into Windows Explorer and it screws up, the entire OS is gonna go down.
Harlequin wrote:rjdohnert wrote: Microsoft would never have gotten that problem fixed in the matter of hours it took the Ubuntu guy. It would have been released as part of patch Tuesday 6 months from now. OMFG, Open Source is just so, well its just so awesome.
I'm sure if/when Ubuntu is used on half a billion desktops, there is some sort of testing press before delivering a patch. Was there? -
rjdohnert
You will never know success until you know failure
How easy is it to get wireless working with Ubuntu, do I have to french kiss an alligator and swim a maze with 10 great white sharks just to get it configured?
-
I know quite a few people using wifi on their laptops with Ubuntu so I doubt it's too much hassle. Gentoo on the other hand...
-
Harlequin
http://twitter.com/TrueHarlequin
But, as was bought up in another thread; how do you know that this fix didn't wreck something else? No test process or anything of the sort?
-
Sven Groot
I'm Commander Shepard and this is my favourite store on the Citadel.
jaylittle wrote:Cybermagellan wrote: All in all I'd have to agree, Microsoft would have never had gotten this out so fast, however I wonder how many parts of Windows hold the password in Plain Text for it even to have became an issue?
Crappy Lanman hashes aren't too far off from plaintext. </half sarcasm>
That's the first thing I do when I install a Windows domain controller (which doesn't happen that often, I admit ): go into the default domain policy, set the authentication level at "Send NTLMv2 only - refuse LM" and set "Don't store LANManager hashes at
next password change" to enabled. Quite frankly I'm surprised this still isn't the default, even on Win2k3.
Thread Closed
This thread is kinda stale and has been closed but if you'd like to continue the conversation, please create a new thread in our Forums,
or Contact Us and let us know.