For anyone thinking about trying Ubuntu, heres a link about installing Ubuntu software that appeared on digg - I had a quick read and it seems to be quite comprehensive, though straight forward.

regards

John

Nice link. I will pin it for now.

It seems a bit mixed

Which isn't strictly true ... sure WinAmp can be installed from a .exe BUT Windows has many deps as well.

I was recently surprised just how crazy some of them are like Omnipage pro requires Internet Explorer and a specific version up because they have used the MS dev kit....

..and wait for it you need a specific version of the installer ....

In Linux you have a choice of thousands of packages and all you need to do is ask the installer to install them and it will go off and find them, download, configure and everything .. the only reason people find it confusing is they think in Windows terms...

From the article POV it seems written well but from the standpoint of being a windows user?

In other words a more apt title (scuse the pun) might be discover linux through Ubuntu for windows users....

However the information itself seems very nicely put... once you read it as a article on how to start using ubuntu from a windows perspective.

I downloaded the Ubuntu from their site a few days ago and I must say that the install was pretty nice and user friendly. did not take long to figure out how to use the partition parameters (think it was grub if I am not mistake).

When it was done however I did not like the fact that it went over on my resolutions settings. I had to lower it back down to a stable 1024 x 768 to get rid of the lines crossing my screen.

Also too what bothered me at the time was the fact that I had to use sudo to do anything and that root was blocked out from logging in the gui. This is because I had no idea what my root password was and if I tried to do a passwd root command it would ask me for my existing root pass which I had no idea what it was. However it was simple to get it going, just log in to gui with the account I created in setup and then go to the user & groups applet and change the password there. but then I realized that I had to learn some commands to get updates and install appz.

But overall I did and do like it. with webmin I was able to find what packages were built for it and get them with no problem. Being a console man myself I must say that the gui too was nice. simple, uncluttered and nicely colored. For a 2nd distro I am impressed and will continue to have it as part of my network.

Now to check out Devil-linux ....
PS --- Still gonna be a drake head 4 life...... when are we gonna re-vote for those new banners?

I downloaded the Ubuntu from their site a few days ago and I must say that the install was pretty nice and user friendly. did not take long to figure out how to use the partition parameters (think it was grub if I am not mistaken).

When it was done however I did not like the fact that it went over on my resolutions settings. I had to lower it back down to a stable 1024 x 768 to get rid of the lines crossing my screen.

Also too what bothered me at the time was the fact that I had to use sudo to do anything and that root was blocked out from logging in the gui. This is because I had no idea what my root password was and if I tried to do a passwd root command it would ask me for my existing root pass which I had no idea what it was. However it was simple to get it going, just log in to gui with the account I created in setup and then go to the user & groups applet and change the password there. but then I realized that I had to learn and get used to the new commands to get updates and install appz.

But overall I did and do like it. with webmin I was able to find what packages were built for it and get them with no problem. Being a console man myself I must say that the gui too was nice. Simple, uncluttered and nicely colored. For a 2nd distro I am impressed and will continue to have it as part of my network. Just need to find a nice wallpaper for the brown.

Now to check out Devil-linux ....
PS --- Still gonna be a drake head 4 life...... when are we gonna re-vote for those new banners?

i had ubuntu dapper drake on all 5 of my systems up until a couple weeks ago when i came across mandriva one. have that on all 5 now.

think i'm going back to dapper though. this mandriva just seems to be to far behind the times now that i've used it.

I love Ubuntu. It's on all of my machines, even my ibook

It looks nice, but I hate the way they enforce sudo on you, and not give you a root account that you can easily use "su" with.

Yeah that is a pain, and the fact that the expert installer mucked up my volumes for fedora, rendering my fedora install unusable

yeah, but you can set that up.

if i need a sudo terminal, i typically do a sudo bash or something similar. i'm impressed with it. i'm a little weirded out that with edgy they've moved the info in the formerly /etc/inittab file elsewhere.

IIRC Edgy Eft uses upstart, which might explain why /etc/inittab has changed

You can easily enable the root account:

sudo passwd root

Couldn't be easier, indeed a cleverly crafted web page can change the root password on ubuntu since your browser is running is you and you have root privs in sudoers ... and it doesn't even need your user password...

Very unsecure in my opinion.

Its scarily insecure....
setting a root password helps because as default there is no root password so a user can change it exactly as above. At least if you set the root password then you need the root password to change it but in the default you don't need any password...

This is really my basic prob with Ubuntu... I could put up with the other stuff since every distro has good and bad sides but this part is so fundamentally flawed and embedded into Ubuntu as to make it almost impossible to purge.
Its obviously not impossible you can download every package as src and edit it but if your doing that why not just run Debian? but the major problem is the number of win converts who don't see why this is bad and the refusal of the devs to discuss it.

Its almost like a single thing that spoils the rest... because Ubuntu has a lot of good stuff... but this makes it a "do not pass go" distro IMHO..

Is that really true, that a web page can change the root password on ubuntu, or is that your own speculation?

I have never heard/read/seen something like that happening on ANY Linux system. Sure, Ubuntu has its flaws but it is not THAT bad.

Just my two cents.

To an extent, yes, but really, probably not. What Gowator is referring to is if there is a security hole in the browser or one of it's plugins which could be exploited to run arbitrary code as your regular user (most commonly done via buffer overflow). This could basically give them access to a command line as your user. You could feasibly attempt to change the password from there, however, IIRC, Ubuntu has it set so that anytime you sudo you have to enter your own password. The hacker would have to crack this password first - but that's nothing new. On any other system you would have to crack a password or two unless you exploited a flaw in a program that was running as root or gave root permissions. So, while there is a nugget of truth to Gowator's claim, the fact of the matter is it really doesn't make it any easier because you have to crack a password either way - either roots (which doesn't exist in Ubuntu), or the users.

However (this just popped into my head, I'm adding it after what I wrote above) since they would be running as the user, they could change that users password, and once that was done they could sudo to root using the new password they set - and bam, root access attained.

Don't you need to know the user's password in order to change it? passwd always asks me for the current password before letting me enter a new one.
However from the little I've played with the live versions of Ubuntu and Kubuntu, it's never asked me for a password when I do sudo. Perhaps the user password in the live version is empty too.

Thanks for the explanation though, that's not nearly as scary as Gowator's comment appeared.

I am more concerned with Ubuntu leaving sudo active for 15 minutes once it gets activated. It leaves the system open to crackers and most users don't know how to deactivate / reduce the timespan in order to increase system-security.

I don't remember having to give it before, but I could be wrong. If you do, then we're just back to my initial assertion - that it's of equal security.
There usually isn't a password for live versions, and if there is it's very weak. Don't expect security from a livecd - first, the packages can't be updated unless you get the latest and greatest all the time (so security holes stay in it) and second...if you are on a livecd, you shouldn't be on long, and you shouldn't be doing anything with risky data (i.e. logging into your bank account). Some people say they use a livecd because they don't think XP is secure enough, so they keep it with them. Personally, I'd rather use XP than boot into a livecd with outdated packages and no password (when doing "risky transactions")Yes, this is another way they could gain access. All they'd have to do is get a shell and wait for you to sudo - but this could take a lot of patience and most crackers would probably have moved on, or maybe left a program running that waits for you to sudo and then runs the malicious content. I believe this could be possible, though I've never heard of such an attack actually occurring. Besides, a cracker could do this on any system to which they have user access.

The truth is, once a cracker has user access you're pretty much done for. It doesn't matter what distro you're running, once a cracker has user it's only a matter of when and how he'll escalate to root - unless he loses his connection or you catch him.

This answers both really,
If your password is cached then they don't need your password....

At some point my sudoers file said ALL:ALL ...
whether this was installed that way I don't know or if a package managed it....

My webserver was hacked using Ubuntu and I didn't do too many forensics since I was more concerned in getting a new server running... what I did find is that the account hacked had used a non-login user and this user had switched the password...

AFAIK the crackers were relatively harmless .. that is they used my disk for storing their MP3's,..

but what I did do is track the attacks from the apache log...which I saved before wiping the whole disk...
I then checked out several of these boxes used to stage the attacks and in each time they were running Ubuntu.

So in a way a its partly speculative but based on known cracking methodology but Im fairly confident given time and an ubuntu install I could do it... the sudoers policy makes it much easier but you still need a badly written program but that too is much easier in Ubuntu because many of the packages are hacked especially to work with the sudo policy... and most of the programs (if not all) are originally written to work in a normal *nix environment with a clear root account... having the global sudo policy means much of the normal sanity methodolgy doesn't work finding security flaws.. that is when its security audited (as i debian) it is done so with tools looking to set a SUID bit etc. but Ubuntu bypasses this...

Of course the easiest way is to get you to run the program in any distro...
its just easier when that program can be run as root by asking for the users own password (if its not cached)

Given time and any distro, it can be cracked. From all the research I've done, Ubuntu isn't inherently flawed. I think our discussions here have revealed the only real flaw, which is the length that sudo stays active. Other than that I see no reason to think Ubuntu is more susceptible to attack than any other Linux distribution (ok, 'cept maybe debian stable).

I'm not sure I understand your logic here - are you saying that, because these tools don't cover all possible means of entry, Ubuntu is somehow flawed? SUID is only necessary if the program requires it. Using SUID can actually be insecure, because a cracker could use a program with an SUID bit set to root to gain root access immediately. You're actually better off not setting SUID and instead sudo'ing when you need to run something as root. Nothing really insecure about that.

I'm a little confused as I've never used Ubuntu or Kubuntu. Are you saying you just can't su to root? I've never used sudo because I don't like it. Do you have to use it?

By default it uses sudo. You can activate a root account but once you have done that, most administration tools will still ask you for the sudo password which is the password of the first user account you set up.
https://help.ubuntu.com/community/RootSudo

although the command:
Acts just as su would, dropping you into a shell. It's just a few extra letters, and you could even take a few seconds to mask su to sudo -s so you just do it as you normally would.

Well #1 we are having the discussion which would never take place on Ubuntu forums ....anyone asking is basically told "you don't understand Linux go back to windows" or "The devs wouldn't do it if it was a risk"
I didn't see any of them ended without someone getting banned eventually... after retaliating to being called an idiot...


Sorry didn't explain myself fully....
What I meant is after some research I did for a friend (which made me look into the Debian security audit procedure - something I'd kinds taken for granted before) for his presentation ....

Lots of security flaws concentrate on say a prog setting a SUID but (which as you say is insecure) so the auditers zoom into that code for instance to check it... in general the security procedure is

If prog running as root then <check a long list>
else
<check a shorter list>

The same goes if you follow guidelines for writing secure progs different rules exist if the prog will be run as root or not. This includes many p2p progs for instance... and many simply refuse to start as root... but if you wanna create a user called something else and give it all privs it'll probably run....

In other words the security is only good with "sane options"... and 90% of programs are designed to be run either as a unpriv'd user OR as root... if you wanna force it you probably can but then you are missing the security because you are not running it as it was audited or designed.

The huge difference with Ubuntu is that these modifications are system wide ..not one off workarounds.
The packages are modified to use the sudo policy... and these rely on other libs... which are then modified to work with the modified app... which then effects other progs running these libs. Ubuntu is always just one step from the user being root... or the user actually being root while the password is cached...

You really notice this if you use Ubuntu and try disabling this...as you start hacking the sudo and remove your user lots of unexpected stuff won't work...

perhaps the simplest way to demonstrate this is the comment from sudoers


Why? because its the sane way.... you must be root to edit sudoers... except ubuntu has no root.... so you need to edit it using sudo visudo except that's not how it was designed!

your not meant to be able to
sudo su mysql
for instance

Aha, that's neat. I only knew about sudo -i but that mysteriously changes the working directory too.

Im not sure that works on Ubuntu... (not saying it doesn't but as arctic just said )

This was basically my starting point for problems... I set out trying to disable this (basically hacking in the proper sense) but it was like chasing ghosts... you follow one thing to the next etc. etc. actually taking my user from sudoers just broke things...

sudo, su, sudo -s, su -i, visudo........... My head hurts now...

So, I suppose your real problem with it is that, you expected it to act like some other distribution, and didn't except it for what it was designed to be like?

Any user in the admin group can sudo

Pretty much Yes....

Perhaps in some ways that's because I'm a stubborn stick in the mud.... but its also justified in that the most secure is what you know... and what you can get experts to help you with... and also what you can actually discuss pro's and con's with.

Now the problem for me is... just like someone posted here ... sudo passwd will set the root password... BUT it doesn't remove the sudo permissions. If you post the question "How do I disable sudo and leave the system still working" on the Ubuntu forums you will get any number of answers showing how to set the root password ... quite a few telling you to go back to Windows but none telling you how to remove sudo from the integration...

As mysty demonstrated she just wants to do it the "normal way"... but you are unlikely to find that on the Ubuntu forums and like arctic said even when you do it doesn't behave "normally"... normally being how the developers of sudu intended...

This has quite a lot of consequences.... I prefer on the whole to leave package management to the distro tools, be that Debian or Mandriva or Ubuntu but sometimes you can't... for example there is a bug in mysql-admin in several versions and the only way to get round it is downloading from CVS... so I have my own .deb for mysql-admin .. which I made myself... using CVS sources...

Now obviously mysql-admin is fairly important security wise... you are accessing mysql as the mysql priv user...
but ... when I compile it I compile it in the way the folks at mysql intended and I can be reasonably confident that they have security in mind... their livelihood depends on it...

Now if I start hacking mysql-admin to work with the sudo policy in Ubuntu then I will probably reduce the security of the application because I know a lot less about mysql than the devels... (and equally the Ubuntu maintainers know far less than the mysql devels)

This in itself is a chain reaction... if I use db based identification then I compromise that... etc.

What Im saying is the Ubuntu maintainers and packages know far less about mysql than the mysql devels... and less about sudu than the sudo devels.. etc. and equally the developers for mysql, KDE, Gnome, <insert here> know far more about their application(s) than Ubuntu devs (or Debian ones for that matter) ... and that by having to hack each package they are compromising the security work of the original developers... (and in the case of a commercial company like mysql that is a lot of work and taken very seriously)

The more "sensitive" the application the more likely the consequences are ... and the less predictable they will be... and just as importantly the less relevant information on security alerts is... going back to what mysti said...
I just want it to work like that... like any other distro... because that is what I am comfortable with but it is also what the developers had in mind... and I think the developers in most cases understand their application much better than I do!

If you set up root by launching

sudo passwd root

then root is not in the admin group, iirc, or at least not the default password-requested user. How shall a newcomer to Ubuntu know about it? How is he supposed to know which config files need to be hacked in order to change that so there is a "normal" behaviour? And: How shall he know that he must remove the normal user from the admin group? And why do the GUI tools prefer the user password over the root password, even if both are in the admin group? That is imho highly irritating.

My old request is still there: Please ask the user during install if he wants sudo or a traditional root account. It cannot be that hard. E.g. Debian has this option and it is only ONE simple question you have to answer. Come on... porting that over from Debian cannot be that difficult (as Ubuntu is based on Debian).

Any user in sudoers can sudo.... and if this says ALL:ALL then any user password-less or not can sudo...
this includes user http or others... like mail etc.

Arctic, my experience from trying to achieve this is that its no longer that simple....
Debian packages are built around a conventional model... but Ubuntu packages are already hacked to work with the Ubuntu sudo model....
I tried to implement this then found that packages edit sudo... themselves and expect it to be there and set up in the Ubuntu way...

I don't think this was the intention of Ubuntu... I think its something that has happened... and the solution to a problem that was somehow self created.

I think the bottom line is it was something set as an ideal that looked easily achievable and turned out to be a bit more involved than they thought...

As a parallel .. I once worked on a remote access project for branch offices from round the world...
The guy "selling" the project made a statement that ALL users would have the same desktop .... as if they were in the local office.
Now users from the US or UK to France, this worked fine ... for branch offices in Africa with a 6 second latency and 64 kb/s via satellite it could NEVER work...

They could run the apps... fine.. what they couldn't do was run the desktop and the apps...

This one sticking point was never relinquished ... I spent a lot of time testing and actually built a test rig that introduced latency and BW restrictions... and proved this beyond any doubt but they guy who had stood in front of managers asking for money for the project simply refused to listen... or even read the results.

It was all or nothing for him and all simply wasn't possible...
This is where I think Ubuntu went wrong... someone said "users will never have to type a root password" and had an idea how to do it... that idea turned out to be flawed because it involved far more work than was thought and involved far more than just a few apps and noone will admit it turned out to be a money pit.

You missed out kdesu, gksu, ...

Ubuntu isn't really aimed at experienced Linux users, it's aimed at Linux newbies coming from Windows. For that it's perfect - confusing Windows users with questions about root would take away from the point of Ubuntu, which is to make Linux "easier" than most standard distributions. Not less secure, just less confusing.

Like I said before, if you don't like the philosophy of one Linux distribution, use a different one - Ubuntu will do things the way they see fit, and IMHO the people who made these decisions probably know more about Linux than any of us could ever hope to

Well, they definitely know more about it than I do. I am a noob compared to them, although I was part of a distro-devel team. And I forgot most things very soon after I have quit my work on the project.

I'm always gonna be a noob.

Alright, I tried Ubuntu for about the last 3 weeks, two box's laptop and one desktop. It's ok, seems a little slower response wise that FC6. Other than the same sudo complaints others have it "would" make a nice desktop, however both of my box's programs crashed left and right, I couldn't believe how many times the bug buddy stepped up to the plate. I've ran/tested Ubuntu before, but WOW, the bugs over took me, I started filling some, but after last night when nothing but BUG BUG BUG flashed on my screen for 5 minutes with all types, I happyily went back to Fedora

YMMV, but 2, thats 1, 2 Box's bugged all over the place, thats good enough for me to say bai bai....

Never experienced any bugs considering all kind of stuff I ran on it. Other than Beryl which are non-official an are in alpha stage. But alot of new stuff are being tested in Edgy also things that are marked beta. Mark have the devs free hands on edgy to play around with it to test all kind of new stuff.


About the sudo issue people here are complaining about; I have both used su and sudo and prefer sudo alot more, but I think it's a habit issue mostly and what people are used to.

Far as I know I've never ran into any bugs.

What progs were you running cybr to get these? Kind of curious.

Firefox, at least once a day.
xchat several times
gnome-terminal....
chaning themes/gnome-theme-manager
rhythmbox several times
banshee dialy

Pretty much a lot of the apps I use daily.

Strange....out of curiousity, did you do dist-upgrade or clean install?

I've used same apps like you listed (except firefox, epiphany user here ), and never had a crash.

Clean install.

I read somewhere that changing the color depth from 16 to 24 should solve firefox crashes.

I had it on 24, I'm happy in fedora land, just giving ubuntu a try again.

Okay, no problem.

Thanks though, I know my way around pretty well, it was just extremly weird how two systems were all bugged out. Tested my RAM too and it was fine.

I'm just a bit baffled. I know Firefox 2.x is bugged (afterall it was a beta they put in edgy). But I havn't seen any posts about the other issue you have.