Thinking of trying Ubuntu?


...indeed a cleverly crafted web page can change the root password on ubuntu since your browser is running as you and you have root privs in sudoers ... and it doesn't even need your user password...

Is that really true, that a web page can change the root password on ubuntu, or is that your own speculation?

To an extent, yes, but really, probably not. What Gowator is referring to is if there is a security hole in the browser or one of its plugins which could be exploited to run arbitrary code as your regular user (most commonly done via buffer overflow). This could basically give them access to a command line as your user. You could feasibly attempt to change the password from there, however, IIRC, Ubuntu has it set so that anytime you sudo you have to enter your own password. The hacker would have to crack this password first - but that's nothing new. On any other system you would have to crack a password or two unless you exploited a flaw in a program that was running as root or gave root permissions. So, while there is a nugget of truth to Gowator's claim, the fact of the matter is it really doesn't make it any easier because you have to crack a password either way - either root's (which doesn't exist in Ubuntu), or the user's.

However (this just popped into my head, I'm adding it after what I wrote above) since they would be running as the user, they could change that user's password, and once that was done they could sudo to root using the new password they set - and bam, root access attained.

Link to comment
Share on other sites

... since they would be running as the user, they could change that user's password, and once that was done they could sudo to root using the new password they set - and bam, root access attained.

Don't you need to know the user's password in order to change it? passwd always asks me for the current password before letting me enter a new one.

However from the little I've played with the live versions of Ubuntu and Kubuntu, it's never asked me for a password when I do sudo. Perhaps the user password in the live version is empty too.

 

Thanks for the explanation though, that's not nearly as scary as Gowator's comment appeared.

Link to comment
Share on other sites

I am more concerned with Ubuntu leaving sudo active for 15 minutes once it gets activated. It leaves the system open to crackers and most users don't know how to deactivate / reduce the timespan in order to increase system-security.

Link to comment
Share on other sites

Don't you need to know the user's password in order to change it? passwd always asks me for the current password before letting me enter a new one.

I don't remember having to give it before, but I could be wrong. If you do, then we're just back to my initial assertion - that it's of equal security.

However from the little I've played with the live versions of Ubuntu and Kubuntu, it's never asked me for a password when I do sudo. Perhaps the user password in the live version is empty too.

There usually isn't a password for live versions, and if there is it's very weak. Don't expect security from a livecd - first, the packages can't be updated unless you get the latest and greatest all the time (so security holes stay in it) and second...if you are on a livecd, you shouldn't be on long, and you shouldn't be doing anything with risky data (i.e. logging into your bank account). Some people say they use a livecd because they don't think XP is secure enough, so they keep it with them. Personally, I'd rather use XP than boot into a livecd with outdated packages and no password (when doing "risky transactions").

I am more concerned with Ubuntu leaving sudo active for 15 minutes once it gets activated. It leaves the system open to crackers and most users don't know how to deactivate / reduce the timespan in order to increase system-security.

Yes, this is another way they could gain access. All they'd have to do is get a shell and wait for you to sudo - but this could take a lot of patience and most crackers would probably have moved on, or maybe left a program running that waits for you to sudo and then runs the malicious content. I believe this could be possible, though I've never heard of such an attack actually occurring. Besides, a cracker could do this on any system to which they have user access.

 

The truth is, once a cracker has user access you're pretty much done for. It doesn't matter what distro you're running, once a cracker has user it's only a matter of when and how he'll escalate to root - unless he loses his connection or you catch him.

Link to comment
Share on other sites

I am more concerned with Ubuntu leaving sudo active for 15 minutes once it gets activated. It leaves the system open to crackers and most users don't know how to deactivate / reduce the timespan in order to increase system-security.

This answers both really,

If your password is cached then they don't need your password....

 

At some point my sudoers file said ALL:ALL ...

whether this was installed that way I don't know or if a package managed it....

 

My webserver was hacked using Ubuntu and I didn't do too many forensics since I was more concerned in getting a new server running... what I did find is that the account hacked had used a non-login user and this user had switched the password...

 

AFAIK the crackers were relatively harmless .. that is they used my disk for storing their MP3's,..

 

but what I did do is track the attacks from the apache log...which I saved before wiping the whole disk...

I then checked out several of these boxes used to stage the attacks and in each time they were running Ubuntu.

 

So in a way it's partly speculative but based on known cracking methodology but I'm fairly confident given time and an ubuntu install I could do it... the sudoers policy makes it much easier but you still need a badly written program but that too is much easier in Ubuntu because many of the packages are hacked especially to work with the sudo policy... and most of the programs (if not all) are originally written to work in a normal *nix environment with a clear root account... having the global sudo policy means much of the normal sanity methodology doesn't work finding security flaws.. that is when it's security audited (as in debian) it is done so with tools looking to set a SUID bit etc. but Ubuntu bypasses this...

 

Of course the easiest way is to get you to run the program in any distro...

it's just easier when that program can be run as root by asking for the user's own password (if it's not cached)

Link to comment
Share on other sites
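
The two sudoers settings raised in the posts above, the credential-cache timeout and broad `ALL` grants, can be checked mechanically. The script below is an added example, not code from any poster or from Ubuntu; the sample sudoers text, the function names and the `www-data` rule are constructed for illustration, and the 15-minute default is the figure quoted in the thread.

```bash
#!/usr/bin/env bash
# Added example. SAMPLE is a constructed sudoers file, not from a real host.
SAMPLE='# This file MUST be edited with the "visudo" command as root.
Defaults        env_reset
root     ALL=(ALL) ALL
%admin   ALL=(ALL:ALL) ALL
www-data ALL=(ALL) NOPASSWD: ALL'

# Effective credential-cache lifetime in minutes. 15 is the Ubuntu default
# quoted in the thread; the last "Defaults timestamp_timeout=N" line wins.
# Simplification: scoped Defaults and #include files are not handled.
sudo_timeout() {
  printf '%s\n' "$1" | awk -v t=15 '
    /^[ \t]*#/ { next }
    /^[ \t]*Defaults/ && match($0, /timestamp_timeout[ \t]*=[ \t]*-?[0-9.]+/) {
      t = substr($0, RSTART, RLENGTH); sub(/^[^=]*=[ \t]*/, "", t)
    }
    END { print t }'
}

# Rules that skip the password prompt (NOPASSWD) or let a non-root
# user or group run every command as any user (blanket ALL).
risky_rules() {
  printf '%s\n' "$1" | awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    /^[ \t]*(Defaults|User_Alias|Runas_Alias|Host_Alias|Cmnd_Alias)/ { next }
    /NOPASSWD[ \t]*:/ { print "NOPASSWD: " $1; next }
    $1 != "root" && /=[ \t]*(\([^)]*\)[ \t]*)?ALL[ \t]*$/ { print "ALL: " $1 }'
}

# Hardened variant: drop the NOPASSWD rule and prompt on every sudo call.
HARDENED=$(printf '%s\n' "$SAMPLE" | grep -v 'NOPASSWD'
           echo 'Defaults timestamp_timeout=0')

# Print the findings for one sudoers text under a label.
report() {
  echo "== $1: password cached for $(sudo_timeout "$2") min"
  risky_rules "$2" | sed 's/^/   /'
}

report "sample" "$SAMPLE"
report "hardened" "$HARDENED"
```

On a real system, check any edited file with `visudo -cf <file>` before relying on it, and run `sudo -k` to discard cached credentials immediately instead of waiting for the timeout.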

Given time and any distro, it can be cracked. From all the research I've done, Ubuntu isn't inherently flawed. I think our discussions here have revealed the only real flaw, which is the length that sudo stays active. Other than that I see no reason to think Ubuntu is more susceptible to attack than any other Linux distribution (ok, 'cept maybe debian stable).

 

it is done so with tools looking to set a SUID bit etc. but Ubuntu bypasses this...

I'm not sure I understand your logic here - are you saying that, because these tools don't cover all possible means of entry, Ubuntu is somehow flawed? SUID is only necessary if the program requires it. Using SUID can actually be insecure, because a cracker could use a program with an SUID bit set to root to gain root access immediately. You're actually better off not setting SUID and instead sudo'ing when you need to run something as root. Nothing really insecure about that.

Link to comment
Share on other sites

By default it uses sudo. You can activate a root account but once you have done that, most administration tools will still ask you for the sudo password which is the password of the first user account you set up.

https://help.ubuntu.com/community/RootSudo

Link to comment
Share on other sites

although the command:

sudo -s

Acts just as su would, dropping you into a shell. It's just a few extra letters, and you could even take a few seconds to mask su to sudo -s so you just do it as you normally would.

Link to comment
Share on other sites

Given time and any distro, it can be cracked. From all the research I've done, Ubuntu isn't inherently flawed. I think our discussions here have revealed the only real flaw, which is the length that sudo stays active. Other than that I see no reason to think Ubuntu is more susceptible to attack than any other Linux distribution (ok, 'cept maybe debian stable).

Well #1 we are having the discussion which would never take place on Ubuntu forums ....anyone asking is basically told "you don't understand Linux go back to windows" or "The devs wouldn't do it if it was a risk"

I didn't see any of them ended without someone getting banned eventually... after retaliating to being called an idiot...

 

it is done so with tools looking to set a SUID bit etc. but Ubuntu bypasses this...

I'm not sure I understand your logic here - are you saying that, because these tools don't cover all possible means of entry, Ubuntu is somehow flawed? SUID is only necessary if the program requires it. Using SUID can actually be insecure, because a cracker could use a program with an SUID bit set to root to gain root access immediately. You're actually better off not setting SUID and instead sudo'ing when you need to run something as root. Nothing really insecure about that.

Sorry didn't explain myself fully....

What I meant is after some research I did for a friend (which made me look into the Debian security audit procedure - something I'd kinda taken for granted before) for his presentation ....

Lots of security flaws concentrate on say a prog setting a SUID bit (which as you say is insecure) so the auditors zoom into that code for instance to check it... in general the security procedure is

 

If prog running as root then <check a long list>

else

<check a shorter list>

 

The same goes if you follow guidelines for writing secure progs different rules exist if the prog will be run as root or not. This includes many p2p progs for instance... and many simply refuse to start as root... but if you wanna create a user called something else and give it all privs it'll probably run....

 

In other words the security is only good with "sane options"... and 90% of programs are designed to be run either as an unpriv'd user OR as root... if you wanna force it you probably can but then you are missing the security because you are not running it as it was audited or designed.

 

The huge difference with Ubuntu is that these modifications are system wide ..not one off workarounds.

The packages are modified to use the sudo policy... and these rely on other libs... which are then modified to work with the modified app... which then affects other progs running these libs. Ubuntu is always just one step from the user being root... or the user actually being root while the password is cached...

 

You really notice this if you use Ubuntu and try disabling this...as you start hacking the sudo and remove your user lots of unexpected stuff won't work...

 

perhaps the simplest way to demonstrate this is the comment from sudoers

 

# This file MUST be edited with the "visudo" command as root.

Why? because it's the sane way.... you must be root to edit sudoers... except ubuntu has no root.... so you need to edit it using sudo visudo except that's not how it was designed!

you're not meant to be able to

sudo su mysql

for instance

Link to comment
Share on other sites

although the command:

sudo -s

Acts just as su would, dropping you into a shell. It's just a few extra letters, and you could even take a few seconds to mask su to sudo -s so you just do it as you normally would.

 

I'm not sure that works on Ubuntu... (not saying it doesn't but as arctic just said )

By default it uses sudo. You can activate a root account but once you have done that, most administration tools will still ask you for the sudo password which is the password of the first user account you set up.

 

This was basically my starting point for problems... I set out trying to disable this (basically hacking in the proper sense) but it was like chasing ghosts... you follow one thing to the next etc. etc. actually taking my user from sudoers just broke things...

Link to comment
Share on other sites

This was basically my starting point for problems... I set out trying to disable this (basically hacking in the proper sense) but it was like chasing ghosts... you follow one thing to the next etc. etc. actually taking my user from sudoers just broke things...

So, I suppose your real problem with it is that, you expected it to act like some other distribution, and didn't accept it for what it was designed to be like?

Link to comment
Share on other sites
