
pflog
Bueller? Bueller?
Premium,MVM
join:2001-09-01
El Dorado Hills, CA
kudos:3

Attention Ubuntu Users!

It appears as though the password for the account created during the install is visible in clear text.

Details on Ubuntu Forums.
--
The question isn't "what are we going to do," the question is "what aren't we going to do?" - Ferris

digital k
Premium
join:2003-12-25

1 edit

Oh wow that is major! I just checked both of my breezy installs and sure enough...password is shown.



yock
TFTC
Premium
join:2000-11-21
Miamisburg, OH
kudos:3

reply to pflog
I installed Ubuntu with a Warty disc, upgraded to Breezy from that and now I'm using Dapper. My password isn't in that file.


digital k
Premium
join:2003-12-25

2 edits

reply to pflog
From what I read over at the forums, yock, it doesn't affect dapper; my password was not in my dapper install either. It seems to be just breezy.



kleeman
Australian Expat

join:2000-07-29
Nyack, NY
kudos:1

reply to pflog
Hmm not on any of my boxes.



cob_
1310nm Of Goodness
Premium
join:2003-07-08
Tulsa, OK

reply to pflog
The machines we installed Breezy on 2 months ago are affected.

Name: passwd/user-password
Template: passwd/user-password
Value: (obfuscated for obvious reasons)

Name: passwd/user-password-again
Template: passwd/user-password-again
Value: (obfuscated for obvious reasons)
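A defender's check for the condition cob_ is showing above, written as an added example for this thread and not code from Ubuntu or from any poster: it parses the blank-line separated Name/Template/Value records in the layout quoted, reports any plaintext password question that still carries a value, tests whether a file mode is world-readable (the aggravating condition in the USN quoted later in the thread), and produces a scrubbed copy with those values blanked, which is what the security update did. The sample records, the password values in them and the default file path are constructed assumptions; the thread itself only names the file "questions.dat".

```python
#!/usr/bin/env python3
"""Audit a debconf questions file for leftover plaintext install passwords.

Added example for this thread; not Ubuntu's installer code. The sample
records and the default path below are constructed for illustration.
"""
import os
import stat
import sys
from typing import Dict, List

# Constructed sample in the layout quoted in the thread: records separated by
# blank lines, each a set of "Key: value" lines. The password values are made up.
SAMPLE_QUESTIONS_DAT = """\
Name: passwd/user-password
Template: passwd/user-password
Value: correct-horse-CONSTRUCTED
Owners: d-i

Name: passwd/user-password-again
Template: passwd/user-password-again
Value: correct-horse-CONSTRUCTED
Owners: d-i

Name: passwd/user-password-crypted
Template: passwd/user-password-crypted
Value:
Owners: d-i

Name: passwd/username
Template: passwd/username
Value: alice
Owners: d-i
"""

# Assumed location (the thread only names the file "questions.dat").
DEFAULT_PATH = "/var/log/installer/cdebconf/questions.dat"  # assumption

Record = Dict[str, str]


def parse_records(text: str) -> List[Record]:
    """Split the file into records; lines without a 'Key:' prefix are ignored."""
    records: List[Record] = []
    current: Record = {}
    for line in text.splitlines():
        if not line.strip():          # a blank line closes the current record
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def is_plaintext_password_template(template: str) -> bool:
    """True for the cleartext password questions; the '-crypted' variant holds a hash."""
    return template.endswith("-password") or template.endswith("-password-again")


def leaked_password_entries(text: str) -> List[str]:
    """Names of plaintext password records whose Value was never cleared."""
    return [r.get("Name", "?") for r in parse_records(text)
            if is_plaintext_password_template(r.get("Template", "")) and r.get("Value")]


def is_world_readable(mode: int) -> bool:
    """The advisory's aggravating condition: any local user can read the file."""
    return bool(mode & stat.S_IROTH)


def scrub(text: str) -> str:
    """Return a copy with plaintext password values blanked, as the fix did.

    Relies on 'Template:' preceding 'Value:' within a record, as in the layout
    quoted in the thread.
    """
    out: List[str] = []
    template = ""
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not line.strip():
            template = ""                                   # record boundary
        elif sep and key.strip() == "Template":
            template = value.strip()
        elif sep and key.strip() == "Value" and is_plaintext_password_template(template):
            line = "Value:"
        out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


def audit_file(path: str = DEFAULT_PATH) -> Dict[str, object]:
    """Read one file and report leaked entries plus its permission state."""
    mode = os.stat(path).st_mode
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return {"path": path, "world_readable": is_world_readable(mode),
            "leaked": leaked_password_entries(text)}


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_PATH
    if os.path.exists(path):
        print(audit_file(path))
    else:  # no installer log on this host: demonstrate on the constructed sample
        print({"path": "(constructed sample)", "world_readable": is_world_readable(0o644),
               "leaked": leaked_password_entries(SAMPLE_QUESTIONS_DAT)})
```

Run it with the file path as the only argument; a non-empty "leaked" list together with "world_readable": True is exactly the situation the thread describes, and the remediation is to rewrite the file from scrub() and tighten its mode so that only root can read it, which is what the updated packages did.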



kleeman
Australian Expat

join:2000-07-29
Nyack, NY
kudos:1

reply to pflog
Interesting, I don't have such a line. Instead I have

passwd/user-password-crypted

and no values.
This is on 3 installs.


mooosenix

join:2004-01-09
Madison, WI

reply to pflog
Well... this is kinda scary.



kleeman
Australian Expat

join:2000-07-29
Nyack, NY
kudos:1

reply to pflog
Security update heading to the servers already....


ftzsee
Premium
join:2001-11-22

1 edit

reply to pflog
Unbelievable.

I regretted installing Ubuntu on my server immediately when I was trying to figure out the package manager. I went to the site for documentation, and the best I got was "Click on System, Administration..." Gee, how helpful. What a shame that the box doesn't even have a monitor, let alone X and GNOME installed.

Something like this makes me want to switch back to Slack or Gentoo.

Edit: my system was affected.



yock
TFTC
Premium
join:2000-11-21
Miamisburg, OH
kudos:3

reply to digital k

said by digital k:

From what I read over at the forums, yock, it doesn't affect dapper; my password was not in my dapper install either. It seems to be just breezy.
I read the same, but bear in mind that my machine is technically a Warty install, not Dapper. This must specifically affect Breezy installs.
--
Wiki Wiki
First of all, if what I write appears to be too simplified, please excuse me. --Martin


firephoto
KDE
Premium
join:2003-03-18
Brewster, WA

reply to pflog
I don't see any of the user passwords exposed in the questions.dat file on dapper kubuntu from a flight3 install that's fully updated. I did the standard install.

This hit digg, and probably slashdot soon too so if you have any public or just multi-user systems under your control you know what to do.

Also keep in mind your bash_history if you searched for your password from the command line.

Oh and be aware you will soon see a flood of intelligent comments from the other OS fans.
--
Location: +48° 5' 23.40", -119° 48' 30.00"



Steve
I know your IP address
Consultant
join:2001-03-10
Yorba Linda, CA
kudos:5

reply to pflog
Wow: what if Microsoft did that?



firephoto
KDE
Premium
join:2003-03-18
Brewster, WA

said by Steve:

Wow: what if Microsoft did that?
Use passwords?


--
Location: +48° 5' 23.40", -119° 48' 30.00"


firephoto
KDE
Premium
join:2003-03-18
Brewster, WA

1 edit

reply to pflog

said by Colin Watson, Ubuntu installer maintainer:
So, er, yeah. This one sucked. As others have said, security updates are now making their way ASAP to both Breezy and Dapper (the latter for Breezy installs upgraded to Dapper). Here's the comment I just posted to OSNews about this:

I'm the Ubuntu installer maintainer, so obviously this bug is ultimately my fault. I'm sorry for that - it's clear it shouldn't have sneaked past QA. (We'll be updating our testing processes to be rather more careful about this sort of thing.) Now that I've spent the evening doing security updates to clean up the mess, I thought I might take a moment to explain how this happened, and why it wasn't noticed as an issue in Breezy at the same time as it was fixed in Dapper.

The Ubuntu installer (like Debian) uses a framework called debconf to do all its user interaction; that framework has a backend database which stores all the answers, which is where passwords ended up being stored for this vulnerability. Naturally, when you're asking for passwords using debconf, you take a lot of care to clean them out of the database afterwards: we explicitly clear them out in the password-asking code pretty much as soon as we can, and we have a separate database for the answers to password questions which isn't copied to the directory of installer log files in the final installed system. This had all been working well for some time (e.g. in Hoary).

Unfortunately, the way we arranged for the password question to be asked in the first stage of the Breezy installer meant that two debconf databases were involved rather than one, and the passwords only got cleared out of one of those databases. Even this would have been OK if it weren't for the fact that some changes we needed to make in cdebconf for other reasons in Breezy (I've yet to track down the exact changesets involved, but never mind) broke the mechanism that was supposed to make sure that passwords ended up in a separate database. Sigh.

As for why we didn't notice the problem in Breezy when this was fixed in Dapper, well, that's because the fix in Dapper was part of a massive installer reorganisation (»riva.ucam.org/~cjwatson/blog/ubu···ler.html) and it was really just fixed by accident. So it goes.

Anyhow, I've fixed this just about as soon as was humanly possible for me, and take it extremely seriously. While perhaps for some of you it's too little too late, we'll do everything we can to install better defences against this kind of thing in future.


ftzsee
Premium
join:2001-11-22

reply to firephoto

said by firephoto:

Oh and be aware you will soon see a flood of intelligent comments from the other OS fans.
said by Steve:

Wow: what if Microsoft did that?
Har har.


christcorp
Premium
join:2001-05-21
Cheyenne, WY
kudos:1

reply to pflog
I am by far NOT the best Linux techno geek here, but I will say, stay away from Ubuntu. Over the years, I have played with Red Hat, SuSe, Mandrake, and the original Unix. I am putting together another machine out of spare parts. This is being used just for some distributed computing such as Helix or other medical research. Very simple stuff.

Went to a used local computer shop to pick up an ATX case and power supply, and when I mentioned linux he handed me Ubuntu and said it was great and I just had to try it. I figured, what the hell. It's a virgin setup and for my uses, it could run DOS and I wouldn't care.

What a pain in the @ss. Hell, even Windows doesn't take this much time to get working stable. Don't care to get into details, just realize that after a couple hours of trying to get it stable, I nuked the bastard and had an old copy of SuSe 9.3 put back on in about a half hour.

As computers advance, they are supposed to get simpler to use. I grew up with this evolution. I had to write my own programs in the 1970's for the government and myself because you couldn't BUY a program. Throughout the evolution of the "PC" I have evolved with it. I'll be damned if I'm going to go backwards in order to get software to work. That is not an OPTION.

I like tinkering with Linux because it uses less drive space, and can be an all-inclusive operating system and associated programs. Especially for the non-gamer type computer.

If Linux is what you want, stick with SuSe or Mandriva. You don't need to go backwards in technology. I can't say that Ubuntu was a total waste of my time. It did make me learn that I won't ever waste time with it again. That's worth the 2-3 hours I spent on it. Later... Mike...


redhatnation
Premium
join:2005-06-02
Woodbridge, VA

reply to pflog
Fixed in just a few hours. That is some quick work by the Ubuntu folks, and on a Sunday too. Nice work.

»www.ubuntu.com/usn/usn-262-1

"Karl Øie discovered that the Ubuntu 5.10 installer failed to clean
passwords in the installer log files. Since these files were
world-readable, any local user could see the password of the first
user account, which has full sudo privileges by default.

The updated packages remove the passwords and additionally make the
log files readable only by root."



sybille
Not only "just visiting"
Premium
join:2004-04-06
France

reply to pflog
I'm impressed that Colin Watson, using his real name, came forward and took responsibility for the error, as well as fixing it.

That's refreshing.



pflog
Bueller? Bueller?
Premium,MVM
join:2001-09-01
El Dorado Hills, CA
kudos:3

I agree, it takes a lot of guts to admit something publicly like that. People shy away from accountability, but everyone makes mistakes. Kudos to this guy for the "my bad".
--
The question isn't "what are we going to do," the question is "what aren't we going to do?" - Ferris

