Monday, March 13, 2006

The root of all security

Anyone who reads the tech news regularly has probably heard about the latest announcement that a flaw in the Ubuntu 5.10 installation process leaves the default user password saved as plain text on the hard drive. As Ubuntu doesn't (by default) allow for a root password to be created and instead gives the first user root abilities by way of 'sudo', this means the de facto root password is left in plain view as plain text (pun not intended, at least not originally...), allowing other users access to the First User password.

However...
No, scratch that, I'll however in the next paragraph.
What's most surprising here isn't that Ubuntu has a security flaw. Software isn't perfect, and since every new version of Ubuntu has rewritten the installer, installation flaws might appear. Actually, what's surprising here is that it took so long to locate it. A lot of the open source "evangelists" claim that those kinds of bugs tend to surface more easily due to the large number of users/developers, the access to the code, the better method of communication, the community etc. etc. This didn't happen here. Until now.

What did happen is that this was patched in hours. What did happen is that this doesn't allow outside users to have root access, only local users (and users connected remotely through SSH). It also emphasised the fact that security practices are still the best way to ensure that your system is safe from outside attacks. Meaning, users who installed the OS through the "expert" mode and created a root password were not in any danger, and users who, following the installation, enabled root or a root-like user (meaning creating a second user that has the sudo-root privileges, and making the First User a limited, non-sudo user) wouldn't have been compromised by this flaw.

Also interesting is the question regarding the whole sudo model. Ubuntu's decision to use sudo instead of root has brought many complaints from veteran GNU/Linux users. Many people feel that this practice compromises the system's inherent security model and is a very good example of how Ubuntu, in its attempt to be more "accessible", broke the security model.

I don't subscribe to this concept. The dangers of working with a root terminal are well known, as the user might not close the terminal, or log out from root, after completing the operation. The sudo model minimizes the danger of leaving a superuser terminal open by forcing you to enter a password for each root operation. Adding a second layer of distance between the default user and the root operations, by creating an "admin" user with sudo privileges, is even better than the normal user/root model, as logging into "admin" would still demand the sudo password to be entered, and forgetting to close the "admin" terminal won't compromise the system.

On a similar note, I wrote in the past regarding the faulty concept that a product's security is measured by the number of officially disclosed flaws. I'm happy to see that there seem to be some changes in this way of thinking.

2 Comments:

At 15 March, 2006 03:33, Anonymous said...

I'll start with a note on that other note of yours about security. You wrote there that: "The reason UNIX/GNU/Linux, as well as every other Open-Source software, has more REPORTED security vulnerabilities is because THESE ARE EASIER TO LOCATE ONCE YOU HAVE ACCESS TO THE SOURCE CODE."
No.
People don't find those security holes by reading the source code, they find them either by chance or by attempting tried and true methods of attack.
The availability of the source code means that once the flaw is known, there are a hell of a lot more people available to figure out where it is and how to fix it.
It has to do with the way people use open source. As long as you're happy with the way the program works, you're unlikely to ever look at the code. Only if you're unhappy, either because you want to change something, or fix a bug (security or otherwise), only then do you have a reason to look at the code.
Closed source security holes are found the same way. Computers have been around for a long time, and some methods just work.
The non-disclosure camp simply lulls itself into a false sense of confidence thinking that "if we don't tell anyone, nobody else will find out about it." That is nothing more than another version of "security by obscurity."

 
At 16 March, 2006 17:18, Blogger Erez said...

I stand corrected, then.

I assumed that the open-source nature of such products allows for an added means of identifying flaws.
To be more exact, the openness and community nature of the FOSS products does go a long way to ensure that those flaws are reported and disclosed properly (and resolved in a very short period of time, as well).

 
