Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
more often than not, update manager does not ask for authorization when I click the 'install updates' button.
is there a possibility that the update manager can be compromised and 'infected' code will be installed?
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,680
As far as I recall the default behaviour for sudo (and GKSU etc.) is to remember your password for something like 10 minutes after you enter it so if you've done anything requiring super user permissions and entered your password in the last ten minutes you won't be asked for your password again.
Why do people always suspect "hacking" before reading up on these things?
Whilst of course it is possible to hack package management systems it seems strange that somebody would do so and remove the need for the root password. Seems a good way to let a victim know there's something wrong and seems also to serve no other purpose.
Before assuming "hacking" learn how a system works as most of the posts I have read here and other forums seem to be the user misunderstanding how things are supposed to work.
Sorry, yes, 5 minutes. I changed my settings so I couldn't remember.
Quote:
Whilst of course it is possible to hack package management systems it seems strange that somebody would do so and remove the need for the root password. Seems a good way to let a victim know there's something wrong and seems also to serve no other purpose.
Before assuming "hacking" learn how a system works as most of the posts I have read here and other forums seem to be the user misunderstanding how things are supposed to work.
I posted the links because they're related to package management security, not because they're the reason for him not being required to enter the root password... The first site was posted in 2008, and I would hope many of the problems were fixed by now, but unfortunately attackers are creative in coming up with new ways to bypass security, and defenders often repeat mistakes so history often repeats itself. So yes, update managers can be compromised...
thanks 273, 5 minutes or 10 minutes...not an issue.
as for hacking, I blindly install all updates that update manager sends me.
sometimes the changes it makes to my system do not appear obvious and any changes that are glaringly obvious are still accepted and become the new normal.
how do I know that the password requirements for updates did not change and if so, are the changes authorized.
every change cannot be investigated so they are accepted, but a change in password requirements should raise a few flags.
now if sudo privileges are open for five minutes, does that open a window of opportunity for someone to access my system from the internet?
(how would you search for that answer before posting the question to this forum?)
forgive me for getting off topic
to paraphrase, it is better to light a candle than curse the darkness, it is better to ask a question than cruise the internet.
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,680
Quote:
Originally Posted by OlRoy
I posted the links because they're related to package management security, not because they're the reason for him not being required to enter the root password... The first site was posted in 2008, and I would hope many of the problems were fixed by now, but unfortunately attackers are creative in coming up with new ways to bypass security, and defenders often repeat mistakes so history often repeats itself. So yes, update managers can be compromised...
Sorry, yes, the links add some information to the thread. I came across a little critical but I didn't mean to. Must have my grumpy head on today.
Quote:
how do I know that the password requirements for updates did not change and if so, are the changes authorized.
every change cannot be investigated so they are accepted, but a change in password requirements should raise a few flags.
The password policies are never changed, since they are inherent to the Linux system. If you want to make system wide changes on your system (which includes updating software) you always need root privileges for that. There may be the possibility to change the update system to get root privileges without asking for a password, but in this case you have no other choice than to trust the developers of your distribution or to inspect any package that is to be installed/updated for such changes.
Quote:
now if sudo privileges are open for five minutes, does that open a window of opportunity for someone to access my system from the internet?
Yes and no. Having those 5 minutes where the system does not ask for a password (this behavior can be disabled, by the way) will not enable people to log into your account and do malicious things. But there may be the (I would think rare) coincidence that in those five minutes an attacker uses an exploit in, for example, your browser and is able to change things on your system. That would really be a coincidence and I do not know of one case where that happened.
Quote:
(how would you search for that answer before posting the question to this forum?)
Since I know that the questions you are asking are about authentication using sudo I would search for sudo security risks and sudo time out risk or something similar.
OlRoy, your link to 'linux update problems' was worth reading but like you say, needs updating since it was posted in 2008.
and 273, I apologize for not mentioning in my original post what I had done to find an answer before resorting to this forum. I had just read the suggestions for asking good questions yesterday, but for the life of me I could not follow (remember) those guidelines 24 hours later.
my bad.
My Smart questions will hopefully improve but I have noticed that I also need to work on smart searches. Sometimes a simple search leads me down multiple rabbit holes and I have to hop over to this forum.
no luck
turned on my computer this morning and had 146 updates on Update Manager.
checked my email and surfed the web for awhile
ignored the update message for about half an hour and actually left the computer idle for 6 or 7 minutes
clicked on the update manager icon
clicked on the install updates button
install started with no password requested...
back to finding out why
*wait for next update then wait 20 minutes before testing?
I tried to view my sudo settings in a terminal: sudo visudo
there is no line for setting the timeout
my settings appear to be the basic default settings as shown on ubuntu's site.
I can accept the 15 minute timeout default, just trying to figure out why password not required if I have not invoked it after the timeout.
Note: 146 updates, less than 10 were for security reasons
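Added example, not part of any post in this thread: the poster found no timeout line in `sudo visudo`, so this sketch reads sudoers text on stdin and reports whether a global `timestamp_timeout` is set or the compiled-in default applies. The function names and both sample sudoers snippets are constructed for illustration; scoped entries such as `Defaults:user` are deliberately skipped, and only the text piped in is examined.

```shell
#!/bin/sh
# Print the last global timestamp_timeout found in sudoers text on stdin,
# or "unset" when no global Defaults line sets it.
sudo_timeout_from() {
    awk '
        # Global "Defaults" lines only; Defaults:user, Defaults@host are skipped
        $1 == "Defaults" {
            line = $0
            sub(/^[ \t]*Defaults[ \t]+/, "", line)
            n = split(line, opts, ",")      # one line may carry several options
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", opts[i])
                if (opts[i] ~ /^timestamp_timeout=/) {
                    sub(/^timestamp_timeout=/, "", opts[i])
                    val = opts[i]           # later lines override earlier ones
                }
            }
        }
        END { print (val == "" ? "unset" : val) }
    '
}

# Turn the raw value into the behaviour sudo documents for it.
describe_timeout() {
    case "$1" in
        unset) echo "no explicit setting: compiled-in default applies" ;;
        0|0.0) echo "always prompt" ;;
        -*)    echo "cached until reboot or sudo -k" ;;
        *)     echo "cached for $1 minutes" ;;
    esac
}

# Constructed sample: a stock-looking file with no timeout line.
SAMPLE_STOCK='Defaults env_reset
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin"
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL'

# Constructed sample: caching disabled globally, plus a scoped override.
SAMPLE_HARDENED='Defaults env_reset, timestamp_timeout=0
Defaults:backup timestamp_timeout=30'

for sample in "$SAMPLE_STOCK" "$SAMPLE_HARDENED"; do
    value=$(printf '%s\n' "$sample" | sudo_timeout_from)
    echo "$value -> $(describe_timeout "$value")"
done
# On a real system, feed it the live files, e.g.:
#   sudo cat /etc/sudoers | sudo_timeout_from
```

A result of "unset" matches what the poster saw: the window still exists, it is simply the default built into that distribution's sudo package.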
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,680
I think there may be a setting along the lines of "do not ask for a password" where it's stored in your Gnome Keyring (or similar). I don't have an Ubuntu instance to test at the moment and it's too late here to install a VM but if you don't find anything I'll likely have time tomorrow to try it out.
Far as I know the timeouts for sudo and gksu [and other graphical sudos] are set differently so setting the timeout for sudo may achieve nothing.
thanks 273
I do not recall changing my password requirements and at the moment it is not a big deal for me but I was curious as to why a password is required only sometimes in Update Manager.
I came across 'sudo -k' which will force passwords thereafter.
I will invoke it the next time this occurs.
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,680
If I'm right it's just a tick box that comes up when you are asked to enter your password for Update Manager or similar and it could be possible to tick the box by mistake simply by catching a couple keys or a mouse button before typing in your password.
Ah, sorry, I forgot I run Update manager on Debian and it behaves the same. It is a tick box marked "remember password" when Update manager is invoked and it's easy to tick it if you're not watching carefully.
re 273:
no tickbox, I have to go into settings to change anything and only security updates can be set to automatically download.
All settings are currently set to "Display".