LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices



Reply
 
Search this Thread
Old 09-18-2012, 04:10 PM   #1
pandanuma
Member
 
Registered: May 2005
Location: greatwhitenorth
Distribution: mint 17
Posts: 59
Blog Entries: 7

Rep: Reputation: 19
can ubuntu's update manager be hacked?


more often than not, update manager does not ask for authorization when I click the 'install updates' button.
is there a possibility that the update manager can be compromised and 'infected' code will be installed?
 
Old 09-18-2012, 04:17 PM   #2
273
Senior Member
 
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 3,571

Rep: Reputation: 805Reputation: 805Reputation: 805Reputation: 805Reputation: 805Reputation: 805Reputation: 805
As far as I recall the default behaviour for sudo (and GKSU etc.) is to remember your password for something like 10 minutes after you enter it so if you've done anything requiring super user permissions and entered your password in the last ten minutes you won't be asked for your password again.
Why do people always suspect "hacking" before reading up on these things?
 
Old 09-18-2012, 05:17 PM   #3
OlRoy
Member
 
Registered: Dec 2002
Posts: 304

Rep: Reputation: 86
Linux update problems
Windows update problems
 
Old 09-18-2012, 05:33 PM   #4
pandanuma
Member
 
Registered: May 2005
Location: greatwhitenorth
Distribution: mint 17
Posts: 59
Blog Entries: 7

Original Poster
Rep: Reputation: 19
'sudo remembers your password for 10 minutes'...makes sense.

I did try to research the problem but went off in the wrong direction
(update manager instead of sudo)

found this link after you mentioned sudo:
https://help.ubuntu.com/community/Ro...t_sudo_timeout
default timeout is 5 minutes and can be changed.

now to see if this holds true next time I get an update...
 
Old 09-18-2012, 05:48 PM   #5
273
Senior Member
 
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 3,571

Rep: Reputation: 805Reputation: 805Reputation: 805Reputation: 805Reputation: 805Reputation: 805Reputation: 805
Sorry, yes, 5 minutes. I changed my settings so I couldn't remember.
Quote:
Originally Posted by OlRoy View Post
Whilst of course it is possible to hack package management systems it seems strange that somebody would do so and remove the need for the root password. Seems a good way to let a victim know there's something wrong and seems also to serve no other purpose.

Before assuming "hacking" learn how a system works as most of the posts I have read here and other forums seem to be the user misunderstanding how things are supposed to work.

Last edited by 273; 09-18-2012 at 05:55 PM.
 
Old 09-18-2012, 06:40 PM   #6
OlRoy
Member
 
Registered: Dec 2002
Posts: 304

Rep: Reputation: 86
Quote:
Originally Posted by 273 View Post
Sorry, yes, 5 minutes. I changed my settings so I couldn't remember.
Whilst of course it is possible to hack package management systems it seems strange that somebody would do so and remove the need for the root password. Seems a good way to let a victim know there's something wrong and seems also to serve no other purpose.

Before assuming "hacking" learn how a system works as most of the posts I have read here and other forums seem to be the user misunderstanding how things are supposed to work.
I posted the links because they're related to package management security, not that because they're the reason for him not requiring to enter the root password... The first site was posted in 2008, and I would hope much of the problems were fixed by now, but unfortunately attackers are creative in coming up with new ways to bypass security, and defenders often repeat mistakes so history often repeats itself. So yes, update managers can be compromised...
 
Old 09-18-2012, 06:51 PM   #7
pandanuma
Member
 
Registered: May 2005
Location: greatwhitenorth
Distribution: mint 17
Posts: 59
Blog Entries: 7

Original Poster
Rep: Reputation: 19
thanks 273, 5 minutes or 10 minutes...not an issue.

as for hacking, I blindly install all updates that update manager sends me.
sometimes the changes it makes to my system do not appear obvious and any changes that are glaringly obvious are still accepted and become the new normal.
how do I know that the password requirments for updates did not change and if so, are the changes authorized.
every change cannot be investigated so they are accepted, but a change in password requirements should raise a few flags.

now if sudo privileges are open for five minutes, does that open a window of opportunity for someone to access my system from the internet?
(how would you search for that answer before posting the question to this forum?)

forgive me for getting off topic
to paraphrase, it is better to light a candle than curse the darkness, it is better to ask a question than cruise the internet.
 
Old 09-18-2012, 06:52 PM   #8
273
Senior Member
 
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 3,571

Rep: Reputation: 805Reputation: 805Reputation: 805Reputation: 805Reputation: 805Reputation: 805Reputation: 805
Quote:
Originally Posted by OlRoy View Post
I posted the links because they're related to package management security, not that because they're the reason for him not requiring to enter the root password... The first site was posted in 2008, and I would hope much of the problems were fixed by now, but unfortunately attackers are creative in coming up with new ways to bypass security, and defenders often repeat mistakes so history often repeats itself. So yes, update managers can be compromised...
Sorry, yes, the links add some information to the thread. I came across a little critical but I didn't mean to. Must have my grumpy head on today.
 
Old 09-18-2012, 07:23 PM   #9
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Hanover, Germany
Distribution: Main: Gentoo Others: What fits the task
Posts: 15,653
Blog Entries: 2

Rep: Reputation: 4095Reputation: 4095Reputation: 4095Reputation: 4095Reputation: 4095Reputation: 4095Reputation: 4095Reputation: 4095Reputation: 4095Reputation: 4095Reputation: 4095
Quote:
Originally Posted by pandanuma View Post
how do I know that the password requirments for updates did not change and if so, are the changes authorized.
every change cannot be investigated so they are accepted, but a change in password requirements should raise a few flags.
The password policies are never changed, since they are inherent to the Linux system. If you want to make system wide changes on your system (which includes updating software) you always need root privileges for that. There may be the possibility to change the update system to get root privileges without asking for a password, but in this case you have no other choice as to trust the developers of your distribution or to inspect any package that is to be installed/updated for such changes.

Quote:
now if sudo privileges are open for five minutes, does that open a window of opportunity for someone to access my system from the internet?
Yes and no. Having that 5 minutes were the system does not ask for a password (this behavior can be disabled, by the way) will not enable people to log into your account and do malicious things. But there may be the (I would think rare) coincidence that in that five minutes an attacker uses an exploit in for example your browser and be able to change things on your system. That would be really a coincidence and I know not of one case where that happened.

Quote:
(how would you search for that answer before posting the question to this forum?)
Since I know that the questions you are asking are about authentication with using sudo I would search for sudo security risks and sudo time out risk or something similar.
 
1 members found this post helpful.
Old 09-18-2012, 08:15 PM   #10
pandanuma
Member
 
Registered: May 2005
Location: greatwhitenorth
Distribution: mint 17
Posts: 59
Blog Entries: 7

Original Poster
Rep: Reputation: 19
thanks TobiSGD, most informative.

OlRoy, your link to 'linux update problems' was worth reading but like you say, needs updating since it was posted in 2008.

and 273, I apologize for not mentioning in my original post what I had done to find an answer before resorting to this forum. I had just read the suggestions for asking good questions yesterday, but for the life of me it I could not follow (remember) those guidelines 24 hours later.
my bad.

My Smart questions will hopefully improve but I have noticed that I also need to work on smart searches. Sometimes a simple search leads me down multiple rabbit holes and I have to hop over to this forum.

thank you all.
 
Old 09-19-2012, 05:16 PM   #11
pandanuma
Member
 
Registered: May 2005
Location: greatwhitenorth
Distribution: mint 17
Posts: 59
Blog Entries: 7

Original Poster
Rep: Reputation: 19
Unhappy

no luck
turned on my computer this morning and had 146 updates on Update Manager.
checked my email and surfed the web for awhile
ignored the update message for about half an hour and actually left the computer idle for 6 or 7 minutes
clicked on the update manager icon
clicked on the install updates button
install started with no password requested...
back to finding out why

https://help.ubuntu.com/community/RootSudoTimeout
this page says: By default sudo remembers your password for 15 minutes. If you want to change that you can do so by: sudo visudo

*wait for next update then wait 20 minutes before testing?

I tried to view my sudo settings in a terminal: sudo visudo
there is no line for setting the timeout
my settings appear to be the basic default settings as shown on ubuntu's site.
I can accept the 15 minute timeout default, just trying to figure out why password not required if I have not invoked it after the timeout.

Note: 146 updates, less than 10 were for security reasons
 
Old 09-19-2012, 05:24 PM   #12
273
Senior Member
 
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 3,571

Rep: Reputation: 805Reputation: 805Reputation: 805Reputation: 805Reputation: 805Reputation: 805Reputation: 805
I think there may be a setting along the lines of "do not ask for a password" where it's stored in your Gnome Keyring (or similar). I don't have an Ubuntu instance to test at the moment and it's too late here to install a VM but if you don't find anything I'll likely have time tomorrow to try it out.
Far as I know the timeouts for sudo and gksu [and other graphical sudos] are set differently so setting hte timeout for sudo may achieve nothing.
 
Old 09-19-2012, 05:45 PM   #13
pandanuma
Member
 
Registered: May 2005
Location: greatwhitenorth
Distribution: mint 17
Posts: 59
Blog Entries: 7

Original Poster
Rep: Reputation: 19
thanks 273
I do not recall changing my password requirements and at the momemt it is not a big deal for me but I was curious as to why a password is required only sometimes in Update Manager.

I came across 'sudo -k' which will force passwords thereafter.
I will invoke it the next time this occurs.
 
Old 09-19-2012, 05:53 PM   #14
273
Senior Member
 
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 3,571

Rep: Reputation: 805Reputation: 805Reputation: 805Reputation: 805Reputation: 805Reputation: 805Reputation: 805
If I'm right it's just a tick box that comes up when you are asked to enter your password for Update Manager or similar and it could be possible to tick the box by mistake simply by catching a couple keys or a mouse button before typing in your password.
Ah, sorry, I forgot I run Update manager on Debian and it behaves the same. It is a tick box marked "remember password" when Update manager is invoked and it's easy to tick it if you're not watching carefully.
 
Old 09-19-2012, 07:11 PM   #15
pandanuma
Member
 
Registered: May 2005
Location: greatwhitenorth
Distribution: mint 17
Posts: 59
Blog Entries: 7

Original Poster
Rep: Reputation: 19
re 273:
no tickbox, I have to go into settings to change anything and only security updates can be set to automatically download.
All settings are currently set to "Display".
 
  


Reply

Tags
sudo, updatemanager


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
ubuntu software center in ubuntu 11.10 not running and update manager error quazisaad Linux - Newbie 2 11-30-2011 12:43 PM
I cannot update manager of Ubuntu 9.04 gsalzberg Linux - Newbie 8 10-26-2009 11:50 PM
Ubuntu 9.04 Error when using Update Manager rahowill Linux - Newbie 6 09-08-2009 07:39 PM
Update Manager Help with Ubuntu 8.04 MikRose Ubuntu 6 03-10-2009 01:56 PM
Unable to upgrade to ubuntu 7.10, update manager fails to update.... jonbvgood Linux - Software 2 02-05-2008 04:58 PM


All times are GMT -5. The time now is 10:50 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration