LinuxQuestions.org


pandanuma 09-18-2012 03:10 PM

can ubuntu's update manager be hacked?
 
more often than not, update manager does not ask for authorization when I click the 'install updates' button.
is there a possibility that the update manager can be compromised and 'infected' code will be installed?

273 09-18-2012 03:17 PM

As far as I recall the default behaviour for sudo (and GKSU etc.) is to remember your password for something like 10 minutes after you enter it so if you've done anything requiring super user permissions and entered your password in the last ten minutes you won't be asked for your password again.
Why do people always suspect "hacking" before reading up on these things?

OlRoy 09-18-2012 04:17 PM

Linux update problems
Windows update problems

pandanuma 09-18-2012 04:33 PM

'sudo remembers your password for 10 minutes'...makes sense.

I did try to research the problem but went off in the wrong direction
(update manager instead of sudo)

found this link after you mentioned sudo:
https://help.ubuntu.com/community/Ro...t_sudo_timeout
default timeout is 5 minutes and can be changed.

now to see if this holds true next time I get an update...

273 09-18-2012 04:48 PM

Sorry, yes, 5 minutes. I changed my settings so I couldn't remember.
Quote:

Originally Posted by OlRoy (Post 4783659)

Whilst of course it is possible to hack package management systems it seems strange that somebody would do so and remove the need for the root password. Seems a good way to let a victim know there's something wrong and seems also to serve no other purpose.

Before assuming "hacking" learn how a system works as most of the posts I have read here and other forums seem to be the user misunderstanding how things are supposed to work.

OlRoy 09-18-2012 05:40 PM

Quote:

Originally Posted by 273 (Post 4783687)
Sorry, yes, 5 minutes. I changed my settings so I couldn't remember.
Whilst of course it is possible to hack package management systems it seems strange that somebody would do so and remove the need for the root password. Seems a good way to let a victim know there's something wrong and seems also to serve no other purpose.

Before assuming "hacking" learn how a system works as most of the posts I have read here and other forums seem to be the user misunderstanding how things are supposed to work.

I posted the links because they're related to package management security, not because they're the reason for him not being required to enter the root password... The first site was posted in 2008, and I would hope many of the problems were fixed by now, but unfortunately attackers are creative in coming up with new ways to bypass security, and defenders often repeat mistakes so history often repeats itself. So yes, update managers can be compromised...

pandanuma 09-18-2012 05:51 PM

thanks 273, 5 minutes or 10 minutes...not an issue.

as for hacking, I blindly install all updates that update manager sends me.
sometimes the changes it makes to my system do not appear obvious and any changes that are glaringly obvious are still accepted and become the new normal.
how do I know that the password requirements for updates did not change and if so, are the changes authorized?
every change cannot be investigated so they are accepted, but a change in password requirements should raise a few flags.

now if sudo privileges are open for five minutes, does that open a window of opportunity for someone to access my system from the internet?
(how would you search for that answer before posting the question to this forum?)

forgive me for getting off topic
to paraphrase, it is better to light a candle than curse the darkness, it is better to ask a question than cruise the internet. :)

273 09-18-2012 05:52 PM

Quote:

Originally Posted by OlRoy (Post 4783711)
I posted the links because they're related to package management security, not because they're the reason for him not being required to enter the root password... The first site was posted in 2008, and I would hope many of the problems were fixed by now, but unfortunately attackers are creative in coming up with new ways to bypass security, and defenders often repeat mistakes so history often repeats itself. So yes, update managers can be compromised...

Sorry, yes, the links add some information to the thread. I came across a little critical but I didn't mean to. Must have my grumpy head on today.

TobiSGD 09-18-2012 06:23 PM

Quote:

Originally Posted by pandanuma (Post 4783717)
how do I know that the password requirements for updates did not change and if so, are the changes authorized?
every change cannot be investigated so they are accepted, but a change in password requirements should raise a few flags.

The password policies are never changed, since they are inherent to the Linux system. If you want to make system-wide changes on your system (which includes updating software) you always need root privileges for that. There may be the possibility to change the update system to get root privileges without asking for a password, but in this case you have no other choice than to trust the developers of your distribution or to inspect any package that is to be installed/updated for such changes.

Quote:

now if sudo privileges are open for five minutes, does that open a window of opportunity for someone to access my system from the internet?

Yes and no. Having that 5 minutes where the system does not ask for a password (this behavior can be disabled, by the way) will not enable people to log into your account and do malicious things. But there may be the (I would think rare) coincidence that in that five minutes an attacker uses an exploit in, for example, your browser and is able to change things on your system. That would be really a coincidence and I know not of one case where that happened.

Quote:

(how would you search for that answer before posting the question to this forum?)

Since I know that the questions you are asking are about authentication using sudo I would search for sudo security risks and sudo time out risk or something similar.

pandanuma 09-18-2012 07:15 PM

thanks TobiSGD, most informative.

OlRoy, your link to 'linux update problems' was worth reading but like you say, needs updating since it was posted in 2008.

and 273, I apologize for not mentioning in my original post what I had done to find an answer before resorting to this forum. I had just read the suggestions for asking good questions yesterday, but for the life of me I could not follow (remember) those guidelines 24 hours later.
my bad.

My Smart questions will hopefully improve but I have noticed that I also need to work on smart searches. Sometimes a simple search leads me down multiple rabbit holes and I have to hop over to this forum.

thank you all.

pandanuma 09-19-2012 04:16 PM

no luck
turned on my computer this morning and had 146 updates on Update Manager.
checked my email and surfed the web for awhile
ignored the update message for about half an hour and actually left the computer idle for 6 or 7 minutes
clicked on the update manager icon
clicked on the install updates button
install started with no password requested...:scratch:
back to finding out why

https://help.ubuntu.com/community/RootSudoTimeout
this page says: By default sudo remembers your password for 15 minutes. If you want to change that you can do so by: sudo visudo

*wait for next update then wait 20 minutes before testing?

I tried to view my sudo settings in a terminal: sudo visudo
there is no line for setting the timeout
my settings appear to be the basic default settings as shown on ubuntu's site.
I can accept the 15 minute timeout default, just trying to figure out why password not required if I have not invoked it after the timeout.

Note: 146 updates, less than 10 were for security reasons

273 09-19-2012 04:24 PM

I think there may be a setting along the lines of "do not ask for a password" where it's stored in your Gnome Keyring (or similar). I don't have an Ubuntu instance to test at the moment and it's too late here to install a VM but if you don't find anything I'll likely have time tomorrow to try it out.
Far as I know the timeouts for sudo and gksu [and other graphical sudos] are set differently so setting the timeout for sudo may achieve nothing.

pandanuma 09-19-2012 04:45 PM

thanks 273
I do not recall changing my password requirements and at the moment it is not a big deal for me but I was curious as to why a password is required only sometimes in Update Manager.

I came across 'sudo -k' which will force passwords thereafter.
I will invoke it the next time this occurs.

273 09-19-2012 04:53 PM

If I'm right it's just a tick box that comes up when you are asked to enter your password for Update Manager or similar and it could be possible to tick the box by mistake simply by catching a couple keys or a mouse button before typing in your password.
Ah, sorry, I forgot I run Update manager on Debian and it behaves the same. It is a tick box marked "remember password" when Update manager is invoked and it's easy to tick it if you're not watching carefully.

pandanuma 09-19-2012 06:11 PM

re 273:
no tickbox, I have to go into settings to change anything and only security updates can be set to automatically download.
All settings are currently set to "Display".
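
Added example, not part of any post in this thread: a read-only shell check for the sudoers settings discussed above, namely the password timeout and any rule that skips the prompt altogether. The sample input and the users alice and bob are constructed; graphical front ends such as gksu, which 273 notes may be configured separately, are not covered.

```shell
#!/bin/sh
# Added example (not from the thread): read-only audit of sudoers-format
# files for settings that decide whether sudo prompts for a password.

# Print "file:value" for each timestamp_timeout set on a Defaults line.
# No output means no file sets it and sudo's compiled-in default applies.
sudo_timeouts() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        awk -v file="$f" '
            { sub(/#.*/, "") }                  # drop comments
            /^[ \t]*Defaults/ &&
            match($0, /timestamp_timeout[ \t]*=[ \t]*-?[0-9.]+/) {
                v = substr($0, RSTART, RLENGTH)
                sub(/.*=[ \t]*/, "", v)
                print file ":" v
            }' "$f"
    done
}

# Print "file:rule" for each rule that skips the prompt entirely:
# a NOPASSWD: tag or "Defaults !authenticate".
no_prompt_rules() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        awk -v file="$f" '
            { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
            /NOPASSWD[ \t]*:/ || /^Defaults.*![ \t]*authenticate/ {
                print file ":" $0
            }' "$f"
    done
}

# Constructed sample input; alice and bob are hypothetical users.
make_sample() {
    cat <<'EOF'
Defaults env_reset
Defaults:alice timestamp_timeout=0   # always prompt for alice
#Defaults timestamp_timeout=30
%admin ALL=(ALL) ALL
bob ALL=(ALL) NOPASSWD: /usr/bin/apt-get update
EOF
}

sample=$(mktemp)
make_sample > "$sample"
echo "timeouts:";        sudo_timeouts "$sample"
echo "no-prompt rules:"; no_prompt_rules "$sample"
rm -f "$sample"
```

On a real system the functions need root to read their input, for example `sudo_timeouts /etc/sudoers /etc/sudoers.d/*`, because those files are not world-readable.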


All times are GMT -5.