LinuxQuestions.org
Old 03-14-2012, 10:31 AM   #1
Zssfssz
Is having everything be so easy a good thing?


The other day my grandma forgot the password to her lubuntu account (a wonder she didn't forget where the power button was) and called me and asked me to find it. In under 3 minutes I got the password reset without any prior knowledge of the accounts, set up a new administrator account, found the other username and reset the password. Is it really good to have this kind of stuff be easy?
 
Old 03-14-2012, 10:51 AM   #2
acid_kewpie
Yes. You are trusted to get physical access to that location and the equipment there, so what's the problem? There are further methods you could take to secure it, but if you could plain steal the machine outright, does it matter? You couldn't have done that remotely as easily, and to have gained local access without permission you would have had to presumably break various property laws, and others.
 
Old 03-14-2012, 10:58 AM   #3
snowpine
This is an everyday, real-world admin task (as I type this, someone, somewhere, has just forgotten their password), so why would you intentionally make it more difficult?
 
Old 03-14-2012, 01:30 PM   #4
widget
While it is not a difficult task to reset a password the entire Ubuntu family makes it even easier by taking you straight to a root prompt if you boot to recovery mode.

Under Debian, the base for Ubuntu, you need to use the root password to get the root prompt. This makes a lot more sense.

Why on earth, in this day of portable devices, would you make this process easier?

Obviously I think it is stupidly easy to change the user password under Ubuntu. Filed a bug on it and got plenty of abuse on the UFs.

Bug will not be fixed. This is a feature not a bug. Piss poor feature.
 
Old 03-14-2012, 03:02 PM   #5
snowpine
It is a false sense of security because GRUB can be edited in Debian (or any other distro really) to recovery mode with no password. (For that matter, you can boot with a live CD/USB and get the data that way.) Ubuntu just removes the mental hurdle of assuming their users will remember the GRUB code, so they put the recovery mode option right there in the menu.

If you are talking about a public enterprise or kiosk type of deal, then I think the assumption is that the deployment admin will choose the appropriate security measures for physical access/BIOS password/GRUB password/user accounts/root password vs. sudo, making the decisions that work best for the situation.

For a portable device, the only solution that makes sense is encryption. Obfuscating GRUB features is not a solution for leaving unencrypted data lying around in a public place!
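
The two controls argued over in this thread (a GRUB superuser password, and a usable root password for the recovery shell) can be checked from a machine's configuration. The script below is an added example, not part of any post; the function names, verdict labels and sample file contents are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit the two boot-time controls debated in this thread.
# All file contents below are constructed samples, not taken from a real host.

# Succeeds when the GRUB config defines a superuser list and a password entry,
# i.e. editing a menu entry at boot requires authentication.
grub_password_set() {
    grep -Eq '^[[:space:]]*set[[:space:]]+superusers=' "$1" &&
    grep -Eq '^[[:space:]]*password(_pbkdf2)?[[:space:]]+[^[:space:]]+' "$1"
}

# Prints "set", "locked" or "empty" for root's field in a shadow-format file.
root_password_state() {
    local field
    field=$(awk -F: '$1 == "root" { print $2 }' "$1")
    case $field in
        '')        echo empty ;;
        '!'*|'*'*) echo locked ;;
        *)         echo set ;;
    esac
}

# One-line verdict per control for a (grub.cfg, shadow) pair.
audit_boot() {
    local grub="$1" shadow="$2" out
    if grub_password_set "$grub"; then out="grub=protected"; else out="grub=editable"; fi
    case $(root_password_state "$shadow") in
        set) out="$out recovery=root-password" ;;
        *)   out="$out recovery=no-root-password" ;;
    esac
    echo "$out"
}

# Constructed samples: an Ubuntu-like default and a hardened variant.
SAMPLES=$(mktemp -d)
printf 'menuentry "Ubuntu (recovery mode)" {\n  linux /vmlinuz ro recovery nomodeset\n}\n' > "$SAMPLES/grub_default.cfg"
printf 'set superusers="admin"\npassword_pbkdf2 admin grub.pbkdf2.sha512.10000.PLACEHOLDER\nmenuentry "Ubuntu (recovery mode)" {\n  linux /vmlinuz ro recovery nomodeset\n}\n' > "$SAMPLES/grub_hardened.cfg"
printf 'root:!:15413:0:99999:7:::\ngrandma:$6$PLACEHOLDER:15413:0:99999:7:::\n' > "$SAMPLES/shadow_locked"
printf 'root:$6$PLACEHOLDER:15413:0:99999:7:::\n' > "$SAMPLES/shadow_set"

audit_boot "$SAMPLES/grub_default.cfg"  "$SAMPLES/shadow_locked"
audit_boot "$SAMPLES/grub_hardened.cfg" "$SAMPLES/shadow_set"
```

On a Debian or Ubuntu system the real inputs would be /boot/grub/grub.cfg and /etc/shadow, read as root. Neither control protects unencrypted data from a live CD/USB boot, which is the point post #5 makes about encryption.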
 
Old 03-15-2012, 03:33 PM   #6
widget
Yes grub can be edited to take you to recovery. This is not the point.

The point is that Ubuntu does not require a password to change the password. Distros with a root password require the use of that password to change the user password.

Ubuntu just assumes the user is an idiot and has nothing of value on the box. Therefore why bother with even the most simple security arrangements.

Personally I think that all Ubuntu users should log in as root, with auto login just to make things easier for everyone.
 
Old 03-15-2012, 03:42 PM   #7
acid_kewpie
Quote:
Originally Posted by widget
Yes grub can be edited to take you to recovery. This is not the point.

The point is that Ubuntu does not require a password to change the password. Distros with a root password require the use of that password to change the user password.

Ubuntu just assumes the user is an idiot and has nothing of value on the box. Therefore why bother with even the most simple security arrangements.

Personally I think that all Ubuntu users should log in as root, with auto login just to make things easier for everyone.
I think the point here is that you don't properly understand the ubuntu security model. Your advice does not make sense. Obviously the last line is a joke, but it's not a logical reduction of the security that Ubuntu provides.

Last edited by acid_kewpie; 03-15-2012 at 03:44 PM.
 
Old 03-15-2012, 03:48 PM   #8
273
My take on it is that on a home computer the reason for a separate root account and the subsequent need to sudo and enter a password is to prevent an automated install of malware. I agree that this isn't much like the old user/root relationship which was probably expected for unix and Linux but, then, multi user computers are rare enough nowadays that they are not really the norm.
As for Ubuntu being worse, I thought that you used to be able to start most distros in single user and reset the root password anyhow? I also agree that unless you encrypt your hard drive any passwords asked for on a portable device are largely irrelevant as far as security goes.

Last edited by 273; 03-15-2012 at 03:50 PM.
 
Old 03-15-2012, 10:42 PM   #9
Zssfssz
Root is not a bad person! Personally I think logging in as root is OK as long as you look at where you are and have a script replacement for rm that confirms the removal. But that's not the point.
I just saw a hole, and if grub can be edited to do that on any distro, linux is a disaster waiting to happen, the reason there are no hacks? We have too little market share. If Linux is to catch on this will need to be fixed, but again not the point.
With this, is there a way to install a dedicated bootloader (like Windows') to skip grub altogether?
 
Old 03-16-2012, 12:01 AM   #10
widget
Quote:
Originally Posted by acid_kewpie
I think the point here is that you don't properly understand the ubuntu security model. Your advice does not make sense. Obviously the last line is a joke, but it's not a logical reduction of the security that Ubuntu provides.
I think I understand quite well that after several years of folks complaining about the recovery mode menu which gave just such a pass to anyone booting to it that Debian finally dropped it.

This was a good thing.

Ubuntu hung on to it but would not maintain it separately from the base they get from upstream. So they decided to simply remove the need for a root password, something they have never used and have no desire to do so now. So now you don't have the simple for noobs menu and you have no more security.

The menu system could quite rightly be called a security hole from upstream. This implementation of what has now come from upstream can only be laid directly at the feet of Canonical and Ubuntu.
 
Old 03-16-2012, 12:09 AM   #11
widget
Quote:
Originally Posted by Zssfssz
Root is not a bad person! Personally I think logging in as root is OK as long as you look at where you are and have a script replacement for rm that confirms the removal. But that's not the point.
I just saw a hole, and if grub can be edited to do that on any distro, linux is a disaster waiting to happen, the reason there are no hacks? We have too little market share. If Linux is to catch on this will need to be fixed, but again not the point.
With this, is there a way to install a dedicated bootloader (like Windows') to skip grub altogether?
Grub is not the problem.

The problem is that Ubuntu uses grub on a system that is supposed to have a root password. When you boot to recovery on Debian you do not get met with a root prompt.

You get met with the option of giving the root password or returning to normal login as a user.

There are ways to get into any system. Ubuntu just chooses to make it very very simple.

Take it up with them. I already have so know what you face. Good luck with that. And have fun with the folks that think that because there are other ways in one more hole is a good idea.
 
Old 03-16-2012, 12:21 AM   #12
Zssfssz
I know GRUB is not the problem. Look at it like this: Recovery Mode Is A Stinky Manhole, I use a dedicated boot loader, ba bam I just put a cover on the manhole, the stink is still there but now it takes more effort to get there.
Do the BSDs/Solariss/Darwins have a similar problem?
 
Old 03-16-2012, 03:21 AM   #13
acid_kewpie
Quote:
Originally Posted by Zssfssz
I know GRUB is not the problem. Look at it like this: Recovery Mode Is A Stinky Manhole, I use a dedicated boot loader, ba bam I just put a cover on the manhole, the stink is still there but now it takes more effort to get there.
Do the BSDs/Solariss/Darwins have a similar problem?
Sorry mate, but you seriously do not understand these security models. Everything you are complaining about is BY DESIGN and does NOT constitute bad security. Every security model CAN be undermined and make it redundant, it's about how it's implemented and used, and grub's default (non) security model is just fine for most scenarios. How many enterprise data centres running government systems are out there with grub passwords or other additional boot security? Just about zero I'd say. The cabinet locks, the 4 layer security barriers, the video cameras and biometric security systems make these super specific measures redundant. You have to take a holistic approach to security, not just individually cherry pick sub components to criticize out of context.

Last edited by acid_kewpie; 03-16-2012 at 03:27 AM.
 
Old 03-16-2012, 03:21 PM   #14
Zssfssz
I Don't Care How Many Lasers And Knives Are Surrounding The Hole, It's Still There And Having One More Layer Of Defence Is A Good Thing, I Have A Me-only Computer And Don't Really Care But I Just Want To Know In Case I Am Ever In A Super Secure Environment.
 
  

