Important Security Notice - mintAssistant 2.4 in Elyssa!


Re: Important Security Notice - mintAssistant 2.4 in Elyssa!

Postby Husse on Sun Jun 15, 2008 5:48 pm

Yes
and there is always
sudo passwd root

Re: Important Security Notice - mintAssistant 2.4 in Elyssa!

Postby Eric Weir on Mon Jun 16, 2008 10:19 am

Husse wrote: Yes
and there is always
sudo passwd root

Thanks, Husse. I think I'm gonna have to start learning Linux and the command-line.

Regards,
Eric Weir
Decatur, GA USA
Linux Mint 5

Re: Important Security Notice - mintAssistant 2.4 in Elyssa!

Postby arun on Tue Jun 17, 2008 3:45 pm

Sir, I want to know how to use aptoncd.
2) Please give how to upgrade my Mint OS (applications) without an internet connection.

Re: Important Security Notice - mintAssistant 2.4 in Elyssa!

Postby Husse on Wed Jun 18, 2008 8:11 am

@ arun
This makes me really irritated :twisted:
Why the f-ck do you post that here?
Edit by Husse on June 23
I could of course just have split off the post but it actually made me somewhat angry :)

Re: Important Security Notice - mintAssistant 2.4 in Elyssa!

Postby larryfroot on Sun Jun 22, 2008 9:44 am

I'm considering moving from Ubuntu Hardy to Mint Elyssa. The way that this bug has been found, made public, fixed and that fix disseminated has really, really impressed me. I am happy with Hardy, but want to use Mint as it seems so much more accessible and useful for newbies whilst keeping the power and flexibility of a good distro intact. I just want to recommend such a distro to friends and family. This thread has gone a long way in answering my questions about which one. Excellent work, Clem.

Re: Important Security Notice - mintAssistant 2.4 in Elyssa!

Postby Ardanbis on Fri Jun 27, 2008 9:21 am

When I saw that bug I used:
sudo passwd -l root
immediately to lock the root account, but now anytime I do "sudo su" it shows this message:

Your account has expired, please contact the system administrator.(ignored)

And after I get that message it logs me in as root.

Is there any way to "ignore" this message completely? I mean I don't want to see it anymore.
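Added example, not part of the thread: a shell function that reads one /etc/shadow-format line and reports the password-field state separately from the account-expiry field, so a locked password and an expired account can be told apart. That the message quoted above comes from the expiry field (field 8) is an assumption; the function name and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Classify one /etc/shadow-format line: password-field state and expiry state.
# Sample lines at the bottom are constructed; they contain no real hashes.

# classify_shadow_entry LINE [TODAY]   (TODAY = days since 1970-01-01)
classify_shadow_entry() {
    line=$1
    today=$2
    [ -n "$today" ] || today=$(( $(date +%s) / 86400 ))
    # shadow(5): name:password:lastchg:min:max:warn:inactive:expire:reserved
    IFS=: read -r name pw lastchg min max warn inactive expire reserved <<EOF
$line
EOF
    case $pw in
        '')         pw_state=empty ;;    # no password needed to authenticate
        '!'*|'*'*)  pw_state=locked ;;   # no password can match this field
        *)          pw_state=set ;;      # a password hash is present
    esac
    case $expire in
        ''|0)       acct_state=no-expiry ;;  # 0 is ambiguous in shadow(5); treated as none here
        *[!0-9]*)   acct_state=invalid ;;
        *)  if [ "$today" -ge "$expire" ]; then acct_state=expired
            else acct_state=valid; fi ;;
    esac
    echo "$name password=$pw_state account=$acct_state"
}

TODAY=14064   # constructed "today": 2008-07-04 as days since the epoch
classify_shadow_entry 'root::14000:0:99999:7:::' "$TODAY"
classify_shadow_entry 'root:!$1$SALT$HASH:14000:0:99999:7::1:' "$TODAY"
classify_shadow_entry 'root:$1$SALT$HASH:14000:0:99999:7:::' "$TODAY"
```

On a live system the line would come from `sudo getent shadow root`.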

Re: Important Security Notice - mintAssistant 2.4 in Elyssa!

Postby Phosgene on Thu Jul 03, 2008 9:01 pm

Good to know this has been fixed, however this doesn't affect me. Goes to show that it's never good to neglect the root account. Always set a reasonably strong password, even if it is written down somewhere (may not be the best security practice, but much better than leaving root open). :) In the case of Ardanbis, it's never a good idea to lock root, if users accidentally get deleted, root can always be counted on to help bail you out of any problems that you may run into.

Re: Important Security Notice - mintAssistant 2.4 in Elyssa!

Postby Ardanbis on Fri Jul 04, 2008 8:41 am

Phosgene wrote: Good to know this has been fixed, however this doesn't affect me. Goes to show that it's never good to neglect the root account. Always set a reasonably strong password, even if it is written down somewhere (may not be the best security practice, but much better than leaving root open). :) In the case of Ardanbis, it's never a good idea to lock root, if users accidentally get deleted, root can always be counted on to help bail you out of any problems that you may run into.


Absolutely False.

If you need the root account for an emergency, in the Grub Menu you just have to choose the recovery mode, or if it is not available, edit the Linux Mint option deleting "ro quiet splash" and editing "init=/bin/bash" and press Enter.

Keeping the root account locked is THE strongest way to protect your computer. (This and a good firewall, especially if it drops ping, a thing that ufw doesn't do by default.)

You just need to look at the login log of ANY Linux server: there are thousands of dictionary attacks on the "root" user to find out its password; if the account is locked there is no way you can get in.

EDIT: Instead of "init=/bin/bash" you can also use "single". And also you can use the LiveCD to edit the sudoers file, and many more.
Last edited by Ardanbis on Fri Jul 04, 2008 9:23 am, edited 1 time in total.
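The kind of login-log review mentioned in the post above, as an added example that is not part of the thread: it counts failed sshd password attempts against root per source address. The "Failed password for root from ..." line shape is the one OpenSSH writes; the log lines, host name, user names and function names are constructed, and the addresses come from documentation ranges.

```shell
#!/bin/sh
# Count failed sshd password attempts against "root" per source address.

# Constructed sample of auth-log lines (not taken from a real host).
sample_log() {
    cat <<'EOF'
Jul  4 09:01:11 host sshd[2101]: Failed password for root from 192.0.2.10 port 40001 ssh2
Jul  4 09:01:13 host sshd[2101]: Failed password for root from 192.0.2.10 port 40001 ssh2
Jul  4 09:01:15 host sshd[2103]: Failed password for root from 192.0.2.10 port 40002 ssh2
Jul  4 09:02:00 host sshd[2110]: Failed password for invalid user admin from 198.51.100.7 port 51000 ssh2
Jul  4 09:02:05 host sshd[2111]: Failed password for root from 198.51.100.7 port 51001 ssh2
Jul  4 09:03:00 host sshd[2120]: Accepted password for alice from 203.0.113.5 port 52000 ssh2
EOF
}

# Reads auth-log text on stdin; prints "COUNT SOURCE", highest count first.
root_failures_by_source() {
    awk '
        / sshd\[[0-9]+\]: Failed password for root from / {
            # The source address is the field that follows the word "from".
            for (i = 1; i < NF; i++)
                if ($i == "from") { hits[$(i + 1)]++; break }
        }
        END { for (src in hits) print hits[src], src }
    ' | sort -k1,1nr -k2,2
}

# Reads "COUNT SOURCE" on stdin; prints sources with at least MIN attempts.
sources_at_least() {
    awk -v min="$1" '$1 >= min { print $2 }'
}

sample_log | root_failures_by_source
sample_log | root_failures_by_source | sources_at_least 3
```

On a Debian-family system the input would be the sshd entries in /var/log/auth.log instead of the constructed sample.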

Re: Important Security Notice - mintAssistant 2.4 in Elyssa!

Postby Phosgene on Fri Jul 04, 2008 9:20 am

Locking root isn't going to do anything when you're hit with any kind of exploit, well written shell code will give root privileges rather than a root account, not to mention shellcode written to add a root user. And most firewalls are easily evaded by fragmenting packets, strong ruleset or not. Keep a strong passphrase as a root password and there is no way that anyone will get in. I'd much rather have people trying to brute force my root account than have them keeping a hawk's eye on my services waiting for 0days.

Re: Important Security Notice - mintAssistant 2.4 in Elyssa!

Postby Ardanbis on Fri Jul 04, 2008 9:29 am

Phosgene wrote: Locking root isn't going to do anything when you're hit with any kind of exploit, well written shell code will give root privileges rather than a root account, not to mention shellcode written to add a root user. And most firewalls are easily evaded by fragmenting packets, strong ruleset or not. Keep a strong passphrase as a root password and there is no way that anyone will get in. I'd much rather have people trying to brute force my root account than have them keeping a hawk's eye on my services waiting for 0days.


If an exploit exists, or you make one so good, then how do you use it? You first have to connect to the computer you intend to use it on, and how do you know whether that computer is off or on? Well, you just have to ping it. I guess you caught the idea. In this case a strong ruleset doesn't really matter.

EDIT: If you are hit by an exploit, even if you have a strong password on your root account, it won't do anything for you. I was only talking about brute force, not about exploits. Exploits are exploits, that's all. And they get "fixed" pretty fast as soon as they get out.
Last edited by Ardanbis on Fri Jul 04, 2008 9:50 am, edited 1 time in total.

Re: Important Security Notice - mintAssistant 2.4 in Elyssa!

Postby Phosgene on Fri Jul 04, 2008 9:48 am

Any portscanner (Which is going to be the primary tool of someone exploiting services) provides a ping off flag (-PN in nmap), this means that no ping request is sent anyway and cuts right to scanning ports and services. If the computer is not connected or not 'on' then there will be no response right away, otherwise sending null packets will be able to stealth scan and find open ports plus grab banners for services.

By locking the root account all you accomplish is protection from brute force attacks, but you will also encounter many problems such as the ones you are experiencing. By setting a strong root passphrase (at least 40+ chars) not only will you prevent brute force or even hybrid attacks, it also means that should you have to use the root account in the case of disaster, it is right there to be used.

Re: Important Security Notice - mintAssistant 2.4 in Elyssa!

Postby Ardanbis on Fri Jul 04, 2008 9:58 am

Phosgene wrote: Any portscanner (Which is going to be the primary tool of someone exploiting services) provides a ping off flag (-PN in nmap), this means that no ping request is sent anyway and cuts right to scanning ports and services. If the computer is not connected or not 'on' then there will be no response right away, otherwise sending null packets will be able to stealth scan and find open ports plus grab banners for services.


Heh yes, you are right, port scanning is the usual way. But I think we are talking about activating or not the "root" account, and until now I still don't understand why I really need to enable it. As I said before, even if the sudoers file gets corrupted (in this case I think the "root" account can get messed up too) you can fix it with the LiveCD.

Fine, if you prefer to activate your root account then go ahead, it is your choice, not mine.

Re: Important Security Notice - mintAssistant 2.4 in Elyssa!

Postby Ardanbis on Fri Jul 04, 2008 10:02 am

Phosgene wrote: By locking the root account all you accomplish is protection from brute force attacks, but you will also encounter many problems such as the ones you are experiencing


What problems? I just want to ignore the root account deactivated message. There is no problem at all. It is just a message.

Re: Important Security Notice - mintAssistant 2.4 in Elyssa!

Postby Phosgene on Fri Jul 04, 2008 10:12 am

In my opinion, as far as Linux goes, anything that is not perfect is a problem. Windows creates a tendency to accept error messages and problems as the norm. Everything is changeable in Linux right down to Kernel level, there should be no excuse for small inconveniences. This is not a problem of the development, it is something that the user has to change themselves in order to tailor Linux to their own needs.

Re: Important Security Notice - mintAssistant 2.4 in Elyssa!

Postby Ardanbis on Fri Jul 04, 2008 12:35 pm

Phosgene wrote: This is not a problem of the development, it is something that the user has to change themselves in order to tailor Linux to their own needs.


So I have to modify the kernel to avoid that message? I thought there was an easier way. Like when bash starts to insult you if you type an incorrect password. I thought this was something like that.

Re: Important Security Notice - mintAssistant 2.4 in Elyssa!

Postby Phosgene on Fri Jul 04, 2008 12:37 pm

I highly doubt you would have to edit the kernel to remove that message.

Re: Important Security Notice - mintAssistant 2.4 in Elyssa!

Postby Ardanbis on Fri Jul 04, 2008 1:03 pm

Ok, I will keep searching then. Anyway, if there is someone like me out there that gets the same message using "sudo su", then instead of using "sudo su" use "sudo bash"; you will get "root" privileges as well, and that message won't pop out. Well, I know it's a fake solution but it's the only one I found until now.

Re: Important Security Notice - mintAssistant 2.4 in Elyssa!

Postby MintyCat on Tue Oct 20, 2009 4:26 pm

Okay, sorry to be digging up an old thread, but I've just found an old .iso of Mint 5 lying around my computer and I'm now running it on a Virtual Machine. I'm so used to not being able to "su" on Gloria, but I really dislike mintAssistant, so I'm glad the team took that out of Mint 7.

But I was wondering if there's any way to configure at least just the root password, or does it follow Elyssa's method and randomize a password? If so, how can I access it? Do I have to create a root account? :?

Re: Important Security Notice - mintAssistant 2.4 in Elyssa!

Postby Mintylamb on Sun Nov 15, 2009 5:05 pm

It is possible to log in as root on the latest KDE version of Gloria 7, using the password set for the first user account.
Linux Mint 8 Helena KDE CE running on pentium 4 and 1 gig of ram + 500gig HD and ECS P4M800PRO-M moby.