Important Security Notice - mintAssistant 2.4 in Elyssa!
A very important bug has been found in mintAssistant 2.4 which was released as part of Linux Mint 5 Elyssa.
Explanation
When the root password is not set the root account is still active, and rather than this consequently preventing any root login, it actually means you can login as root without any password at all.
Cause
This regression is due to a change in behavior in passwd from Gutsy to Hardy and a request from the community after RC1 was released not to lock the root account (so that "sudo su -" is still possible).
Solution
- A fix has been released in mintAssistant 2.5. When you select not to use the root password, the root account is now given a randomly generated password.
- The ISO images for both the Main and Light Editions will be rebuilt to include this fix.
What you need to do
- Upgrade mintAssistant to version 2.5.
- Launch mintAssistant and choose whether you want to set a root password or not. If you choose not to, a random password will be assigned for you.
Edit by Husse//
I strongly recommend you to set a root password. If you don't you will not be able to use "Recovery mode" which is a powerful helper when things go wrong.
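Added example (not part of the original announcement, and not mintAssistant code): a check for the condition described above, assuming "root password not set" corresponds to an empty password field in /etc/shadow. It runs against a constructed sample file; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: report the state of an account's password field in a
# shadow(5)-format file. Per shadow(5), an empty second field means no
# password is required; a field starting with '!' or '*' cannot match any
# password (password login disabled); anything else is a password hash.

pw_state() {    # $1 = shadow-format file, $2 = account name
    awk -F: -v user="$2" '
        $1 == user {
            found = 1
            if ($2 == "")          print "empty"
            else if ($2 ~ /^[!*]/) print "locked"
            else                   print "set"
            exit
        }
        END { if (!found) print "missing" }
    ' "$1"
}

empty_pw_accounts() {    # $1 = shadow-format file; lists every account with an empty field
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Constructed sample data, not taken from a real system.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
root::14040:0:99999:7:::
daemon:*:14040:0:99999:7:::
alice:$1$constructed$notARealHashValue:14040:0:99999:7:::
EOF

echo "root: $(pw_state "$sample" root)"
echo "accounts with an empty password field: $(empty_pw_accounts "$sample")"
```

On a real system, run the functions as root against /etc/shadow; `passwd -S root` reports the same state as NP, L or P.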
Re: Important Security Notice - mintAssistant 2.4 in Elyssa!
Clem,
I just wanted to let you know that mintUpdate still does not always show updates unless I open it, wait for it to do its check, and then hit refresh again. After doing this mintAssistant 2.5 did indeed show up. In general I do still have to do this each time to see what updates are available.
Might I request that after you have posted the new .iso file for Mint 5 that you announce it in this thread as a follow up? Once it's ready I would like to download it again so my CD is up to date without this security flaw.
By the way I'm impressed that you found this and have a fix so quickly, considering it's only been a few days since launch. Thank you so much.
Re: Important Security Notice - mintAssistant 2.4 in Elyssa!
Hi,
The two ISOs are now ready. I'll just pass them through some basic tests before uploading them to the server. They should be uploaded tomorrow during the day and from there picked up by the mirrors up to 48 hours later.
Clem.
Re: Important Security Notice - mintAssistant 2.4 in Elyssa!
How do you launch mintassistant ?
Thanks
Re: Important Security Notice - mintAssistant 2.4 in Elyssa!
Go to > Control Center > System > mintassistant
Re: Important Security Notice - mintAssistant 2.4 in Elyssa!
thanks but I removed it first before installing 2.5 and now it doesn't show on that menu. Any other way to launch it?
Re: Important Security Notice - mintAssistant 2.4 in Elyssa!
So are you saying if you HAVE set a root password there is no problem?
Using Mint as primary OS since 2006.
Re: Important Security Notice - mintAssistant 2.4 in Elyssa!
trod, right click on the menu and choose "Reload Plugins", that should get the menu item to appear.
Re: Important Security Notice - mintAssistant 2.4 in Elyssa!
fix is easy to do and worked for me
thanks Clem (and Cathbard)
Re: Important Security Notice - mintAssistant 2.4 in Elyssa!
since i have installed the last version of mintAssistant 2.5 in Elyssa, i don't need any password at all to use the "sudo" command......to do....whatever i want
i think that it was not like that before...
Re: Important Security Notice - mintAssistant 2.4 in Elyssa!
kenetics wrote: So are you saying if you HAVE set a root password there is no problem?
That's exactly what he's saying. The bug occurs when you don't set a root password in mint assistant 2.4
Re: Important Security Notice - mintAssistant 2.4 in Elyssa!
Other than at install I have never actually used mintassistant, is this something that I can remove? or is it an integral part of the distro?
I added a root password and it accepted it, and then I clicked on mint assistant again to see what it did, and it asked me if i wanted to enable a root password.
*edit-
after a reboot it asked me for my user password to get into the mintassistant
Last edited by eeezzzeee on Wed Jun 11, 2008 10:46 pm, edited 2 times in total.
Re: Important Security Notice - mintAssistant 2.4 in Elyssa!
matheos wrote (Wed Jun 11, 2008 8:55 pm):
since i have installed the last version of mintAssistant 2.5 in Elyssa, i don't need any password at all to use the "sudo" command......to do....whatever i want
i think that it was not like that before...
correction: it's because i did sudo su one time before..... but i really have to do a complete reboot before having the password request again on a sudo command
if i logout and relogin, the bug is still there... but not in a tty (CTRL+ALT+F1)
i have two zombie processes (gnome-terminal and sh), i'm not able to kill them even with the kill -9 command, probably the source of the bug
Re: Important Security Notice - mintAssistant 2.4 in Elyssa!
I have also had my mint assistant disappear - tried 'reload plugins' and it still didn't come back.
Any ideas?
Re: Important Security Notice - mintAssistant 2.4 in Elyssa!
- The new ISO images are available on Heanet.ie and should propagate to other mirrors today and tomorrow.
- The torrents now point at the new ISOs.
- On-Disk is in the process of replacing their ISOs and they will be contacting the people who bought CDs of Elyssa so far.
Clem.
Re: Important Security Notice - mintAssistant 2.4 in Elyssa!
tried what has been mentioned................I did update, but no mint assistant on my list?
Re: Important Security Notice - mintAssistant 2.4 in Elyssa!
You have to refresh the update manager for the newest update to show.
Re: Important Security Notice - mintAssistant 2.4 in Elyssa!
badmotor wrote: I have also had my mint assistant disappear - tried 'reload plugins' and it still didn't come back. Any ideas?
Sakonim wrote: Have you tried getting to it from the standard gnome menu? You open it by doing alt + f1.
I have tried the std. Gnome menu and it is not there. The instructions here were not quite clear what to do, so like others I had removed 2.4 first. Now if I look in package manager, it does say I have 2.5, but it is nowhere to be found in the menus (yes, I have refreshed plugins).
I did see some sort of 'Gnome integration' file that was removed with 2.4, and it hasn't reappeared in the synaptic list - so maybe that is what is causing the problem. If it doesn't show in the list, how do I get it back ??
Re: Important Security Notice - mintAssistant 2.4 in Elyssa!
Hi,
If you removed mintassistant, mintassistant-gnome must have been removed as well (it depends on it). mintassistant-gnome is the package which contains the menu item and the command line launcher.
Clem
Re: Important Security Notice - mintAssistant 2.4 in Elyssa!
If when using Mint assistant and one chooses to not use the root password, it then generates a random password
1) doesn't that defeat the purpose of saying you don't want to enable the root acct to begin with and
2) if it is given a random generated password, how does one access it at a later time should the need arise? I assume the option of logging in as a "single user mode" is still viable in order to change that.
Big Bear
Bee the best you can bee.