You can almost feel it, can't you?

Chat about anything related to Linux Mint
User avatar
jameskga
Level 3
Level 3
Posts: 197
Joined: Sat Jun 04, 2016 8:23 pm

You can almost feel it, can't you?

Post by jameskga » Sun Jun 25, 2017 5:13 am

The imminent release of Mint 18.2
19.2 Xfce
I am out there

Hoser Rob
Level 15
Level 15
Posts: 5670
Joined: Sat Dec 15, 2012 8:57 am

Re: You can almost feel it, can't you?

Post by Hoser Rob » Sun Jun 25, 2017 10:33 am

Nope. The only reason I'd upgrade is for hardware support reasons. I ain't installing 18.whatever until 17.3 goes EOL.

If I was one of those guys who had to have the newest software I'd bite the bullet and install Arch.

Citizen229
Level 5
Level 5
Posts: 819
Joined: Fri Nov 04, 2016 12:09 pm
Location: NW Ohio

Re: You can almost feel it, can't you?

Post by Citizen229 » Sun Jun 25, 2017 11:07 am

Agreed hoser.

"If AMD just let it be"

since I am an XFCE fan I will say this, 18.1 XFCE has been gosh darn flawless for only being the first revision.
Folding@home Project
Team Linux Mint-76140
PM for info on how you can help. Or visit viewtopic.php?f=58&t=243792
Seeking GPU's, i5/7/9's , Ryzens.

User avatar
MintBean
Level 9
Level 9
Posts: 2967
Joined: Fri Aug 07, 2015 6:54 am
Location: Blighty

Re: You can almost feel it, can't you?

Post by MintBean » Sun Jun 25, 2017 12:14 pm

Nothing in 18.2 that is particularly interesting to me but I will upgrade once the option appears in the software manager.

User avatar
Night Wing
Level 4
Level 4
Posts: 305
Joined: Wed Dec 25, 2013 10:21 pm
Location: Texas, USA

Re: You can almost feel it, can't you?

Post by Night Wing » Sun Jun 25, 2017 4:08 pm

I also plan to install 18.2 (Sonja) when it is publicly released (non beta) XFCE.
Mint 19.2 (Tina) Xfce 64 Bit

Cosmo.
Level 23
Level 23
Posts: 17830
Joined: Sat Dec 06, 2014 7:34 am

Re: You can almost feel it, can't you?

Post by Cosmo. » Sun Jun 25, 2017 4:25 pm

What I see at now in the Cinnamon beta:

Some good bug fixes.

Some open issues.

Some still not fixed bugs and regressions - partially one year (since Mint 18) old.

2 (new) serious security faults.

Under the line: If this should be the result of the final release, 18.x is in the 3rd edition again no joy. Nothing what I feel, but what I see. Of course I would be happy, if the situation would change until release, but the roadmap.

Seeing, that the file new.md in the roadmap is far longer than fixed.md does not give me the impression, that 18.2 is something like imminent.

User avatar
jameskga
Level 3
Level 3
Posts: 197
Joined: Sat Jun 04, 2016 8:23 pm

Re: You can almost feel it, can't you?

Post by jameskga » Sun Jun 25, 2017 6:00 pm

Where'd you see the security faults? I'd like to see them.
19.2 Xfce
I am out there

Cosmo.
Level 23
Level 23
Posts: 17830
Joined: Sat Dec 06, 2014 7:34 am

Re: You can almost feel it, can't you?

Post by Cosmo. » Sun Jun 25, 2017 6:57 pm

Problem #1 is the update for Firefox. I described this here, here and here. The problem affects only Firefox as browser, all other browsers are in level 1 (Chromium) or 2 (all others). Interesting also: Thunderbird - which might give in case of malfunction because of an update far greater problem, because the user might not be able to reach is mails - is set as level 1, the same for LibreOffice (which might for some users also be a critical application, where they have to rely on).
I have opened an issue about it.

Problem #2 is the decision for 18.2, that by default there is no root password set. Consequence: a local attacker can boot into the recovery mode and do, whatever he wants. This takes perhaps 30 to 60 seconds. I have reported and discussed that internally and I got the answer, that by doing so an distant attacker cannot attack the root password. This is - sorry to say it hard - nonsense. A distant attacker would hardly try this at all, but he would attack the password of the first user account - and gets the same result. The simple reason: It is known, at least for any halfway knowledgeable attacker, that Ubuntu does not create a root password since years; consequently an attacker would not even try this. As a regularly reader of the Forum I know, that even some of the most experienced Mint helpers here do not know, that in Mint (at least until 18.1) this is different. But any attacker knows, that the password for at least one account with sudo membership does needlessly exist. So - if he can - he will attack this. (If he cannot, he also cannot attack the root password.) What remains is a local attack vector, which is usable in seconds.
Until Mint 18.1 Mint has set the root password by default. This difference to the Ubuntu base did not fall from heaven, but it was a designer's decision. And quite obviously the developers did either with the old decision or with the new decision something wrong; both together cannot be right. So if they did a mistake on one place the question is, what from both is the wrong decision? I say - with arguments - the new decision is wrong.

User avatar
jameskga
Level 3
Level 3
Posts: 197
Joined: Sat Jun 04, 2016 8:23 pm

Re: You can almost feel it, can't you?

Post by jameskga » Sun Jun 25, 2017 8:35 pm

Thanks.

So to clarify the root password thing, are you saying that since the box is unchecked, most users speeding through their OS install will miss the opportunity to password-protect /home/ and/or their username? Or is it more technical than that?

Because anyone interested in security would naturally check that box at installation, right? So I feel like I'm missing the point. It's not bad, but you have a strange way of writing!

I will check out the firefox links you posted earlier. I love Firefox, so I hate to think it's less secure on Mint than it could or should be.
19.2 Xfce
I am out there

User avatar
jimallyn
Level 18
Level 18
Posts: 8952
Joined: Thu Jun 05, 2014 7:34 pm
Location: Wenatchee, WA USA

Re: You can almost feel it, can't you?

Post by jimallyn » Sun Jun 25, 2017 9:05 pm

jameskga wrote:you have a strange way of writing!
Not a native English speaker, but his command of English is much better than my command of any language other than English! Lots of non-native English speakers here in the Mint forums.
Image

“If the government were coming for your TVs and cars, then you'd be upset. But, as it is, they're only coming for your sons.” - Daniel Berrigan

User avatar
jimallyn
Level 18
Level 18
Posts: 8952
Joined: Thu Jun 05, 2014 7:34 pm
Location: Wenatchee, WA USA

Re: You can almost feel it, can't you?

Post by jimallyn » Sun Jun 25, 2017 9:12 pm

Cosmo. wrote:Problem #2 is the decision for 18.2, that by default there is no root password set.
I'm guessing that's a relatively easy problem to fix after installation, yes? I suspect there will be a tutorial for this soon.
Image

“If the government were coming for your TVs and cars, then you'd be upset. But, as it is, they're only coming for your sons.” - Daniel Berrigan

all41
Level 15
Level 15
Posts: 5709
Joined: Tue Dec 31, 2013 9:12 am
Location: Computer, Car, Cage

Re: You can almost feel it, can't you?

Post by all41 » Sun Jun 25, 2017 10:49 pm

Cosmo. wrote:
Problem #2 is the decision for 18.2, that by default there is no root password set. Consequence: a local attacker can boot into the recovery mode and do, whatever he wants. This takes perhaps 30 to 60 seconds. I have reported and discussed that internally and I got the answer, that by doing so an distant attacker cannot attack the root password. This is - sorry to say it hard - nonsense. A distant attacker would hardly try this at all, but he would attack the password of the first user account - and gets the same result. The simple reason: It is known, at least for any halfway knowledgeable attacker, that Ubuntu does not create a root password since years; consequently an attacker would not even try this. As a regularly reader of the Forum I know, that even some of the most experienced Mint helpers here do not know, that in Mint (at least until 18.1) this is different. But any attacker knows, that the password for at least one account with sudo membership does needlessly exist. So - if he can - he will attack this. (If he cannot, he also cannot attack the root password.) What remains is a local attack vector, which is usable in seconds.
Until Mint 18.1 Mint has set the root password by default. This difference to the Ubuntu base did not fall from heaven, but it was a designer's decision. And quite obviously the developers did either with the old decision or with the new decision something wrong; both together cannot be right. So if they did a mistake on one place the question is, what from both is the wrong decision? I say - with arguments - the new decision is wrong.
The New features pages state "The root account is now locked by default."
I seem to remember reading that a randomized root password was generated for each install--but for the life of me I can't find that article again.

User avatar
jameskga
Level 3
Level 3
Posts: 197
Joined: Sat Jun 04, 2016 8:23 pm

Re: You can almost feel it, can't you?

Post by jameskga » Sun Jun 25, 2017 10:59 pm

Thanks for all the interesting information, folks.

I look forward to 18.2 because I am constantly messing with Mint, and I like to minimize the stupid crap I attempt, so the 18.2 release is a chance for a fresh install and clean implementation of the stuff I learned and experimented with in the last six months.

For example, I have like five Wine virtual drives, including a PlayOnLinux drive, that just looks messy and hurts my obsession with neatness. Now that I understand how to install Photoshop and Starcraft BroodWar using Wine, I can have a cleaner installation after I wipe everything.

I like minimalism, too, so clean installs are a chance to start over without extra stuff installed I only needed once, you know? I love clean installing everything, like servers and websites and stuff.
19.2 Xfce
I am out there

Cosmo.
Level 23
Level 23
Posts: 17830
Joined: Sat Dec 06, 2014 7:34 am

Re: You can almost feel it, can't you?

Post by Cosmo. » Mon Jun 26, 2017 6:07 am

jameskga wrote:So to clarify the root password thing, are you saying that since the box is unchecked, most users speeding through their OS install will miss the opportunity to password-protect /home/ and/or their username? Or is it more technical than that?
No, this is not the case. I am not sure, which "box" you mean, but the possibility to password protect the user account is not affected by this change.

To say it in other words: Assume, I would be an evil guy and I would have physical access to your computer, without anybody watching me for less than a minute. I will be with 18.2 able to boot the computer into recovery mode and - without any password request - I can change in the system, whatever I want. Inclusive to set a password, which gives me later the possibility to do whatever I want even without the need to reboot. Or I could change your user password and you are out. Or whatever you might think of.

User avatar
jameskga
Level 3
Level 3
Posts: 197
Joined: Sat Jun 04, 2016 8:23 pm

Re: You can almost feel it, can't you?

Post by jameskga » Mon Jun 26, 2017 6:11 am

Why would they create such an easy security flaw? Is this a Mint-specific issue, or Ubuntu? How, or why, did they introduce it in 18.2 (as opposed to 18.1 or 17.3, for example)?
19.2 Xfce
I am out there

Cosmo.
Level 23
Level 23
Posts: 17830
Joined: Sat Dec 06, 2014 7:34 am

Re: You can almost feel it, can't you?

Post by Cosmo. » Mon Jun 26, 2017 6:17 am

jimallyn wrote:I'm guessing that's a relatively easy problem to fix after installation, yes? I suspect there will be a tutorial for this soon.
Correcting this mistake is possible (and this is the best, what I can say about this security leak) and is very simple; there will not even a tutorial be needed. Simply entering in a terminal sudo passwd gives you the possibility to set the root password and the problem is on this system solved. But hey, if a new version makes the need for every user to correct a designer's mistake, than there is something terribly wrong. Besides that, most user will not get aware about the leak - consequently they will do nothing. For those, how have become an attack victim it is too late.

A change in the system, which does no good at all, but opens a until than not existing security hole, is simply wrong.

Cosmo.
Level 23
Level 23
Posts: 17830
Joined: Sat Dec 06, 2014 7:34 am

Re: You can almost feel it, can't you?

Post by Cosmo. » Mon Jun 26, 2017 6:30 am

all41 wrote:The New features pages state "The root account is now locked by default."
I seem to remember reading that a randomized root password was generated for each install--but for the life of me I can't find that article again.
Your remembrance is good, what happened here is bad - as bad can be.

When Clem published the change-log we wrote indeed - on several places - about a randomized password. If this would have been true, the catastrophe would have reached out of some technical reasons its hightest point.

When I reported and discussed the whole issue I also pointed to this "random password" and all the additional security consequences, which would follow, if this would be true. If this would have been true, it would have been the highest thinkable security weakness. After this discussion all traces about the random password have been removed and I was told, that this random password is not the case and was never. I have not the slightest idea, why this "random password" had been mentioned at first - not once, but on several places.

The current state is, that the root password is (in 18.2 beta) empty, which consequently locks the root account. If somebody should now the password of the owner of the computer it is a matter of 5 to 10 seconds to set it.

Cosmo.
Level 23
Level 23
Posts: 17830
Joined: Sat Dec 06, 2014 7:34 am

Re: You can almost feel it, can't you?

Post by Cosmo. » Mon Jun 26, 2017 6:41 am

jameskga wrote:Why would they create such an easy security flaw?
That is the thousand dollar question.
jameskga wrote:Is this a Mint-specific issue, or Ubuntu?
Mint-specific. As said, in Ubuntu the root password was always empty, at least as long as I can remember.
jameskga wrote:How, or why, did they introduce it in 18.2 (as opposed to 18.1 or 17.3, for example)?
The "how" is easy. The "why" is the thousand dollar question. (I repeat myself.) There was nowhere a reasoning for the change published - at least nothing, what I have seen. And I claim to read every official source of Mint information, which is available. And I often read them several times to ensure, that I do not overlook something.

User avatar
jimallyn
Level 18
Level 18
Posts: 8952
Joined: Thu Jun 05, 2014 7:34 pm
Location: Wenatchee, WA USA

Re: You can almost feel it, can't you?

Post by jimallyn » Mon Jun 26, 2017 4:47 pm

Cosmo. wrote:Correcting this mistake is possible (and this is the best, what I can say about this security leak) and is very simple; there will not even a tutorial be needed. Simply entering in a terminal sudo passwd gives you the possibility to set the root password and the problem is on this system solved.
Thanks, Cosmo. Perhaps I will install 18.2 Beta tonight, add a root password, and post a warning about this. In general, the Mint team makes good decisions. But I can't see how this would be one of them.
Image

“If the government were coming for your TVs and cars, then you'd be upset. But, as it is, they're only coming for your sons.” - Daniel Berrigan

Cosmo.
Level 23
Level 23
Posts: 17830
Joined: Sat Dec 06, 2014 7:34 am

Re: You can almost feel it, can't you?

Post by Cosmo. » Mon Jun 26, 2017 6:59 pm

Jim, I suggest that you do it a little bit differently.

Boot the new system into recovery mode. You will notice, that there is no password request in 18.2 beta (in difference to previous Mints) - this is the problem. Now you enter those 2 commands:

Code: Select all

mount -o remount,rw /
passwd
The first command switches the recovery mode from read-only mode to writable. The second sets the root password.

The result is the same as with the method I described above. But this is the method, a local attacker will use. By using this method - for testing - you get a real-life experience, how quickly the attacker can perform his / her action.

BTW: If the attacker would enter a third command: sudo passwd jimallyn, (s)he can change with just 5 seconds more also your user password and the system will be history for you forever. You cannot reach your account and you also cannot enter the recovery console again to set the passwords newly. With the passwords set by the attacker you are out of the system, until you have installed it newly.

Post Reply

Return to “Chat about Linux Mint”