Important Security Notice – mintAssistant 2.4 in Elyssa!

Written by Clem on Thursday, June 12th, 2008 @ 12:09 am | Main Topics

A very important bug has been found in mintAssistant 2.4 which was released as part of Linux Mint 5 Elyssa.

Explanation

When you choose not to set a root password, mintAssistant 2.4 leaves the root account active with an empty password. Instead of preventing any root login, this means anyone can log in as root without a password at all.

Cause

This regression is due to a change in the behavior of passwd between Gutsy and Hardy, combined with a request from the community after RC1 was released not to lock the root account (so that “sudo su -” remains possible).

Solution

- A fix has been released in mintAssistant 2.5. When you select not to set a root password, the root account is now given a randomly generated password instead of being left with none.
- The ISO images for both the Main and Light Editions will be rebuilt to include this fix.

What you need to do

- Upgrade mintAssistant to version 2.5.
- Launch mintAssistant and choose whether you want to set a root password or not. If you choose not to, a random password will be assigned for you.
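If you want to verify the state of your own root account rather than trust the version number, the relevant fact is the second field of root’s line in /etc/shadow: blank means no password at all (the 2.4 bug), a leading “!” or “*” means locked, anything else is a hash. The script below is an added example, not mintAssistant’s own code: it classifies shadow lines, and fix_empty_root applies the same remedy 2.5 uses (a random password via chpasswd). The sample shadow lines and the hash in them are constructed, not taken from any real system; fix_empty_root has to run as root and is never called automatically.

```sh
#!/bin/sh
# Added example, not mintAssistant's own code: classify the root entry of a
# shadow(5) file and apply the same remedy mintAssistant 2.5 uses (a random
# root password). The sample lines below are constructed, not from any system.

# shadow_state LINE: print the state of the password field of a shadow line.
#   empty  - field is blank: the account accepts a login with no password
#   locked - field starts with '!' or '*': password logins are disabled
#   set    - a password hash is present
shadow_state() {
    field=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$field" in
        "")          echo empty ;;
        '!'*|'*'*)   echo locked ;;
        *)           echo set ;;
    esac
}

# random_password: 32 hex characters (128 bits) read from /dev/urandom.
random_password() {
    od -An -tx1 -N 16 /dev/urandom | tr -d ' \n'
}

# fix_empty_root: if root's password field is empty, set a random password
# the way mintAssistant 2.5 does. Needs root; not called automatically here.
fix_empty_root() {
    line=$(grep '^root:' /etc/shadow) || return 1
    if [ "$(shadow_state "$line")" = empty ]; then
        printf 'root:%s\n' "$(random_password)" | chpasswd
        echo "root: empty password replaced with a random one"
    else
        echo "root: password field already $(shadow_state "$line")"
    fi
}

# Constructed sample shadow lines (the hash is a dummy, not a real one).
SHADOW_EMPTY='root::14032:0:99999:7:::'
SHADOW_LOCKED='root:!:14032:0:99999:7:::'
SHADOW_SET='root:$6$dummysalt$dummyhashdummyhashdummyhash:14032:0:99999:7:::'

for sample in "$SHADOW_EMPTY" "$SHADOW_LOCKED" "$SHADOW_SET"; do
    printf '%-60s -> %s\n' "$sample" "$(shadow_state "$sample")"
done
```

Two caveats worth knowing. First, `passwd -l root` locks the account by prefixing the field with “!”, while `passwd -d root` blanks it, which is the dangerous state described above; whether a blank field actually lets someone log in also depends on pam_unix being configured with `nullok`, so the field alone is the thing to check. Second, a locked root account does not break `sudo -i`, `sudo -s` or `sudo su -`, because sudo authenticates with your own password and then runs the command as root without consulting root’s entry; only a direct `su -` or a root login at the console or login manager needs root’s own password.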

41 Responses to “Important Security Notice – mintAssistant 2.4 in Elyssa!”

  1. Clem Says:

    The two ISOs are now ready. I’ll just pass them through some basic tests before uploading them to the server. They should be uploaded tomorrow during the day and from there picked up by the mirrors up to 48 hours later.

  2. Insane1 Says:

    Glad this was caught so fast. Although it did bring something to my attention: the Mint Update bug that causes Mint Update not to detect updates unless manually refreshed is still present.

  3. capricornus Says:

    While installing Mint 5, it surprised me that this was still possible: it is one of the greater flaws of M$ that a computer can run under administrator. But I was glad to see that the option to force a root password was at least offered, so I used it. Everyone should. Force users to work and surf safely.

  4. hamburn Says:

    @ clem thanks for the fast move

    @ capricornus,

    Thank you very much for knowing better than I do what I have to use. But let me say, I’m grown up. I abandoned M$ because they forced the user to do things a little bit too much.
    If Clem makes the same mistake of “forcing the user” (to work with something that is IT stone age like the console), people like me are very quick to change the OS.

    H.

  5. Roberto Says:

    Thanks

    mintAssistant was upgraded to version 2.5
    through MintUpdate. The instructions above are done.

  6. manny Says:

    remember to update the torrents too.

  7. Clem Says:

    UPDATE:

    - The new ISO images are available on Heanet.ie and should propagate to other mirrors today and tomorrow.
    - The torrents now point at the new ISOs.
    - On-Disk is in the process of replacing their ISOs and they will be contacting the people who bought CDs of Elyssa so far.

    Clem.

  8. Steven Brady Says:

    Thanks for the quick advisory and the fast respin. The community appreciates it.

  9. Alan Milnes Says:

    Hamburn

    The console is not stone age – it’s what experienced and knowledgeable people use to get things done quickly and consistently. It’s great to have the friendliness of a GUI but you can’t beat the Terminal for productivity.

  10. adam Says:

    hamburn,

    can i see examples of what you, specifically, are doing?

    a.

  11. Ookami Says:

    I doubt I would have noticed the change in the root account, making it remarkable you’ve discovered it so quickly. I normally carefully assign a (different) password to my root account anyway, for I’m much too nonconformist to not buck the trend and go with the Ubuntu way of doing things.

  12. Joe Vijay Says:

    Can we expect multiple revisions with the latest patches like this in the future?

  13. Donald F. Truax Says:

    Not a big deal for engineers, who use the root account and set a strong password. Please don’t change the option to use the root account…. EXCELLENT response time to this important issue.

    Best

    _Don

  14. Derek Says:

    This may or may not sound silly, but what is the difference between logging in as root and simply typing “sudo -i” in the terminal? If there is no significant difference then the root account should remain locked. After all, it seems much simpler to me than to log in as another user (root).

  15. dodgefan Says:

    great distro! excellent turnaround on getting this issue resolved! i cant say enough about linux mint! my distro hopping days are finally over!

  16. usermint Says:

    @ donald,

    professionals (don’t mix them up with engineers) don’t log in using the root account and do not allow anybody else to log in as root. They learnt to use sudo a long time ago.

    Sounds like a bad inheritance from Debian/Ubuntu, where the root password was saved in installation logs.

  17. Rob Says:

    @Hamburn

    The command line is not stone-age. Quite the opposite: it is a very powerful tool that can often accomplish things the GUI cannot, or can accomplish things much faster than the GUI can.

    The command line isn’t for everyone, and for ordinary tasks there is a GUI available.

    If one feels a need to go to another OS because of the occasional need to use the CLI, I would likely recommend that person get a Mac; it’s not that I’m a fan of Apple, quite the opposite really, but I will give credit where credit is due, and despite Apple’s corporate shortcomings, its OS is without a doubt the best choice for the end user who never wants to be bothered with what’s going on behind the scenes of their computing.

    Best of luck to you. Hope you find a good fit regardless of what OS you decide to use.

  18. Clem Says:

    Joe Vijay: Well.. not every week :) But if it’s going to be there for 3 years, yes, we’ll definitely update the ISOs now and then.. whether it’s for security reasons or to catch up with updates.

    The command line is a wonderful tool because:
    – the commands are always the same no matter what locale you use (so it’s much easier to help people by telling them what to type than by guessing on what label they should click)
    – the commands are scriptable, automatable, predictable, remotely accessible.. there’s so much more you can do with commands.
    – it’s faster to type on the keyboard than it is to click widgets on a screen
    – I could think of a lot of other reasons.. for instance, how do you go and install Opera in Mac? Is it faster than typing “apt install opera” and pressing Enter?

    The philosophy in Mint is not to lock down the user, quite the opposite in fact. Our purpose is to make complex and powerful features trivial to use. So to install Opera for instance you can go the Windows way and download it from opera.com.. or you can go the Ubuntu way and launch Synaptic.. or you can go the Mint way and install it via mintInstall/APT or mintInstall/MintPortal.. or you can decide that you want it “right now” and that you’re not going to wait for synaptic or firefox to launch, so you just open a terminal and type “apt install opera”.. and that’s the most efficient way.

    You can think it’s stone-age to drop to a terminal.. but an experienced user will think it’s inappropriate to launch such heavy tools as Firefox or synaptic for the very simple purpose of installing one package.

    Again, from a distributor point of view, we make it simple either way and give you the choice to do it the way you want to. We’ve got a GUI for almost everything in the OS but there’s no wonder the terminal is directly accessible from mintMenu and from your right-click menu… it’s a fantastic tool.

  19. Jymbob Says:

    @derek:
    I personally can’t see any real advantage to using ‘sudo su’ over ‘sudo -i’ or ‘sudo -s’ either.
    Clearly where ‘sudo’ was first introduced, not enough people read the manual (‘man sudo’) and just assumed that if they wanted a persistent shell they needed to type ‘sudo su’.
    Once again: you _never_ need to type ‘sudo su’. sudo has switches that enable a persistent root shell: use ‘sudo -i’ or ‘sudo -s’ if you’re going to be typing lots of system-level commands.

  20. Ben Says:

    This upgrade shows up as ‘NOT AUTHENTICATED’ in the update. Why is that?

  21. timh Says:

    Thank you Clem for your fast reaction and this wonderful distro and thanks for the nice terminal, now I don’t have to play with PS1 any more ;) [now I play with zenity]
    thanks a lot
    tim

  22. kezdeth Says:

    Clem:

    My install CD finally arrived today, and between the new install, the MintBackup Tool, and your very fast reaction to that bug, as well as how I feel about the new look & feel, all I can find to say is “Wow!”

    You’ve created a wonderful distro, and this from a guy who has run Slack, Debian, Ubuntu, and a few others. By far, I find I prefer Mint, and so far Elyssa (granted, only an hour after install…), has won my highest praise. You and your team have finally moved Linux to a true desktop for the average user. Please, keep up the good work!

  23. kassiel Says:

    I agree entirely with kezdeth. Linux Mint is Linux for the Desktop.

  24. Toya Kinomoto Says:

    Beta 1/2 worked better than this released version.
    Why don’t the developers take into account the problems raised in the forums? For a while, people who have a Realtek 8186/8111 network card have complained that access to the internet does not work, at least not the wired version. There was no improvement with beta 2, and now it’s even worse with the released version!! Now even the wireless doesn’t work anymore!!!

  25. Lopo Lencastre de Almeida Says:

    I’m testing it in the live CD Light r1.
    Checked whether mintAssistant is the latest version. It is :)

    Launched mintAssistant and didn’t set the root password.
    Launched the CLI and issued sudo su.

    I’m directly in the root user environment without any password prompt.

    If I understood your explanation well, this should not happen.
    What should happen is the system asking me for a root password that I could not enter.

    Am I right, OR does this only work on an installed system?

  26. Lopo Lencastre de Almeida Says:

    Issuing su – at the prompt does ask me for the unknown password.

    So, disregard the previous comment. I went to RTFM for sudo ;)

  27. j.r.bustamante Says:

    A thousand thanks, Clem & team, for this great work; congratulations for the best distro ever. I fully agree with 22. and 23.; the show must go on, coraggio!

  28. orlando_ombzzz Says:

    thanks for the advisory

    a question: i can at this moment install mintAssistant 4.5.

    Can i change the root password as a workaround of the problem?

    Thanks

  29. orlando_ombzzz Says:

    a question: i can at this moment install mintAssistant 4.5.

    s/can/can’t

    :-)

  30. Marvin Ingles Says:

    I see that CNR took CNR client support off the website for version 5. What happened? Thank you. New to Linux Mint but love it.

  31. l.e. Says:

    orlando_ombzzz: Yes, that will work just fine.

    As a general note, isn’t “sudo -i” the same as “sudo su -”?

  32. Paul Says:

    Kudos to you for fixing this and for showing the true spirit of OSS by letting everyone know.

    M$ would never have responded in such an honest way.

    Cheers,

    Paul

  33. ken markham Says:

    Derek wanted to know what use the root account is! Well, if your user account breaks you might like to use root to access and repair your system. Otherwise you might find you’ll need a complete wipe and re-install. Doesn’t this sound like Windows? Also, forcing users to play the developers’ game or no game at all stinks, just like Microsoft. By all means provide sound advice, but cut the “We have means of making you!”. Users will leave in numbers as they have done with Microsoft; there are many other flavours available. I currently use Mint Daryna and Hardy Heron and, apart from a few bugs, am enjoying the experience (I’ve been using various flavours of Linux since 1996). Great advances and excellent work by all involved. Remember: if it ain’t broke don’t fix it, but if you want to learn, break it, then fix it.
    Regards from Ken.

  34. paul92 Says:

    Hi!
    Why not create a 64-bit edition?
    I have many problems with the 32-bit edition, but not with the 64-bit one. Actually, I also have many problems with the Linux Mint live CD (with the compatibility mode too).

    Thus, I use the Ubuntu 8.04 LTS 64-bit edition.

    And anyway, when will we have a KDE4 version?
    Bye (sorry, I speak French).

  35. موبایل Says:

    Thank you

  36. tdsok Says:

    Hi guys, just wanted to say how amazing this distro is and how well it works. I’ve tried Ubuntu, Slackware, Freespire, OpenSUSE, Debian, Kubuntu and Fedora 8, and this is without a doubt the best I’ve ever tried. I love that it works out of the box (I had problems with most of the above) and that, because of the compatibility with Ubuntu, you have access to the open source programs for it.
    cheers,
    tdsok

  37. Sefy Says:

    I Disagree with ALL of you! completely and utterly!

    Microsoft, as much as I HATE them, are the ONLY ones here who actually DO give a CHOICE! What you did is REMOVE the OPTION and FORCE your OWN way of doing things on a home user!

    Because except for Linux fanatics, nobody uses or wants a password every time they go into a control panel or install an application! It is STUPID and it is IDIOTIC!

    Open Source… yeah right… it’s open as long as you force others to do what you want… When I have government files, I’ll think of all that security garbage. Till then, I’ll do WONDERFULLY without your stupid passwords!

    Remember! That’s one of the two MAIN reasons why Linux will never get to beat Windows! Because it is Windows that gives a true choice on how a HOME USER will use their own PC! And a Dad/Mom/12-year-old kid or a grandparent isn’t gonna bother with stupid passwords.

    Maybe one day you’ll get your head out of those thick dark clouds…

  38. Alex Says:

    @Sefy:

    You do remember that Windows Vista prompts for your approval even for less-risky tasks. When I had Vista installed, it prompted me for approval every time I wanted to move a file. *every* *time!* Wow, was that ever frustrating.

  39. hamburn Says:

    Sorry guys, I could not come back to this site till now.

    @Alan Milnes

    [quote]The console is not stone age – it’s what experienced and knowledgeable people use to get things done quickly and consistently. It’s great to have the friendliness of a GUI but you can’t beat the Terminal for productivity.[/quote]

    For me the command line is IT stone age; see below why.
    Experienced people like me ;-), used to the GUI since Win 3.11, prefer it because they don’t want to learn a lot of commands again and find it easier to use the GUI.
    And as a private user I don’t care about productivity. I use my box for surfing, chatting, mailing, writing some letters in OpenOffice,
    and playing my CDs and DVDs. If I need something challenging, I go on the road by bicycle in the rush hour. My computer has to be easy maintenance.

    @Rob

    [quote]The command line is not stone-age.[/quote]

    Sorry Rob, after working with UNIX in the early 80s, I last used the command line in the early 90s with DOS 6.22.
    It is IT stone age, at least for a “normal” user. The stone in the hand of a person in the stone age was also a powerful tool, but today we use a hammer or an axe or even tools driven by electric power. And btw, why should I learn a lot of commands again when it is much easier to make some mouse clicks?
    [quote]Command Line isn’t for everyone, and for ordinary tasks there is a gui available.[/quote]
    Just my point, thank you. But to use it as root you have to have a root account.
    Example: the NVIDIA X server settings GUI. Set them as a user and you have to do it every time you log in. Set them as root and the problem is solved.

    And Apple isn’t an option for me. I have a PC. Shall I go away from the software monopoly of M$ only to get into the claws of a combined software-hardware monopoly? No, thank you!

    To Sefy I have only one old phrase:
    Don’t feed the troll.

    H.


Trackbacks & Pingbacks

  1. Important Security Notice - mintAssistant 2.4 in Elyssa! « … Mencoba Menemukan … Says:

    [...] Security Notice – mintAssistant 2.4 in Elyssa! The article can be seen here: http://www.linuxmint.com/blog/?p=189. Published [...]

  2. The Linux Mint Blog » Blog Archive » Weekly Newsletter - Issue 50 Says:

    [...] security flaw in [...]