Re: we should set a grub password by default
Not that I have a strong opinion on this matter, but I thought that it was worth pointing out that the default Mac install has a similar ability to get a root session by pressing the right combination of keys. (I have used it more than once to gain control of a machine where the various passwords had been forgotten.)

- Mitch

--
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
Re: Putting security-based applications as a separate menu entry rather than in Accessories
On Thursday 17-05-2007 at 00:49 [timezone +0530], shirish wrote:
> What do you guys think of putting things like keyring manager,
> GPA (GNU Privacy Assistant), Seahorse, and other security-based
> softwares in a separate menu entry titled Security where all
> security-based tools including tools for SELinux are there. I know you
> guys don't like big menus but I feel it would be a good idea to have
> that.

Well, it would make some other menus smaller and I already have several extra top-level menu items like that; the default ones really don't cover everything (or throw a lot of completely different things in one submenu).

--
Jan Claeys
Putting security-based applications as a separate menu entry rather than in Accessories
Hi all,

What do you guys think of putting things like keyring manager, GPA (GNU Privacy Assistant), Seahorse, and other security-based softwares in a separate menu entry titled Security where all security-based tools including tools for SELinux are there. I know you guys don't like big menus but I feel it would be a good idea to have that.

Please lemme know what you guys think about that?

--
Shirish Agarwal
This email is licensed under http://creativecommons.org/licenses/by-nc/3.0/
065C 6D79 A68C E7EA 52B3 8D70 950D 53FB 729A 8B17
Re: Ubuntu Mobile and Embedded Edition
On Tue, May 08, 2007 at 11:21:24AM +0100, Ben Francis wrote:
> In the Ubuntu Weekly News: Issue #39 there was an announcement of the
> Ubuntu Mobile and Embedded Edition. The link to the mailing list
> announcement was broken and I think it should have been
> https://lists.ubuntu.com/archives/ubuntu-devel-announce/2007-May/000289.html
> as we're not in 2008 yet.
>
> I'm interested in getting involved with development on this project,
> specifically the "innovative graphical interfaces". Is there any more
> information available yet? Perhaps a wiki page?

There is now, at https://wiki.ubuntu.com/MobileAndEmbedded

--
 - mdz
Re: we should set a grub password by default
On Tue, May 15, 2007 at 07:23:41PM +0200, Sven wrote:
> In short terms: I propose that during grub setup/configuration the grub
> password in menu.lst is activated by default. Please let me explain why.

Providing a grub password by default risks giving people the impression that the system is secure, while in fact there are several other steps that would be required for that to be true (disabling CD drive booting, BIOS password, physical security of machine to prevent BIOS being reset or drives removed). Instead, we should make it easy for people to learn what needs to be done to make a system secure.

--
Matthew Garrett | [EMAIL PROTECTED]
New MOTU Mentoring proposal
Hello everybody,

at UDS we had an interesting and fruitful session about MOTU Mentoring. Please take a look at https://wiki.ubuntu.com/MOTU/NewMentoring where you find a write up of what we agreed on.

Leave comments on the wiki page and please also leave a note if you're interested in mentoring. We'll get back to you.

If you always wanted more members in your team, consider joining the Mentors, ubuntu-dev and ubuntu-core-dev team members alike. :-)

Have a nice day,
 Daniel
Re: we should set a grub password by default
-------- Original Message --------
Date: Wed, 16 May 2007 12:22:04 +0100
From: "(``-_-´´) -- Fernando" <[EMAIL PROTECTED]>
To: "Matthew Paul Thomas" <[EMAIL PROTECTED]>
CC: ubuntu-devel-discuss@lists.ubuntu.com
Subject: Re: we should set a grub password by default

> On 5/16/07, Matthew Paul Thomas <[EMAIL PROTECTED]> wrote:
> > On May 16, 2007, at 10:33 AM, Phillip Susi wrote:
> >
> > So how feasible it would be for grub to accept the passphrase of any
> > admin user, rather than having its own? That would be weird in the
> > sense that the admin accounts are Ubuntu-specific, whereas grub is in
> > theory controlling access to multiple OSes. But it would save
> > subjecting people to an extra step in the installer, and it would make
> > the grub passphrase no longer a headache.
> >
> > Cheers
> > --
> > Matthew Paul Thomas
> > http://mpt.net.nz/
> >
>
> Is it so hard to just run:
> "sudo passwd root"
> after the first boot, while configuring everything else??
>
> I do it all the time, and after this simple step, I don't have even to
> bother about a password on grub.

Everyone can come around the root password with these steps:

By pressing 'e' in grub, step down to the kernel line and press 'e' again, then simply add
init=/bin/bash
Press enter and press 'b' to boot.

You will get a single user system with root-access passwordless. You can mount -o remount,rw your root partition and with passwd create a new root password.

regards,
Sven
Re: we should set a grub password by default
Hi,

I know this discussion is getting insanely long, but I will add to it anyway...

I overall agree that
* getting a root shell is _way_ too easy in the default setup
* prompting the user for a grub password adds one technical question, normal end-users don't care about this
* just putting the first user's password into the grub config seems insane

>
> Is it so hard to just run:
> "sudo passwd root"
> after the first boot, while configuring everything else??
>
> I do it all the time, and after this simple step, I don't have even to
> bother about a password on grub.

Setting a password to the root user will indeed protect the "single user" boot mode (available with two extra key presses at boot time). But it does not protect at all from relatively easy boot tricks, like adding "init=/bin/sh" to the boot options. Besides this, a weak root password would make your system easier to crack, while it is running, a weak grub password seems less dangerous to me.

As it was said already, the only protection against this is grub password + bios password (and then, the offender can still open the box anyway, but this is enough for many use cases).

Anyway, getting a "reasonable" security level requires some intervention (for the BIOS password), so adding an easy way to setup a grub password would be nice. It would also be nice to add a warning message about this at the end of the install, and/or an option in the "advanced" grub setup, but asking such a technical question during the install process does not look nice to me.

A tool to set a grub password should:
* set the password
* check/change the permissions on the menu.lst file
* add "lock" where needed

This could probably be done using a debconf question, so running "dpkg-reconfigure grub" and give the password when asked would do the trick.

--
Aurélien Naldi
Re: we should set a grub password by default
On 5/16/07, Matthew Paul Thomas <[EMAIL PROTECTED]> wrote:
> On May 16, 2007, at 10:33 AM, Phillip Susi wrote:
>
> So how feasible it would be for grub to accept the passphrase of any
> admin user, rather than having its own? That would be weird in the
> sense that the admin accounts are Ubuntu-specific, whereas grub is in
> theory controlling access to multiple OSes. But it would save
> subjecting people to an extra step in the installer, and it would make
> the grub passphrase no longer a headache.
>
> Cheers
> --
> Matthew Paul Thomas
> http://mpt.net.nz/
>

Is it so hard to just run:
"sudo passwd root"
after the first boot, while configuring everything else??

I do it all the time, and after this simple step, I don't have even to bother about a password on grub.

--
BUGabundo :o)
(``-_-´´) GPG key 1024D/00967685
Linux user #443786
http://BUGabundo.net
Re: we should set a grub password by default
Hya

On 5/15/07, Sven <[EMAIL PROTECTED]> wrote:

On Tuesday, 15.05.2007, at 18:52 +0100, Scott James Remnant wrote:
> On Tue, 2007-05-15 at 19:23 +0200, Sven wrote:
>

Say I setup a pc in the children's room, do I want my children to gain root access without a password?

if you are a user/admin responsible to setup this case, just alter the grub yourself.

Say I setup 10 pcs in the public library, I don't think they want to steal those old heavy computers, but do I want anyone to gain root access without any problem?

Compare it to windows, you can not gain root access during reboot, without a medium.

Actually, since users usually create a new admin user, anyone can boot in safe mode and just login with the "administrator" login passwordless.

Sven

--
BUGabundo :o)
(``-_-´´) GPG key 1024D/00967685
Linux user #443786
http://BUGabundo.net
Re: xmms into universe?
On Tue, May 15, 2007 at 10:07:59PM +0200, Jan Claeys wrote:
> On Tuesday 15-05-2007 at 10:47 [timezone +0100], Matt Zimmerman wrote:
> > It is unfortunate to have to cripple xmms simply for the sake of moving it
> > to universe. The ideal way to fix this would be to move the XMMS FLAC
> > plugin to the XMMS tree, where most other XMMS plugins are maintained, but
> > without an upstream, this isn't going to happen.
>
> Considering that:
> * there are at least two GTK2-based XMMS-derivatives
>   ('beep-media-player' & 'audacious')
> * FLAC does have an upstream
>
> ... isn't it possible to change the FLAC dependency on XMMS to a
> dependency on/from "Beep" (or Audacious?) and get that patch accepted
> upstream (in either FLAC, Beep or Audacious)?
>
> (The XMMS plugin is also the Beep plugin now...)

I didn't realize that XMMS and Beep plugins were interchangeable. Doing this in FLAC would require moving beep-media-player to main, but it would be worth talking to Beep and FLAC upstreams to see if they would be interested in moving the plugin to the Beep tree.

--
 - mdz
Re: libpoppler patch in TeXLive in Ubuntu (was: TeXLive 2007 & ConTeXt on etch?)
Hi Norbert,

Norbert Preining [2007-05-16 8:49 +0200]:
> On Tue, 15 May 2007, Martin Pitt wrote:
> > BTW, the poppler patch is not perfect yet since some parts of
> > texlive-bin still use the internal xpdf. I kept that on my TODO list,
> > but it wasn't necessary to bootstrap texlive into Gutsy.
>
> Can you send us the libpoppler patch? Debian is switching in the next
> days to the new poppler ... so we have to do the same thing ...

http://patches.ubuntu.com/t/texlive-bin/texlive-bin_2007-7ubuntu1.patch has both the changes to the poppler patch and also the libkpathsea change (I guess you want to have this as well, so that tetex-bin can be removed from Debian).

Martin

--
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org
Re: we should set a grub password by default
Sorry guys but I think this is an over reaction... If a network manager wants to restrict privileges for his network that's OK, but don't trouble the average users with such problems

Simon

Sven wrote:
> hello ubuntu developers!
>
> Jerome redirected me from my bug report #114838 to your audience.
>
> In short terms: I propose that during grub setup/configuration the grub
> password in menu.lst is activated by default. Please let me explain why.
>
> With the actual Ubuntu default settings anyone can easily gather
> root-privileges by rebooting and pressing e to enter edit mode in grub
> and add a init=/bin/bash kernel option. He can go on and do everything
> then.
> To establish a secure system with today's Ubuntu versions one would have
> to:
> 1) decide what requirements on protecting direct hardware modifications
> must be established
> 2) set up the harddisk as the only boot-device, and protect this BIOS
> setting with a password
> 3) set up a Grub password to prevent boot-option modifications
>
> #1 and #2 are totally out of the operating system's focus, but #3 is
> something I'd like to talk about.
>
> To prevent this unauthorized boot-modifications gaining root-access,
> grub contains a password command line in menu.lst including a --md5
> option. If we set this password and don't change anything different in
> menu.lst, the only thing that changes is: grub options can not be
> modified and Grub's command line can not be opened to do different
> things.
> The Grub password can be user defined during installation or be a
> random generated password, choosing an empty password deactivates Grub's
> password option.
> Then, assuming someone cared for #1 and #2, Grub's menu.lst can only be
> modified from the booted computer by an authenticated user.
>
> I think this is a little change most Ubuntu users won't even notice
> because they just use the grub manager to boot from the menu list, which
> will continue to work flawlessly.
>
> I think this "bug" is critical, because it's nearly as simple as pressing
> a key during boot to gain root access. Most people I tell this did not
> know it's so easy to compromise their linux system, which they installed
> because they thought it's more secure than the "other os". Well it could
> be.
>
> Additional my proposal, I've seen a bug report complaining about the
> alternate installation's grub password setup. It exists but it doesn't
> use the md5 hash method of grub, but clear text. The password is stored
> in menu.lst which is in 644 mode and everyone can read it.
>
> kind regards, Sven
>
>
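
The three tool steps listed in Aurélien Naldi's message (password set, menu.lst permissions, "lock" where needed), together with the clear-text, mode-644 problem Sven reports, written as an audit of a GRUB legacy menu.lst. This is an added example, not code from the thread or from Ubuntu; the function names, the constructed sample file and the reading of "where needed" as single-user entries are assumptions.

```python
import os
import stat
import tempfile

# Constructed sample menu.lst (GRUB legacy syntax), not from a real system.
SAMPLE = """\
default 0
password topsecret
title Ubuntu
kernel /boot/vmlinuz root=/dev/sda1 ro quiet splash
title Ubuntu (recovery mode)
kernel /boot/vmlinuz root=/dev/sda1 ro single
"""

def audit_menu_lst(path):
    """Return a list of findings for the checks named in the thread."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"mode {mode:03o}: readable by non-root users")
    has_password, title, locked = False, None, False
    with open(path) as fh:
        for raw in fh:
            fields = raw.split()
            if not fields or fields[0].startswith("#"):
                continue
            cmd, args = fields[0], fields[1:]
            if cmd == "title":                      # a new boot entry starts
                title, locked = " ".join(args), False
            elif cmd == "password" and title is None:   # global directive
                has_password = True
                if "--md5" not in args:
                    findings.append("password stored in clear text (no --md5)")
            elif cmd == "lock" and title is not None:
                locked = True
            # Assumption: "where needed" means single-user (recovery) entries,
            # and lock must appear before the kernel line of that entry.
            elif cmd == "kernel" and "single" in args and not locked:
                findings.append(f"entry '{title}' boots single-user without lock")
    if not has_password:
        findings.append("no global password: boot options are editable")
    return findings

def audit_text(text, mode):  # write text to a temp file with this mode, audit it
    with tempfile.NamedTemporaryFile("w", delete=False) as fh:
        fh.write(text)
    os.chmod(fh.name, mode)
    try:
        return audit_menu_lst(fh.name)
    finally:
        os.unlink(fh.name)
```

Calling `audit_text(SAMPLE, 0o644)` reports all three problems; on a real system `audit_menu_lst("/boot/grub/menu.lst")` would need to run with enough privilege to read the file once it is mode 600.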