=== chris14_ is now known as chris14 |
teward | who's alive on the security team | 19:44 |
teward | and can tell me if https://launchpad.net/bugs/2016436 was issued a CVE or not? | 19:44 |
-ubottu:#ubuntu-security- Launchpad bug 2016436 in calamares-settings-ubuntu (Ubuntu) "Calamares will let you set up a user account with no password" [Critical, Fix Released] | 19:44 |
teward | because i think it PROBABLY should have been issued one, as empty or missing passwords are in the CWE | 19:44 |
teward | *pokes sarnold because it's Community, but this is found hard in Lubuntu at least* | 19:46 |
Eickmeyer | Found hard in Ubuntu Studio as well. | 19:59 |
Eickmeyer | teward, sarnold: confirmed issue on 22.04. | 20:19 |
teward | or is someone else on Security around? mdeslaur maybe? | 20:19 |
mdeslaur | what's up teward | 20:24 |
teward | mdeslaur: see above. shouldn't that have a CVE issued since it was discovered in one of the Ubuntu flavors? Or should I go through the full MITRE process? | 20:25 |
Eickmeyer | Correction: TWO of the Ubuntu flavors. | 20:25 |
teward | note: tsimonq2 believes this shouldn't be a security bug, but others on Security are against that and the bug is a public sec bug now | 20:25 |
teward | (i'm surprised this didn't get a CVE if it's such a security concern) | 20:25 |
mdeslaur | not sure that is CVE worthy | 20:26 |
teward | ack | 20:26 |
teward | but it's *definitely* a security flaw wrt Ubuntu, yes? | 20:26 |
mdeslaur | did anything ship with it? | 20:26 |
teward | Lubuntu and others going back I think to 22.04 | 20:27 |
Eickmeyer | It's in 22.04 Lubuntu and Ubuntu Studio, as well as 22.10 Lubuntu and Ubuntu Studio. | 20:27 |
Eickmeyer | So, yes. | 20:27 |
teward | found in Studio, and Eickmeyer confirmed it's present in 22.04 as well | 20:27 |
mdeslaur | if the user wrote a password, and ended up with a blank one, that would be a flaw. | 20:27 |
sarnold | *sigh* i'm getting nothing but timeouts on that bug :( | 20:27 |
mdeslaur | not enforcing a sane default is probably not considered a flaw | 20:27 |
teward | mdeslaur: but the inverse of "user entering no password and that being acceptable" is not considered a flaw? | 20:27 |
mdeslaur | if it's documented it could be | 20:28 |
Eickmeyer | sarnold: TL;DR: Calamares isn't enforcing passwords (at all) in Lubuntu or Ubuntu Studio 22.04 or 22.10. | 20:28 |
mdeslaur | else it's just hardening and wouldn't satisfy the requirements for a CVE | 20:28 |
mdeslaur | but sarnold gets to decide | 20:28 |
teward | Eickmeyer: it's also not setting "empty passwords" *as* empty passwords and hashing empty passwords if i'm reading jbicha's notes right | 20:28 |
Eickmeyer | teward: That's correct, but it's acting as if it's an empty password as far as sudo and others are concerned. | 20:29 |
Eickmeyer | Basically, it's allowing passwordless escalation. | 20:29 |
teward | which is what sudo does when a user can be logged into but has no password IIRC | 20:29 |
Eickmeyer | Correct. | 20:30 |
teward | Eickmeyer: that's not a cala issue nor a CVE then | 20:30 |
teward | that's just a user reducing security of their system by being autologin and passwordless i'd think | 20:30 |
teward | (I hate passwordless as much as the next guy just saying) | 20:30 |
Eickmeyer | But it's not autologin either. | 20:30 |
Eickmeyer | Escalation would still require a password in autologin. | 20:31 |
mdeslaur | passwordRequirements: | 20:31 |
mdeslaur | + nonempty: true | 20:31 |
mdeslaur | minLength: 0 | 20:31 |
mdeslaur | maxLength: 0 | 20:31 |
Eickmeyer | mdeslaur: That's the fix. | 20:31 |
mdeslaur | users can still use a 1 letter password, right? | 20:31 |
Eickmeyer | mdeslaur: Looks like it. | 20:32 |
Eickmeyer | (not that I'm a fan) | 20:32 |
teward | mdeslaur: do we know what the standard Desktop installer's requirements are for PW? Or does that also allow empty passwords? | 20:32 |
sarnold | I don't think this is a CVE -- I'm not even sure I like the "nonempty: true", if a user wants a passwordless login, how else would they get it? | 20:32 |
teward | sarnold: see my take is | 20:33 |
teward | cala should check if it's empty and then throw a notice that user can accept the risk for | 20:33 |
teward | thereby *allowing* for a user to choose it and making it "User Choice" to accept the risks | 20:33 |
Eickmeyer | Neither Ubiquity nor ubuntu-desktop-installer allows an empty password. | 20:33 |
teward | not sure if the standard Gnome installers have that though | 20:33 |
sarnold | teward: that sounds kinder, yeah | 20:33 |
teward | if they don't permit an empty password then we should *I THINK* have that as a standard | 20:33 |
teward | and then consider that being added as a feature later in whatever install suite is in use | 20:34 |
teward | but for 23.04 i think a standard requirement should be chosen for now, no? | 20:34 |
mdeslaur | while less than ideal, I think this is a hardening issue, not a flaw per se | 20:34 |
teward | after discussion here I would agree so no CVE required. That still leaves the question of "sane defaults" which would be a Security decision I think | 20:35 |
teward | at least, until the feature is available to throw a warn like sarnold says would be kinder | 20:35 |
mdeslaur | is that during the install only, or is it an applet in some sort of control panel too? | 20:36 |
teward | arraybolt3: Eickmeyer: ^ | 20:36 |
Eickmeyer | I think so as well. I think those defaults *should* be based on what Ubiquity and ubuntu-desktop-installer enforce now. | 20:36 |
arraybolt3 | I know it happens during installation, unsure if the Users app lets you do that. | 20:36 |
* arraybolt3 checks | 20:36 |
Eickmeyer | mdeslaur: There's a KDE Control Module in Plasma's System Settings that allows the user to change their password. | 20:37 |
mdeslaur | I believe the gnome control panel users app enforces password strength | 20:37 |
arraybolt3 | Also I missed the whole start of the conversation because it took me ~10 minutes to figure out I wasn't in this channel :P | 20:37 |
teward | arraybolt3: you has failed. i'll pull you logs | 20:37 |
arraybolt3 | The "Users and Group" app in Lubuntu does allow you to make a passwordless account, but it also warns if you do so. | 20:38 |
Eickmeyer | mdeslaur: It enforces a minimum password length of 1 character. *facepalm* | 20:38 |
arraybolt3 | Or at least, the app tries to let you do that. The underlying `passwd` application it uses then forbids it. | 20:38 |
arraybolt3 | (I actually use one-character passwords all the time in testing :D) | 20:38 |
arraybolt3 | And for VMs. | 20:38 |
arraybolt3 | mdeslaur: The installer in Ubuntu allows you to make a one-character password. It just also tells you that it's a weak password. | 20:39 |
arraybolt3 | (That's the installer in Ubuntu Desktop I mean.) | 20:41 |
arraybolt3 | sarnold: If a user wants a passwordless *login*, there's an autologin box they can check. If they want passwordless *sudo*, there's a config file they can change. If they want "really truly no password", there's a command they can use (passwd -d). So this doesn't restrict the user's freedom, it only enforces a (more) sane default. | 20:42 |
mdeslaur | we definitely should turn on password strength meters and such in all the installers and control panel applets | 20:42 |
sarnold | *nod* a nice little ⚠ NONE / weak / okay meter would be ideal | 20:43 |
Eickmeyer | So, conclusion: Not a CVE, just a really bad idea. | 20:43 |
Eickmeyer | Right now, Calamares gives a friendly green checkmark if there's no password. *facepalm* | 20:44 |
arraybolt3 | Calamares has some more hardening options related to password strength, see https://github.com/calamares/calamares/blob/calamares/src/modules/users/users.conf#L118 | 20:44 |
Eickmeyer | I mean Calamares as we have it configured prior to 23.04 | 20:45 |
arraybolt3 | So "allowWeakPasswords: true, allowWeakPasswordsDefault: false" might be handy. | 20:45 |
arraybolt3 | (That way there's a box the user has to (un?)check in order to allow them to use a weak password.) | 20:46 |
arraybolt3 | Might be a bit late in the cycle to do that though, since that's a feature of Calamares that hasn't gotten extensive testing. | 20:46 |
arraybolt3 | (In Ubuntu.) | 20:46 |
arraybolt3 | Due to XScreenSaver's handling of an empty password, though, I think we should still require *some* password, just like Ubiquity/Ubuntu Desktop Installer. | 20:47 |
mdeslaur | looks like it was fixed in lunar? | 20:48 |
arraybolt3 | True. But it affects Jammy and needs SRU'd there. | 20:48 |
arraybolt3 | (Kinetic we intend to skip since we can't respin that one so there's no point.) | 20:48 |
mdeslaur | ah, ok, yeah, we'd definitely sponsor an update to -security for that so that it's available on the next respin for jammy | 20:49 |
Eickmeyer | mdeslaur: The point of this discussion was more to do with the effect on Jammy. | 20:49 |
mdeslaur | I think it can wait for the next jammy point release | 20:50 |
arraybolt3 | Agreed. | 20:50 |
Eickmeyer | mdeslaur: Do you need the regular SRU paperwork? | 20:50 |
Eickmeyer | (my uploads don't need sponsoring) | 20:50 |
mdeslaur | no, file it as a security bug and subscribe ubuntu-security-sponsors to it | 20:50 |
Eickmeyer | Will do. | 20:50 |
mdeslaur | and we will release it as a security update | 20:51 |
* Eickmeyer gets on it | 20:51 |
arraybolt3 | Should I be prepping a package or is that something the security team will do too? | 20:51 |
Eickmeyer | arraybolt3: Since it's in Jammy, you don't have upload privs. | 20:51 |
Eickmeyer | I'll do it. | 20:51 |
mdeslaur | we'd want debdiffs in the bug to sponsor | 20:52 |
arraybolt3 | Eickmeyer: Pretty sure I can upload to jammy (I've done it on accident before). | 20:52 |
mdeslaur | we need to build it in the security ppa, so don't upload it to -proposed | 20:52 |
arraybolt3 | And on purpose for SRUs. | 20:52 |
Eickmeyer | mdeslaur: ack. | 20:52 |
Eickmeyer | arraybolt3: Let me take this. | 20:52 |
arraybolt3 | Eickmeyer: +1 | 20:52 |
Eickmeyer | mdeslaur: Done | 21:12 |
JanC | what is XScreenSaver's problem with empty passwords? | 22:55 |
sarnold | I didn't go looking but I assumed it was something like an input box 'submit' thing that wouldn't be hooked up until there was some input | 22:56 |
arraybolt3 | JanC: I think it's something with PAM or some such. Basically Calamares hashes the blank password rather than just setting a deleted password, and so the system behaves like there's a password even though the password is blank. Some programs work with this odd setup, but XScreenSaver will just tell you that your password is wrong even though you're inputting a blank password. | 23:05 |
arraybolt3 | And since you can't unlock the screen without a password that XScreenSaver will accept, it makes it so that you are essentially locked out. | 23:05 |
arraybolt3 | (Until you either log into a TTY to circumvent things, or you just force-poweroff the system, which is what a less experienced user is more likely to do) | 23:06 |
JanC | oh, that would be a problem indeed | 23:06 |
JanC | might be good to fix XScreenSaver too :) | 23:07 |
arraybolt3 | JanC: Yeah but it uses PAM to do the password checking AFAICT. | 23:07 |
arraybolt3 | (And the XScreenSaver code is... dense and confusing.) | 23:07 |
JanC | so you think the problem is in PAM? | 23:08 |
JanC | OTOH, maybe it shouldn't set an empty password like that | 23:08 |
JanC | (calamares) | 23:08 |
JanC | there might be some POSIX or other standard about this too... | 23:09 |
arraybolt3 | I think it's probably Calamares' fault for doing a blank password like that. | 23:09 |
arraybolt3 | Either that or else it's a bug in PAM. | 23:09 |
arraybolt3 | Or maybe it's in XScreenSaver, in which case someone's going to have to sign up for a migraine in order to fix it... | 23:10 |
JanC | well, depends on whether that is allowed (and thus applications & libraries should expect it) or not allowed (then undefined behaviour is somewhat expected) | 23:10 |
JanC | what calamares does | 23:11 |
arraybolt3 | I personally didn't even know you *could* hash empty data until just recently :P | 23:11 |
JanC | most likely there is some standard that says that the password has to be filled with NULLs until the total allowed length or so? | 23:13 |
arraybolt3 | Hmm... a quick look at Unix & Linux SE suggests that Calamares' behavior is valid. | 23:14 |
JanC | for unused bytes, I mean | 23:14 |
arraybolt3 | There's a difference between an empty password and no password. | 23:14 |
arraybolt3 | https://unix.stackexchange.com/questions/705037/whats-the-difference-between-empty-password-and-no-password | 23:14 |
arraybolt3 | (btw this might be a conversation that would be better had in #ubuntu-devel?) | 23:14 |
JanC | well, I really only wanted to know what the XScreenSaver issue was :) | 23:15 |
UnivrslSuprBox | Alex mentioned an SBOM spec in the latest podcast -- is there any public discussion or documentation of this project? | 23:39 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!