[19:44] <teward> who's alive on the security team
[19:44] <teward> and can tell me if https://launchpad.net/bugs/2016436 was issued a CVE or not?
[19:44] -ubottu:#ubuntu-security- Launchpad bug 2016436 in calamares-settings-ubuntu (Ubuntu) "Calamares will let you set up a user account with no password" [Critical, Fix Released]
[19:44] <teward> because i think it PROBABLY should have been issued one, as empty or missing passwords are in the CWE
[19:46] <teward> *pokes sarnold because it's Community, but this is found hard in Lubuntu at least*
[19:59] <Eickmeyer> Found hard in Ubuntu Studio as well.
[20:19] <Eickmeyer> teward, sarnold: confirmed issue on 22.04.
[20:19] <teward> or is someone else on Security around?  mdeslaur maybe?
[20:24] <mdeslaur> what's up teward 
[20:25] <teward> mdeslaur: see above.  shouldn't that have a CVE issued since it was discovered in one of the Ubuntu flavors?  Or should I go through the full MITRE process?
[20:25] <Eickmeyer> Correction: TWO of the Ubuntu flavors.
[20:25] <teward> note: tsimonq2 believes this shouldn't be a security bug, but others on Security are against that and the bug is a public sec bug now
[20:25] <teward> (i'm surprised this didn't get a CVE if it's such a security concern)
[20:26] <mdeslaur> not sure that is CVE worthy
[20:26] <teward> ack
[20:26] <teward> but it's *definitely* a security flaw wrt Ubuntu, yes?
[20:26] <mdeslaur> did anything ship with it?
[20:27] <teward> Lubuntu and others going back I think to 22.04
[20:27] <Eickmeyer> It's in 22.04 Lubuntu and Ubuntu Studio, as well as 22.10 Lubuntu and Ubuntu Studio.
[20:27] <Eickmeyer> So, yes.
[20:27] <teward> found in Studio, and Eickmeyer confirmed it's present in 22.04 as well
[20:27] <mdeslaur> if the user wrote a password, and ended up with a blank one, that would be a flaw.
[20:27] <sarnold> *sigh* i'm getting nothing but timeouts on that bug :(
[20:27] <mdeslaur> not enforcing a sane default is probably not considered a flaw
[20:27] <teward> mdeslaur: but the inverse of "user entering no password and that being acceptable" is not considered a flaw?
[20:28] <mdeslaur> if it's documented it could be
[20:28] <Eickmeyer> sarnold: TL;DR: Calamares isn't enforcing passwords (at all) in Lubuntu or Ubuntu Studio 22.04 or 22.10.
[20:28] <mdeslaur> else it's just hardening and wouldn't satisfy the requirements for a CVE
[20:28] <mdeslaur> but sarnold gets to decide
[20:28] <teward> Eickmeyer: it's also not setting "empty passwords" *as* empty passwords and hashing empty passwords if i'm reading jbicha's notes right
[20:29] <Eickmeyer> teward: That's correct, but it's acting as if it's an empty password as far as sudo and others are concerned.
[20:29] <Eickmeyer> Basically, it's allowing passwordless escalation.
[20:29] <teward> which is what sudo does when a user can be logged into but has no password IIRC
[20:30] <Eickmeyer> Correct.
[20:30] <teward> Eickmeyer: that's not a cala issue nor a CVE then
[20:30] <teward> that's just a user reducing security of their system by being autologin and passwordless i'd think
[20:30] <teward> (I hate passwordless as much as the next guy just saying)
[20:30] <Eickmeyer> But it's not autologin either.
[20:31] <Eickmeyer> Escalation would still require a password in autologin.
[20:31] <mdeslaur>  passwordRequirements:
[20:31] <mdeslaur> +    nonempty: true
[20:31] <mdeslaur>      minLength: 0
[20:31] <mdeslaur>      maxLength: 0
[20:31] <Eickmeyer> mdeslaur: That's the fix.
[20:31] <mdeslaur> users can still use a 1 letter password, right?
[20:32] <Eickmeyer> mdeslaur: Looks like it.
[20:32] <Eickmeyer> (not that I'm a fan)
[20:32] <teward> mdeslaur: do we know what the standard Desktop installer's requirements are for PW?  Or does that also allow empty passwords?
[20:32] <sarnold> I don't think this is a CVE -- I'm not even sure I like the "nonempty: true", if a user wants a passwordless login, how else would they get it?
[20:33] <teward> sarnold: see my take is
[20:33] <teward> cala should check if it's empty and then throw a notice that user can accept the risk for
[20:33] <teward> thereby *allowing* for a user to choose it and making it "User Choice" to accept the risks
[20:33] <Eickmeyer> Neither Ubiquity nor ubuntu-desktop-installer allows for an empty password.
[20:33] <teward> not sure if the standard Gnome installers have that though
[20:33] <sarnold> teward: that sounds kinder, yeah
[20:33] <teward> if they don't permit an empty password then we should *I THINK* have that as a standard
[20:34] <teward> and then consider that being added as a feature later in whatever install suite is in use
[20:34] <teward> but for 23.04 i think a standard requirement should be chosen for now, no?
[20:34] <mdeslaur> while less than ideal, I think this is a hardening issue, not a flaw per se
[20:35] <teward> after discussion here I would agree so no CVE required.  That still leaves the question of "sane defaults" which would be a Security decision I think
[20:35] <teward> at least, until the feature is available to throw a warn like sarnold says would be kinder
[20:36] <mdeslaur> is that during the install only, or is it an applet in some sort of control panel too?
[20:36] <teward> arraybolt3: Eickmeyer: ^
[20:36] <Eickmeyer> I think so as well. I think those defaults *should* be based on what Ubiquity and ubuntu-desktop-installer enforce now.
[20:36] <arraybolt3> I know it happens during installation, unsure if the Users app lets you do that.
[20:36]  * arraybolt3 checks
[20:37] <Eickmeyer> mdeslaur: There's a KDE Control Module in Plasma's System Settings that allows the user to change their password.
[20:37] <mdeslaur> I believe the gnome control panel users app enforces password strength
[20:37] <arraybolt3> Also I missed the whole start of the conversation because it took me ~10 minutes to figure out I wasn't in this channel :P
[20:37] <teward> arraybolt3: you has failed.  i'll pull your logs
[20:38] <arraybolt3> The "Users and Group" app in Lubuntu does allow you to make a passwordless account, but it also warns if you do so.
[20:38] <Eickmeyer> mdeslaur: It enforces a minimum password length of 1 character. *facepalm*
[20:38] <arraybolt3> Or at least, the app tries to let you do that. The underlying `passwd` application it uses then forbids it.
[20:38] <arraybolt3> (I actually use one-character passwords all the time in testing :D)
[20:38] <arraybolt3> And for VMs.
[20:39] <arraybolt3> mdeslaur: The installer in Ubuntu allows you to make a one-character password. It just also tells you that it's a weak password.
[20:41] <arraybolt3> (That's the installer in Ubuntu Desktop I mean.)
[20:42] <arraybolt3> sarnold: If a user wants a passwordless *login*, there's an autologin box they can check. If they want passwordless *sudo*, there's a config file they can change. If they want "really truly no password", there's a command they can use (passwd -d). So this doesn't restrict the user's freedom, it only enforces a (more) sane default.
[20:42] <mdeslaur> we definitely should turn on password strength meters and such in all the installers and control panel applets
[20:43] <sarnold> *nod* a nice little ⚠ NONE  / weak / okay  meter would be ideal
[20:43] <Eickmeyer> So, conclusion: Not a CVE, just a really bad idea.
[20:44] <Eickmeyer> Right now, Calamares gives a friendly green checkmark if there's no password. *facepalm*
[20:44] <arraybolt3> Calamares has some more hardening options related to password strength, see https://github.com/calamares/calamares/blob/calamares/src/modules/users/users.conf#L118
[20:45] <Eickmeyer> I mean Calamares as we have it configured prior to 23.04
[20:45] <arraybolt3> So "allowWeakPasswords: true, allowWeakPasswordsDefault: false" might be handy.
[20:46] <arraybolt3> (That way there's a box the user has to (un?)check in order to allow them to use a weak password.)
[20:46] <arraybolt3> Might be a bit late in the cycle to do that though, since that's a feature of Calamares that hasn't gotten extensive testing.
[20:46] <arraybolt3> (In Ubuntu.)
[20:47] <arraybolt3> Due to XScreenSaver's handling of an empty password, though, I think we should still require *some* password, just like Ubiquity/Ubuntu Desktop Installer.
[20:48] <mdeslaur> looks like it was fixed in lunar?
[20:48] <arraybolt3> True. But it affects Jammy and needs SRU'd there.
[20:48] <arraybolt3> (Kinetic we intend to skip since we can't respin that one so there's no point.)
[20:49] <mdeslaur> ah, ok, yeah, we'd definitely sponsor an update to -security for that so that it's available on the next respin for jammy
[20:49] <Eickmeyer> mdeslaur: The point of this discussion was more to do with the effect on Jammy.
[20:50] <mdeslaur> I think it can wait for the next jammy point release
[20:50] <arraybolt3> Agreed.
[20:50] <Eickmeyer> mdeslaur: Do you need the regular SRU paperwork?
[20:50] <Eickmeyer> (my uploads don't need sponsoring)
[20:50] <mdeslaur> no, file it as a security bug and subscribe ubuntu-security-sponsors to it
[20:50] <Eickmeyer> Will do.
[20:51] <mdeslaur> and we will release it as a security update
[20:51]  * Eickmeyer gets on it
[20:51] <arraybolt3> Should I be prepping a package or is that something the security team will do too?
[20:51] <Eickmeyer> arraybolt3: Since it's in Jammy, you don't have upload privs.
[20:51] <Eickmeyer> I'll do it.
[20:52] <mdeslaur> we'd want debdiffs in the bug to sponsor
[20:52] <arraybolt3> Eickmeyer: Pretty sure I can upload to jammy (I've done it on accident before).
[20:52] <mdeslaur> we need to build it in the security ppa, so don't upload it to -proposed
[20:52] <arraybolt3> And on purpose for SRUs.
[20:52] <Eickmeyer> mdeslaur: ack.
[20:52] <Eickmeyer> arraybolt3: Let me take this.
[20:52] <arraybolt3> Eickmeyer: +1
[21:12] <Eickmeyer> mdeslaur: Done
[22:55] <JanC> what is XScreenSaver's problem with empty passwords?
[22:56] <sarnold> I didn't go looking but I assumed it was something like an input box 'submit' thing that wouldn't be hooked up until there was some input
[23:05] <arraybolt3> JanC: I think it's something with PAM or some such. Basically Calamares hashes the blank password rather than just setting a deleted password, and so the system behaves like there's a password even though the password is blank. Some programs work with this odd setup, but XScreenSaver will just tell you that your password is wrong even though you're inputting a blank password.
[23:05] <arraybolt3> And since you can't unlock the screen without a password that XScreenSaver will accept, it makes it so that you are essentially locked out.
[23:06] <arraybolt3> (Until you either log into a TTY to circumvent things, or you just force-poweroff the system, which is what a less experienced user is more likely to do)
[23:06] <JanC> oh, that would be a problem indeed
[23:07] <JanC> might be good to fix XScreenSaver too  :)
[23:07] <arraybolt3> JanC: Yeah but it uses PAM to do the password checking AFAICT.
[23:07] <arraybolt3> (And the XScreenSaver code is... dense and confusing.)
[23:08] <JanC> so you think the problem is in PAM?
[23:08] <JanC> OTOH, maybe it shouldn't set an empty password like that
[23:08] <JanC> (calamares)
[23:09] <JanC> there might be some POSIX or other standard about this too...
[23:09] <arraybolt3> I think it's probably Calamares' fault for doing a blank password like that.
[23:09] <arraybolt3> Either that or else it's a bug in PAM.
[23:10] <arraybolt3> Or maybe it's in XScreenSaver, in which case someone's going to have to sign up for a migraine in order to fix it...
[23:10] <JanC> well, depends on whether that is allowed (and thus applications & libraries should expect it) or not allowed (then undefined behaviour is somewhat expected)
[23:11] <JanC> what calamares does
[23:11] <arraybolt3> I personally didn't even know you *could* hash empty data until just recently :P
[23:13] <JanC> most likely there is some standard that says that the password has to be filled with NULLs until the total allowed length or so?
[23:14] <arraybolt3> Hmm... a quick look at Unix & Linux SE suggests that Calamares' behavior is valid.
[23:14] <JanC> for unused bytes, I mean
[23:14] <arraybolt3> There's a difference between an empty password and no password.
[23:14] <arraybolt3> https://unix.stackexchange.com/questions/705037/whats-the-difference-between-empty-password-and-no-password
[23:14] <arraybolt3> (btw this might be a conversation that would be better had in #ubuntu-devel?)
[23:15] <JanC> well, I really only wanted to know what the XScreenSaver issue was  :)
[23:39] <UnivrslSuprBox> Alex mentioned an SBOM spec in the latest podcast -- is there any public discussion or documentation of this project?