Sudo su

Discussion in 'Linux' started by Trench, Jul 31, 2008.


    Trench

    Joined:
    Jul 31, 2008
    Messages:
    8
    Likes Received:
    0
    It was odd: being an Ubuntu user, I typed sudo su into the terminal out of habit for killing processes, and it gave me root access without a password prompt. Anyone else able to verify this?
     
    Trench, Jul 31, 2008
    #1

    Singo

    Joined:
    Jul 30, 2008
    Messages:
    9
    Likes Received:
    0
    yes
     
    Singo, Jul 31, 2008
    #2

    Cyclist

    Joined:
    Jul 31, 2008
    Messages:
    4
    Likes Received:
    0
    Location:
    VA, USA
    Yes. My first day with the AspireOne and wanted to set the root password. This sure made it easy (and insecure).
     
    Cyclist, Jul 31, 2008
    #3

    enildeR

    Joined:
    Jul 30, 2008
    Messages:
    23
    Likes Received:
    0
    /etc/sudoers:
    Code:
    %wheel ALL=(ALL)       NOPASSWD: ALL
    /etc/group:
    Code:
    wheel::10:root,user
    ^ This is why you can do sudo su without being prompted for a password.

    I haven't touched the root password.
    Code:
    [root@localhost user]# egrep root /etc/passwd
    root:$1$2dYkV4Ni$yNuE9KaOteNZe9owAta9i.:0:0:root:/root:/bin/bash
    
    ^ This shows that there is already a password set for root.

    Ask questions to understand the system before you start rattling off "insecure! insecure!"

    The system is fine. Someone would have to guess your user password in order to execute sudo su in the first place.
    If you wanted to set a password because you're paranoid that Acer is going to backdoor your lappy... That's another, entirely different issue. Had you not made the "insecure" comment, I wouldn't go off the hook. :)

    This is the only thing open to the outside world:
    Code:
    [root@localhost Documents]# nmap -sS 192.168.2.3
    
    Starting Nmap 4.52 ( http://insecure.org ) at 2008-07-31 16:22 PDT
    Interesting ports on 192.168.2.3:
    Not shown: 1713 closed ports
    PORT     STATE SERVICE
    6000/tcp open  X11
    
    Nmap done: 1 IP address (1 host up) scanned in 0.278 seconds
    
    Go show me an exploit for X11. :)

    Let's see if they enabled restricted access to X:
    Code:
    [user@localhost ~]$ xhost
    access control enabled, only authorized clients can connect
    LOCAL:
    
    o hai can haz sekure uhspire 1? lolollolol
     
    enildeR, Aug 1, 2008
    #4

    retsaw

    Joined:
    Aug 1, 2008
    Messages:
    133
    Likes Received:
    0
    Having sudo configured to allow you to run any program without a password is insecure, especially when combined with auto login, so no one has to guess your password. This makes it easy for anyone with access to your machine to take control of it if they know what they are doing. Of course, if someone has physical access to your machine they can essentially get around any security you have, or for that matter they can even walk off with it unless you locked it to something secure. But this sudo misconfiguration also allows anyone who might get remote access to your machine full control as well. The obvious fix to this is to comment out the line in /etc/sudoers (note: it is recommended to only edit /etc/sudoers with visudo) which allows members of the wheel group to run commands passwordless.

    Another security hole I've just spotted is that the password hashes are stored in /etc/passwd (which is world readable because some programs need to read user information from there); however, the password hashes should be in /etc/shadow so only authorised programs can read them, otherwise anyone can read the hashes, which lets them do a brute-force attack on the password (the attacker could copy the file to another machine to do this). Strangely, shadow-utils, which provides this functionality, is already installed by default, so to fix this all you have to do is run "pwconv" as root.

    Another note is that by default both the user and root passwords are set to the password you provided when setting up the machine, so you do have a root password.

    There isn't a good reason to have X listening on TCP ports at all on a laptop like this, since most users of it won't even know about running X sessions over the network, and of those that do, few will actually need to use it, and those few should know how to enable it for themselves.

    All in all this isn't nearly as secure as it should be, even though I don't think it is anything to panic about.
     
    retsaw, Aug 1, 2008
    #5
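The three findings in posts #4 and #5 (the passwordless %wheel rule in /etc/sudoers, hashes sitting in /etc/passwd instead of /etc/shadow, and X11 listening on TCP port 6000) can be checked with a small shell audit. The script below is an added example written for this thread; it is not code from the thread or from Acer. Its inputs are constructed samples shaped like the output shown above (the root hash is a placeholder), so it runs offline without touching the real files; point the functions at `cat /etc/sudoers`, `cat /etc/passwd` and `netstat -ltn` (run as root) to audit a live machine. The function names and the sample data are my own assumptions.

```shell
#!/bin/sh
# Added audit example for the misconfigurations discussed in this thread
# (passwordless sudo for %wheel, hashes in /etc/passwd, X11 on TCP 6000).
# Not from the thread or from Acer; the inputs below are constructed samples.

# Constructed sudoers text in the style shown in post #4.
SAMPLE_SUDOERS='# constructed sample, not a real /etc/sudoers
root    ALL=(ALL)       ALL
%wheel  ALL=(ALL)       NOPASSWD: ALL
'

# Constructed passwd text; the root hash is a placeholder, not a real hash.
SAMPLE_PASSWD='root:$1$constructed$placeholderhashvalue:0:0:root:/root:/bin/bash
user:x:500:500:user:/home/user:/bin/bash
'

# Constructed "netstat -ltn" output with X11 listening on all interfaces.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
'

# Count active (uncommented) NOPASSWD rules in sudoers-format text on stdin.
count_nopasswd() {
    grep -v '^[[:space:]]*#' | grep -c 'NOPASSWD' || true
}

# Emit the same sudoers text with the NOPASSWD: tag stripped, so the rule
# keeps granting wheel the same commands but asks for the user's password.
# (Apply such a change with visudo, which syntax-checks before saving.)
harden_sudoers() {
    sed 's/NOPASSWD:[[:space:]]*//'
}

# Print accounts whose second field holds a hash rather than the "x" that
# points at /etc/shadow (the condition pwconv fixes). Locked markers are skipped.
unshadowed_accounts() {
    awk -F: '$2 != "x" && $2 != "*" && $2 != "!" && $2 != "" { print $1 }'
}

# Answer yes/no: is anything listening for TCP on port 6000 (X11) in
# netstat -ltn style output read from stdin?
x11_tcp_listening() {
    if grep -E '^tcp.*[:.]6000[[:space:]].*LISTEN' >/dev/null; then
        echo yes
    else
        echo no
    fi
}

# Run the audit over the constructed samples.
printf 'passwordless sudo rules: %s\n' "$(printf '%s' "$SAMPLE_SUDOERS" | count_nopasswd)"
printf 'after hardening:         %s\n' "$(printf '%s' "$SAMPLE_SUDOERS" | harden_sudoers | count_nopasswd)"
printf 'hashes still in passwd:  %s\n' "$(printf '%s' "$SAMPLE_PASSWD" | unshadowed_accounts)"
printf 'X11 reachable over TCP:  %s\n' "$(printf '%s' "$SAMPLE_NETSTAT" | x11_tcp_listening)"
```

On the sample data the audit reports one passwordless rule (zero after `harden_sudoers`), `root` as the account whose hash is still in the passwd file, and X11 reachable over TCP; each of those maps to the fix named in post #5 (edit the rule with visudo, run pwconv, stop X listening on TCP).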

    coredumpz

    Joined:
    Jul 21, 2008
    Messages:
    7
    Likes Received:
    0
    Although I completely agree with all the principles stated in the previous post (I have them in place in my One), I have to say that some of them are of little relevance for a system like this.
    Safety is already fully compromised in a system like this (or any other laptop), because the first rule for a safe system is to deny direct physical access to the system to any unauthorized personnel. But this rule, if applied, would probably render a laptop useless... ;)

    Apple Mac OS X systems with factory configuration (desktop or laptop) are quite easy to crack if you can have access to the keyboard. You just need to restart the computer and press a combination of keys at startup for system maintenance mode, then remount the file system read/write, and then change the root password with passwd (you can do this in much less than 5 minutes; the limiting step is the boot speed). You can even store the original password file so that you can cover your tracks before leaving the system.

    Any other mainstream system without a BIOS password and/or encrypted file system is also quite easy to crack, if you have physical access to it (at most, you need a live cd or equivalent).
    If you have a BIOS password, but someone can easily open your computer case, it is usually also easy to remove the BIOS password. However, this will take more time (about 15 minutes for a well-trained person; maybe less...) in the case of the AAO, and you get the automatic bonus of intrusion detection since you would notice the missing/changed password.

    The only effective protection in the long run would be to have an encrypted file system (although this is also not bulletproof, and does have its own drawbacks)...
    In any case, you also have to be careful with your backup copies (it is a big security hole to grant access to these)...

    I believe that many of the AAO owners will have a single account there and will not share the netbook. In this case, it is also not that relevant to have shadow passwords. You can always lock the screen if you are leaving the netbook unattended.
     
    coredumpz, Aug 2, 2008
    #6