Ubuntu User Security (or lack of)

8 03 2009

The other day was the first time I actually set up a user account for someone other than myself on my Ubuntu laptop. I noticed something rather odd: by default, the new /home/user directory has its file permissions set so anyone can read or execute the files. If I’m not mistaken, last time I made a user on Slackware or Gentoo it was set so only the owner could access and read the files located in his /home director… This discovery was followed by a “chmod -R go-rwx /home/user” on all my accounts, something that’s a good thing to do every now and then anyway if you’re security paranoid and in a multiuser environment. In the future, to make users created with adduser have more secure permissions, run “sudo dpkg-reconfigure adduser”.

And select no on the prompt asking if you want system-wide readable home directories.
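To confirm the change took effect, the following added example (not from the original post) lists home directories that still grant access to group or other, and reads the DIR_MODE setting that adduser applies to new home directories from /etc/adduser.conf. The function names are made up for this example, and `find -perm /077` and `stat -c` assume GNU findutils and coreutils, as shipped on Ubuntu.

```shell
#!/bin/sh
# Added example: audit home directory permissions on a multiuser box.

# List directories directly under $1 (default /home) whose mode grants
# any permission bit to group or other. Prints "<octal mode> <path>"
# per finding and nothing at all when every directory is private.
audit_homes() {
    base=${1:-/home}
    # -perm /077 (GNU find) matches if ANY group/other bit is set.
    find "$base" -mindepth 1 -maxdepth 1 -type d -perm /077 \
        -exec stat -c '%a %n' {} + | sort -k2
}

# Print the DIR_MODE value adduser will use for new home directories.
# Commented-out lines are ignored; the last active assignment wins.
adduser_dir_mode() {
    conf=${1:-/etc/adduser.conf}
    sed -n 's/^[[:space:]]*DIR_MODE=\([0-7]*\).*/\1/p' "$conf" | tail -n 1
}

# Exit status 0 only if the octal mode in $1 grants nothing to group/other.
mode_is_private() {
    [ $(( 0$1 & 077 )) -eq 0 ]
}
```

Run `audit_homes` after the chmod and again after creating a test user; an empty result means no home directory is readable by other accounts.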





Ubuntu Keyring Password Change

22 02 2009

Due to some security problems with a server I had used a common password on, I took the time today to change all my passwords. I reset my Ubuntu password, tried to log on later in the day, and was greeted by a prompt asking me to enter my keyring password in order to connect to my wireless. After trying a few passwords, I quickly found out the password it wanted was my old one.

The keyring stores all your WEP keys, WPA keys, and other passwords that you let it. Truthfully, I’ve never liked the idea of storing all my passwords in one place, so I was only using it to store my wireless keys. In order to keep this annoying little application from prompting you every time you boot for your old password, you’ll have to blow away the keyring file and then start from scratch entering all your wireless keys. I’ve found no other solution after much Googling, so I will also show you how to just stop using this application altogether if you choose rather than going through this again when you change passwords.

In order to reset the keyring, remove its files with this command,

rm ~/.gnome2/keyrings/*.keyring

Reboot the computer.

You should be greeted by this prompt when you try to use your wifi (nm-applet),

Now you have two options. Either input your new password, or leave it blank. If you input a new password, either after this prompt or on next reboot there will be a check box to make the application automatically log into your keyring on user login and life will go back to normal. If you go with option 2 and leave it blank, you’ll be greeted with this,

Select “Use Unsafe Storage” and your wireless keys will just be stored in plain text and gnome-keyring won’t bother you anymore. This IS less secure, if someone can read the files on your computer. Let’s face it though, if someone is already far enough into your system to read your files, they probably have root access, and you’ve got worse things to worry about than your wireless keys.





Sharing Firefox Profiles on Dual Boot Systems

27 01 2009

A quick fix for sharing your Firefox profiles/bookmarks in a dual boot system is shown here. I’m dual booting XP and Ubuntu 8.10 but the operating systems shouldn’t matter much. Simply create a partition that all your operating systems can read, FAT32 format in my case, and make sure all the operating systems mount it. This is always a good idea when dual booting to keep your files available for all your operating systems. To auto mount that partition in Ubuntu you’ll have to edit /etc/fstab to add something like the following line,

what_to_mount    where_to_mount    vfat    auto,users,rw,exec,uid=username,gid=groupname,umask=017    0    0

For example,

/dev/sda8    /mnt/storage    vfat    auto,users,rw,exec,uid=pherricoxide,gid=admin,umask=017    0    0

Then, copy one of your Firefox profiles to that partition. The profiles are located in ~/.mozilla/firefox/. If you’re using Windows, this would be in c:\documents and settings\user\application data. If in Linux, this would be in /home/user/. It should be the only directory if you never set up multiple profiles, something with a lot of random looking numbers and letters.

Once that’s done open up a terminal or command prompt and run firefox -profilemanager. In my case, this wasn’t in the XP path, so I had to cd to program files/mozilla firefox/ before running it. After it comes up, click create new profile. Hit next, and then change directory. Change to the directory on your FAT32 partition of the profile that you copied over, and then just hit next. Just stick with the default profile name. That’s it, now Firefox is using the profile in that directory. Do that with all your operating systems and you should be set.

Note: I’m not sure how well sharing a profile would work with multiple versions of Firefox. It’s likely best to update all your versions before you get started.

Note 2: This messes up some of the more complex plugins, and Firefox will often complain that it’s installed new plugins when you switch to the other OS.





Linux Ignorance in Public School

10 12 2008

I think I just lost all faith in the public school system. Oh wait, being told that I didn’t know anything about computer security and that I caused a “mutiny” when I was going to Compuhigh (an online High School program) did that, but this certainly didn’t help.

In recent news, a middle school teacher in Texas confiscated Linux CDs from a student. Apparently this has happened several times before, with teachers at various schools confiscating Ubuntu CDs and even suspending students for exchanging pirated software. This particular teacher decided to email the developers at Helios Linux and tell them what she thinks.

“…observed one of my students with a group of other children gathered around his laptop. Upon looking at his computer, I saw he was giving a demonstration of some sort. The student was showing the ability of the laptop and handing out Linux disks. After confiscating the disks I called a conference with the student and that is how I came to discover you and your organization. Mr. Starks, I am sure you strongly believe in what you are doing but I cannot either support your efforts or allow them to happen in my classroom. At this point, I am not sure what you are doing is legal. No software is free and spreading that misconception is harmful. These children look up to adults for guidance and discipline. I will research this as time allows and I want to assure you, if you are doing anything illegal, I will pursue charges as the law allows. Mr. Starks, I along with many others tried Linux during college and I assure you, the claims you make are grossly over-stated and hinge on falsehoods. I admire your attempts in getting computers in the hands of disadvantaged people but putting linux on these machines is holding our kids back… I am sure if you contacted Microsoft, they would be more than happy to supply you with copies of an older version of Windows and that way, your computers would actually be of service to those receiving them…” – http://linuxlock.blogspot.com/2008/12/linux-stop-holding-our-kids-back.html

I don’t even know where to begin. She confiscated a student’s property when he wasn’t doing anything illegal. If she actually tried Linux in college she would know that it was free software, or if she actually did some research like she said. She thinks Microsoft would give out free copies of Windows to disadvantaged people? How about be a little open minded, especially for someone in the educational field? Mr. Starks of Helios planned a meeting with the school district’s superintendent, who agreed after seeing this email forwarded to him. Hopefully they’ll have an interesting talk about this teacher. Let’s hope she’s just the PE teacher.

EDIT: The following is a fictional story, but after the above it wouldn’t surprise me if it could happen.

Topeka, KS – High school sophomore Brett Tyson was suspended today after teachers learned he may be using PHP. “A teacher overheard him say that he was using PHP, and as part of our Zero-Tolerance policy against drug use, he was immediately suspended. No questions asked,” said Principal Clyde Thurlow. “We’re not quite sure what PHP is, but we suspect it may be a derivative of PCP, or maybe a new designer drug like GHB.” – http://whatsthecrack.net/Student-Suspended-Over-Suspected-Use-of-PHP