FAQ

Differences between revisions 59 and 60
Revision 59 as of 2010-01-25 13:15:40
Size: 21773
Editor: pool-71-114-235-234
Comment:
Revision 60 as of 2010-01-25 13:51:09
Size: 21993
Editor: pool-71-114-235-234
Comment: -proposed is built with -proposed and -backports with -backports
Deletions are marked like this. Additions are marked like this.
Line 26: Line 26:
   * '''proposed''': built with `release`, `security`, and `updates`
   * '''updates''': packages in `updates` are not directly built, but rather copied from `proposed` after they have been tested. See [[StableReleaseUpdates|StableReleaseUpdates]] for details.
   * '''backports''': built with `release`, `security`, and `updates`. See [[UbuntuBackports|UbuntuBackports]] for details.
   * '''proposed''': built with `release`, `security`, `updates` and `proposed`
   * '''updates''': as a matter of Ubuntu policy, packages in `updates` are not directly built, but rather copied from `proposed` after they have been tested. See [[StableReleaseUpdates|StableReleaseUpdates]] for details. If a special circumstance warrants building a package in `updates` without going through `proposed` first, it would be built with `release`, `security` and `updates`.
   * '''backports''': built with `release`, `security`, `updates` and `backports`. See [[UbuntuBackports|UbuntuBackports]] for details.

Official Support

  • What does official security support mean?
    • Members of the Ubuntu Security team are Canonical employees who provide security updates for supported software in the Ubuntu distribution. Security updates are in part prioritized based on severity of impact, exploitability and number of affected users.

  • What software is officially supported by the Ubuntu Security team?
    • Ubuntu is currently divided into four components: main, restricted, universe and multiverse. Packages in main and restricted are supported by the Ubuntu Security team for the life of an Ubuntu release, while packages in universe and multiverse are supported by the Ubuntu community.

  • Who can receive official support?
    • Official support is provided free of charge to all users of Ubuntu during the life of an Ubuntu release. You can see the release schedules in Releases.

Repositories

  • How are the "-updates" and "-security" pockets different?
    • -updates includes things that have gone through the StableReleaseUpdates process, and contain various important bug fixes. Anything built for "-updates" is built on top of which ever version of a package is newest between "-updates" and "-security", so that nothing in "-updates" will introduce security regressions.

    • -security includes only updated packages that contain security-related fixes, and are built to not require anything from "-updates". Anything built for "-security" is built on top of which ever version of a package is newest between "-updates" and "-security", so that nothing in "-security" will introduce bug regressions.

  • How are components and pockets used in the builds, and how do they affect security updates?
    • When packages are built, only certain components are available during the build:
      • main: built with only the main component enabled

      • restricted: built with main and restricted components enabled

      • universe: built with main and universe components enabled

      • multiverse: built with main, restricted, universe and multiverse components enabled

    • Ubuntu also has several pockets that further divide the archive: release, security, updates, proposed and backports. The pocket can be found by looking at the Distribution entry of a source package. The release pocket is simply the name of the release, and the other pockets are denoted by <release name>-<pocket>. For example, the release pocket for Ubuntu 8.04 LTS, the Hardy Heron, is simply hardy, while the security pocket for Ubuntu 8.04 LTS is hardy-security. Packages in release, security and updates are supported by the Ubuntu Security team, while packages in backports are supported by the community and packages in proposed are the responsibility of the uploader. When packages are built, only certain pockets are available during the build:

      • release: during the development cycle, this is the only pocket that is used. Once the development version is released, the release pocket is frozen and does not change.

      • security: built with release and security. UpdateProcedures gives the process used for creating security updates.

      • proposed: built with release, security, updates and proposed

      • updates: as a matter of Ubuntu policy, packages in updates are not directly built, but rather copied from proposed after they have been tested. See StableReleaseUpdates for details. If a special circumstance warrants building a package in updates without going through proposed first, it would be built with release, security and updates.

      • backports: built with release, security, updates and backports. See UbuntuBackports for details.

  • How do I automatically install security updates?

Packages

Versions

Ubuntu releases security updates by patching specific issues rather than updating whole versions of software. This is to keep the packages in a stable release as close to their original version as possible to avoid introducing unintended regressions. For more details, see Stable Release Updates.

Architectures

Ubuntu is built for many architectures. Officially supported architectures for a particular release of Ubuntu can be found in http://archive.ubuntu.com/ubuntu/dists/<release>/main/ and ported architectures (where maintenance is best-effort) are in http://ports.ubuntu.com/dists/<release>/main/.

Release

amd64

armel

hppa

i386

ia64

lpia

powerpc

sparc

Dapper

yes

--

ports

yes

ports

--

yes

yes

Edgy1

yes

--

ports

yes

ports

--

yes

yes

Feisty1

yes

--

ports

yes

ports

--

ports

yes

Gutsy1

yes

--

ports

yes

ports

--

ports

yes

Hardy

yes

--

ports

yes

ports

yes2

ports

ports

Intrepid

yes

--

ports

yes

ports

yes2

ports

ports

Jaunty

yes

ports

ports

yes

ports

ports

ports

ports

Karmic

yes

ports

--

yes

ports

ports

ports

ports

  1. Release has reached end of life and is no longer officially maintained
  2. While LPIA is listed in ports.ubuntu.com for this release, it should be considered a supported architecture

Endianness

Sometimes a security vulnerability affects a particular architecture or endianness. Most architectures in Ubuntu are little-endian, some are so-called bi-endian and some big-endian. In Ubuntu, the endianness of a particular architecture can be see in the following table:

Architecture (hardware name)

Little Endian

Big Endian

amd64 (x86_64)

yes

--

armel (armv5tel)

yes

--

hppa (parisc)

--

yes

i386 (i686)

yes

--

ia64

yes

--

lpia

yes

--

powerpc (ppc64)

--

yes

sparc (sparc64)

--

yes

Software

SSH

  • When I run ssh HOST sudo CMD..., I can see the password as I type it. How do I fix that?

    • There is no "tty" allocated when running commands directly via ssh, please add the "-t" flag.

  • When I connect to my ssh server port, I can see a banner with the exact version I'm running. Can we include a patch to disable the version number?
    • There is an upstream bug that gets into detail about this feature, but Ubuntu does not want to carry the patches unless upstream approves.

    • Hiding the version number is Security through obscurity, which is not real security.

    • SSH clients, including OpenSSH, usually parse the version string in order to identify known bugs/features with a particular version of the server. Changing the values could introduce communication problems with certain clients. See compat.c in the OpenSSH source code.

Sudo

  • Why does Ubuntu disable the root account and use sudo instead?
    • See RootSudo for a thorough discussion, but simply put, sudo offers many benefits including (but not limited to):

      • protecting the user from accidentally damaging parts of the system
      • providing a log audit trail
      • preventing brute-force login and ssh attacks to a well known account
      • authentication timeouts
      • fine-grained granting of privileges
  • I am not prompted for my password when I run "sudo" for a second time!
    • sudo is design to keep a "ticket" valid for 15 minutes after you use your password the first time. This is configurable. Please read man sudoers:

      timestamp_timeout
          Number of minutes that can elapse before sudo will ask
          for a passwd again.  The default is 15.  Set this to 0
          to always prompt for a password.  If set to a value
          less than 0 the user’s timestamp will never expire.
          This can be used to allow users to create or delete
          their own timestamps via sudo -v and sudo -k respec‐
          tively.
  • If sudo authentication does not immediately expire, doesn't that allow for privilege escalation for malware and local users?
    • Giving untrusted users access to your account or running untrusted code can allow privilege escalation via sudo, but Ubuntu does not (and by default cannot) provide protections against users running code as themselves. Some protections against these sort of attacks are:
      • do not open files or run/install programs from untrusted sources
      • enable locking of your screensaver
      • using 'sudo -k' or 'sudo -K' to remove the timestamps (see 'man sudo' for details)
      • adjusting timestamp_timeout in /etc/sudoers (using visudo) (see above, and 'man sudoers' for details)
      • using a virus scanner such as clamav on your files
      • protecting specific applications with Apparmor or SELinux

Rescue Mode

  • I am not prompted for a password when going into rescue mode!
    • This is related to 'sudo', above. Because in Ubuntu there is no root password, there is nothing to prompt for. In general, not prompting for a password in single user mode does not decrease security because it requires physical access to the machine. An attacker with physical access can bypass this restriction easily (eg with bootable media or removing the hard drive). If you decide to set a root password, you will be prompted for it in rescue mode.

UFW

  • Why is the ufw firewall not enabled by default?

    • ufw is available in all new installations of Ubuntu since 8.04 LTS, but is disabled by default. The standard Ubuntu installation has a no open service ports policy, so enabling the firewall by default doesn't gain any extra security in the default installation, but could provide confusion for people new to Ubuntu when new software that is installed does not work because of restrictive firewall rules. As a result, when first adding ufw to Ubuntu it was decided that users must 'opt-in' to using the firewall. In Ubuntu 9.04 and later, you can enable ufw during installation using preseeding. See /usr/share/doc/ufw/README.Debian for details.

GNOME Display Manager (gdm)

  • How do I disable the face browser at the login screen?
    • gdm 2.28, as included in Ubuntu 9.10 and later, has been rewritten and does not have the gdmsetup graphical configuration tool the previous versions had. gdm now stores its settings using GConf. To disable the face browser, use the following command: sudo -u gdm gconftool-2 --set --type boolean /apps/gdm/simple-greeter/disable_user_list true

    • Here are some links with more information:

gnome-keyring

Q: Does using gnome-keyring weaken security?

A: For most users in typical environments, no. Proper use of gnome-keyring should increase security by encouraging users to store passwords securely in the keyring rather than resorting to other less secure means of storing their passwords (eg, sticky notes on the monitor or a plain text file somewhere on disk).

Basically, gnome-keyring can store passwords for you. The passwords are stored in encrypted keyrings that are not available to applications until the keyring is unlocked. A common keyring is the 'login' keyring, but others can be used. Once the keyring is unlocked, applications can ask gnome-keyring for passwords and use them so that users don't have to remember them all, or be hassled with password prompts all the time. A keyring can be locked after it is unlocked. Because gnome-keyring uses protected memory, other users on the system cannot access the keys within a user's keyring (see man mmap and man mlock).

Gnome/Ubuntu integration does a few things (see the upstream documentation for more details):

  • The 'login' keyring is configured, via PAM, to be automatically unlocked upon successful authentication via PAM (ie, when you login)
  • When the PAM session is closed via the screensaver, all keyrings are locked, and the 'login' keyring is unlocked upon successful authentication to the screensaver
  • All keyrings are locked on logout of the user's session

This provides:

  • A good usability experience
  • Protection against access from anyone to keys when the user is not authenticated
  • Protection against other users on the system at all times

Some people may not like to use keyrings in general and there are certain environments where their use is not appropriate. Users can always choose to not store their passwords in the keyring at all. Furthermore, gnome-keyring behavior can be adjusted:

  • Temporarily by using seahorse and manually locking the unlocked keyring

  • Permanently by changing the passphrase of the 'login' keyring
  • Permanently by removing gnome-keyring from the PAM stack

Please note that by changing this behavior, programs that need access to the unlocked passwords will prompt you for the keyring passphrase whenever they need it.

In general, using a keyring does not weaken the security of the system. To use them safely1:

  • You should choose a strong login passphrase (eg, using a mixture of letters, numbers, capitalization and non-alphanumerics that is at least 8 (preferably 12 or more) characters long and not subject to a dictionary attack). This login passphrase should be memorized, and not written down.
  • You should always lock your screen when you step away from your system. You can set a short inactivity timeout and/or better yet, use 'ctrl+alt+l' or activate the screensaver from within your session every time you step away.
  • Do not use shared login accounts

Notice that these recommendations are no different from when you are not using a keyring (ie, you always want a strong login passphrase, to lock your screen, and never share your login account).

[1] If you leave your computer powered on in an environment where it might be stolen (eg, a hotel room), software techniques cannot protect you. In general, in these environments the computer should be completely powered off and use disk encryption. Disk encryption as well as discussion to mitigate hardware, firmware, BIOS, cold-boot or 'evil maid' attacks are beyond the scope of this FAQ).

Firefox AppArmor profile

  • Why is the profile disabled by default?
    • Starting with Ubuntu 9.10, firefox ships an AppArmor profile. It is known to work well in the default Ubuntu installation with extensions, plugins and helper applications provided in the Ubuntu archive. Firefox, like all browsers, is a very complex piece of software that can do much more than simply surf web pages. As such, enabling the profile in the default install could affect the overall usability of Firefox in Ubuntu, which could end up decreasing the security of the overall system. Users who know nothing about AppArmor who encounter AppArmor denials might turn off AppArmor entirely, losing the protections afforded by the existing profiles. Enabling the profile for all users must be very carefully considered.

  • Could the user be prompted on upgrade to enable the profile?
    • Asking the user on upgrade or installation is not a valid option for Ubuntu, because the question could be confusing and boils down to "do you want better security?" People will almost always answer "yes", which is essentially the same as enabling the profile by default. Adding a low priority debconf question which can be preseeded might be implemented in a future release.

  • Will the profile be enabled by default in a future release of Ubuntu?
    • Possibly. As mentioned, Firefox is a very complex application on its own, and when you consider third-party plugins, extensions, helper applications and Ubuntu derivatives, it becomes very difficult to ensure that the profile provides the proper level of usability and confinement. It is known to work well in the default Ubuntu installation with extensions, plugins and helper applications provided in the Ubuntu archive. If the profile can be shown to work for the vast majority of users in Ubuntu and its derivatives, and AppArmor user-space tools mature to the point that they are usable by regular users, enabling the profile by default can be considered.

  • What does the profile protect against?
    • The goals of the profile are to provide a good usability experience with strong additional protection. The profile allows for the use of plugins and extensions, various helper applications, and access to files in the user's HOME directory, removable media and network filesystems. The profile prevents execution of arbitrary code, malware, reading and writing to sensitive files such as ssh and gpg keys, and writing to files in the user's default PATH. It also prevents reading of system and kernel files. All of this provides a level of protection far exceeding that of normal UNIX permissions.
  • How do I enable or disable the profile?
    • The profile can be enabled by using sudo aa-enforce /etc/apparmor.d/usr.bin.firefox-3.5. The profile can be temporarily disabled by performing sudo apparmor_parser -R /etc/apparmor.d/usr.bin.firefox-3.5 and permanently disabled with sudo apparmor_parser -R /etc/apparmor.d/usr.bin.firefox-3.5 ; sudo ln -s /etc/apparmor.d/usr.bin.firefox-3.5 /etc/apparmor.d/disable/usr.bin.firefox-3.5. See the Ubuntu AppArmor documentation for more details on using AppArmor.

  • The profile doesn't work for me, what should I do?
    • See DebuggingApparmor for how to diagnose, report and fix bugs in AppArmor profiles. You may also disable the profile (see above).

  • Can I adjust the profile?
    • Certainly! You can add additional access rules or remove rules in the profile for your requirements. The profile is a Debian conffile, which means on package upgrades, you will be prompted for what to do with the changes. For firefox-3.5, simply adjust the profile /etc/apparmor.d/usr.bin.firefox-3.5 and reload it with sudo apparmor_parser -r -T -W /etc/apparmor.d/usr.bin.firefox-3.5. See the Ubuntu AppArmor documentation for more details on using AppArmor. If you feel your additions would benefit all Ubuntu users, please consult DebuggingApparmor and file a bug.

Design

Many common issues come up that may seem to be security design problems, but are actually done intentionally. Please review the Ubuntu Security Policies.


CategorySecurityTeam

SecurityTeam/FAQ (last edited 2024-01-26 14:48:38 by sahnaseredini)