FAQ
Official Support
- What does official security support mean?
Members of the Ubuntu Security team are Canonical employees who provide security updates for supported software in the Ubuntu distribution. Security updates are in part prioritized based on severity of impact, exploitability and number of affected users.
- What software is officially supported by the Ubuntu Security team?
Ubuntu is currently divided into four components: main, restricted, universe and multiverse. Packages in main and restricted are supported by the Ubuntu Security team for the life of an Ubuntu release, while packages in universe and multiverse are supported by the Ubuntu community.
- Who can receive official support?
Official support is provided free of charge to all users of Ubuntu during the life of an Ubuntu release.
Repositories
- How are the "-updates" and "-security" pockets different?
-updates includes packages that have gone through the StableReleaseUpdates process and contain various important bug fixes.
-security includes only updated packages that contain security-related fixes and that are built so as not to require anything from "-updates".
- How are components and pockets used in the builds, and how do they affect security updates?
- When packages are built, only certain components are available during the build:
main: built with only the main component enabled
restricted: built with main and restricted components enabled
universe: built with main and universe components enabled
multiverse: built with main, restricted, universe and multiverse components enabled
Ubuntu also has several pockets that further divide the archive: release, security, updates, proposed and backports. The pocket can be found by looking at the Distribution entry of a source package. The release pocket is simply the name of the release, and the other pockets are denoted by <release name>-<pocket>. For example, the release pocket for Ubuntu 8.04 LTS, the Hardy Heron, is simply hardy, while the security pocket for Ubuntu 8.04 LTS is hardy-security. Packages in release, security and updates are supported by the Ubuntu Security team, while packages in backports are supported by the community and packages in proposed are the responsibility of the uploader. When packages are built, only certain pockets are available during the build:
release: during the development cycle, this is the only pocket that is used. Once the development version is released, the release pocket is frozen and does not change.
security: built with release and security. SecurityUpdateProcedures gives the process used for creating security updates.
proposed: built with release, security, and updates
updates: packages in updates are not directly built, but rather copied from proposed after they have been tested. See StableReleaseUpdates for details.
backports: built with release, security, and updates. See UbuntuBackports for details.
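The pocket naming and support rules above can be checked against a machine's apt sources. The following is an added example, not code from the Ubuntu wiki or the Ubuntu Security team: it assumes one-line `sources.list` entries, uses constructed sample input, and its function names and the way it combines the pocket rule with the component rule are assumptions of this example.

```python
POCKETS = ("security", "updates", "proposed", "backports")
TEAM_COMPONENTS = {"main", "restricted"}
# Constructed sample (one-line sources.list format), using the FAQ's hardy example.
SAMPLE = """\
deb http://archive.ubuntu.com/ubuntu hardy main restricted
deb http://archive.ubuntu.com/ubuntu hardy-updates main universe
deb [arch=amd64] http://security.ubuntu.com/ubuntu hardy-security main restricted universe
# deb http://archive.ubuntu.com/ubuntu hardy-proposed main
deb http://archive.ubuntu.com/ubuntu hardy-backports main multiverse
"""

def split_suite(suite):
    """'hardy-security' -> ('hardy', 'security'); bare 'hardy' is the release pocket."""
    release, sep, tail = suite.rpartition("-")
    if sep and tail in POCKETS:
        return release, tail
    return suite, "release"

def supporter(pocket, component):
    # Assumption: the pocket rule is applied first, then the component rule.
    if pocket in ("backports", "proposed"):
        return "community" if pocket == "backports" else "uploader"
    return "security-team" if component in TEAM_COMPONENTS else "community"

def parse_sources(text):
    """Return (release, pocket, component, supporter) for each enabled 'deb' entry."""
    rows = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments and disabled lines
        if not fields or fields[0] != "deb":
            continue
        rest = fields[1:]
        if rest and rest[0].startswith("["):     # skip an [option=value ...] group
            while rest and not rest[0].endswith("]"):
                rest = rest[1:]
            rest = rest[1:]
        if len(rest) >= 3:                       # uri, suite, one or more components
            release, pocket = split_suite(rest[1])
            for comp in rest[2:]:
                rows.append((release, pocket, comp, supporter(pocket, comp)))
    return rows

def missing_security_pocket(rows):
    """Releases that have entries but no <release>-security pocket enabled."""
    covered = {r for r, p, _, _ in rows if p == "security"}
    return sorted({r for r, _, _, _ in rows} - covered)

if __name__ == "__main__":
    rows = parse_sources(SAMPLE)
    print(*rows, "missing -security:", missing_security_pocket(rows), sep="\n")
```

A non-empty result from `missing_security_pocket` means a release is configured without its security pocket, so fixes published there would not be offered to that machine.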
- How do I automatically install security updates?
Packages
Where did mod_security go?
- The license to mod_security did not allow for redistribution, so it was removed from Debian and Ubuntu after 6.06 (Dapper):
- The licensing issue has been resolved and mod_security is back in the archive as of Ubuntu 9.04 (Jaunty):
Strange Behavior
When I run ssh HOST sudo CMD..., I can see the password as I type it. How do I fix that?
No "tty" is allocated when running commands directly via ssh. Add the "-t" flag to allocate one.
Software
Sudo
- Why does Ubuntu disable the root account and use sudo instead?
See RootSudo for a thorough discussion, but simply put, sudo offers many benefits including (but not limited to):
- protecting the user from accidentally damaging parts of the system
- providing a log audit trail
- preventing brute-force login and ssh attacks to a well known account
- authentication timeouts
- fine-grained granting of privileges
- If sudo authentication does not immediately expire, doesn't that allow for privilege escalation for malware and local users?
- Giving untrusted users access to your account or running untrusted code can allow privilege escalation via sudo, but Ubuntu does not (and by default cannot) provide protections against users running code as themselves. Some protections against these sorts of attacks are:
- do not open files or run/install programs from untrusted sources
- enable locking of your screensaver
- use 'sudo -k' or 'sudo -K' to remove the timestamps (see 'man sudo' for details)
- adjust timestamp_timeout in /etc/sudoers (using visudo) (see 'man sudoers' for details)
- use a virus scanner such as clamav on your files