can ubuntu's update manager be hacked?

i_amlegend
Posts: 30
Joined: Tue Aug 28, 2012 6:10 pm

Post by i_amlegend » Sat Oct 06, 2012 1:53 am

More often than not, Update Manager does not ask for authorization when I click the 'install updates' button.
Is there a possibility that the update manager can be compromised and 'infected' code will be installed?

i-conica
Posts: 32
Joined: Tue Aug 28, 2012 6:11 pm

Re: can ubuntu's update manager be hacked?

Post by i-conica » Sat Oct 06, 2012 1:54 am

As far as I recall, the default behaviour for sudo (and GKSU etc.) is to remember your password for something like 10 minutes after you enter it, so if you've done anything requiring superuser permissions and entered your password in the last ten minutes, you won't be asked for your password again.
Why do people always suspect "hacking" before reading up on these things?

i017535
Posts: 17
Joined: Tue Aug 28, 2012 6:11 pm

Re: can ubuntu's update manager be hacked?

Post by i017535 » Sat Oct 06, 2012 1:56 am

I did try to research the problem but went off in the wrong direction
(update manager instead of sudo).

Found this link after you mentioned sudo:
https://help.ubuntu.com/community/Ro...t_sudo_timeout
Default timeout is 5 minutes and can be changed.

Now to see if this holds true next time I get an update...

i020590
Posts: 20
Joined: Tue Aug 28, 2012 6:11 pm

Re: can ubuntu's update manager be hacked?

Post by i020590 » Sat Oct 06, 2012 1:58 am

Whilst of course it is possible to hack package management systems, it seems strange that somebody would do so and remove the need for the root password. Seems a good way to let a victim know there's something wrong and seems also to serve no other purpose.

Before assuming "hacking", learn how a system works, as most of the posts I have read here and on other forums seem to be the user misunderstanding how things are supposed to work.

i0null
Posts: 28
Joined: Tue Aug 28, 2012 6:11 pm

Re: can ubuntu's update manager be hacked?

Post by i0null » Sat Oct 06, 2012 2:00 am

I posted the links because they're related to package management security, not because they're the reason for him not being required to enter the root password... The first site was posted in 2008, and I would hope many of the problems were fixed by now, but unfortunately attackers are creative in coming up with new ways to bypass security, and defenders often repeat mistakes, so history often repeats itself. So yes, update managers can be compromised...

i18nde
Posts: 25
Joined: Tue Aug 28, 2012 6:12 pm

Re: can ubuntu's update manager be hacked?

Post by i18nde » Sat Oct 06, 2012 2:02 am

As for hacking, I blindly install all updates that Update Manager sends me.
Sometimes the changes it makes to my system do not appear obvious, and any changes that are glaringly obvious are still accepted and become the new normal.
How do I know that the password requirements for updates did not change and, if so, are the changes authorized?
Every change cannot be investigated, so they are accepted, but a change in password requirements should raise a few flags.

Now, if sudo privileges are open for five minutes, does that open a window of opportunity for someone to access my system from the internet?
(How would you search for that answer before posting the question to this forum?)

Forgive me for getting off topic.
To paraphrase, it is better to light a candle than curse the darkness, it is better to ask a question than cruise the internet.

i2ambler
Posts: 12
Joined: Tue Aug 28, 2012 6:12 pm

Re: can ubuntu's update manager be hacked?

Post by i2ambler » Sat Oct 06, 2012 2:04 am

The password policies are never changed, since they are inherent to the Linux system. If you want to make system-wide changes on your system (which includes updating software) you always need root privileges for that. There may be the possibility to change the update system to get root privileges without asking for a password, but in this case you have no other choice than to trust the developers of your distribution or to inspect any package that is to be installed/updated for such changes.

i2landscape
Posts: 20
Joined: Tue Aug 28, 2012 6:12 pm

Re: can ubuntu's update manager be hacked?

Post by i2landscape » Sat Oct 06, 2012 2:06 am

Yes and no. Having those 5 minutes where the system does not ask for a password (this behavior can be disabled, by the way) will not enable people to log into your account and do malicious things. But there may be the (I would think rare) coincidence that in those five minutes an attacker uses an exploit in, for example, your browser and is able to change things on your system. That would really be a coincidence and I know not of one case where that happened.

i3rianl
Posts: 16
Joined: Tue Aug 28, 2012 6:12 pm

Re: can ubuntu's update manager be hacked?

Post by i3rianl » Sat Oct 06, 2012 2:08 am

OlRoy, your link to 'linux update problems' was worth reading but, like you say, needs updating since it was posted in 2008.

And 273, I apologize for not mentioning in my original post what I had done to find an answer before resorting to this forum. I had just read the suggestions for asking good questions yesterday, but for the life of me I could not follow (remember) those guidelines 24 hours later.
My bad.

My smart questions will hopefully improve, but I have noticed that I also need to work on smart searches. Sometimes a simple search leads me down multiple rabbit holes and I have to hop over to this forum.

Thank you all.

i6shot
Posts: 18
Joined: Tue Aug 28, 2012 6:13 pm

Re: can ubuntu's update manager be hacked?

Post by i6shot » Sat Oct 06, 2012 2:10 am

Turned on my computer this morning and had 146 updates on Update Manager.
Checked my email and surfed the web for awhile.
Ignored the update message for about half an hour and actually left the computer idle for 6 or 7 minutes.
Clicked on the update manager icon.
Clicked on the install updates button.
Install started with no password requested...
Back to finding out why.

https://help.ubuntu.com/community/RootSudoTimeout
This page says: By default sudo remembers your password for 15 minutes. If you want to change that you can do so by: sudo visudo

*wait for next update then wait 20 minutes before testing?

I tried to view my sudo settings in a terminal: sudo visudo
There is no line for setting the timeout.
My settings appear to be the basic default settings as shown on Ubuntu's site.
I can accept the 15 minute timeout default, just trying to figure out why the password is not required if I have not invoked it after the timeout.

Note: 146 updates, less than 10 were for security reasons.
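
Added example, not part of any post in this thread: the posts above discuss sudo's password-caching timeout and finding no timeout line under `sudo visudo`. This shell sketch reads a sudoers file and reports whether `timestamp_timeout` is set; the function names and both sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: report what a sudoers file says about credential caching.
# Function names and sample files are constructed for illustration.

# Print the last global "Defaults ... timestamp_timeout=N" value in file $1,
# or "unset" when no line sets it. Scoped forms (Defaults:user, Defaults@host)
# and files pulled in via #includedir are not followed here.
effective_timeout() {
    awk '
        /^[ \t]*#/ { next }                      # comments and #include lines
        /^[ \t]*Defaults[ \t]/ {
            sub(/^[ \t]*Defaults[ \t]+/, "")
            n = split($0, opts, ",")             # several options per line
            for (i = 1; i <= n; i++) {
                o = opts[i]
                gsub(/[ \t]/, "", o)
                if (o ~ /^timestamp_timeout=/) {
                    sub(/^timestamp_timeout=/, "", o)
                    val = o; found = 1           # later lines override earlier
                }
            }
        }
        END { if (found) print val; else print "unset" }
    ' "$1"
}

# Turn the raw value into a statement about when sudo will prompt again.
describe_timeout() {
    case "$1" in
        unset) echo "no override: sudo's compiled-in default applies" ;;
        0)     echo "password required on every sudo call" ;;
        -*)    echo "cached credentials never expire" ;;
        *)     echo "password cached for $1 minute(s)" ;;
    esac
}

SAMPLE_DIR=$(mktemp -d)
# Constructed sample 1: a file with no timeout line, as described in the thread.
printf 'Defaults\tenv_reset\nroot\tALL=(ALL:ALL) ALL\n%%sudo\tALL=(ALL:ALL) ALL\n' \
    > "$SAMPLE_DIR/stock"
# Constructed sample 2: an old value commented out, caching disabled.
printf '# Defaults timestamp_timeout=30\nDefaults env_reset, timestamp_timeout=0\n' \
    > "$SAMPLE_DIR/hardened"

for f in stock hardened; do
    v=$(effective_timeout "$SAMPLE_DIR/$f")
    echo "$f: $v ($(describe_timeout "$v"))"
done
```

On a real system, run `effective_timeout` as root against `/etc/sudoers` and each file under `/etc/sudoers.d`; `sudo -k` discards the cached credential immediately.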
