Important Security Notice - mintAssistant 2.4 in Elyssa!

[clem]

A very important bug has been found in mintAssistant 2.4 which was released as part of Linux Mint 5 Elyssa.

Explanation

When the root password is not set the root account is still active, and rather than this consequently preventing any root login, it actually means you can login as root without any password at all.

Cause

This regression is due to a change in behavior in passwd from Gutsy to Hardy and a request from the community after RC1 was released not to lock the root account (so that "sudo su -" is still possible).

Solution

- A fix has been released in mintAssistant 2.5. When you select not to use the root password, the root account is now given a randomly generated password.
- The ISO images for both the Main and Light Editions will be rebuilt to include this fix.

What you need to do

- Upgrade mintAssistant to version 2.5.
- Launch mintAssistant and choose whether you want to set a root password or not. If you choose not to, a random password will be assigned for you.

Edit by Husse//
I strongly recommend you to set a root password. If you don't you will not be able to use "Recovery mode" which is a powerful helper when things go wrong.

[Lantesh]

Clem,

I just wanted to let you know that mintUpdate still does not always show updates unless I open it, wait for it to do it's check, and then hit refresh again. After doing this mintAssistant 2.5 did indeed show up. In general I do still have to do this each time to see what updates are available.

Might I request that after you have posted the new .iso file for Mint 5 that you announce it in this thread as a follow up? Once it's ready I would like to download it again so my CD is up to date without this security flaw.

By the way I'm impressed that you found this and have a fix so quickly, considering it's only been a few days since launch. Thank you so much.

[clem]

Hi,

The two ISOs are now ready. I'll just pass them through some basic tests before uploading them to the server. They should be uploaded tomorrow during the day and from there picked up by the mirrors up to 48 hours later.

Clem.

[trod]

How do you launch mintassistant ?
Thanks

[exploder]

Go to > Control Center > System > mintassistant

[trod]

thanks but I removed it first before installing 2.5 and now it doesent show on that menu. Any other way to launch it?

[kenetics]

So are you saying if you HAVE set a root password there is no problem?

[exploder]

trod, right click on the menu and choose "Reload Plugins", that should get the menu item to appear.

[tawan]

fix is easy to do and worked for me

thanks Clem (and Cathbard)

[matheos]

since i have installed the last version of mintAssistant 2.5 in Elyssa, i don't need any password at all to use the "sudo" command......to do....whatever i want

i think than it was not like that before...

[cathbard]

So are you saying if you HAVE set a root password there is no problem?

That's exactly what he's saying. The bug occurs when you don't set a root password in mint assistant 2.4

[eeezzzeee]

Other than at install I have never actually used mintassistant, is this something that I can remove? or is an integral part of the distro?
I added a root password and it accepted it, and then I clicked on mint assistant again and to see what it did, and it asked me if i wanted to enable a root password.

*edit-
after a reboot it asked me for my user password to get into the mintassistant

[matheos]

Post by matheos on Wed Jun 11, 2008 8:55 pm
since i have installed the last version of mintAssistant 2.5 in Elyssa, i don't need any password at all to use the "sudo" command......to do....whatever i want

i think than it was not like that before...
since i have installed the last version of mintAssistant 2.5 in Elyssa, i don't need any password at all to use the "sudo" command......to do....whatever i want

i think than it was not like that before...

correction : it's cause i've did sudo su one time before..... but i really have to do a complete reboot before have the password request again on a sudo command

if i logout and relogin, the bug is still there... but not in a tty (CTRL+ALT+F1)

i have two zombie process ( gnome-terminal and sh ) i'm not able to kill them event with kill -9 command probably the source of the bug

[badmotor]

I have also had my mint assistant disappear - tried 'reload plugins' and it still didn't come back.

Any ideas?

[clem]

- The new ISO images are available on Heanet.ie and should propagate to other mirrors today and tomorrow.
- The torrents now point at the new ISOs.
- On-Disk is in the process of replacing their ISOs and they will be contacting the people who bought CDs of Elyssa so far.

Clem.

[marty510]

tried what has been mentioned................I did update, but no mint assistant on my list?

[Zero Prime]

You have to refresh the update manager for the newest update to show.

[badmotor]

I have also had my mint assistant disappear - tried 'reload plugins' and it still didn't come back.

Any ideas?

Have you tried getting to it from the standard gnome menu? You open it by doing alt + f1.

I have tried the std. Gnome menu and it is not there. the instructions here were not quite clear what to do, so like others I had removed 2.4 first. Now if I look in package manager, it does say I have 2.5, but it is nowhere to be found in the menus (yes, I have refreshed plugins).

I did see some sort of 'Gnome integration' file that was removed with 2.4, and it hasn't reappeared in the synaptic list - so maybe that is what is causing the problem. If it doesn't show in the list, how do I get it back ??

[clem]

Hi,

If you removed mintassistant, mintassistant-gnome must have been removed as well (it depends on it). mintassistant-gnome is the package which contains the menu item and the command line launcher.

Clem

[bigbearomaha]

If when using Mint assistant and one chooses to not use the root password, it then generates a random password

1) doesn't that defeat the purpose of saying you don't want to enable the root acct to begin with and

2) if it is given a random generated password, how does one access it at a later time should the need arise? I assume the option of logging in as a "single user mode" is still viable in order to change that.

Big Bear