Ubuntu in the Corporate

I’ve been using Ubuntu 11.04 in the corporate environment for over a year now and this post will attempt to summarise the frankly disappointing state of affairs that is “linux in the corporate environment”.

Thumbnails

Such a little thing – getting a thumbnail for your images, videos or office documents.  In Windows, once a directory has been thumbnailed, it creates a hidden file “thumbs.db” in that directory, so that when other people visit the directory, there’s no need to recreate every thumbnail from scratch.

In Ubuntu, however, there is. Every user stores their own version of thumbnails.  At work, my .thumbnails directory is a little shy of 40Mb.  If you multiply that by 1000 employees, you’ve just wasted 39.96Gb of data creating the same set of thumbnails 1000 times.  Bandwidth, Disk I/O, wasted.  Worse, if you make your staff’s home directories a network share, you’re now wasting 40Gb of storage across your home share.

It’s a poor model and needs fixed.

Encrypted Home Directories with Likewise

Wanted an encrypted home directory?  Easy – tick the box when you install and you’ve got one.  But wait.  Logging in with AD credentials after installing Likewise?  Nope.  Likewise creates a non-encrypted domain directory in your /home and every user that logs in thereafter gets an unencrypted home.

EDIT :

The use case is simply theft.  If a PC is stolen, then anything unencrypted on that device is going to be revealed trivially through the use of a USB boot key.  User documents, settings or, worse, Dropbox installs are going to be readable.  So I’d like to encrypt the home directories to prevent it.  It won’t be as effective as a full-disk LUKS install, but it integrates with login so that only one password is required, so a slicker option in my opinion.

If anyone knows a way around this behavior, please holler.

Passwords

In Windows, every password you enter on the system is shown on screen by substituting asterisks.  On Ubuntu, the same is true, but many of these entries have a tick box that says “Show password”.  What the hell?  Why?  Why on earth, having entered my password would I EVER want it shown on screen??

Basically what this means is that even a 2 minute slip up where you forget to lock your screen while you grab a packet of crisps or a coffee – you’ve possibly just let a colleague see what your password is.  I raised with the Seahorse devs, but they argued that if you leave your laptop/PC unlocked for two minutes then it’s compromised irretrievably and refused to acknowledge that the “show password” option was making things worse.

What can you do, maliciously, in two minutes with a Windows laptop?  Plenty, but I think it would be mostly obvious.  I reckon it would be quite challenging to seriously compromise a user without his knowledge on a Windows computer.  On Ubuntu – 20 seconds to reveal my WIFI password, which also happens to be my AD password, since we use PEAP authentication.

“Linux is more secure.”  Really?  Depends, doesn’t it?

EDIT:

I should clarify my use case here.  We have contractors coming onsite all the time to help with new product install, support cases, or training.  Due to the nature of my job, a lot of what we access is protected by either firewall or ACL, so that only specific devices can access the service that contractor is onsite for.

I trust these guys not to be installing root kits or maliciously hacking my laptop while I grab us both a coffee, but in the case of Ubuntu, I literally can’t use it because while I do trust them generally, it’s just too easy for them to stumble upon a password box with a glaringly tempting “show password” button next to it.

The weird thing when I raise the “show password” issue is that no-one can give me a use-case for its existence.  Or if you count “I forgot my password” as a use case, then they can’t explain the huge inconsistencies in Ubuntu – I can “show” my keychain password and my WIFI password but for some strange reason, I can’t show the password for my actual install, or my encryption password.  Why?  If physical access = “toast”, then why do I have to enter my previous password to change it to a new one?  Why am I prompted for my password on login?  Why am I prompted for my password on resume?

Rhetorical questions obviously, but despite everyone seeing that passwords for logging in, decrypting and resuming are necessary, they lose all logic about a simple “show password” box.  IT IS NOT NECESSARY.

I just don’t understand it.  It’s like a blindness.

Proxy support

Very frustrating.  The command line uses one environment variable, while GUI programs use another.  The proxy configuration dialogue has an option to “Apply System-Wide”, but doesn’t appear to do anything.  Bypass options don’t always work, or require a reboot to activate.  Some downloads (flash-plugin for example) will use wget in the middle of the apt-get install, which fails, because apt-get doesn’t pass in the proxy option.

Worse, why isn’t there an option to set the proxy by network?  If I’m on our internet-only WIFI, I don’t want a proxy, but if I’m on our internal-WIFI, I do.  Why can’t it set/unset the proxy depending on what I connect to?

Mapping Drives

In Windows, you map a drive, then there’s an option to “Reconnect at next login”.  Not in Ubuntu.  Or any linux distro I’ve tried in fact.  No, you have to edit your /etc/fstab for this functionality.  It’s 2012 and you have to edit text files to make samba shares persistent.

Evernote

Finally, a non-O/S specific issue.  In fact, it’s a bit unfair to include this, because it’s not really Ubuntu’s fault… but it’s a big one for me, so :  Evernote, which I use every hour of every day, doesn’t have an Ubuntu version.  Some utter genius has coded the awesome “NixNote” in java and so I use that.  But pretty frustrating that such a crucial tool (for me) doesn’t have a native client.  And launching java to run NixNote is a drain – it takes about 30 seconds to start up and synchronisation isn’t quite as slick as the native version.

Summary

It’s not all bad.  Nautilus remains much better to use than Explorer, LibreOffice is getting better all the time, workspace shifting is a joy, start up is very quick and Xenapp covers the few programs I use that don’t have an Ubuntu version – Vsphere, I’m looking at you.

What else?  Network Manager makes setting up multiple networks a joy (overlooking, for the moment, the proxy issues above), external monitor support works well, and of course terminal access with built-in python is superb.

But there’s so much wrong with Ubuntu in the corporate that it takes real determination to make it work, and many of the issues just shouldn’t exist in this day and age.  Maybe 12.04, the Precise Pangolin will deliver a better experience, but nothing I’ve seen so far suggests that this will be the case.  In fact, in many areas, I think there will be regressions due to the move to Gnome 3 – such as external monitor support.

Time will tell, but I’m not holding my breath for the perfect corporate system.
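An added example, not part of the original post: for the Passwords section above, one check an administrator could run is to list which NetworkManager connection profiles retain a Wi-Fi or 802.1X (PEAP) secret, either in the keyfile itself or with the user's secret agent, rather than prompting each time. The sample keyfiles, connection names and the `audit_keyfile` helper are constructed for illustration.

```python
import configparser

# NetworkManager secret-flag bits (NMSettingSecretFlags).
AGENT_OWNED, NOT_SAVED = 1, 2

# (keyfile section, secret key). Older keyfiles use the long wifi section name.
SECRETS = [
    ("wifi-security", "psk"),
    ("802-11-wireless-security", "psk"),
    ("802-1x", "password"),
]

def audit_keyfile(text):
    """Return (connection id, section, key, storage) for each retained secret."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    cp.optionxform = str  # keep key names case-sensitive
    cp.read_string(text)
    conn_id = cp.get("connection", "id", fallback="<unnamed>")
    findings = []
    for section, key in SECRETS:
        if not cp.has_section(section):
            continue
        flags = int(cp.get(section, key + "-flags", fallback="0"))
        if cp.has_option(section, key):
            # Secret is written into the profile file itself.
            findings.append((conn_id, section, key, "keyfile"))
        elif (flags & AGENT_OWNED) and not (flags & NOT_SAVED):
            # Secret is kept by the user's secret agent (the desktop keyring).
            findings.append((conn_id, section, key, "agent"))
    return findings

# Constructed sample profiles (not taken from any real system).
PEAP_STORED = """
[connection]
id=corp-internal
[wifi-security]
key-mgmt=wpa-eap
[802-1x]
eap=peap;
identity=jdoe
password=EXAMPLE-ONLY
"""
PSK_AGENT = """
[connection]
id=guest-wifi
[wifi-security]
key-mgmt=wpa-psk
psk-flags=1
"""
PEAP_PROMPT = PEAP_STORED.replace("password=EXAMPLE-ONLY", "password-flags=2")

if __name__ == "__main__":
    for sample in (PEAP_STORED, PSK_AGENT, PEAP_PROMPT):
        for finding in audit_keyfile(sample):
            print("retained secret:", finding)
```

On a real system the keyfiles live under /etc/NetworkManager/system-connections and are readable only by root. A profile with `password-flags=2` asks for the password on every connect, so nothing is kept to reveal.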

  • http://jeremy.bicha.net/ Jeremy Bicha

    A fundamental premise in security is if an attacker has physical access, you’re toast. Two minutes is plenty of time to install a rootkit where a persistent backdoor can be set up. Even without root access, that script has full access to everything the user has access to, including your mounted shared folders or whatever.

    The show password button is the same as in OS X. If you’d try out OS X, you’d notice a rather significant resemblance between Apple’s control panel and the one in GNOME 3. Admittedly, Windows hides the password but that is frustrating to people who just want to use their computers.

    If it makes you feel better, the GNOME designers are considering hiding the wifi password behind a very unintuitive “hold down the Alt button trick”, the same trick that is used only once in GNOME Shell and once in the GNOME 3 Fallback. Personally, I think it’s a lousy idea to hide stuff like this. At least right click makes some sense because it’s so widely implemented.

    http://afaikblog.wordpress.com/2011/11/10/gnome-design-update/

    • guest

      You can try NeverNote, it’s a fork of Evernote

      • scaine

        Thanks – actually Nevernote has been renamed NixNote, so we’re talking about the same product!

    • scaine

      I’ve updated my post to include an expanded use case.

      As for your link, two things :
      1. No, I won’t be happy with the change to show passwords UNLESS it invokes a policy-kit request for the current user’s password. In fact, I’d be happy with any “show password” box if it did so. But they don’t. They just inconsistently ignore security and show it to anyone.

      2. The network settings overhaul may well fix my gripe about proxy support not being incorporated on a per-network basis. It will be exciting if that sees the light of day, as it would save me several clicks a day and a lot of grief from flicking proxy on and off all the time.

  • Vadim P.

    I’m not with you on the ‘show password’ issue.

    • scaine

      It would seem that few people are…

  • https://blog.misc.ephaone.org/ Michael

    Technically, if you can show the password, then it is stored in clear text. So even without showing, you can get it from the disk. So you cannot place it on the disk in a way that could be automatically extracted when needed, and yet not be extracted by someone who wants to do it.

    Regarding the encryption, I use full disk encryption, so that avoids the issue.

    For the proxy, that’s a problem as old as UNIX, due to the way proxies work on UNIX. There is libproxy to solve that, but someone needs to port all applications to use it.

    • scaine

      I believe Seahorse encrypts its passwords somehow, but still offers a “show password” box, so LUKS isn’t going to help me here. I did use LUKS previously, but feel that encrypted home dirs is a decent compromise personally. Each to their own though.

      Proxy – yeah. Big bug report here : https://bugs.launchpad.net/ubuntu/+source/apt/+bug/556293

  • http://libertus.co.uk Alan Bell

    I think having the option to show the password on the wifi dialog is great, generally you are trying to type in something like 2u298h23jawf34e from a bit of paper someone passed to you. It often isn’t a secret to be guarded from other people in the room and seeing what you type for that kind of string is easier.

    The thumbnails point is good. A personal thumbnail store does mean you can thumbnail and cache the thumbnails for read-only locations, and you are not littering the disk with thumb.db files which might have adverse consequences for scripts and things. I suspect it would be possible to extend the existing model somehow to get the best of both and have shared thumbs where possible and fall back to personal thumbs.

    Proxy support, yeah, with you on that one. Luckily I am seeing customers ditch proxy servers and just use NAT or transparent proxies.

    Reconnecting mapped things: in Nautilus, if you bookmark drives they reconnect on demand. This seems reasonable to me; why connect before you want to use it? Bookmarking could probably be improved, but the general principle of on-demand connecting seems sound to me.

    • scaine

      I’m responsible for the proxies at work and I have no intention of ditching them in favour of transparent proxies – transparent proxies are a massive headache to implement properly – cookie rewriting, seamless authentication, proxy bypassing, all very achievable but much more difficult than explicit proxy.

      As for reconnecting, that only works if you remember to hit the share button in nautilus /before/ you try to access the share. So if you’re in LibreWriter, save your document, your share won’t be available and you’ll have the hassle of connecting it in nautilus, then coming back to save. Pain.

      But more generally, nautilus shares use gvfs and won’t support thumbnailing (for better or worse), so I prefer to edit my /etc/fstab. My point is, you shouldn’t have to edit text files in this day and age to get access to a feature.

  • http://www.mhall119.com Michael Hall

    I believe the “show password” checkbox only shows what you’ve typed into the password box, so the scenario would be that you had a password prompt come up, typed in your password, then walked away without hitting enter or pressing OK. If you did the same with windows, I believe somebody could just as easily highlight the asterisks, hit ctrl+c, and paste the clear text password into Notepad.

    • scaine

      Michael, I’m afraid not. Passwords stored months ago can be revealed by the “show password” box.

      Additionally, Windows will allow you to paste a password into their password boxes, but won’t allow you to copy text out.

  • Shaun Mallette

    Michael Hall is right: the showing of the password is what you have typed in. Really none of it matters in fact, as with any system if you have physical access you can own it regardless.

  • http://www.nux.ro Nux

    A few comments:

    1. Thumbnails
    - with you on this one, but to be honest it’s not really boobuntu’s fault.
    If you use a FS that does deduplication you can claim back that space, zfs can do this now and btrfs will probably do it soon, assuming you use same storage for the users that is.

    2. Encrypted directories (with Likewise)
    - I appreciate the desire for more security, but – assuming it’s not a mobile device – why do you need to encrypt home dirs? Other users sharing the station shouldn’t have permissions to check your homedir and root can change your password and login as yourself thus decrypting the thing. I hope I didn’t get the way booboo encrypts your homedir wrong, I haven’t used anything else but LUKS.

    3. Passwords
    - I’m not with you on this one, shadowing the password with ***s is only so that other eyes watching the monitor don’t get it. You should be able to view the password at all times if you so desire. Like someone else was writing above, sometimes you need to input really wacky stuff and it’s nice to see what the heck you’re typing.
    It’s not really a security issue.
    Want something real to worry about? How about the integrated keylogger in Xorg!
    http://theinvisiblethings.blogspot.com/2011/04/linux-security-circus-on-gui-isolation.html

    4. Proxy support
    - The issue you’re raising is real, but if you rely on those settings in your “corporate” environment… it’s very brave. This kind of stuff should be forced at gateway/router level, transparent proxy, NATs based on destination etc.

    5. Mapping drives
    - Like someone else stated above you can use Nautilus bookmarks, but it’s not very “corporate”. You can use automount and/or pam_mount, look them up, _very_ handy and they actually work.

    6. Ok, it’s the first time I hear about Evernote. Anyway, looking at their site you do realise that by using it you’re putting private information in other people’s hands? I don’t think that’s a very corporate idea.

    I still think Linux can work in corporate, though, just requires more determination.

    • scaine

      Good answers.

      Regarding Likewise, I’ve edited my post with a use-case. Bug report is here: https://bugs.launchpad.net/ubuntu/+source/likewise-open/+bug/831604

      Regarding LUKS, yeah, it’s a safer method, but overkill for me. Can root change my password and decrypt? I don’t think so, as the decryption key is updated by the change password process, so if root changes my password when my homedir is not mounted/decrypted, you’ve just toasted my homedir! I think – I’ll need to test that.

      Regarding passwords, well – you have your opinion, I have mine. You think you should be able to see all passwords at any time. What about your login password then? Where can you see that one with a “show password”? Hmmm.

      Regarding proxy – of course it’s forced at the firewall. If you don’t have an explicit password set, you don’t get access (in other words, we block all port 80 and 443 traffic unless it originates from the proxy). This prevents callbacks from malicious software working.

      Regarding mapping drives – yep, I use autofs, but who knew… MORE text editing! It just shouldn’t come down to that these days.

      And finally regarding Evernote, of course nothing sensitive is stored on there! Just meeting notes on companies, the odd bullet point to-do list maybe. Its sharing model and convenience make it a great tool.

    • http://twitter.com/Azthma Azthma

      Isn’t it called PowerBroker now instead of Likewise Open?

  • Anon

    I’d just like to point out this: a little over a year and Ubuntu 11.04, which was released on April 28. Are you a time traveller?

    • scaine

      Nice! Nope, you’re right, I was using 10.04 LTS initially as a trial. When I considered Ubuntu viable (albeit painful), I installed 10.10. When I was given a Dell Vostro V13 in May of last year, I installed it with Ubuntu 11.04. Despite 11.10 coming out, I’m skipping it and waiting for 12.04 LTS as the pain introduced by Gnome 3 in terms of both power management and external monitor support meant that it’s not worth doing that upgrade at this time.

      Sorry for the confusion!

  • Mykro76

    I agree with some of your comments, but you may wish to reconsider skipping 11.10 which I use at work:

    - Proxy support was greatly improved in 11.10 – Apply System-wide works much better, and more applications support the system proxy.

    - Drive mapping is improved in 11.10 – once you’ve used the “Connect to Server..” option to access a Windows share host you can right-click the Network entry to add it to Bookmarks and it will stay in Places / Nautilus even through reboots.

    - Oneiric also bumps up Network Manager from 0.8.x to 0.9.x which was a big rewrite to explicitly solve multi-location networking scenarios (laptops). It worked much better on my netbook than 11.04 did.

    - I don’t consider the “show password” option a problem – ultimately you are responsible for your terminal’s security. I always hit Ctrl-Alt-L when leaving my desk for any more than 30 seconds.

    Hope this helps.

    • Anonymous

      Good to see some improvements coming in 12.04 really, especially proxy, but we agree to differ on the password issue.  It sure must be great to be perfect.  :-)

      But I’m curious – what if (just if) you forget?  Do you immediately change all your passwords and re-install your laptop/PC with a fresh copy of Ubuntu?

      I doubt it.  This needs fixed – until it does, Ubuntu’s security is worse than Windows in my opinion.  Don’t get me started on a lack of firewall.  At least other well respected Ubuntu developers/users agree with me on that.

      • Kaceyr

        Windows 7 will also show you your password.

    • http://twitter.com/Azthma Azthma

      There are several use cases behind the use of the SHOW PASSWORD button and myself, the instant I leave the machine, I hit CTRL+ALT+L to lock the screen. I agree with Mykro76.

      • Anonymous

        Thanks Azthma – can you outline a use case, please?  Can you tell me what you’d do if you once (just once) forgot to lock your screen?

  • http://twitter.com/Azthma Azthma

    Please check the new Multi Monitor support specifications in Canonical’s website! 12.04 should make your dream come true.
    https://docs.google.com/document/d/1aHvJ-iIw-59bXTYBmIhQqEx0za2h9jpFE_RhZ2VOvJc/edit?authkey=CJO5wPkH&hl=en_GB&pli=1

    • Anonymous

      That’s an awesome document!  Thanks.  Shame that some of it is targeted for 12.10, but brilliant to know that it’s being planned out nonetheless.  I hope their “presentation mode” takes into account an option to suppress libnotify alerts – nothing more embarrassing than doing a presentation and a mate/colleague IM’s you about lunch…
