Officials at Red Hat disputed the assertion, but moved quickly to close the hole.
The security opening came as a surprise to some Linux users, who have considered the operating system (OS) either so well-designed or so obscure that it didn't have the same security problems as Windows.
Now most parties agree that is not the case. The appearance of a security issue at a time when users are still asking for more applications is unlikely to bolster the fortunes of Linux stocks, which tumbled faster and farther than general technology issues in April.
Quality assurance and security aren't the only issues: Outside of a few suites, there is a lack of widely available office software; consumer versions of the OS are relatively untried; and open source code's open-ended nature -- with many developers working on different parts of the system -- makes some IT managers nervous about its predictability.
Under an open source code approach, each development group adds changes to the system on top of a shared, underlying kernel or system core.
IT managers worry that variations in the OS will spring up between competing versions -- which in addition to Red Hat now include Caldera Systems, Corel, Debian, Lineo, Macmillan Software, MandrakeSoft, SuSE, TurboLinux and Yellow Dog -- and that the inconsistencies may affect performance or systems' ability to work together.
For example, a backup software package from Legato Systems works without adjustment on Caldera, MandrakeSoft and Red Hat, but failed when used on Debian systems, said Tom Stoddard, database administrator at BFGoodrich's Avionics division.
IT managers want someone who is under a contractual agreement with them to be responsible for the software they use, said Judith Hurwitz, president of the Hurwitz Group.
Helpful or hazardous?
They also don't want to worry about security holes. But, noted David Sifry, chief technology officer at Linuxcare, a technical support organisation, "To think that Linux doesn't have bugs is frankly ludicrous."
"Open source code is great for rapid development, but there's no quality assurance role in the typical open source project the way there is in commercial software. It's a hobby for people," said Chris Rouland, director of the bug identification task force at security package vendor Internet Security Systems.
Quality assurance checks are a battery of tests that commercial software undergoes before being released to customers to stress a product's integrity and resilience in the face of unexpected events.
But in early April, Red Hat started shipping Red Hat 6.2 with an updated clustering package, Piranha, which came with a default log-in and password meant to help a systems administrator get Piranha up and running remotely. After initially configuring a Piranha server, the administrator was supposed to set a secret password for future use.
Users installing Red Hat 6.2 who selected the "install all" option loaded Piranha onto their servers, giving an outsider with knowledge of the default log-in and password on the server an automatic entry point or "backdoor."
"Even if a user had no plans to use Piranha, the backdoor existed on that machine [loaded with 'install all']. Red Hat did not document it," Rouland said.
Red Hat's officials countered that the Piranha remote access, including the log-in and default password, were described in the Red Hat 6.2 documentation. The company decided to give system administrators automatic remote access because in many cases Piranha clusters are initiated without monitors or keyboards attached to the servers.
"It may have been naïve, but that's what we decided. It happened because people said they wanted to configure Piranha over the Web," said Erik Troan, director of engineering at Red Hat.
Troan disputed Rouland's claim that more testing would have found the opening. "It was a wrong judgment to include it [the log-in and default password], but we shipped Red Hat 6.2 knowing it was there. More testing would not have changed that."
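The exposure described above is a default credential that stays valid from installation until the administrator replaces it. As an added example, not code from the article or from Red Hat's Piranha package, the following Python audit reads a credential file and flags accounts whose stored hash still matches a vendor-shipped default. The file format (`user:salt:sha256-hex`), the sample file contents and the default credential list are all constructed placeholders; a real audit would use the vendor's documented defaults and the hashing scheme of the actual credential store.

```python
import hashlib
import hmac

# Constructed placeholder list of vendor-shipped default credentials.
# Real values come from the vendor's own documentation, not from this example.
KNOWN_DEFAULT_CREDENTIALS = [
    ("admin", "default-placeholder"),
    ("webui", "another-placeholder"),
]


def hash_password(salt: str, password: str) -> str:
    """Hypothetical credential-file hashing: hex SHA-256 over 'salt:password'."""
    return hashlib.sha256(f"{salt}:{password}".encode()).hexdigest()


def parse_credential_file(text: str) -> list[tuple[str, str, str]]:
    """Parse 'user:salt:hexdigest' lines, skipping blanks and '#' comments."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected user:salt:hash")
        entries.append((parts[0], parts[1], parts[2]))
    return entries


def find_unchanged_defaults(text: str) -> list[str]:
    """Return the users whose stored hash still matches a known default password."""
    flagged = []
    for user, salt, stored in parse_credential_file(text):
        for default_user, default_pw in KNOWN_DEFAULT_CREDENTIALS:
            if user != default_user:
                continue
            candidate = hash_password(salt, default_pw)
            # Constant-time comparison so the check itself leaks nothing about the hash.
            if hmac.compare_digest(candidate, stored):
                flagged.append(user)
                break
    return flagged


# Constructed sample credential file: 'admin' is still on the shipped default,
# 'ops' has had its password rotated by the administrator.
SAMPLE_CREDENTIAL_FILE = "\n".join([
    "# hypothetical web-admin credential file (constructed sample)",
    f"admin:s4lt1:{hash_password('s4lt1', 'default-placeholder')}",
    f"ops:s4lt2:{hash_password('s4lt2', 'rotated-by-the-administrator')}",
])

if __name__ == "__main__":
    for user in find_unchanged_defaults(SAMPLE_CREDENTIAL_FILE):
        print(f"WARNING: account '{user}' still uses a vendor default password")
```

Run against a copy of the credential store immediately after installation and again after the initial remote configuration step the article describes; any account the audit reports is still reachable with the published default, which is exactly the situation an "install all" user would have been in without knowing it.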
Rouland said ISS rated the hole at its highest level, 5, because a hacker using it could "execute arbitrary commands against the server" and would likely be able to alter content being posted on a Web site. The degree of mischief that could be committed would depend on the privilege level set for the Web server, he said.
Linuxcare's Sifry said the exposure would have the most impact on commercial Web servers, but their administrators were the ones least likely to use "install all" upon installation. Systems administrators don't load up their servers with extraneous software that won't help the Web server do its job, he said.
Linux drives 29 percent of all Web servers, according to surveys by Netcraft, but Red Hat said it doesn't know what percentage run on its distribution.