-
Haha nice one Ubuntu
Well, since Ubuntu seems to have more steam than a tea kettle, I'll point this out:
http://lxer.com/module/newswire/view/55975/index.html
Cute.....EVERY USER ON THE SYSTEM CAN SEE EVERY USER NAME AND PASSWORD ON THE SYSTEM... Not that I use Ubuntu, I've installed it and looked at it and decided this no root but you can sudo to anything WITHOUT a passwd wasn't for me so I put Slackware and FreeBSD on that box.
-
While I may be mistaken, you can see every user name in the /etc/passwd file. As for the password, I find that a bit much. But since I haven't played with Ubuntu, I can't say if it is as retarded as it sounds. Some of the most ass-backwards security measures effectively secure a system. When I get some more time today I will take some time and read over the entire site. But, for now it's workout time.
*Yea... Burn those calories.*
-
Badger Badger Badger Badger Cleartext password password !
Badger Badger Badger Badger Cleartext password password !
Badger Badger Badger Badger Cleartext password password !
Badger Badger Badger Badger Cleartext password password !
A patch, a patch.. a yeah.. there's a patch !!
@House929: It was in the file /var/log/installer/cdebconf/questions.dat readable by anyone..
It is the installation log that contains either a sudo password or the root password (depending on your installation choices)..
-
I'm surprised they missed that - and the file was readable by anyone.. :eek:
I haven't had a chance to look at it - but if it's the installation log, then why does the patch advise you to upgrade base-config and passwd, rather than simply removing the log? LXer also says that it contains the results of the installation questions, so I don't see why upgrading the packages would resolve the problem..
Cheers,
-jk
-
Quote:
Originally posted here by House929
While I may be mistaken, you can see every user name in the /etc/passwd file. As for the password, I find that a bit much. But since I haven't played with Ubuntu, I can't say if it is as retarded as it sounds. Some of the most ass-backwards security measures effectively secure a system. When I get some more time today I will take some time and read over the entire site. But, for now it's workout time.
*Yea... Burn those calories.*
Speaking of calories and health, how about checking out SALTS for /etc/passwd ;)
Jinx..... No you did not just sing the badger song about Linux......
-
Re: Haha nice one Ubuntu
Quote:
Originally posted here by gore
Well, since Ubuntu seems to have more steam than a tea kettle, I'll point this out:
http://lxer.com/module/newswire/view/55975/index.html
Cute.....EVERY USER ON THE SYSTEM CAN SEE EVERY USER NAME AND PASSWORD ON THE SYSTEM... Not that I use Ubuntu, I've installed it and looked at it and decided this no root but you can sudo to anything WITHOUT a passwd wasn't for me so I put Slackware and FreeBSD on that box.
You did blow this a little outta proportion, Gore :). As Jinx mentioned, only one password was visible.. and you know what... I set up all my installs with the sudo option and I've gone through the three Ubuntu boxes that I have (before installing the update that "fixes" this) and I couldn't find any passwords..
Anyone who thinks first and then installs avoided this problem..
What I do is let it install sudo access.... Then I use sudo to password protect my root account with my own password.. voila, this whole problem is avoided...
Also root, by default has no remote access and no X-Windows access (if I remember correctly)... as I've seen a number of complaints about both... although I usually give root full access on my machines because they aren't available to the public.. and in this case this has to be locally exploited... or the person has to already have access to your system...
If the person is local... we know you're already beaten
If they have access and you didn't secure the box to prevent them from accessing the location where the file was stored... well... you should be locking down your box better if you don't trust your users..
Big hole, yes... big problem, no... Not if you compute intelligently... Also it was fixed rather quickly when reported...
Peace,
HT
-
:D but what if your password really was ####### :D would you have picked it up :).
-
Not sure I follow everyone here on this one. I'm running Ubuntu, and yes indeed, there's my password 95% of the way through the aforementioned log. Can't I just edit the log, deleting or changing the password?
Thanks.
-
There ist supposed to be ein patch,
-
Yes sir, Mr. Gore, I understand.
I'm not as up to speed on admin'ing linux systems as I'd like, just checked the Update Mgr which told me the system was up-to-date. Reloaded the Update Mgr., and lo-and-behold, here come the warm jets. Tankee.
Very good!
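-
Added example (not from any poster in this thread, and not Ubuntu's actual patch): a small audit for the condition the thread describes, an installer log directory whose files are readable by anyone and hold a password answer. The function names are hypothetical, and the "Name:" / "Value:" stanza layout is an assumption about the log format.

```shell
#!/usr/bin/env bash
# Added example: audit an installer log directory for world-readable files
# and for stored password answers, then restrict access.
# Assumption: answers are stored as stanzas with "Name:" and "Value:" lines.

# Print every regular file under $1 that "other" users can read.
world_readable() {
    find "$1" -type f -perm -004 -print | sort
}

# Print "file:question" for each stanza whose Name mentions "password"
# and whose Value is non-empty. The value itself is never printed.
password_answers() {
    find "$1" -type f -print | sort | while IFS= read -r f; do
        awk -v f="$f" '
            /^Name:/  { name = $2 }
            /^Value:/ { if (tolower(name) ~ /password/ && NF > 1) print f ":" name }
            /^$/      { name = "" }
        ' "$f"
    done
}

# Remove all access for "other" on the directory and everything under it.
lock_down() {
    chmod -R o-rwx "$1"
}
```

Run as root against /var/log/installer: any output from `password_answers` means that password should be treated as exposed and changed, not only hidden by `lock_down`.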