
Thread: Haha nice one Ubuntu

  1. #1
    Senior Member gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177

    Haha nice one Ubuntu

    Well, since Ubuntu seems to have more steam than a tea kettle, I'll point this out:

    http://lxer.com/module/newswire/view/55975/index.html

    Cute.....EVERY USER ON THE SYSTEM CAN SEE EVERY USER NAME AND PASSWORD ON THE SYSTEM... Not that I use Ubuntu, I've installed it and looked at it and decided this no root but you can sudo to anything WITHOUT a passwd wasn't for me so I put Slackware and FreeBSD on that box.

  2. #2
    While I may be mistaken, you can see every user name in the /etc/passwd file. As for the password, I find that a bit much. But, since I haven't played with Ubuntu I can't say if it is as retarded as it sounds. Some of the most ass-backwards security measures effectively secure a system. When I get some more time today I will take some time and read over the entire site. But, for now it's workout time.
    *Yea... Burn those calories.*

  3. #3
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Location
    Beverwijk Netherlands
    Posts
    2,534
    Badger Badger Badger Badger Cleartext password password !
    Badger Badger Badger Badger Cleartext password password !
    Badger Badger Badger Badger Cleartext password password !
    Badger Badger Badger Badger Cleartext password password !

    A patch, a patch.. a yeah.. there's a patch !!


    @House929: It was in the file /var/log/installer/cdebconf/questions.dat readable by anyone..
    It is the installation log that contains either a sudo password or the root password (depending on your installation choices)..
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !
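
Added example, not part of any post in this thread: a POSIX shell check for the problem the_JinX describes, listing world-readable files under the installer log directory and naming any password questions that still hold an answer, without printing the answer. The stanza layout (`Name:` / `Value:` lines), the function names and the sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit installer logs for readable secrets.
# Assumed stanza layout: a "Name:" line, later a "Value:" line, blank line between stanzas.

# List regular files under directory $1 that any local user can read.
world_readable() {
    find "$1" -type f -perm -004 2>/dev/null
}

# Print names of password questions in file $1 that still hold an answer.
# The stored value itself is never printed.
leaky_questions() {
    awk '
        /^Name:/  { name = $2; next }
        /^Value:/ { if (tolower(name) ~ /password/ && NF > 1) print name }
        /^$/      { name = "" }
    ' "$1"
}

# Report each world-readable file that holds a stored password answer.
audit_dir() {
    world_readable "$1" | while IFS= read -r f; do
        hits=$(leaky_questions "$f" | tr '\n' ' ')
        if [ -n "$hits" ]; then
            printf '%s is world-readable and stores: %s\n' "$f" "$hits"
        fi
    done
}

# Remove all access for "other" from the files found above.
restrict() {
    find "$1" -type f -perm -004 -exec chmod o-rwx {} +
}

# Build a constructed sample tree (fake data) and print its path.
make_sample() {
    d=$(mktemp -d) && mkdir "$d/cdebconf" || return 1
    printf 'Name: passwd/user-password\nValue: constructed-sample\n\n' > "$d/cdebconf/questions.dat"
    printf 'Name: passwd/root-password\nValue: \n\nName: passwd/username\nValue: alice\n' >> "$d/cdebconf/questions.dat"
    chmod 644 "$d/cdebconf/questions.dat"
    echo "$d"
}

# Usage: sh audit.sh /var/log/installer   (no argument: run on the sample)
dir=${1:-$(make_sample)}
audit_dir "$dir"
```

Tightening the mode only stops further reads; a password that sat in a world-readable file should be changed as well.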

  4. #4
    Senior Member
    Join Date
    Jul 2004
    Posts
    548
    I'm surprised they missed that - and the file was readable by anyone..

    I haven't had a chance to look at it - but if it's the installation log, then why does the patch advise you to upgrade base-config and passwd, rather than simply removing the log? LXer also says that it contains the results of the installation questions, so I don't see why upgrading the packages would resolve the problem..

    Cheers,

    -jk

  5. #5
    Senior Member gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    Originally posted here by House929
    While I may be mistaken, you can see every user name in the /etc/passwd file. As for the password, I find that a bit much. But, since I haven't played with Ubuntu I can't say if it is as retarded as it sounds. Some of the most ass-backwards security measures effectively secure a system. When I get some more time today I will take some time and read over the entire site. But, for now it's workout time.
    *Yea... Burn those calories.*
    Speaking of calories and health, how about checking out SALTS for /etc/passwd



    Jinx..... No you did not just sing the badger song about Linux......

  6. #6
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,915

    Re: Haha nice one Ubuntu

    Originally posted here by gore
    Well, since Ubuntu seems to have more steam than a tea kettle, I'll point this out:

    http://lxer.com/module/newswire/view/55975/index.html

    Cute.....EVERY USER ON THE SYSTEM CAN SEE EVERY USER NAME AND PASSWORD ON THE SYSTEM... Not that I use Ubuntu, I've installed it and looked at it and decided this no root but you can sudo to anything WITHOUT a passwd wasn't for me so I put Slackware and FreeBSD on that box.
    You did blow this a little outta proportion Gore, as Jinx mentioned only one password was visible.. and you know what... I setup all my installs with the sudo option and I've gone through the three Ubuntu boxes that I have (before installing the update that "fixes" this) and I couldn't find any passwords..

    Anyone who thinks first and then installs avoided this problem..

    What I do is let it install sudo access.... Then I use sudo to password protect my root account with my own password.. voila, this whole problem is avoided...

    Also root, by default has no remote access and no X-Windows access (if I remember correctly)... as I've seen a number of complaints about both... although I usually give root full access on my machines because they aren't available to the public.. and in this case this has to be locally exploited... or the person has to already have access to your system...

    If the person is local... we know you're already beaten

    If they have access and you didn't secure the box to prevent them from accessing the location where the file was stored... well... you should be locking down your box better if you don't trust your users..

    Big hole yes... big problem.. no... Not if you compute intelligently... Also it was fixed rather quickly when reported...

    Peace,
    HT

  7. #7
    Senior Member bAgZ's Avatar
    Join Date
    Jul 2001
    Posts
    206
    But what if your password really was #######, would you have picked it up?
    ----------------------------------------------------------------------------------------------------------
    "If I'd asked my customers what they wanted, they'd have said a faster horse." ~ Henry Ford

  8. #8
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243
    Not sure I follow everyone here on this one. I'm running Ubuntu, and yes indeed, there's my password 95% of the way through the aforementioned log. Can't I just edit the log, deleting or changing the password?

    Thanks.
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  9. #9
    Senior Member gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    There ist supposed to be ein patch,

  10. #10
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243
    Yes indeed, Herr Gore, I understand.

    I'm not as up to speed on admin'ing Linux systems as I'd like, just checked the Update Mgr which told me the system was up-to-date. Reloaded the Update Mgr., and lo-and-behold, here come the warm jets. Tankee.

    Very good!
    “Everybody is ignorant, only on different subjects.” — Will Rogers
