Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
|
 |
03-12-2006, 10:32 AM
|
#1
|
Member
Registered: Mar 2004
Posts: 171
Rep:
|
Admin Password readable by all users on Ubuntu Breezy?
Would you want your Admin password in plain text on your hard drive readable by any user?
If you're using Ubuntu Breezy, this post on the Ubuntu Forums may be of interest.
In short, a user posted about the admin username/password being readable by any user in plain text in the file:
/var/log/installer/cdebconf/questions.dat
Check your own system and see for yourself.
Edit: See also: Bug #34606 in Ubuntu: "Administrator root password readable in cleartext on Breezy"
Comments?
Last edited by furfurdemon666; 03-12-2006 at 11:06 AM.
|
|
|
03-12-2006, 10:43 AM
|
#2
|
Senior Member
Registered: Oct 2004
Location: Luxemburg
Distribution: Slackware, OS X
Posts: 1,507
Rep:
|
Same on Kubuntu. And the file is world-readable.
Well done...
|
|
|
03-12-2006, 11:56 AM
|
#3
|
LQ Veteran
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
|
Hmm. It isn't quite as straightforward as that. I support a couple of Ubuntu boxes for friends (both Breezy Badger) and while the admin username is in that file, the passwords definitely are not. Both are pretty stock installs of Ubuntu with very little customization. There has got to be a bit more to this story.
|
|
|
03-12-2006, 01:26 PM
|
#4
|
Member
Registered: Mar 2004
Posts: 171
Original Poster
Rep:
|
Quote:
Originally Posted by Hangdog42
Hmm. It isn't quite as straightforward as that
|
Actually, for many people, it is. In fact, this bug has been confirmed and is listed as critical:
https://launchpad.net/distros/ubuntu/+bug/34606
Last edited by furfurdemon666; 03-12-2006 at 01:27 PM.
|
|
|
03-13-2006, 09:06 AM
|
#5
|
Senior Member
Registered: May 2004
Location: Hilliard, Ohio, USA
Distribution: Slackware, Kubuntu
Posts: 1,851
Rep:
|
This bug has been fixed. This post on the Ubuntu forum indicates that it was a problem in the install process that has not only been fixed in the upcoming Dapper Drake release, but there is a patch already available. To update yourself, simply install the latest version of passwd (passwd-4.0.3-37ubuntu8).
|
|
|
03-13-2006, 05:35 PM
|
#6
|
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658
Rep:
|
WARN: Ubuntu Admin Password Leak
A potentially critical vulnerability has been identified in Ubuntu 5.10 (Breezy Badger). The Ubuntu installer stores in plaintext the username and password of the first user created during installation in a world-readable file. As this user is granted full sudo rights by default, the account has administrative privileges. It has also been reported that the actual root password will appear if the installation was performed in 'expert mode'. Some uncertainty regarding the significance of this bug has led some vulnerability reports to classify it as minor; however, it does appear to allow compromise of an administrative account by a local user.
http://secunia.com/advisories/19200/
http://www.securityfocus.com/brief/161
http://www.ubuntu.com/usn/usn-262-1
http://www.ubuntuforums.org/showthread.php?t=143334
Last edited by Capt_Caveman; 03-13-2006 at 05:36 PM.
|
|
|
03-13-2006, 05:45 PM
|
#7
|
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658
Rep:
|
Thanks for reporting this. Merging this thread with the stickied post.
|
|
|
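A defender's check for the condition discussed in this thread, as an added example (not code from the thread or from Ubuntu): it reports which password questions in the file hold a stored answer and whether the file is world-readable, without printing the values. The stanza layout (`Name:`/`Value:` lines separated by blank lines) and the `passwd/*password*` question names are assumptions about the cdebconf format, and the function names are made up for this example.

```shell
#!/bin/sh
# Audit an installer questions.dat for stored password answers.
# Assumed format: stanzas of "Name: ..." / "Value: ..." lines, blank-line separated.

# Print the names of password questions that hold a non-empty Value.
# The stored values themselves are never printed.
stored_password_questions() {
    awk '
        function emit() {
            if (name ~ /^passwd\/.*password/ && value != "") print name
            name = ""; value = ""
        }
        /^Name:/  { name = $2 }
        /^Value:/ { value = substr($0, 8) }   # text after "Value: "
        /^$/      { emit() }                  # stanza boundary
        END       { emit() }                  # last stanza may lack a blank line
    ' "$1"
}

# True if the "other" read bit is set on the file.
world_readable() {
    [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# Exit status: 0 = nothing found (or file absent/unreadable),
#              1 = password answers stored, file not world-readable,
#              2 = password answers stored and file world-readable.
audit_questions_dat() {
    f=$1
    [ -f "$f" ] || { echo "$f: not present"; return 0; }
    [ -r "$f" ] || { echo "$f: not readable by this user; re-run as root"; return 0; }
    hits=$(stored_password_questions "$f")
    if [ -z "$hits" ]; then
        echo "$f: no stored password answers"
        return 0
    fi
    echo "$f: stored answers for:"
    echo "$hits" | sed 's/^/  /'
    if world_readable "$f"; then
        echo "$f: world-readable; apply the passwd update and change these passwords"
        return 2
    fi
    echo "$f: not world-readable, but the answers are still on disk"
    return 1
}

# Default path is the one named in the thread.
audit_questions_dat "${1:-/var/log/installer/cdebconf/questions.dat}"
```

Status 2 is the situation described in the advisory post; status 1 means any local exposure depends on who else can read the file.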
All times are GMT -5. The time now is 09:47 AM.