Linked by Thom Holwerda on Sun 12th Mar 2006 20:46 UTC, submitted by lotusleaf
A major, critical bug and possible security threat has been discovered in Ubuntu Breezy. Apparently, the 'root' password (not actually the root password, because Ubuntu uses sudo, but the password of the first user, who has sudo rights) gets written into the installer's log files in clear text, where it can be read by any account on the Ubuntu machine. The bug was first discovered and reproduced on the Ubuntu forums. The bug does not seem to affect Dapper; however, users upgrading from Breezy to Dapper might still be at risk because the existing log files are not modified. Update: the bug is fixed. Please upgrade.
RE: Not too bad, at least for me
by antwarrior on Sun 12th Mar 2006 22:43 UTC in reply to "Not too bad, at least for me"

The tone of some on this article is a bit worrying.
I CAN'T believe that some would even attempt to play this down. If this was stated in some other operating system, say Vista, or maybe even better OS X, there would be general outrage and disgust at such indecent exposure.

Now some might say that my box is secure, and it's a single user operating system, the danger is minimal.
Blah blah blah. But I would like to point out that Ubuntu is a Linux distro, it can double as a server, and people without thinking will set up Ubuntu as a server because it is Linux and not a Desktop distro, as some people would like to imply such a distinction (which should not be made to begin with). Linux is Linux, let's get that straight. I'm appalled!

It's an interesting facet to Linux security, that might be on the increase, that is insecurity and vulnerability being introduced by various user level tools that aid the "user's experience".

I must apologise for the tone of the email. I use Ubuntu @ home on my desktop and as a server machine and I was shocked at this.
Root password or sudo enabled user (however you want to look at it) in clear text? Wow.

Score: 5

ma_d

Ubuntu is a desktop distro. It really is... Things like sudo are things that a server admin won't touch with a ten foot pole; they're unnecessary complications for his situation (he's one of very few who needs root access anyway).

Realistically, if we saw this on Slackware, Debian, or Gentoo I'd be more concerned. My concern is when people up-play these security vulnerabilities. It's not the end of the world ;) . It's not Sasser, it's just a local exploit. The people most upset should be the developers (or in this case, distributors).

I'm surprised no one has tried to disprove many eyes with this one.. I'm waiting for that argument ;) .

Score: 3

skx2

"Things like sudo are things that a server admin won't touch with a ten foot pole"

Actually I'd beg to differ.

I look after 30-50 machines and I couldn't live without sudo. Sure, for a single server admin it might be a bit of overkill, but sudo is perfect for granting particular users access to some things, but not giving them root.

(e.g. Allowing a developer access to restarting Apache.)

As soon as you have a team of sysadmins looking after a lot of machines, sharing root passwords becomes unwieldy. In that case having sudo set up to allow all 'sysadmin' group members access to root is the way to go. It provides a sane, sensible approach to delegation, along with logging.

(Especially with one global sudoers file kept under revision control).

Score: 2
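The delegation skx2 describes, written out as a sudoers fragment. This is an added example, not from the thread or from Ubuntu's default configuration; the group name sysadmin, the user name devuser and the log file path are assumptions, and the Apache init script path is the Debian/Ubuntu one of that era.

```sudoers
# Added example of the delegation described above (not Ubuntu's shipped sudoers).
# Edit only via visudo, which syntax-checks the file before saving.

# Write a sudo log line for every invocation (who, what, from where).
# Assumed log path; syslog logging is also on by default.
Defaults        logfile="/var/log/sudo.log"

# Whole sysadmin team gets root without anyone sharing the root password.
# Each member authenticates with their own password and every command is logged.
%sysadmin       ALL=(ALL) ALL

# A developer who only needs to restart Apache.
# The 'restart' argument is part of the rule on purpose: listing the bare
# script would also permit 'stop', and a wildcard or a writable script would
# let the user run arbitrary commands as root.
Cmnd_Alias      APACHE_RESTART = /etc/init.d/apache2 restart
devuser         ALL=(root) APACHE_RESTART
```

Check a candidate file before installing it with `visudo -c -f <file>`, and review what a given account is actually allowed to do with `sudo -l -U <user>`.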