Linked by Thom Holwerda on Sun 12th Mar 2006 20:46 UTC, submitted by lotusleaf
Ubuntu, Kubuntu, Xubuntu

A major, critical bug and possible security threat has been discovered in Ubuntu Breezy. Apparently, the 'root' password (not actually the root password because Ubuntu uses sudo) gets written into the installer's log files in clear text, and can be read by any account on the Ubuntu machine. The bug was first discovered and reproduced on the Ubuntu forums. The bug does not seem to affect Dapper; however, users upgrading from Breezy to Dapper might still be at risk because the log files are not modified. Update: Bug is fixed. Please upgrade.
Thread beginning with comment 103824
RE[2]: Cue the peanut gallery
by Tom K on Sun 12th Mar 2006 23:05 UTC in reply to "RE: Cue the peanut gallery"
Tom K Member since:
2005-07-06

It goes to show that even the godly Linux devs make retarded mistakes. It's a warning sign to all of you who think "Oh, I'll install Linux, and my computar will be UNHAXABLE!!11!".

So you get Joe User who has managed to happily install Ubuntu, and he tells his OS X/Windows-using friend how great and secure it is. Said friend knows about the log file, finds it, gets root on Joe's box. Joe is not happy, and realizes that the Linux zealots on some forum or other were just spewing bullshit.

The truth can be painful when you've had unrealistic expectations implanted in your head.

Reply Parent Score: -2

RE[3]: Cue the peanut gallery
by atsureki on Mon 13th Mar 2006 03:09 in reply to "RE[2]: Cue the peanut gallery"
atsureki Member since:
2006-03-12

> So you get Joe User who has managed to happily install Ubuntu, and he tells his OS X/Windows-using friend how great and secure it is. Said friend knows about the log file, finds it, gets root on Joe's box. Joe is not happy, and realizes that the Linux zealots on some forum or other were just spewing bullshit.

Some friend. That makes no sense at all. Put me in the room with anyone's desktop Wintel running Linux, and I can hax0r it with a liveCD and chroot. Even change the root password. If we're talking about a system you could just reach around and unplug or open up and remove the hard drive from, nothing you can do in software really counts as breaking in. This "exploit" affects basically two people: paranoid parents and people with untrusted guest accounts.

Reply Parent Score: 2

RE[4]: Cue the peanut gallery
by Tom K on Mon 13th Mar 2006 03:25 in reply to "RE[3]: Cue the peanut gallery"
Tom K Member since:
2005-07-06

> nothing you can do in software really counts as breaking in

So if my bank's ATM had a flaw in the UI that allowed me to bypass authentication and simply withdraw money, that wouldn't be breaking in?

Please, get a clue.

Reply Parent Score: -1

RE[4]: Cue the peanut gallery
by ma_d on Mon 13th Mar 2006 04:13 in reply to "RE[3]: Cue the peanut gallery"
ma_d Member since:
2005-06-29

It affects anyone who gives ssh access to untrusted users.
It affects anyone who shares a machine with others and uses a sensitive password (and was the one to set up the machine).

The second category is pretty rare. But the first category is called a webhost.

Reply Parent Score: 1

RE[3]: Cue the peanut gallery
by rattaro on Mon 13th Mar 2006 03:50 in reply to "RE[2]: Cue the peanut gallery"
rattaro Member since:
2005-08-22

> It's a warning sign to all of you who think "Oh, I'll install Linux, and my computar will be UNHAXABLE!!11!"

Really, only anti-Linux zealots think that Linux users think that Linux is unhackable. Actual Linux users are a lot more realistic.

Fanboys of any type seem to have a hard time thinking of anything less than extremes. It's really a shame, but not everyone can see the balance of pros and cons.

Reply Parent Score: 4
