Linked by Thom Holwerda on Sun 12th Mar 2006 20:46 UTC, submitted by lotusleaf
Ubuntu, Kubuntu, Xubuntu
A major, critical bug and possible security threat has been discovered in Ubuntu Breezy. Apparently, the 'root' password (not actually the root password because Ubuntu uses sudo) gets written into the installer's log files in clear text, and can be read by any account on the Ubuntu machine. The bug was first discovered and reproduced on the Ubuntu forums. The bug does not seem to affect Dapper; however, users upgrading from Breezy to Dapper might still be at risk because the log files are not modified. Update: Bug is fixed. Please upgrade.
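
The summary notes that the old log files are left untouched by an upgrade to Dapper. As an added example (not from the story or from Ubuntu's fix), these shell functions list files under a log directory that every account can read and that contain a password-like line, then remove group and other access. The directory argument and the `passw` search pattern are assumptions, since the page names neither the file nor its format.

```shell
#!/bin/sh
# Added example, not Ubuntu's fix. The directory to scan and the default
# 'passw' pattern are assumptions: the page does not name the log file
# or describe its format.

# Print the path of every regular file under $1 that is readable by
# "other" (mode bit 004) and has a line matching pattern $2
# (case-insensitive). Only file names are printed, never contents.
find_exposed_logs() {
    dir=$1
    pattern=${2:-passw}
    # grep -l exits non-zero when nothing matches; that is not an error here.
    find "$dir" -type f -perm -004 \
        -exec grep -l -i -e "$pattern" {} + 2>/dev/null || true
}

# Remove all group/other permissions from every file reported above,
# leaving the owner's access unchanged.
lock_down_logs() {
    find_exposed_logs "$1" "${2:-passw}" | while IFS= read -r f; do
        chmod go-rwx "$f"
    done
}

# Stand-alone use: pass the log directory as the first argument to get
# the list of exposed files; run lock_down_logs on it after review.
if [ "$#" -gt 0 ]; then
    find_exposed_logs "$1" "${2:-passw}"
fi
```

Tightening permissions does not undo earlier reads, so a password found this way should also be changed.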
RE[3]: Cue the peanut gallery
by atsureki on Mon 13th Mar 2006 03:09 UTC in reply to "RE[2]: Cue the peanut gallery"
atsureki Member since: 2006-03-12

> So you get Joe User who has managed to happily install Ubuntu, and he tells his OS X/Windows-using friend how great and secure it is. Said friend knows about the log file, finds it, gets root on Joe's box. Joe is not happy, and realizes that the Linux zealots on some forum or other were just spewing bullshit.

Some friend. That makes no sense at all. Put me in the room with anyone's desktop Wintel running Linux, and I can hax0r it with a liveCD and chroot. Even change the root password. If we're talking about a system you could just reach around and unplug or open up and remove the hard drive from, nothing you can do in software really counts as breaking in. This "exploit" affects basically two people: paranoid parents and people with untrusted guest accounts.

Reply Parent Score: 2

RE[4]: Cue the peanut gallery
by Tom K on Mon 13th Mar 2006 03:25 in reply to "RE[3]: Cue the peanut gallery"
Tom K Member since:
2005-07-06

> nothing you can do in software really counts as breaking in

So if my bank's ATM had a flaw in the UI that allowed me to bypass authentication and simply withdraw money, that wouldn't be breaking in?

Please, get a clue.

Reply Parent Score: -1

RE[5]: Cue the peanut gallery
by ma_d on Mon 13th Mar 2006 04:09 in reply to "RE[4]: Cue the peanut gallery"
ma_d Member since:
2005-06-29

If your bank's ATM has any authentication control you need to look into a new bank.

Reply Parent Score: 0

RE[5]: Cue the peanut gallery
by atsureki on Mon 13th Mar 2006 05:34 in reply to "RE[4]: Cue the peanut gallery"
atsureki Member since:
2006-03-12

> So if my bank's ATM had a flaw in the UI that allowed me to bypass authentication and simply withdraw money, that wouldn't be breaking in?
>
> Please, get a clue.

If your "bank" were a private citizen and the "ATM" were his unguarded Wintel box and the "money" were a bunch of bits on a physical disk that you could easily pop out with nothing but a Phillips head screwdriver, then we might be somewhere in the ballpark of what I said, yes.

I'm minimizing the security flaw on the grounds that it's nearly useless, not that it's easy. Gaining low-level control of any PC you have in your physical possession is a walk in the park. Doing it without having to restart isn't much of an exploit.

Another reply mentioned untrusted ssh, but that's a whole separate can of worms. You've gotta know what you're doing to get away with something like that regardless of your distro. Make a chroot jail and debootstrap. No password set prompts, no install log entry, no security bug.

A clear text password sitting anywhere on a filesystem in this day and age is pathetic, but all these red flag terms like root access are going to give people the wrong idea. It's an embarrassment, not a catastrophe.

Reply Parent Score: 2

RE[4]: Cue the peanut gallery
by ma_d on Mon 13th Mar 2006 04:13 in reply to "RE[3]: Cue the peanut gallery"
ma_d Member since:
2005-06-29

It affects anyone who gives ssh access to untrusted users.
It affects anyone who shares a machine with others and uses a sensitive password (and was the one to set up the machine).

The second category is pretty rare. But the first category is called a webhost.

Reply Parent Score: 1

codergeek42 Member since:
2006-01-07

Wrong. Any webhost who knows what they're doing would not give SSH access to any of its users unless they were separated into VM servers like User-Mode Linux, Xen, or VMware.

Reply Parent Score: 1