Linked by Thom Holwerda on Sun 12th Mar 2006 20:46 UTC, submitted by lotusleaf
Ubuntu, Kubuntu, Xubuntu
A major, critical bug and possible security threat has been discovered in Ubuntu Breezy. Apparently, the 'root' password (not actually the root password because Ubuntu uses sudo) gets written into the installer's log files in clear text, and can be read by any account on the Ubuntu machine. The bug was first discovered and reproduced on the Ubuntu forums. The bug does not seem to affect Dapper; however, users upgrading from Breezy to Dapper might still be at risk because the log files are not modified. Update: Bug is fixed. Please upgrade.
RE[5]: Cue the peanut gallery
by atsureki on Mon 13th Mar 2006 05:34 UTC in reply to "RE[4]: Cue the peanut gallery"
atsureki Member since:
2006-03-12

So if my bank's ATM had a flaw in the UI that allowed me to bypass authentication and simply withdraw money, that wouldn't be breaking in?

Please, get a clue.


If your "bank" were a private citizen and the "ATM" were his unguarded Wintel box and the "money" were a bunch of bits on a physical disk that you could easily pop out with nothing but a Phillips head screwdriver, then we might be somewhere in the ballpark of what I said, yes.

I'm minimizing the security flaw on the grounds that it's nearly useless, not that it's easy. Gaining low-level control of any PC you have in your physical possession is a walk in the park. Doing it without having to restart isn't much of an exploit.

Another reply mentioned untrusted ssh, but that's a whole separate can of worms. You've gotta know what you're doing to get away with something like that regardless of your distro. Make a chroot jail and debootstrap. No password set prompts, no install log entry, no security bug.

A clear text password sitting anywhere on a filesystem in this day and age is pathetic, but all these red flag terms like root access are going to give people the wrong idea. It's an embarrassment, not a catastrophe.

Score: 2

RE[6]: Cue the peanut gallery
by Tom K on Mon 13th Mar 2006 05:47 in reply to "RE[5]: Cue the peanut gallery"
Tom K Member since:
2005-07-06

I'm not saying it's a catastrophe, but I still take issue with the fact that you think nothing that is done through software can constitute "breaking in". I gave one of many hundreds of thousands of examples.

A security researcher you are not cut out to be, so don't pretend to be one.

Score: -1

RE[7]: Cue the peanut gallery
by ma_d on Mon 13th Mar 2006 06:58 in reply to "RE[6]: Cue the peanut gallery"
ma_d Member since:
2005-06-29

This flaw can't be used to break in. It's a clear-cut privilege escalation issue; break-ins are another matter.

This is more like inviting your neighbor over and him then snatching the deed to your house from under your nose. Where a break-in would be someone cutting/breaking the window and stealing things.

You'll notice my analogy made the break-in easier to detect and the damage much easier to find. He also got less; the neighbor got your whole house by some impossibility of law.


Once again. If you are already a user on the machine you can't break into it. You're already in it!

Score: 1