Slashdot Mirror


Root Password Readable in Clear Text with Ubuntu

BBitmaster writes "An extremely critical bug and security threat was discovered in Ubuntu Breezy Badger 5.10 earlier today by a visitor on the Ubuntu Forums that allows anyone to read the root password simply by opening an installer log file. Apparently the installer fails to clean its log files and leaves them readable to all users. The bug has been fixed, and only affects the 5.10 Breezy Badger release. Ubuntu users, be sure to get the patch right away."

4 of 520 comments

  1. Re:But Ubuntu has no root account! by Yosho · Score: 5, Informative

    Read the article. The Slashdot summary is incorrect; the password is for the account you create during installation, which has sudo rights and therefore is just as effective as a root account.

    --
    Karma: Terrifying (mostly affected by atrocities you've committed)
  2. Solution by itismike · Score: 5, Informative
    1. open a terminal and type:
      sudo apt-get update
    2. wait for it to finish
    3. click the Red update icon in the upper-right corner
    4. click through the update
    5. locate the file and verify that it is unreadable by a non-privileged user
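
    One way to carry out step 5 above, as an added example that is not part of the original comment. The thread does not give the log path, so the directory is passed as an argument; the function names and the sample tree are constructed for illustration. The check reads mode bits instead of attempting a read, so it gives the same answer when run as root.

```shell
#!/bin/sh
# Added example: find files under a log directory that a non-privileged
# user could read. Ancestors above DIR are assumed to be traversable.

# world_readable_files DIR
# Prints regular files under DIR that have the "other" read bit set and sit
# only below directories (from DIR down) that have the "other" search bit.
world_readable_files() {
    dir=$1
    # Prune directories without o+x: other users cannot reach files inside.
    # -perm -004 matches files whose other-read bit is set.
    find "$dir" -type d ! -perm -001 -prune -o -type f -perm -004 -print
}

# audit_dir DIR: returns 0 if nothing is exposed, 1 otherwise.
audit_dir() {
    exposed=$(world_readable_files "$1")
    if [ -n "$exposed" ]; then
        printf 'readable by non-privileged users:\n%s\n' "$exposed" >&2
        return 1
    fi
    return 0
}

# Constructed sample tree (not paths or contents from the bug report).
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/open" "$t/locked"
    echo 'passwd=constructed-example' > "$t/open/leaky.log"
    echo 'ok' > "$t/open/private.log"
    echo 'passwd=constructed-example' > "$t/locked/hidden.log"
    chmod 755 "$t" "$t/open"
    chmod 700 "$t/locked"
    chmod 644 "$t/open/leaky.log" "$t/locked/hidden.log"
    chmod 600 "$t/open/private.log"
    echo "$t"
}

# Script use: sh check.sh /path/to/installer/logs
if [ "$#" -gt 0 ]; then
    audit_dir "$1"
fi
```

    In the sample tree only `open/leaky.log` is reported: `private.log` is mode 600, and `hidden.log` is world-readable by mode but sits under a directory other users cannot enter.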
  3. Re:Saw this on Digg by xlsior · Score: 5, Informative

    Actually slightly more elaborate: SQL 7 SP3 was also affected, plus they wrote the password to not one, but two files:

    Summary
    On May 30, 2000, Microsoft released the original version of this bulletin, to announce the availability of a patch that eliminates a security vulnerability in Microsoft® SQL Server® 7.0 Service Packs 1 and 2 installation routine. When run on a machine that is configured in a non-recommended mode, the routines record the administrator password in a log file, where it could be read by any user who could log onto the server at the keyboard.

    On June 15, 2000, the bulletin was updated to note that, under the same conditions as originally reported, the password also is recorded in a second file. A new version of the patch is available that prevents the password from being recorded in either file.

    On May 10, 2001, the bulletin was updated to note that Service Pack 3 is also affected by this vulnerability. A new patch is available for SP3 and we are also providing a command line utility (post Service Pack deployment) to remove all instances of the SA password written in either file via Q263968.



    So not only did they have a similar problem, it persisted for over a year after initially being found & allegedly fixed.

  4. Re:UNIX mouse driver released by Pogue Mahone · Score: 5, Informative
    Since when did UNIX have mice.

    Since long before MS-DOS had them:

    Look..

    --
    Every bloody emperor has his hand up history's skirt [Peter Hammill/VdGG]