Slashdot Mirror


Root Password Readable in Clear Text with Ubuntu

BBitmaster writes "An extremely critical bug and security threat was discovered in Ubuntu Breezy Badger 5.10 earlier today by a visitor on the Ubuntu Forums that allows anyone to read the root password simply by opening an installer log file. Apparently the installer fails to clean its log files and leaves them readable to all users. The bug has been fixed, and only affects the 5.10 Breezy Badger release. Ubuntu users, be sure to get the patch right away."
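As an added example (not from the original story and not Ubuntu's fix), this is one way a defender could check a log directory for the condition the summary describes: files readable by all users that contain password entries. The directory argument and the `passw(or)?d` pattern are assumptions, since the page names neither the log file nor its format.

```shell
#!/bin/sh
# Added example: audit a log directory for files that every local user can
# read and that contain password-like entries, then restrict them.
# The directory and the search pattern are assumptions, not from the page.

# Print world-readable regular files under $1 that match a password-like key.
find_exposed_logs() {
    dir=$1
    # -perm -004 selects files whose "other" read bit is set (POSIX syntax).
    # grep -l prints only the names of matching files; a non-match is not
    # an error here, so the exit status is forced to success.
    find "$dir" -type f -perm -004 \
        -exec grep -l -i -E 'passw(or)?d' {} + 2>/dev/null || true
}

# Remove group and other access from every file find_exposed_logs reports.
lock_down_logs() {
    dir=$1
    find_exposed_logs "$dir" | while IFS= read -r f; do
        chmod go-rwx "$f"
    done
}

# Usage: sh audit_logs.sh /path/to/installer/logs   (placeholder path)
if [ "$#" -gt 0 ]; then
    find_exposed_logs "$1"
fi
```

Restricting permissions only closes the local read path; a password that has already been written to such a file should also be changed.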

4 of 520 comments

  1. Ehh by cosmotron · Score: 0, Troll

    This was probably just some way for the Ubuntu developers to steal passwords. But, since someone noticed they had to act like it was an accident and release a patch.

    --
    Ryan - http://www.thecosmotron.com/
  2. Re:Saw this on Digg by aussie_a · Score: 0, Troll

    To be honest, you get what you pay for.

  3. missing the point by BinLadenMyHero · Score: 0, Troll

    I saw many comments stating that they should not write down the password on any file, etc. Seems that nobody here nor on Ubuntu has any clue.

    First of all, the password shouldn't be read with normal stdin. The 'passwd' program reads the password in a more direct way, not allowing it to be redirected anywhere. Just try "ls | head -3 | passwd" and you will see it does not work.

    The installation should use it to enter the passwords, so that it will not even know what the password is, let alone writing it on a log file.

  4. Re:Time From Discovery to Patch by tinkertim · Score: 0, Troll

    Ubuntu is open source. Think about the time and effort that went into writing said installer. If I were writing one, I'd log everything too while I developed it, otherwise how the hell am I going to see if all input has been processed correctly?

    I might remind you that the installer is their only chance to successfully install their *free* OS on *your* system, it's critical they get it right, and they did.

    Someone obviously forgot to remove that portion from the install log, yeah ok I agree that was a major brainfart... however please don't go calling the authors incompetent until you, yourself have released your own (perfect) operating system, or something better than Ubuntu.

    You write as though you paid Ubuntu to write that distribution just for you. I think the more serious issue here is your ego displayed, in plain text, on Slashdot... not the password in the log file as you are obviously out to cause more irritation than the bug itself.

    Perhaps you should go back to Microsoft Bob. I think that's more to your speed. If you have any complaints, the person responsible is the wife of Bill Gates, go talk to her.