ubuntu-users Digest, Vol 19, Issue 142
Scott
sdamron at gmail.com
Tue Mar 14 02:21:15 UTC 2006
Message: 5
Date: Mon, 13 Mar 2006 19:47:16 -0500
From: "Darryl Clarke" <smartssa at gmail.com>
Subject: Re: security issues
To: "Ubuntu Help and User Discussions" <ubuntu-users at lists.ubuntu.com>
Message-ID: <37dd77890603131647u2e4f3128p at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
On 13/03/06, Lamp <lampajoo at gmail.com> wrote:
> "Karl Øie discovered that the Ubuntu 5.10 installer failed to clean
> passwords in the installer log files. Since these files were
> world-readable, any local user could see the password of the first
> user account, which has full sudo privileges by default.
>
> The updated packages remove the passwords and additionally make the
> log files readable only by root."
>
>
> Why on God's green earth was the password ever written to a file in
> the first place?!?!?? I use ubuntu because it's "easy," not expecting
> it to be ultra secure, but this is ridiculous. To compound the
> problem the explanation given is awful... "since these files were
> world-readable" should have been, "some dumbass wrote code that wrote
> clear text passwords to disk"--the readability of the files is
> irrelevant. I'm switching distros ASAP, there's no way I can trust
> ubuntu after this.
>
> --
That's a pretty heavy reaction. You'd never even know of it if the
original bug finder had actually posted the critical status properly.
Unfortunately it hit the forums, then a bug was posted.
I read about the bug, updated, saw the fix come in, checked the files
affected and sure enough they're clean (and no longer world readable).
Also, from the timeline and information on launchpad this bug was
fixed quite rapidly, and will receive further investigation as to why
it happened. The installer is supposed to clear those fields before
writing the log, clearly it didn't. Oops, humans, they're crazy.
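The two-part fix described above (scrub the password fields before the log is written, and keep the log readable by root only), written up as an added example that is not the Ubuntu installer's own code. The field names it recognises are an assumption modelled on debconf/preseed-style questions, and the sample lines are constructed:

```python
import os
import re
import stat
import tempfile

# Safety net for an installer that must never persist the values it collects
# for password questions. Field names are an assumption modelled on debconf-
# style questions (e.g. passwd/user-password), not Ubuntu 5.10's real names.
SECRET_FIELD_RE = re.compile(
    r"^(?P<keep>.*?\b(?:passwd/(?:user|root)-password(?:-again)?|password)\b"
    r"\s*(?:password\s+|[=:]\s*)?)(?P<value>\S.*)$",
    re.IGNORECASE,
)

def scrub_line(line: str) -> str:
    """Replace everything after a password-like field name with a marker."""
    m = SECRET_FIELD_RE.match(line.rstrip("\n"))
    return m.group("keep") + "[REDACTED]" if m else line.rstrip("\n")

def write_installer_log(lines, path):
    """Write scrubbed lines to path, creating the file with mode 0600."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        for line in lines:
            f.write(scrub_line(line) + "\n")
    os.chmod(path, 0o600)  # explicit, in case the file already existed wider
    return path

def audit_log(path, secrets):
    """Return findings: leaked secret values, or group/other access bits set."""
    findings = []
    if os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("log is readable by group or others")
    with open(path) as f:
        content = f.read()
    findings.extend(f"secret {s!r} present in log" for s in secrets if s in content)
    return findings

# Constructed sample lines in preseed/debconf style (not from a real log).
SAMPLE_LINES = [
    "d-i passwd/user-fullname string Example User",
    "d-i passwd/user-password password hunter2",
    "d-i passwd/user-password-again password hunter2",
    "root-password=correct horse battery staple",
    "Setting up hostname ubuntu",
]
if __name__ == "__main__":
    log = write_installer_log(SAMPLE_LINES, os.path.join(tempfile.mkdtemp(), "syslog"))
    print(open(log).read(), audit_log(log, ["hunter2"]) or "clean")
```

The scrubber is deliberately conservative: anything following a password-like token is dropped, so it may over-redact harmless lines, which is the safe failure mode for a log that ends up on disk.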
You know... If this were a M$ problem, and it was posted on a forum,
it would have been a month, at least, before any kind of fix would
have been available. Some folks may argue that this would be due to
elaborate testing and quality assurance, but I disagree. Open
Source means you can have one person in someplace like Dallas, TX, USA
finding the problem, and another person in Umbabamaumau,
whereevertheheck fixing it at the same time. I am not one to tell
folks that they should not react, but never overreact. That just
makes you look silly :o)