
Re: [tlug] Fwd: Re: [linuxNUS] Possible HUGE Security Flaw in Ubuntu Breezy (and maybe other versions)
>>>>> "Roger" == Roger Markus <rogermarku@example.com> writes:
>> > Karl Řie discovered that the Ubuntu 5.10 installer failed to clean
>> > passwords in the installer log files. Since these files were
>> > world-readable, any local user could see the password of the first
>> > user account, which has full sudo privileges by default.
Roger> Ouch! That one password system doesn't seem so good
Roger> now....

Um, no. This particular bug could happen to any install script that
"helpfully" sets up a root account for you. So it actually
demonstrates *why* the one-password setup is a good idea: because you
only have to worry about that one. E.g., you could do a recursive grep
for it on /, and find all the rootkits that have logged it, I bet.
;-)

Also, remember that anybody who has shell access is already past the
(on average) hardest hurdle.

Uva Coder is welcome to chime in about the virtues of Plan 9 right
about here, though.

--
School of Systems and Information Engineering http://turnbull.sk.tsukuba.ac.jp
University of Tsukuba Tennodai 1-1-1 Tsukuba 305-8573 JAPAN
Ask not how you can "do" free software business;
ask what your business can "do for" free software.
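
An added example, not part of the original message or of any Ubuntu tooling: a check for the condition the quoted advisory describes, listing world-readable regular files under a directory that contain a given password. The default root `/var/log`, the function name and the sample values are assumptions; the password is read with `getpass` so it never appears in the process list or shell history.

```python
import getpass
import os
import stat
import sys


def world_readable_leaks(root, secret):
    """Return sorted paths of world-readable regular files under root
    whose contents include secret (compared as UTF-8 bytes)."""
    if not secret:
        raise ValueError("secret must not be empty")
    needle = secret.encode("utf-8")
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
                if not stat.S_ISREG(st.st_mode):
                    continue
                # Only the file's own "other read" bit is checked here;
                # parent directory permissions are not evaluated.
                if not st.st_mode & stat.S_IROTH:
                    continue
                with open(path, "rb") as fh:
                    # Whole-file read keeps the match simple; fine for logs.
                    if needle in fh.read():
                        hits.append(path)
            except OSError:
                continue  # unreadable or vanished file: skip it
    return sorted(hits)


if __name__ == "__main__":
    # Assumed default location; pass another directory as the first argument.
    root = sys.argv[1] if len(sys.argv) > 1 else "/var/log"
    secret = getpass.getpass("Password to search for: ")
    for leaked in world_readable_leaks(root, secret):
        print(leaked)
```

Any path it prints needs its mode tightened and the password changed, since the file may already have been read.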