3/18/2006
Ubuntu security advisory
SecurityFocus reports a vulnerability in Ubuntu
The problem is that the root password is stored in clear text in a world-readable installer log file. You can verify this by running:
$ grep password /var/log/installer/cdebconf/questions.dat
There is a fix available…
Basically you just need to do a regular update to get the latest base-config package, which changes the permissions of the file so that it is no longer world-readable. i.e.:
before
$ ls -l /var/log/installer/cdebconf/questions.dat
-rw-r--r-- 1 root root 61052 2005-12-12 01:44 /var/log/installer/cdebconf/questions.dat
after
$ ls -l /var/log/installer/cdebconf/questions.dat
-rw------- 1 root root 61018 2006-03-18 11:36 /var/log/installer/cdebconf/questions.dat
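To check the whole installer log directory rather than the one file, the sketch below lists every world-readable file that mentions a password and can strip group/other access from those files. It is an added example, not part of the original post or of the base-config update; the function names are hypothetical, and /var/log/installer as the default directory is taken from the path above.

```shell
#!/bin/sh
# Added example (not the base-config fix itself): audit an installer log
# directory for the condition described in the advisory.

# Print every regular file under the directory that is readable by "other"
# AND contains a line mentioning "password" (case-insensitive).
# Usage: audit_installer_logs [DIR]   (DIR defaults to /var/log/installer)
audit_installer_logs() {
    dir="${1:-/var/log/installer}"
    [ -d "$dir" ] || return 0
    # -perm -004 : the "other" read bit is set (the 0644 "before" state).
    # grep -l prints only file names, never the matching secret itself.
    # grep exits non-zero when a batch has no match; that is not an error here.
    find "$dir" -type f -perm -004 \
        -exec grep -l -i -- 'password' {} + 2>/dev/null || true
}

# Remove group/other access from each flagged file, which gives the same
# mode as the "after" listing (0600 for a file that was 0644).
# Files that are world-readable but hold no password entry are left alone.
# Usage: fix_installer_logs [DIR]   (run as root for the real directory)
fix_installer_logs() {
    audit_installer_logs "$1" | while IFS= read -r f; do
        chmod go-rwx -- "$f"
    done
}

# Typical use, as root:
#   audit_installer_logs        # list affected files
#   fix_installer_logs          # tighten them
#   audit_installer_logs        # should now print nothing
```

An empty result from audit_installer_logs after the update confirms that no other file under the directory is left in the "before" state.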




