Administrator root password readable in cleartext on Ubuntu Breezy

Posted by tadelste on Mar 8, 2006 7:55 PM EDT
LXer; By Tom Adelstein 		Mail this story
Print this story

Teotihuacan writes on the UbuntuForum: There is a file that contains all the installation logs :

/var/log/installer/cdebconf/questions.dat In this file, there is all the questions asked to the user abd all the user's answers. So, near the end of the file, we can find the user created during the installation... and its password (not hidden).

Moreover, this file can be read by all users (contrary to the syslog).



Personally, the user I have created during the installation is the computer administrator and I had no reason (until now) to change its password after the installation. I've just created a non-administrator user after the installation.



I have researched on this forum about this file and I have found no result. On google, there isn't many results. There is just a link to the Ubuntu Wiki (but for the installation for a cluster)



I think it's risky to store an user's password in a file readable by everybody. (for example if we can login via ssh on an Ubuntu server)



I don't know what you think of this...





He's correct. The log exists and can be read by any users.

Here's an image of it:





I simply removed the values in the file. That should do it. I'm surpirsed it took this long for some to find this issue. But it is easily fixed. It doesn't exist in Dapper. The root password is not visible in Kubuntu but you can see the user name and password.

  Nav
» Read more about: Story Type: Security; Groups: Ubuntu

« Return to the newswire homepage

Subject Topic Starter Replies Views Last Post
It's in Kubuntu, too joedoc 1 2,201 Mar 13, 2006 3:56 AM
Fix uploaded richo123 3 1,953 Mar 12, 2006 8:05 PM

You cannot post until you login.