Password compromise in Ubuntu

Bill Sconce sconce at in-spec-inc.com
Tue Mar 28 13:51:01 EST 2006


I meant to post this when I first encountered it -- by now everyone may
already know about it.  But if not...

Ubuntu Breezy's installer keeps a log of what you tell it during the
question-and-answer dialogue.  This unfortunately includes the password 
you create for the first user.  The first user has sudo privileges.

I've used shred(1) on the log files on my Ubuntu systems.  In the future
I think it'll be a good idea to DELETE that first user after getting
the real users set up.  (In addition to trusting Ubuntu to have fixed
the problem, which they have for Dapper.)  You may want to adopt yet 
another approach.  But for sure anyone running Ubuntu should know about
the vulnerability.

One URL:

  http://digg.com/linux_unix/Ubuntu_password_bug_fixed_in_just_a_few_hours

-Bill
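
An audit-and-scrub sketch for the situation described in the message above, added here as an example and not part of the original post. It assumes the installer log directory is passed as an argument and that a leaked answer can be found by matching the word "password"; the function names and the sample log contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: the log
# directory is passed as an argument, and a leaked answer can be found by
# a case-insensitive match on the word "password".

# Print "world-readable PATH" or "restricted PATH" for every regular file
# under DIR that mentions a password. The matching line is never printed.
audit_installer_logs() {
    find "$1" -type f -exec grep -l -i 'password' {} + 2>/dev/null |
    while IFS= read -r f; do
        # Character 8 of the ls mode string is the "other" read bit.
        case $(ls -ld "$f" | cut -c8) in
            r) printf 'world-readable %s\n' "$f" ;;
            *) printf 'restricted %s\n' "$f" ;;
        esac
    done
}

# Overwrite and unlink every flagged file with shred(1), as the post
# describes. The password should still be changed: shred cannot reach
# backups or copies already read by other users.
scrub_installer_logs() {
    audit_installer_logs "$1" | while IFS= read -r line; do
        shred -u -- "${line#* }"
    done
}

# Constructed sample data: two logs that record a password answer with
# different modes, and one log without any secret.
make_sample_logs() {
    mkdir -p "$1"
    printf 'Name: user-fullname\nValue: Test User\n' > "$1/hardware.log"
    printf 'Name: user-password\nValue: CONSTRUCTED-SECRET\n' > "$1/answers.log"
    printf 'Name: user-password\nValue: CONSTRUCTED-SECRET\n' > "$1/answers.bak"
    chmod 644 "$1/hardware.log" "$1/answers.log"
    chmod 600 "$1/answers.bak"
}

# Usage: sh audit.sh /path/to/installer/logs
if [ -n "${1:-}" ]; then
    audit_installer_logs "$1"
fi
```

Run the audit first and review the list before calling `scrub_installer_logs`, since the match on "password" can also flag files that only mention the word.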


