worldcitizen
Posted 14 March 2006

Just passing this along..

Hello,

I have noticed something "funny": there is a file that contains all the installation logs:

/var/log/installer/cdebconf/questions.dat

In this file, there are all the questions asked to the user and all the user's answers. So, near the end of the file, we can find the user created during the installation... and its password (not hidden).

Then, tell me if I'm wrong:
- in the normal installation mode, the user created can get the root privileges with sudo
- in the expert mode, there is a root account created

In both cases, it's possible to get an administrator username/password. Moreover, this file can be read by all users (contrary to the syslog).

Personally, the user I have created during the installation is the computer administrator and I had no reason (until now) to change its password after the installation. I've just created a non-administrator user after the installation.

I have researched on this forum about this file and I have found no result. On Google, there aren't many results. There is just a link to the Ubuntu Wiki (but for the installation for a cluster).

I think it's risky to store a user's password in a file readable by everybody (for example, if we can log in via ssh on an Ubuntu server).

I don't know what you think of this...

Bye.

This is a MAJOR security issue I think. I did a grep on my /var for my password and stopped after just these:

/var/log/installer/cdebconf/questions.dat:Value: mypasswd
/var/log/installer/cdebconf/questions.dat:Value: mypasswd
/var/log/debian-installer/cdebconf/questions.dat:Value: mypasswd
/var/log/debian-installer/cdebconf/questions.dat:Value: mypasswd

These files are not supposed to have the password in cleartext, and if so they should be promptly removed by the installer after they have been used.

Thanks for this tip!

Is it registered as a bug in Breezy? I mean, Breezy has been out for a while.

From http://www.ubuntuforums.org/showthread.php?t=143334
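A way to check a machine for the exposure described in the thread, as an added example that is not part of the original posts: it lists password questions that still hold a value in the two log files named above and reports whether each file is world-readable, without printing the value. The function names, the stanza layout (a "Name:" line before "Value:", stanzas separated by blank lines) and the sample question names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit installer debconf logs for stored passwords.
# Assumed layout: blank-line-separated stanzas with "Name:" before "Value:".

# Print the names of password questions that still carry a non-empty Value.
# The value itself is never printed.
leaked_password_questions() {
    awk '
        /^Name:/  { name = $2 }
        /^Value:/ { if (tolower(name) ~ /password/ && NF > 1) print name }
        /^$/      { name = "" }
    ' "$1"
}

# Succeed when the file's mode grants read access to "other".
world_readable() {
    find "$1" -prune -perm -004 | grep -q .
}

# Report one line per finding; return 1 if anything was found.
audit_installer_log() {
    [ -f "$1" ] && [ -r "$1" ] || return 0
    hits=$(leaked_password_questions "$1")
    [ -n "$hits" ] || return 0
    if world_readable "$1"; then mode="world-readable"; else mode="not world-readable"; fi
    for q in $hits; do
        echo "$1: $q has a stored value ($mode)"
    done
    return 1
}

# Constructed sample (question names assumed) for trying the functions
# without a real install log.
write_sample() {
    printf '%s\n' \
        'Name: passwd/username' 'Value: alice' '' \
        'Name: passwd/user-password' 'Value: mypasswd' '' \
        'Name: passwd/root-password' 'Value:' > "$1"
}

# Default to the two paths named in the thread; other paths may be given as arguments.
[ $# -gt 0 ] || set -- /var/log/installer/cdebconf/questions.dat \
                       /var/log/debian-installer/cdebconf/questions.dat
for f in "$@"; do
    audit_installer_log "$f" || true
done
```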