Hello Hans,

WARNING: You have greatly exceeded the critical attention threshold of 90% of Ubuntu users.

I could do as you indicate, or I could press the apt-get update button. Plus I get a reassuring 'bling' noise that reminds me that the universe is once again at peace.

JMZ

On Tuesday 14 March 2006 12:31, der.hans wrote:
> On 13 Mar 2006, Josh Zeidner chatted thus:
> > Run a package update immediately... ( usually as a rule I do not post
> > anything that has been featured on /. )
> >
> > https://launchpad.net/distros/ubuntu/+source/shadow/+bug/34606
> >
> > http://www.ubuntu.com/usn/usn-262-1
>
> It seems to me that the simple fix for this is to just change the password
> for the first account created.
>
> Bug as I understand it:
>
> During install of official Breezy[0] the passwd given for the first user
> account gets stored in plain text readable by anyone on the machine.
>
> This is a problem because the first user account created automagically
> gets sudo access and can become root. Root still has no passwd and one
> cannot just login as root.
>
> In order to exploit this the passwd needs to have not been changed and the
> exploiter needs to already be on the box. The exploiter could then login
> as the first user created on that box and then sudo to root.
>
> I see 2 ways to fix this without an upgrade:
>
> 1. change the passwd for the first user created[1]
> 2. remove the entries from /var/log/installer/cdebconf/questions.dat[2]
>
>
> [0] so doesn't affect installs of Breezy beta or upgrades from Hoary or
> Breezy beta
>
> [1] if changing the passwd isn't sufficient someone's already broken in
> and the machine needs to be reinstalled[3]
>
> [2] removing the file is one way of removing the entries
>
> [3] don't forget to change the passwd before allowing anyone else on the
> machine ;-)
>
> ciao,
>
> der.hans

---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
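
A check for the condition described in the quoted message, as an added example that is not part of the thread: it reports whether the installer file still holds password answers and whether every local user can read it, without printing the stored values. The stanza layout (`Name:` / `Value:` lines separated by blank lines) and the question names in the sample are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): check an installer debconf database for
# leftover password answers. Assumed format: blank-line-separated stanzas with
# "Name: <question>" and "Value: <answer>" lines.

# Print the names (never the values) of password questions that still hold an answer.
leaked_password_questions() {
    awk '
        /^Name:/  { name = $2 }
        /^Value:/ { v = $0; sub(/^Value:[ \t]*/, "", v)
                    if (v != "" && tolower(name) ~ /password/) print name }
        /^$/      { name = "" }
    ' "$1"
}

# True when the "other" read bit is set (8th character of the ls mode string).
is_world_readable() {
    case $(ls -ld -- "$1") in ???????r*) return 0 ;; *) return 1 ;; esac
}

# Exit status: 0 = absent or clean, 1 = answers present but not world-readable,
# 2 = answers present and readable by every local user.
audit_questions_dat() {
    [ -f "$1" ] || { echo "absent: $1"; return 0; }
    hits=$(leaked_password_questions "$1")
    [ -n "$hits" ] || { echo "clean: $1"; return 0; }
    echo "password answers still stored in $1:"
    echo "$hits" | sed 's/^/  /'
    if is_world_readable "$1"; then
        echo "file is world-readable: change the first user's password, then remove the entries"
        return 2
    fi
    return 1
}

# Constructed sample (placeholder value, assumed question names) for a dry run.
write_sample() {
    printf 'Name: passwd/user-fullname\nValue: Example User\n\n' > "$1"
    printf 'Name: passwd/user-password\nValue: PLACEHOLDER\n\n' >> "$1"
    printf 'Name: passwd/user-password-again\nValue: PLACEHOLDER\n' >> "$1"
}

# Default target is the path named in the thread; pass another file to override.
audit_questions_dat "${1:-/var/log/installer/cdebconf/questions.dat}" || true
```

A status of 2 corresponds to the case in the thread where both suggested fixes apply; a status of 1 means the answers are still on disk but the file mode no longer exposes them to other local users.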