You are browsing a read-only archive of the main support categories pre 4/21/2008. You will not be able to post or reply to any threads in this section.

Server Platforms: Discussion regarding any server-based Ubuntu release.

#1

First Cup of Ubuntu
Join Date: Mar 2006
Beans: 10

Possible to get the administrator password ?
Hello,

I have noticed something "funny": there is a file that contains all the installation logs:

/var/log/installer/cdebconf/questions.dat

In this file, there are all the questions asked to the user and all the user's answers. So, near the end of the file, we can find the user created during the installation... and its password (not hidden).

Then, tell me if I'm wrong:
- in the normal installation mode, the user created can get the root privileges with sudo
- in the expert mode, there is a root account created

In both cases, it's possible to get an administrator username/password. Moreover, this file can be read by all users (contrary to the syslog).

Personally, the user I have created during the installation is the computer administrator and I had no reason (until now) to change its password after the installation. I've just created a non-administrator user after the installation.

I have researched on this forum about this file and I have found no result. On Google, there aren't many results. There is just a link to the Ubuntu Wiki (but for the installation for a cluster).

I think it's risky to store a user's password in a file readable by everybody (for example if we can log in via ssh on an Ubuntu server).

I don't know what you think of this...

Bye.

#2

Way Too Much Ubuntu
Join Date: Jan 2006
Location: norway
Beans: 242
Ubuntu Breezy 5.10

Re: Possible to get the administrator password ?
OMG, you're right, ****!
__________________
while( !awake ) { sleep() }

#3

Ubuntu addict and loving it

Re: Possible to get the administrator password ?
In Dapper, I looked at the file, and while I could see my username, I couldn't see any password.

#4

Just Give Me the Beans!
Join Date: Mar 2006
Location: Isle Of Man
Beans: 50
Ubuntu Breezy 5.10

Re: Possible to get the administrator password ?
That's a bit freaky....
Can't say I've noticed that.... lol....

#5

Way Too Much Ubuntu
Join Date: Jan 2006
Location: norway
Beans: 242
Ubuntu Breezy 5.10

Re: Possible to get the administrator password ?
This is a MAJOR security issue I think. I did a grep on my /var for my password and stopped after just these:

/var/log/installer/cdebconf/questions.dat:Value: mypasswd
/var/log/installer/cdebconf/questions.dat:Value: mypasswd
/var/log/debian-installer/cdebconf/questions.dat:Value: mypasswd
/var/log/debian-installer/cdebconf/questions.dat:Value: mypasswd

These files are not supposed to have the password in cleartext, and if so they should be promptly removed by the installer after they have been used.

Thanks for this tip! Is it registered as a bug in Breezy? I mean, Breezy has been out for a while.
__________________
while( !awake ) { sleep() }
Last edited by knalle; March 12th, 2006 at 09:33 AM.

#6

Way Too Much Ubuntu
Join Date: Jan 2006
Location: norway
Beans: 242
Ubuntu Breezy 5.10

Re: Possible to get the administrator password ?
Even freaking worse! The file is readable from ANY registered account; get an Ubuntu Breezy account and you can be root too!

karl@dundra:/media/share/games/hoi2$ less /var/log/installer/cdebconf/questions.dat

shows the root password in the terminal in clear text.
__________________
while( !awake ) { sleep() }

#7

Way Too Much Ubuntu
Join Date: Nov 2004
Location: Denver, Colorado
Beans: 326
Ubuntu 10.04 Lucid Lynx

Re: Possible to get the administrator password ?
Just checked my questions.dat file and the username/password is NOT there.

#8

Way Too Much Ubuntu
Join Date: Jan 2006
Location: norway
Beans: 242
Ubuntu Breezy 5.10

Re: Possible to get the administrator password ?
Quote:
__________________
while( !awake ) { sleep() }

#9

Way Too Much Ubuntu
Join Date: Oct 2005
Location: UK
Beans: 321

Re: Possible to get the administrator password ?
OMG. That is one huge security threat. Well done in finding it.

#10

Way Too Much Ubuntu
Join Date: Nov 2004
Location: Denver, Colorado
Beans: 326
Ubuntu 10.04 Lucid Lynx

Re: Possible to get the administrator password ?
Dude, I just thought I'd add some extra info. I've also got a default Breezy install and the password is not in the above mentioned files. I'm not saying it's not a bug and that it's not serious, just that it's not quite as simple as the password gets written to the /var/log/installer/cdebconf/questions.dat file every time.
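
The check the posts above do by hand, as an added example that is not part of the original thread: it reports which password questions in a cdebconf questions.dat carry a stored answer and whether the file is world-readable, without printing the answer itself. The stanza layout (Name:/Value: fields separated by blank lines) and the match on question names containing "password" are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit cdebconf question logs for
# stored password answers without ever printing the answers themselves.
# Assumption: stanzas are "Name:/Template:/Value:" fields separated by blank
# lines, and password questions have "password" in their name.

# Print the names of password-like questions that carry a non-empty Value.
leaked_questions() {
    awk '
        function emit() {
            if (tolower(name) ~ /password/ && value != "") print name
            name = ""; value = ""
        }
        /^Name:/   { name = $0;  sub(/^Name:[ \t]*/, "", name) }
        /^Value:/  { value = $0; sub(/^Value:[ \t]*/, "", value) }
        /^[ \t]*$/ { emit() }
        END        { emit() }
    ' "$1"
}

# True when the "other" read bit is set on the file.
world_readable() {
    [ -n "$(find "$1" -prune -perm -004 -print)" ]
}

# Report one file; returns 1 when a password answer is stored in it.
audit_file() {
    file=$1
    [ -f "$file" ] || { echo "ABSENT  $file"; return 0; }
    names=$(leaked_questions "$file" | tr '\n' ' ')
    [ -n "$names" ] || { echo "CLEAN   $file"; return 0; }
    if world_readable "$file"; then
        echo "EXPOSED $file (world-readable) questions: $names"
    else
        echo "STORED  $file (restricted mode) questions: $names"
    fi
    return 1
}

# Audit every path given on the command line.
for f in "$@"; do audit_file "$f" || true; done
```

Pass the questions.dat paths named in the thread as arguments. A file reported as EXPOSED means the stored password should be treated as disclosed and changed, and the file's mode tightened.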