Administrator root password readable in Ubuntu Breezy cleartext on Ubuntu Breezy

[[|]], Ubuntu Breezy has a
and critical bug that allows the first user registered password to be
found by any user by reading the file
/var/log/installer/cdebconf/questions.dat, which is world-readable. The
problem does not affect the Dapper version.

This means admin’s
running Breezy will have some headaches the next couple of weeks. If you
can upload a php/perl/etc file to the server you can read the password out
of var/logs with fopen() and that means you’re done in many scenarios.
Word of advise: don’t do something stupid. If you like security or even
if you don’t, a note on your police file won’t help your

I’ve been using Ubuntu on my laptop for some time now
and must say it never let me down. The guys did a great job. It’s a good
install-and-go/Just Works distro and that’s what I need right now.
Flawless package management, on-the-fly Gnome desktop, OpenOffice, Flash,
Evolution 2.5.x, etc.. I don’t see this bug affecting the popularity of
Ubuntu but then again we all now that critical servers are not their


* [[|Follow thread on]]

**Note to self:** Subtract 4 days and you get
the day [[|Google]] acquired
[[|Writely]]. As
[[|Russell Beattie]]
pointed out, we’ve got ourselves another winner in the Web 2.0
Acquisition Lottery..