Via [[http://diggdot.us|diggdot.us]]: Ubuntu Breezy has a
[[https://launchpad.net/distros/ubuntu/+source/shadow/+bug/34606/+viewstatus|confirmed]]
and critical bug that lets any user recover the password of the first
registered user by reading the file
/var/log/installer/cdebconf/questions.dat, which is world-readable. The
problem does not affect the Dapper version.

This means admins running Breezy will have some headaches for the next
couple of weeks. If you can upload a PHP/Perl/etc. file to the server, you
can read the password out of /var/log with fopen(), and that means you’re
done in many scenarios. Word of advice: don’t do something stupid. If you
like security, or even if you don’t, a note on your police file won’t help
your curriculum.
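
For admins who want to check a Breezy install for this exposure, the following audit script is an added example, not part of the original post and not Ubuntu's official fix. It assumes questions.dat stores each answer as a "Name:" / "Value:" stanza; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit installer logs for world-readable stored passwords.
# Assumption: questions.dat uses RFC822-style stanzas ("Name:" / "Value:").

# world_readable FILE -> exit 0 if "other" has read permission on FILE
world_readable() {
    [ -n "$(find "$1" -prune -perm -0004 -print)" ]
}

# stored_secret_names FILE -> names of password questions that have a
# non-empty Value. The value itself is never printed.
stored_secret_names() {
    awk '
        /^Name:/  { name = $2 }
        /^Value:/ { if (name ~ /password/ && NF > 1) print name }
        /^$/      { name = "" }
    ' "$1"
}

# audit_installer_logs DIR [--fix] -> exit 0 if clean, 1 if findings
audit_installer_logs() {
    dir=$1; fix=${2:-}; findings=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        world_readable "$f" || continue
        names=$(stored_secret_names "$f")
        [ -n "$names" ] || continue
        findings=$((findings + 1))
        echo "EXPOSED: $f is world-readable and stores: $(echo $names)"
        if [ "$fix" = "--fix" ]; then chmod go-rwx "$f"; fi
    done
    [ "$findings" -eq 0 ]
}

# make_sample DIR -> write a constructed questions.dat for a dry run
make_sample() {
    cat > "$1/questions.dat" <<'EOF'
Name: debian-installer/locale
Value: en_US

Name: passwd/root-password
Value:

Name: passwd/user-password
Value: CONSTRUCTED-EXAMPLE
EOF
}

if [ $# -gt 0 ]; then audit_installer_logs "$@"; fi
```

Run it as root with the directory as argument, e.g. `/var/log/installer/cdebconf --fix`. Tightening the mode does not undo earlier exposure, so the affected password should be changed as well.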

I’ve been using Ubuntu on my laptop for some time now
and must say it never let me down. The guys did a great job. It’s a good
install-and-go/Just Works distro and that’s what I need right now.
Flawless package management, on-the-fly Gnome desktop, OpenOffice, Flash,
Evolution 2.5.x, etc. I don’t see this bug affecting the popularity of
Ubuntu, but then again we all know that critical servers are not their
market.

References:
* [[https://launchpad.net/distros/ubuntu/+bug/34606|https://launchpad.net/distros/ubuntu/+bug/34606]]
* [[http://www.ubuntuforums.org/showthread.php?t=143334|Follow thread on ubuntuforums.org]]

**Note to self:** Subtract 4 days and you get the day
[[http://www.google.com|Google]] acquired
[[http://www.writely.org|Writely]]. As
[[http://www.russellbeattie.com/notebook/1008877.html|Russell Beattie]]
pointed out, we’ve got ourselves another winner in the Web 2.0
Acquisition Lottery.