In the Ubuntu forum area, a user posted his findings on how the installer script fails to delete the first password during system installation. The installer log file is world-readable and poses a major security risk because the clear-text record of the primary password is never deleted from it. Ubuntu does not use a standard root password for administrator tasks, but requires users to enter their own password via a utility known as sudo.
An attacker would need user-level access to the system (via the console or remotely via FTP or SSH) to read the log file. The bug has already been fixed and affects only Ubuntu version 5.10. Affected users are urged to upgrade according to the instructions in the security advisory.
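An added example, not part of the original brief and not Ubuntu's own tooling: a Python audit that walks a log directory and reports which files contain a given password, separating world-readable files from restricted ones. The directory is supplied on the command line because the brief does not name the log file; the function names are illustrative.

```python
import getpass
import os
import stat
import sys


def contains(fh, secret, chunk=1 << 16):
    """Stream the file in chunks, keeping an overlap so that a match
    spanning two chunks is still found."""
    tail = b""
    while True:
        block = fh.read(chunk)
        if not block:
            return False
        if secret in tail + block:
            return True
        tail = (tail + block)[-(len(secret) - 1):] if len(secret) > 1 else b""


def find_exposed_logs(root, secret):
    """Return (exposed, restricted): regular files under root containing
    `secret` (bytes), split by whether 'other' has read permission."""
    if not secret:
        raise ValueError("empty secret would match every file")
    exposed, restricted = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode):
                    continue  # skip symlinks, sockets, devices
                with open(path, "rb") as fh:
                    found = contains(fh, secret)
            except OSError:
                continue  # unreadable to this user; run as root for full coverage
            if found:
                (exposed if st.st_mode & stat.S_IROTH else restricted).append(path)
    return sorted(exposed), sorted(restricted)


if __name__ == "__main__":
    # The password is read without echo; it is never taken from argv or stored.
    pw = getpass.getpass("Password to search for: ").encode()
    exposed, restricted = find_exposed_logs(sys.argv[1], pw)
    for p in exposed:
        print("WORLD-READABLE, contains password:", p)
    for p in restricted:
        print("restricted, contains password:", p)
    sys.exit(1 if exposed else 0)
```

Any file reported in either list holds the password in clear text, so the password should be changed after the upgrade, not only the file permissions tightened.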
Ubuntu has positioned its Linux distribution as a free, simple-to-use desktop operating system with a consistent user interface.
UPDATE: This brief has been updated to correct a typo and to correct references to the root password. Technically, Ubuntu does not use a root password, but instead uses the sudo mechanism to allow users access to system administrator tasks.
Posted by: Kelly Martin