Search: Home Bugtraq Vulnerabilities Mailing Lists Jobs Tools Beta Programs
    Digg this story   Add to  
Ubuntu stores password as clear text
Published: 2006-03-13

Ubuntu, the popular "Linux for Human Beings" desktop OS, has been found to store the system's primary password in clear text.

In the Ubuntu forum area, a user posted his findings of how the installer script fails to delete the first password during system installation. The installer log file is world-readable and poses a major security risk because it fails to delete the clear-text record of the primary password. Ubuntu does not use a standard root password for administrator tasks, but requires the user to enter in their password via a utility known as sudo.

An attacker would need to have user-level access to the system (via the console or remotely via ftp or ssh) to read the log file. The bug has already been fixed, and affects only Ubuntu version 5.10. Affected users are urged to upgrade according to the instructions in the security advisory.

Ubuntu has positioned its Linux distribution as a free, simple-to-use desktop operating system with a consistent user interface.

UPDATE: This brief has been updated to correct a typo and to correct references to the root password. Technically, Ubuntu does not use a root password, but instead uses the sudo mechanism to allow users access to system administrator tasks.

Posted by: Kelly Martin
    Digg this story   Add to  
Comments Mode:
Ubuntnu stores clear text root password 2006-03-14
Jeff Waugh (2 replies)
Ubuntu, not Ubuntnu 2006-03-14


Privacy Statement
Copyright 2009, SecurityFocus