To avoid having to study last night, I decided to look around my machine (RH6.1) to see if there was anything seriously insecure about it... and I think I found something, maybe someone else has noticed this as well:
I created new accounts on the machine using the console version of linuxconf, and it logged the commands that it executed in /var/log/netconf.log. Problem is, said file is world readable, so there in it were the usernames and passwords (unencrypted) of all the accounts I had made.
Whose fault is this, mine for using linuxconf, RedHat's for putting funny permissions on a file or Linuxconf's for putting private stuff in a world readable file?
Comments much appreciated
--
Steffen
higels at tcd.ie
website:http://matrix.netsoc.tcd.ie/~steffen
Maintained by the ILUG website team. The aim of Linux.ie is to
support and help commercial and private users of Linux in Ireland. You can
display ILUG news in your own webpages, read backend
information to find out how. Networking services kindly provided by HEAnet, server kindly donated by
Dell. Linux is a trademark of Linus Torvalds,
used with permission. No penguins were harmed in the production or maintenance
of this highly praised website. Looking for the
Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!
