LINUX.IE, website of the Irish Linux Users' Group
Mailing Lists

[ILUG] slight security flaw?

John_White at dell.com
Mon Mar 20 09:08:55 GMT 2000


erm, . . . I'd hardly call it a 'slight' flaw . . . .

At least 2 of 3 are at fault

Linuxconf for storing passwords in a log file **at all** - it's all well and
good root being able to change a password, but you don't want root being
able to look them up. If someone breaks in as root it's harder for them to
purloin accounts unnoticed if they don't have a big list of cleartext
passwords.

RedHat's if they put the funny permissions on the file (or actively ignored
changing them) otherwise Linuxconf's for not checking that the file it wrote
to didn't have the right permissions (and change them accordingly)

I suppose if you were LOOKING for security flaws, . . . linuxconf is not a
bad place to start so there was some justification for using linuxconf :)

Incidentally, I assume that when run in X it did the same thing . . . . (you
explicitly mentioned console mode)



-----Original Message-----
From: Steffen Higel [mailto:higels at tcd.ie]
Sent: 19 March 2000 13:39
To: ilug at linux.ie
Subject: [ILUG] slight security flaw?


To avoid having to study last night, I decided to look around my machine
(RH6.1) to see if there was anything seriously insecure about it... and I
think I found something, maybe someone else has noticed this as well:
I created new accounts on the machine using the console version of
linuxconf, and it logged the commands that it executed in
/var/log/netconf.log. Problem is, said file is world readable, so there in
it were the usernames and passwords (unencrypted) of all the accounts I had
made.
Whose fault is this, mine for using linuxconf, RedHat's for putting funny
permissions on a file or Linuxconf's for putting private stuff in a world
readable file?
Comments much appreciated

-- 
Steffen

higels at tcd.ie
website:http://matrix.netsoc.tcd.ie/~steffen

-- 
Irish Linux Users' Group: ilug at linux.ie
http://www.linux.ie/mailman/listinfo/ilug for (un)subscription information.
List maintainer: listmaster at linux.ie
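The two fixes the thread argues for, shown as an added example that is not part of the ILUG thread or of linuxconf: redact secrets before they reach a log, and when a log must hold sensitive material, create it owner-only and tighten an existing file that was left world-readable rather than trusting whatever permissions it already has. An audit function finds world-readable files under a log directory with password-looking lines. The flag names, the regex heuristic and the sample log lines are assumptions constructed for the example.

```python
"""Added example, not from the ILUG thread or from linuxconf: private log
writing, argv redaction, and an audit for world-readable logs with secrets."""
import os
import re
import stat
import tempfile

SAFE_MODE = 0o600                      # owner read/write only
SECRET_FLAGS = ("-p", "--password")    # assumed flag names for the example

# Heuristic only: flags 'password=...', 'passwd: ...' and '-p <value>' as
# candidates for human review; it will have false positives.
PASSWORD_RE = re.compile(r"(?:passw(?:or)?d\s*[=:]\s*\S+|(?:^|\s)-p\s+\S+)", re.I)


def redact_argv(argv, secret_flags=SECRET_FLAGS):
    """Return a copy of argv with the value after any secret flag replaced.
    Handles both '-p secret' and '--password=secret' forms."""
    out, hide_next = [], False
    for arg in argv:
        if hide_next:
            out.append("***")
            hide_next = False
        elif arg in secret_flags:
            out.append(arg)
            hide_next = True
        elif any(arg.startswith(f + "=") for f in secret_flags):
            out.append(arg.split("=", 1)[0] + "=***")
        else:
            out.append(arg)
    return out


def open_private_log(path):
    """Open path for append so it is never group/world readable: created 0600,
    and tightened with fchmod if it already existed with looser bits.
    O_NOFOLLOW (where available) refuses a symlink planted at the log path."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_APPEND | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, SAFE_MODE)
    mode = stat.S_IMODE(os.fstat(fd).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        os.fchmod(fd, SAFE_MODE)       # fix the file we are about to write, not a path
    return os.fdopen(fd, "a")


def log_command(path, argv):
    """Append the redacted command line to a private log; return the line."""
    line = " ".join(redact_argv(argv))
    with open_private_log(path) as f:
        f.write(line + "\n")
    return line


def find_world_readable_secrets(log_dir):
    """Report (filename, lineno) for password-looking lines in regular files
    under log_dir whose mode grants read to 'other'."""
    findings = []
    for name in sorted(os.listdir(log_dir)):
        path = os.path.join(log_dir, name)
        st = os.lstat(path)
        if not stat.S_ISREG(st.st_mode) or not (st.st_mode & stat.S_IROTH):
            continue
        with open(path, encoding="utf-8", errors="replace") as f:
            for lineno, line in enumerate(f, 1):
                if PASSWORD_RE.search(line):
                    findings.append((name, lineno))
    return findings


def demo():
    """Constructed scenario in a temp dir: a world-readable log holding a
    cleartext password (the situation in the thread), and a log that was left
    0644 but is tightened and redacted on the next write."""
    d = tempfile.mkdtemp()
    bad = os.path.join(d, "netconf.log")
    with open(bad, "w") as f:
        f.write("useradd -m alice\n")
        f.write("passwd: alice password=s3cret!\n")   # constructed sample line
    os.chmod(bad, 0o644)                               # world readable, as reported

    loose = os.path.join(d, "private.log")
    open(loose, "w").close()
    os.chmod(loose, 0o644)                             # pre-existing loose file
    log_command(loose, ["useradd", "-m", "-p", "s3cret!", "bob"])

    before = find_world_readable_secrets(d)
    os.chmod(bad, SAFE_MODE)                           # remediation for the old log
    after = find_world_readable_secrets(d)
    return {
        "before": before,
        "after": after,
        "private_mode": stat.S_IMODE(os.stat(loose).st_mode),
        "private_text": open(loose).read(),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Opening the file by descriptor and calling `fchmod` on that descriptor avoids the check-then-write race of looking at a path's mode and then opening it separately; the audit is a review aid, since any string heuristic for passwords will flag innocent lines.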