Steffen Higel wrote:
>> To avoid having to study last night, I decided to look around my machine (RH6.1) to see if there was anything seriously insecure about it... and I think I found something, maybe someone else has noticed this as well:
> I created new accounts on the machine using the console version of linuxconf, and it logged the commands that it executed in /var/log/netconf.log. Problem is, said file is world readable, so there in it were the usernames and passwords (unencrypted) of all the accounts I had made.
> Whose fault is this, mine for using linuxconf, RedHat's for putting funny permissions on a file or Linuxconf's for putting private stuff in a world readable file?
> Comments much appreciated
dunno, but log the bug.
in all honesty though, if a large site with untrusted users was using
linux conf for system management... that would be worrisome.
kevin
--
kevin at suberic.net "we were goin' for breakfast. in canada. we
fork()'ed on 37058400 made a deal: if she'd stop hookin', i'd stop
meatspace place: home shootin' people. maybe we were aiming high."
--porter, "payback"
Maintained by the ILUG website team. The aim of Linux.ie is to
support and help commercial and private users of Linux in Ireland. You can
display ILUG news in your own webpages, read backend
information to find out how. Networking services kindly provided by HEAnet, server kindly donated by
Dell. Linux is a trademark of Linus Torvalds,
used with permission. No penguins were harmed in the production or maintenance
of this highly praised website. Looking for the
Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!
