Oli Warner About Contact Subscribe

Massive Security Hole In Ubuntu

Sunday, 12 March 2006 linux security ubuntu

Turns out all the data entered during installation is logged. Including passwords.

I’ve just been informed of this absolutely massive security hole in Ubuntu that allows any user to grab any passwords that were set during setup because they’re stored in a log file for later helping users if they bump into problems. The original thread.

There is a file that contains all the installation logs:

/var/log/installer/cdebconf/questions.dat  

This file contains the answers to the questions asked at setup and near the end of the file, you can find the user created during the installation… and its password.

Then, tell me if I’m wrong :

In both case, it’s possible to get an administrator username/password.

Moreover, this file can be read by all users (contrary to the syslog).

The fastest way to fix this is to just change your password as the only passwords in this log are the ones set through setup (not subsequently). If you made a lot of accounts at setup, then you might find it easier to delve into the file with vi and nuke them all from the log directly.