security issues
Julio Biason
julio.biason at gmail.com
Tue Mar 14 00:24:42 UTC 2006
On 3/13/06, Lamp <lampajoo at gmail.com> wrote:
> Why on God's green earth was the password ever written to a file in
> the first place?!?!??
I bet on "it was there for debugging purposes, but we forgot to remove
it later". Like the "Dear rich bastard" story that goes around the
internet...
> I use ubuntu because it's "easy," not expecting
> it to be ultra secure, but this is ridiculous.
Maybe. But answer me this: how many people use your computer? I'm the
only user on this machine, and the only user on my work machine. Even
if every user on the system could read the file and get root access,
the users on this system would be... me. So, it is not that
ridiculous, is it?
If you take into account that there isn't any service listening to the
outside world (geez, even sshd isn't installed by default), there
isn't much chance people would hack the system. And, even with that,
the user account would probably be the sudo one.
> To compound the
> problem the explanation given is awful... "since these files were
> world-readable" should have been, "some dumbass wrote code that wrote
> clear text passwords to disk"--the readability of the files is
> irrelevant. I'm switching distros ASAP, there's no way I can trust
> ubuntu after this.
Well, I think you are being quite rude on this. First, the Ubuntu guys
could silently slip an update with no visible reason and then, months
later, say that there was some mistake on log files. But, as far as I
can see, the problem was disclosed and quickly fixed, no hidden
"there is nothing to see here, move along"; taking the "mea culpa"
approach really won me. That's what I want when dealing with problems:
not "take this, it will be good for you" (like some distros I've
used), but a full disclosure of the problem, explaining why it is bad
and what was done to fix it.
If you want to change to something else, good for you; I'm sticking with Ubuntu.
--
Julio Biason <julio.biason at gmail.com>