New subject: [suse-security] Unencrypted YOU password readable by all

9 Jul 2003

      Hi,
...
From: Kenny [mailto:kenny-sp@uol.com.br]
In SUSE 8.2 te pass isn't in this file
Yes, because Mark was talking about SuSE Linux Enterprise Server. You buy one year (or at least 3 months) of maintenance and you get a username and password for the ftp-updates. Mark was referring to this password.

And AFAIK YOU is still not capable of connecting to the internet via proxy-servers in 8.2.

Regards,
Stefan
...
On Tue, 8 Jul 2003 16:36:15 +0200
"Mark Perry"  wrote:
...
Hi List,
I just noticed that the Userid and Password for YOU (Yast 
Online Update)
are stored unencrypted in /etc/sysconfig/onlineupdate and 
that file is
readable by anyone.
FYI: this is on IBM zSeries (SLES/8 s390).
This might not be the Userid and Password for access to the 
Linux system
itself, but I for one am uncomfortable about leaving such 
information wide
open.
At the very least it enables unauthorized use of YOU on 
another system
where the "cracker" may already have root access.
Note this same file can optionally also contain a userid 
and password for
access to a proxy server, which may in fact be more of an exposure.
All the Best / Mit Freundlichen Gruessen
Mark G. Perry
IBM Germany Development GmbH / IBM Deutschland Entwicklung GmbH
Schoenaicher Strasse 220, 71032 Boeblingen, Germany
Email/Sametime: perry@de.ibm.com
Office Tel: (+49)-7031-16-3626
-- 
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
-- 
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here

RE: [suse-security] Unencrypted YOU password readable by all

Peer Stefan

Ewald Recher

tags

participants (2)