Hi List,

I just noticed that the Userid and Password for YOU (Yast Online Update) are stored unencrypted in /etc/sysconfig/onlineupdate and that file is readable by anyone. FYI: this is on IBM zSeries (SLES/8 s390).

This might not be the Userid and Password for access to the Linux system itself, but I for one am uncomfortable about leaving such information wide open. At the very least it enables unauthorized use of YOU on another system where the "cracker" may already have root access.

Note this same file can optionally also contain a userid and password for access to a proxy server, which may in fact be more of an exposure.

All the Best / Mit Freundlichen Gruessen
Mark G. Perry
IBM Germany Development GmbH / IBM Deutschland Entwicklung GmbH
Schoenaicher Strasse 220, 71032 Boeblingen, Germany
Email/Sametime: perry@de.ibm.com
Office Tel: (+49)-7031-16-3626
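An added example, not part of the thread: a small POSIX shell audit that flags a sysconfig-style file whose non-empty password settings are readable by group or other users, and tightens the mode. The variable names (YOU_USER, YOU_PASSWORD, PROXY_PASSWORD) and the sample contents are constructed placeholders; the real key names in /etc/sysconfig/onlineupdate should be checked on the system.

```shell
#!/bin/sh
# Added example (not from the list thread): audit a sysconfig-style file for
# plaintext credentials that group/other users can read, then tighten it.
# Key names YOU_USER / YOU_PASSWORD / PROXY_PASSWORD are assumed placeholders.

# 0 if the group or other read bit is set, 1 otherwise (reads POSIX ls -l).
is_world_readable() {
    perms=$(ls -ld "$1" | cut -c1-10)     # e.g. -rw-r--r--
    case $perms in
        ????r*|???????r*) return 0 ;;      # position 5 = group r, 8 = other r
        *) return 1 ;;
    esac
}

# Print the names of *PASS* settings whose value is non-empty.
credential_keys() {
    awk -F= '/^[A-Za-z_]*PASS[A-Za-z_]*=/ {
        v = $2; gsub(/^"|"$/, "", v); gsub(/^ +| +$/, "", v)
        if (v != "") print $1
    }' "$1"
}

# Exit status: 0 = no exposure, 2 = plaintext credentials readable by others.
audit_file() {
    keys=$(credential_keys "$1")
    if [ -n "$keys" ] && is_world_readable "$1"; then
        printf 'EXPOSED %s: %s\n' "$1" "$(printf '%s' "$keys" | tr '\n' ' ')" >&2
        return 2
    fi
    return 0
}

# Remediation: owner-only access (in real use also chown root:root; the
# ownership change is skipped here so the example runs unprivileged).
harden_file() {
    chmod 600 "$1"
}

# Constructed sample standing in for /etc/sysconfig/onlineupdate.
write_sample() {
    printf '%s\n' 'YOU_SERVER="ftp.example.invalid"' 'YOU_USER="example-user"' \
        'YOU_PASSWORD="not-a-real-secret"' 'PROXY_USER=""' 'PROXY_PASSWORD=""' > "$1"
    chmod 644 "$1"                        # the world-readable default reported above
}

demo() {
    dir=$(mktemp -d); f="$dir/onlineupdate"
    write_sample "$f"
    audit_file "$f" || printf 'status before hardening: %s\n' "$?"
    harden_file "$f"
    audit_file "$f" && printf 'status after hardening: %s\n' "$?"
    rm -rf "$dir"
}
demo
```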
In SUSE 8.2 the pass isn't in this file
On Tue, 8 Jul 2003 16:36:15 +0200 "Mark Perry"

> Hi List, I just noticed that the Userid and Password for YOU (Yast Online Update) are stored unencrypted in /etc/sysconfig/onlineupdate and that file is readable by anyone. FYI: this is on IBM zSeries (SLES/8 s390).
>
> This might not be the Userid and Password for access to the Linux system itself, but I for one am uncomfortable about leaving such information wide open. At the very least it enables unauthorized use of YOU on another system where the "cracker" may already have root access.
>
> Note this same file can optionally also contain a userid and password for access to a proxy server, which may in fact be more of an exposure.
>
> All the Best / Mit Freundlichen Gruessen
> Mark G. Perry
> IBM Germany Development GmbH / IBM Deutschland Entwicklung GmbH
> Schoenaicher Strasse 220, 71032 Boeblingen, Germany
> Email/Sametime: perry@de.ibm.com
> Office Tel: (+49)-7031-16-3626
--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
participants (2)
- Kenny
- Mark Perry