Mailinglist Archive: opensuse-security (359 mails)

RE: [suse-security] Unencrypted YOU password readable by all
  • From: "Peer Stefan" <stefan.peer@xxxxxxxx>
  • Date: Wed, 9 Jul 2003 08:58:57 +0200
  • Message-id: <01B66D0A11EB3E439676C0EAA891D89F0EE641@xxxxxxxxxxxxxxx>
Hi,
> From: Kenny [mailto:kenny-sp@xxxxxxxxxx]
> In SUSE 8.2 the pass isn't in this file

Yes, because Mark was talking about SuSE Linux Enterprise Server. You buy one year (or at least 3 months) of maintenance and you get a username and password for the ftp-updates. Mark was referring to this password.

And AFAIK YOU is still not capable of connecting to the internet via proxy-servers in 8.2.

Regards,
Stefan

>
> On Tue, 8 Jul 2003 16:36:15 +0200
> "Mark Perry" <PERRY@xxxxxxxxxx> wrote:
>
> > Hi List,
> > I just noticed that the Userid and Password for YOU (Yast Online Update)
> > are stored unencrypted in /etc/sysconfig/onlineupdate and that file is
> > readable by anyone.
> > FYI: this is on IBM zSeries (SLES/8 s390).
> >
> > This might not be the Userid and Password for access to the Linux system
> > itself, but I for one am uncomfortable about leaving such information wide
> > open.
> > At the very least it enables unauthorized use of YOU on another system
> > where the "cracker" may already have root access.
> >
> > Note this same file can optionally also contain a userid and password for
> > access to a proxy server, which may in fact be more of an exposure.
> >
> > All the Best / Mit Freundlichen Gruessen
> > Mark G. Perry
> >
> > IBM Germany Development GmbH / IBM Deutschland Entwicklung GmbH
> > Schoenaicher Strasse 220, 71032 Boeblingen, Germany
> > Email/Sametime: perry@xxxxxxxxxx
> > Office Tel: (+49)-7031-16-3626
> >
> >
> > --
> > Check the headers for your unsubscription address
> > For additional commands, e-mail: suse-security-help@xxxxxxxx
> > Security-related bug reports go to security@xxxxxxx, not here
> >
>
>
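
A defender-side check for the exposure Mark describes, as an added example that is not part of the original thread: it flags a sysconfig-style file that is world-readable and sets credential-like variables, printing variable names only and never their values. The name pattern and the sample keys (YOU_USER, YOU_PASSWORD, PROXY_PASSWORD) are assumptions, since the thread does not give the real key names used in /etc/sysconfig/onlineupdate.

```shell
#!/bin/sh
# Added example: audit a sysconfig-style file for world-readable credentials.
# Assumption: credential variables have PASS or USER in their name; the thread
# does not list the actual keys in /etc/sysconfig/onlineupdate.

# Print the names (never the values) of credential-like variables that are
# set to a non-empty value. Commented-out and empty assignments are ignored.
cred_keys() {
    sed -nE "s/^[[:space:]]*([A-Za-z0-9_]*(PASS|USER)[A-Za-z0-9_]*)=[\"']?([^\"']+).*/\1/p" "$1"
}

# Return 0 = fine, 1 = world-readable with credentials set, 2 = file missing.
audit_cred_file() {
    f=$1
    [ -f "$f" ] || { echo "SKIP $f: not present"; return 2; }
    keys=$(cred_keys "$f" | tr '\n' ' ')
    if [ -z "$keys" ]; then
        echo "OK   $f: no credential-like values set"
        return 0
    fi
    # -perm -004 matches when the "other" read bit is set ("readable by anyone").
    if [ -n "$(find "$f" -prune -perm -004)" ]; then
        echo "FAIL $f: world-readable and sets: $keys"
        return 1
    fi
    echo "OK   $f: sets ${keys}but is not world-readable"
    return 0
}

# Demonstration on a constructed sample file (keys and values are made up).
demo() {
    d=$(mktemp -d) || return 1
    printf 'YOU_USER="demo"\nYOU_PASSWORD="not-a-real-secret"\nPROXY_PASSWORD=""\n' \
        > "$d/onlineupdate"
    before=0; after=0
    chmod 644 "$d/onlineupdate"; audit_cred_file "$d/onlineupdate" || before=$?
    chmod 600 "$d/onlineupdate"; audit_cred_file "$d/onlineupdate" || after=$?
    rm -rf "$d"
    [ "$before" -eq 1 ] && [ "$after" -eq 0 ]
}

# Usage: sh audit.sh /etc/sysconfig/onlineupdate [more files...]
if [ "$#" -gt 0 ]; then
    for path in "$@"; do audit_cred_file "$path"; done
fi
```

Whether YOU still works with the file at mode 600 is not stated in the thread, so verify that before tightening permissions on a production system.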
