Mailinglist Archive: opensuse-security (359 mails)

Re: [suse-security] Unencrypted YOU password readable by all
  • From: Kenny <kenny-sp@xxxxxxxxxx>
  • Date: Tue, 8 Jul 2003 16:58:28 -0300
  • Message-id: <20030708165828.6d617928.kenny-sp@xxxxxxxxxx>
In SUSE 8.2 the pass isn't in this file

On Tue, 8 Jul 2003 16:36:15 +0200
"Mark Perry" <PERRY@xxxxxxxxxx> wrote:

> Hi List,
> I just noticed that the Userid and Password for YOU (Yast Online Update)
> are stored unencrypted in /etc/sysconfig/onlineupdate and that file is
> readable by anyone.
> FYI: this is on IBM zSeries (SLES/8 s390).
>
> This might not be the Userid and Password for access to the Linux system
> itself, but I for one am uncomfortable about leaving such information wide
> open.
> At the very least it enables unauthorized use of YOU on another system
> where the "cracker" may already have root access.
>
> Note this same file can optionally also contain a userid and password for
> access to a proxy server, which may in fact be more of an exposure.
>
> All the Best / Mit Freundlichen Gruessen
> Mark G. Perry
>
> IBM Germany Development GmbH / IBM Deutschland Entwicklung GmbH
> Schoenaicher Strasse 220, 71032 Boeblingen, Germany
> Email/Sametime: perry@xxxxxxxxxx
> Office Tel: (+49)-7031-16-3626
>
>
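
Added example, not part of either message above: a small POSIX shell audit for the exposure reported in the thread, a config file that holds credentials and is readable by all users. The variable names in the sample file are hypothetical (the thread does not list the file's keys), and the suggested mode assumes only root needs to read the file.

```shell
#!/bin/sh
# Added example: flag sysconfig-style files that are world-readable AND hold
# a non-empty credential-looking variable. Key names below are hypothetical.

# Succeeds when "other" has the read bit set (POSIX find, no GNU stat needed).
world_readable() {
    [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# Prints names (never values) of set variables that look like credentials.
credential_keys() {
    awk -F= -v sq="'" '
        /^[ \t]*#/ || NF < 2 { next }            # comments, non-assignments
        {
            key = $1; gsub(/[ \t]/, "", key)
            val = substr($0, index($0, "=") + 1); gsub(/[ \t]/, "", val)
            if (val == "" || val == "\"\"" || val == (sq sq)) next   # unset
            if (toupper(key) ~ /PASS|SECRET/) print key
        }' "$1"
}

# Returns 0 when clean, 1 on a finding, 2 when the file cannot be read.
audit_file() {
    [ -r "$1" ] || { echo "SKIP: cannot read $1" >&2; return 2; }
    keys=$(credential_keys "$1" | tr '\n' ' ')
    [ -n "$keys" ] || return 0
    world_readable "$1" || return 0
    echo "FINDING: $1 is world-readable and sets: $keys"
    echo "  candidate fix: chown root:root '$1' && chmod 600 '$1'"
    return 1
}

# Constructed sample file; runs the audit before and after tightening the mode.
demo() {
    f=$(mktemp) || return 2
    printf '%s\n' '# constructed sample' 'EXAMPLE_UPDATE_USER="alice"' \
        'EXAMPLE_UPDATE_PASSWORD="not-a-real-secret"' 'EXAMPLE_PROXY_PASSWORD=""' > "$f"
    chmod 644 "$f"; before=0; audit_file "$f" || before=$?
    chmod 600 "$f"; after=0;  audit_file "$f" || after=$?
    rm -f "$f"
    echo "before=$before after=$after"
}

demo
```

To audit a real file, call `audit_file` with its path, for example the `/etc/sysconfig/onlineupdate` named in the report; only variable names are printed, never their values.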
