Mailinglist Archive: opensuse-security (359 mails)

Unencrypted YOU password readable by all
  • From: "Mark Perry" <PERRY@xxxxxxxxxx>
  • Date: Tue, 8 Jul 2003 16:36:15 +0200
  • Message-id: <OF8961F1E7.BA17430E-ONC1256D5D.004F615D-C1256D5D.005064C1@xxxxxxxxxx>
Hi List,
I just noticed that the Userid and Password for YOU (Yast Online Update)
are stored unencrypted in /etc/sysconfig/onlineupdate and that file is
readable by anyone.
FYI: this is on IBM zSeries (SLES/8 s390).

This might not be the Userid and Password for access to the Linux system
itself, but I for one am uncomfortable about leaving such information wide
open.
At the very least it enables unauthorized use of YOU on another system
where the "cracker" may already have root access.

Note this same file can optionally also contain a userid and password for
access to a proxy server, which may in fact be more of an exposure.

All the Best / Mit Freundlichen Gruessen
Mark G. Perry

IBM Germany Development GmbH / IBM Deutschland Entwicklung GmbH
Schoenaicher Strasse 220, 71032 Boeblingen, Germany
Email/Sametime: perry@xxxxxxxxxx
Office Tel: (+49)-7031-16-3626
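
Added example (not part of the original message): a defender-side audit for the condition reported above, a world-readable sysconfig-style file that holds a non-empty password assignment. The key-name pattern and the `EXAMPLE_*` sample variables are assumptions, since the message does not list the file's actual variable names.

```shell
#!/bin/sh
# Audit KEY="value" config files for world-readable stored credentials.
# Assumption: credential keys contain PASS, PWD or SECRET (case-insensitive).
CRED_KEY_RE='^[[:space:]]*[A-Za-z0-9_]*(PASS|PWD|SECRET)[A-Za-z0-9_]*='

# True if the "other" read bit is set on a regular file (mode check, so it
# gives the same answer when run as root).
is_world_readable() {
    [ -n "$(find "$1" -prune -type f -perm -004 2>/dev/null)" ]
}

# Print the names (never the values) of credential keys with non-empty values.
# Commented-out lines and KEY="" / KEY='' / KEY= are ignored.
cred_keys() {
    grep -E -i "$CRED_KEY_RE" "$1" 2>/dev/null |
        grep -E -v "=[[:space:]]*(\"\"|'')?[[:space:]]*\$" |
        sed -E 's/^[[:space:]]*([^=]*)=.*/\1/'
}

# Returns 0 and prints a finding only when both conditions hold.
has_exposed_creds() {
    is_world_readable "$1" || return 1
    keys=$(cred_keys "$1")
    [ -n "$keys" ] || return 1
    printf 'EXPOSED %s: %s\n' "$1" "$(echo $keys)"
}

# Constructed sample files; variable names are hypothetical.
make_samples() {
    mkdir -p "$1"
    printf '%s\n' 'EXAMPLE_USER="alice"' \
        'EXAMPLE_PASSWORD="constructed-secret"' > "$1/open"
    cp "$1/open" "$1/locked"
    printf '%s\n' 'PROXY_PASSWORD=""' '# PASSWORD=old' > "$1/empty"
    chmod 644 "$1/open" "$1/empty"
    chmod 600 "$1/locked"
}

# Usage: script FILE...   (with no arguments, runs on the constructed samples)
if [ $# -gt 0 ]; then
    for f in "$@"; do has_exposed_creds "$f" || :; done
else
    d=$(mktemp -d)
    make_samples "$d"
    for f in "$d"/*; do has_exposed_creds "$f" || :; done
    rm -rf "$d"
fi
```

Run it against the files under /etc/sysconfig; a finding is cleared by restricting the file to its owner (for example mode 600), provided every program that reads the file runs as that owner.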

