Re: [suse-security] Unencrypted YOU password readable by all
In SUSE 8.2 the pass isn't in this file
On Tue, 8 Jul 2003 16:36:15 +0200
"Mark Perry" <PERRY@xxxxxxxxxx> wrote:
> Hi List,
> I just noticed that the Userid and Password for YOU (Yast Online Update)
> are stored unencrypted in /etc/sysconfig/onlineupdate and that file is
> readable by anyone.
> FYI: this is on IBM zSeries (SLES/8 s390).
> This might not be the Userid and Password for access to the Linux system
> itself, but I for one am uncomfortable about leaving such information wide
> At the very least it enables unauthorized use of YOU on another system
> where the "cracker" may already have root access.
> Note this same file can optionally also contain a userid and password for
> access to a proxy server, which may in fact be more of an exposure.
> All the Best / Mit Freundlichen Gruessen
> Mark G. Perry
> IBM Germany Development GmbH / IBM Deutschland Entwicklung GmbH
> Schoenaicher Strasse 220, 71032 Boeblingen, Germany
> Email/Sametime: perry@xxxxxxxxxx
> Office Tel: (+49)-7031-16-3626
> Check the headers for your unsubscription address
> For additional commands, e-mail: suse-security-help@xxxxxxxx
> Security-related bug reports go to security@xxxxxxx, not here
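
The exposure described in the quoted report (a credential stored in plain text in a file any local user can read) can be checked for with a short audit script. This is an added example, not part of either message or of SUSE's tooling; the key-name pattern, the function names and the sample file contents are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example. Reports world-readable files that hold a non-empty
# password-like setting, as "path:KEY". Values are never printed.

# KEY containing "pass" (any case), then = and a non-empty, optionally quoted value.
PAT="^[[:space:]]*[A-Za-z0-9_]*[Pp][Aa][Ss][Ss][A-Za-z0-9_]*=[\"']?[^\"'[:space:]]"

audit_plaintext_secrets() {
    # -perm -004: the "other" read bit is set, i.e. any local user can read it
    find "$1" -type f -perm -004 2>/dev/null | sort | while IFS= read -r f; do
        grep -E "$PAT" "$f" 2>/dev/null | sed 's/^[[:space:]]*//; s/=.*//' |
        while IFS= read -r key; do
            printf '%s:%s\n' "$f" "$key"
        done
    done
}

# Assumption: only the owner (root, for files under /etc/sysconfig) needs access.
restrict_to_owner() {
    chmod go-rwx "$1"
}

# Constructed sample tree; key names and values are made up for the demo.
make_sample() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'EXAMPLE_USER="alice"' 'EXAMPLE_PASSWORD="s3cret"' \
        '# EXAMPLE_OLD_PASSWORD="x"' 'EXAMPLE_PROXY_PASSWORD=""' > "$d/onlineupdate"
    printf '%s\n' 'EXAMPLE_PASSWORD="s3cret"' > "$d/locked"
    chmod 644 "$d/onlineupdate"
    chmod 600 "$d/locked"
    printf '%s\n' "$d"
}

demo() {
    d=$(make_sample) || return 1
    echo "before:"; audit_plaintext_secrets "$d"
    restrict_to_owner "$d/onlineupdate"
    echo "after:";  audit_plaintext_secrets "$d"
    rm -rf "$d"
}
demo
```

On a real system, run `audit_plaintext_secrets /etc/sysconfig` and review each hit before changing its mode.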