Yesterday a fellow in the #plug channel posted the URL to the forum thread where it was revealed that Ubuntu had a critical security bug. It’s since been slashdotted.
According to the bug report, it turns out that the normal Breezy Badger 5.10 install saves your first user’s password in a clear-text file on the system, readable by all. By default, this first user is the one set up with full sudo privileges. If this password was not changed after the install anyone logging onto this system can read this file and get root access.
Damn! That’s BAD!
I spread the news to IRC channels where I knew it would be of use, the reaction was “eeek!” all over the place as people checked the clear-text file and found their password sitting there for all to see.
An official fix via apt (just `apt-get update && apt-get upgrade` and you’re set) was out within 9 hours of discovery and a security alert was sent out on ubuntu-security-announce. Since it’s an installation file all you actually need to do is delete the file from your system (or chmod it, but why would you want to keep it?) and change your password.
I love Ubuntu, my first reaction was to try and make excuses for them.
But there is no excuse, maintaining password security is fundamental.
I’ll continue to use Ubuntu on my laptop, I do updates regularly, I don’t have other users on my laptop and I am subscribed the the security announce list. But on mission-critical machines? Not a chance. Sorry Ubuntu dear, you are clearly not yet mature enough for that.