Has anyone else noticed that on Cobalt CacheRaQs the root password is stored in cleartext in the file /etc/ADMINPW? I thought it was a quirk or something when I first found it, but it's on all 5 of our CacheRaQs... even the ones I've just restored from CD. How much sense does this make? Storing the *root* password in cleartext in a file that is mode 644?!?! <Or any file for that matter>

I contacted Cobalt support and their answer was basically, "Oh well... the only account on the system is root, so they would have to already know the password to get in anyway." What?!?! First of all, we do add 1 non-privileged account to all our CacheRaQs so we can telnet and/or SSH into the machine, and then disallow telnet access to the root account. <To telnet into a machine as root is just STUPID... that's what su is for.> Secondly, how many times have crackers exploited daemons other than telnetd to get the contents of a file sent to them? A buffer overflow in squid or apache could result in them getting the contents of this file!!
Cobalt told me that the only way I could get them to fix this problem was to hire "Professional Services" to re-work the entire user interface for $200 an hour. Personally I see this as a security flaw that they should fix ASAP. There's NO reason for this file to be there. I realize that I could just not use the user interface to change the password, but if I'm not going to use the interface I might as well buy a box from VAR Systems or Penguin Computing. The beauty of a Cobalt is the easy web administration. I may be paranoid... but this is just unacceptable. What does everyone else think about this?

Benson Hill
Internet Systems Engineer
bhill@xxxxxxx
---------
Voice: 662.840.6464 Ext. 208
Personal eFax: 508.445.6416
AFO TeleFax: 662.840.6350
Protect your Family with American Family Filtering! For fast and safe Internet, click http://www.afo.net/cust.htm?1469
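As an added example (not part of the post above, and not Cobalt's code), here is a small POSIX sh audit for the situation described: it checks whether a file meant to hold a secret, such as the /etc/ADMINPW file named in the post, is readable by group or world, and can tighten it to owner-only access. The function names and the temporary-file usage are my own.

```shell
#!/bin/sh
# Added example: audit files that are expected to hold a secret and report
# whether anyone besides the owner can read them. The file paths passed on the
# command line are the operator's choice; /etc/ADMINPW is the one from the post.

# Returns 0 if only the owner can read the file, 1 if group or "other" can,
# 2 if the file does not exist. Parses ls -ld so it also works on older
# systems that lack GNU stat.
secret_file_is_private() {
    f="$1"
    [ -e "$f" ] || return 2
    perms=$(ls -ld "$f" | cut -c1-10)
    case "$perms" in
        ????r*|???????r*) return 1 ;;   # group read bit or world read bit set
    esac
    return 0
}

# Tighten a secret file to mode 600 (owner read/write only) and re-check it.
lock_down_secret_file() {
    f="$1"
    chmod 600 "$f" || return 1
    secret_file_is_private "$f"
}

# Print one report line per file; returns 1 if any file is exposed or missing.
audit_secret_files() {
    rc=0
    for f in "$@"; do
        if secret_file_is_private "$f"; then
            echo "OK       $f (owner-only)"
        elif [ ! -e "$f" ]; then
            echo "MISSING  $f"
            rc=1
        else
            echo "EXPOSED  $f readable by group/other: $(ls -ld "$f")"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh audit_secret.sh /etc/ADMINPW
if [ "$#" -gt 0 ]; then
    audit_secret_files "$@"
fi
```

A mode-600 file still leaves the cleartext password readable by any process running as root, so the check only narrows the exposure the post describes; it does not remove it.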