[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [cobalt-users] Cleartext Root Password

I totally agree on this. Should your impression be true - I have to trust you
since I don't own any CacheRAQs, we just use regular Raq3s for web accounts - this
would be stupid definititely.

Btw I do not think just SUing is a safer thing to do - passwords are transmitted
in clear text, and sniffing them is in no way harder to do - su does not provide
for security, just for obscurity, which is worth exactly nothing. Secure shell
(SSH) is the only (closely, because there still is the regular shell risks) safe
way to permit interactive use.

Also, there is no technical reason I can think of for storing passwords in
cleartext. crypt() is available in most any language I can think of, and is not
hard to code at all, so there should _never_ be a reason to store passwords in
cleartext. Making this mod 0644 not even makes it even worse, but renders security
a lovely feature obviously available only with regular Linux boxes... I don't
think anyone should have to *BUY* "professional" (HUGE '"' in this case!) services
to remove this 'feature' (it's not a bug - it's failure by design). Have you
looked into any of the Perl files what this is being used for? Writing a fix
should be pretty straigtforward; in case Cobalt should require 200$/hour, I'd
definitely do it for much less...

Jan Tietze

P.S.: "American Family Filtering" is for loonies. I probably won't have to comment
on the AFA, do I? I get their announcements (and so-called 'alerts') on a regular
basis... They are anti-homosexual, anti-libertarian, anti-equal rights. Maybe you
would like to comment on this by email...

Benson Hill wrote:

> Has anyone else noticed that on Cobalt CacheRAQ's the root
> password is stored in cleartext in the file /etc/ADMINPW ?
>
> I thought it was a quirk or something when I first found it,
> but it's on all 5 of our CacheRAQ's....even the ones I've just
> restored from CD.
>
> How much sense does this make? Storing the *root* password in
> cleartext in a file that is mod 644 ?!?! <Or any file for that matter>
>
> I contacted Cobalt support and their answer was basically,
> "Oh well...the only account on the system is root so they would
> have to already know the password to get in anyway"
>
> What?!?!  First of all, we do add 1 non-privileged account to all
> our CacheRAQ's so we can telnet and/or SSH into the machine
> and then disallow telnet access to the root account.
> <To telnet into a machine as root is just STUPID...that's what su is for.>
>
> Secondly, how many times have crackers exploited daemons other
> than telnetd to get the contents of a file sent to them?  A buffer overflow
> in squid or apache could result in them getting the contents of this file!!
>
> Cobalt told me that the only way I could get them to fix this problem
> was to hire "Professional Services" to re-work the entire user-interface
> for $200 an hour.
>
> Personally I see this as a security flaw that they should fix ASAP.
> There's NO reason for this file to be there.
>
> I realize that I could just not use the user-interface to change the password,
> but if I'm not going to use the interface I might as well buy a box from
> VAR Systems or Penguin Computing.  The beauty of a cobalt is the
> easy web administration.
>
> I may be paranoid....but this is just unacceptable.
> What does everyone else think about this?
>
> Benson Hill
> Internet Systems Engineer
> bhill@xxxxxxx
> ---------
> Voice: 662.840.6464 Ext. 208
> Personal eFax: 508.445.6416
> AFO TeleFax: 662.840.6350
>
> Protect your Family with American Family Filtering!
> For fast and safe Internet, click http://www.afo.net/cust.htm?1469
>
>   ------------------------------------------------------------------------
>    Part 1.2Type: application/pgp-signature