Package: login
Version: 1:4.0.3-30.7
Severity: critical
Tags: security
Justification: root security hole

It seems that /var/log/btmp is created as a world-readable file. This is
insecure (and it is reported by 'tiger') because this file contains failed
logins, including unknown usernames. It is possible for a user to see the
root password (and others too) by running /usr/bin/lastb.

Tiger reports this as an error:

# Checking for existence of log files...
--FAIL-- [logf005f] Log file /var/log/btmp permission should be 660

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.10-1-686-smp
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages login depends on:
ii  libc6           2.3.2.ds1-20  GNU C Library: Shared libraries an
ii  libpam-modules  0.76-22       Pluggable Authentication Modules f
ii  libpam-runtime  0.76-22       Runtime support for the PAM librar
ii  libpam0g        0.76-22       Pluggable Authentication Modules l

-- no debconf information
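The check tiger performs here (logf005f) is easy to reproduce and to act on. The following POSIX sh snippet is an added example, not code from the login package, from tiger or from the bug reporter: it reports whether a btmp-style log file is accessible to "other", and tightens it to the 660 mode the report asks for. The function names are this example's own, and the root:utmp ownership applied by `btmp_fix` is an assumption about the conventional owner of the wtmp/btmp family, since the report itself only states the mode.

```shell
#!/bin/sh
# Added example, not part of the bug report: a small POSIX sh check for the
# /var/log/btmp permission problem described above. Nothing here is login's
# or tiger's own code; the function names are this example's own.

# btmp_mode FILE: the nine permission characters of FILE, e.g. "rw-r--r--".
# ls -L follows a symlink so the target's mode is what gets checked.
btmp_mode() {
    ls -ldL "$1" | cut -c2-10
}

# btmp_perm_ok FILE: succeed (0) when "other" has no read/write/execute bit,
# i.e. the mode is at most rw-rw---- (660), as tiger check logf005f expects.
# A world-readable btmp lets any local user run lastb and read the usernames
# of failed logins, which may be a password typed into the login prompt.
btmp_perm_ok() {
    [ "$(ls -ldL "$1" | cut -c8-10)" = "---" ]
}

# btmp_fix FILE: set the 660 mode; when run as root also hand the file to the
# utmp group (assumption: the conventional owner of the wtmp/btmp family; the
# report itself only states the mode). The chown is best-effort.
btmp_fix() {
    chmod 660 "$1" || return 1
    if [ "$(id -u)" = "0" ]; then
        chown root:utmp "$1" 2>/dev/null || :
    fi
}

# btmp_report FILE: print PASS/FAIL in tiger's spirit; always returns 0 so it
# can be used in a loop over several log files without aborting the loop.
btmp_report() {
    f=$1
    if [ ! -e "$f" ]; then
        echo "SKIP   $f does not exist"
    elif btmp_perm_ok "$f"; then
        echo "PASS   $f mode $(btmp_mode "$f")"
    else
        echo "FAIL   $f mode $(btmp_mode "$f") is accessible by other; fix with: chmod 660 $f"
    fi
    return 0
}

# Stand-alone use: check the system file, or whatever path is given as $1.
btmp_report "${1:-/var/log/btmp}"
```

Run it as an unprivileged user to get the same PASS/FAIL verdict tiger gives; `btmp_fix` needs root on the real /var/log/btmp. The check looks only at the "other" bits because 660 deliberately keeps group read/write for the utmp group that login and lastb use.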