Ubuntu closes root hole
A flaw in the module pam_motd (message of the day), which displays the daily motto and other information after login (to the shell), can be exploited under Ubuntu to expand access rights. Attackers can exploit this vulnerability to gain root access. Ubuntu has already provided a patch for the flaw. Operators of multi-users systems should install it as soon as possible because directions are already in circulation via Twitter on how to exploit the flaw to get access rights to the password file /etc/shadow. The file can then not only be read, but changed.
The problem is the result of the excessively high access rights with which pam_motd stores or modifies the file motd.legal-notice in the user's local cache directory after login. That file is designed to show whether the legal notice was displayed, but the module performs that function with root rights. With a symlink from the cache to the password file, the owner can be changed with a new login.
According to the developers, the problem only occurs on Ubuntu; other Linux systems are reportedly not affected. Ubuntu has remedied the flaw by taking root rights away from the module for access to the file motd.legal-notice (under .cache).