Deprecated: Function set_magic_quotes_runtime() is deprecated in /var/www/forums.zonbu.com/common.php on line 106 Zonbu Forums • View topic - Cleartext password shows up in Metalog
Left ZonbuGet Zonbu NowLeft
Welcome! Sign In to My Zonbu 		Right
Home Separator WhatIsZonbu Separator WhyZonbu Separator Pricing Separator GetItNow Separator Support Separator Extension
Home2 Separator WhatIsZonbu2 Separator WhyZonbu2 Separator Pricing2 Separator GetItNow2 Separator Support2 Separator Extension2

Cleartext password shows up in Metalog

Discuss any specific to the Community/Developer edition of the Zonbu OS: installation, modification, or running within a virtual machine.
Post a reply

Cleartext password shows up in Metalog

Postby MarlonNelson on Sun Mar 09, 2008 9:42 am

I activated Metalog. Recently, I've noticed my password showing up in the log.

everything/log-2008-03-08-01:00:01:Mar 7 16:51:37 [sudo] pcor : TTY=tty1 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/PCoR/cachefs/authentify_changepwd.sh XXXXXXXX

This seems like a bad idea.

Any chance this could be fixed?
MarlonNelson
 
Posts: 38
Joined: Sat Dec 22, 2007 4:49 pm
Top

Re: Cleartext password shows up in Metalog

Postby maniac on Sun Mar 09, 2008 5:47 pm

MarlonNelson wrote:I activated Metalog. Recently, I've noticed my password showing up in the log.

everything/log-2008-03-08-01:00:01:Mar 7 16:51:37 [sudo] pcor : TTY=tty1 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/PCoR/cachefs/authentify_changepwd.sh XXXXXXXX

This seems like a bad idea.

Any chance this could be fixed?

Hmm. After looking at that script (and some related ones), the options appear somewhat limited.

Suppressing the log of sudo commands is one solution but appears heavy handed.
chpasswd does allow you to pass it encrypted passwords, but smbpasswd doesn't.

Side note - You may want to search other files for plain text passwords. CUPS configuration files (to print on remote servers) saves the PW in plain text. I found an evolution file w/ a plain text password as well.

A full fix may require an encrypted hard disk or file system (since the way to enable developer edition is published in the public).
--Mark
maniac
 
Posts: 54
Joined: Tue Dec 11, 2007 7:46 pm
Top

Re: Cleartext password shows up in Metalog

Postby MarlonNelson on Sun Mar 09, 2008 6:46 pm

I was thinking of trying the following changes, but I'm reluctant to tweak this part of the zonbu infrastructure:

# diff /usr/bin/PCoR/cachefs/authentify_changepwd.sh authentify_changepwd.sh
Code: Select all
2,4c2,4
<
< echo -e "${1}\n${1}" | smbpasswd -a pcor -s
< echo pcor:${1} | chpasswd -m
---
> read pwd
> echo -e "${pwd}\n${pwd}" | smbpasswd -a pcor -s
> echo pcor:${pwd} | chpasswd -m


# diff /usr/bin/PCoR/cachefs/authentify.sh authentify.sh
Code: Select all
54c54,55
<       /usr/bin/sudo /usr/bin/PCoR/cachefs/authentify_changepwd.sh "${1}"
---
>       PWD="${1}"
>       /usr/bin/sudo /usr/bin/PCoR/cachefs/authentify_changepwd.sh <<<$PWD


# diff /usr/bin/PCoR/cachefs/changepwd.py changepwd.py
Code: Select all
69c69
<               p = subprocess.Popen([SUDO, PCOR_CHPASSWD, self.new],
---
>               p = subprocess.Popen([SUDO, PCOR_CHPASSWD],
71c71
<               p.communicate()
---
>               p.communicate(self.new)
MarlonNelson
 
Posts: 38
Joined: Sat Dec 22, 2007 4:49 pm
Top

Re: Cleartext password shows up in Metalog

Postby plasmaroo on Mon Mar 10, 2008 10:45 am

If you could please file a bug for this that would be appreciated.

Thanks!
plasmaroo
Site Admin
 
Posts: 31
Joined: Sat Mar 17, 2007 12:28 pm
Top

Re: Cleartext password shows up in Metalog

Postby MarlonNelson on Mon Mar 10, 2008 1:02 pm

Done! http://bugzilla.zonbu.com/show_bug.cgi?id=1321
MarlonNelson
 
Posts: 38
Joined: Sat Dec 22, 2007 4:49 pm
Top
Post a reply

Return to Community/Developer Zonbu OS

Who is online

Users browsing this forum: No registered users and 1 guest

cron
About us  |  Press  |  Developer  |  Contact us  |  Hiring  |  Privacy Policy  |  LegalAll rights reserved
All trademarks on legal page
Copyright © 2008 Zonbu
Down