Cleartext passwords logged

linuxmuster / linuxmuster-webui7

Next generation web interface for linuxmuster.net v7.

https://www.linuxmuster.net

GNU General Public License v3.0

12 stars 8 forks source link

Cleartext passwords logged #236

Closed FlorianKrammel closed 2 years ago

FlorianKrammel commented 2 years ago

Plugin: lnm_users File: views.py Function: handle_api_users_password( )

The parameter "password" contains the cleartext password e. g. from global-admin an is shown in the logs (journalctl).

kiarn commented 2 years ago

Hello @FlorianKrammel ,

Thanks for the report, I can confirm. It's necessary to handle this with pexpect, but I'm afraid I will not have the time to solve this the next 2 weeks. I will show at it then.

Arnaud

kiarn commented 2 years ago

Hello,

I made some deep investigations, and there's 2 points to correct :

Ajenti logs all subprocess commands in DEBUG mode. Fix is prepared to let the possibility to hide sensitive commands and will be available with the next release.
the second point is the fact that sophomorix-passwd is run with sudo, which logs all commands in /var/log/auth.log. I made a PR here to fix this : https://github.com/linuxmuster/linuxmuster-base7/pull/142

Arnaud