Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#41978 - [util-linux] Login may leak password
Attached to Project:
Arch Linux
Opened by Philipp (hollunder) - Monday, 15 September 2014, 12:58 GMT
Last edited by Dave Reisner (falconindy) - Tuesday, 16 September 2014, 11:56 GMT
Details
Description:
On login the password can be leaked/echoed at least to the screen. This might not seem like a major issue as you can just wait a bit before typing the password. But what about automated logins? Are they also affected? It is clear that login ceases its control over the input between the username and password prompt, which seems very wrong to me.

Additional info:
* package version(s): Current and past versions going back a number of months.
* config and/or log files etc.: No special configuration.

Steps to reproduce:
Set the system up without any login manager. Type the user name, hit enter and immediately type the password. The time interval seems to be somewhat random but if you're quick enough your whole password or part of it gets echoed to the screen.
Closed by Dave Reisner (falconindy)
Tuesday, 16 September 2014, 11:56 GMT
Reason for closing: Not a bug
Additional comments about closing: Nothing for Arch to do, and login can't buffer input for a prompt that it isn't providing itself.
1) agetty(8) prompts you for your username.
2) You enter your username, press enter.
3) agetty spawns login(1) with the provided username as an argument.
4) login(1) does some validation, and then asks PAM to start a new session. If /etc/pam.d/login contains pam_unix.so, you might be prompted for a password. You might have some other method of authentication like a Yubikey or secure card, or a biometric device, or an OTP token, or... the list goes on.
There's a gap of time in here between you hitting enter at the end of step 2, and a potential step 4 where you're prompted for a password via pam_unix.so. login itself can't buffer input because it isn't responsible for getting the password. If you blank all input but don't necessarily accept it, how does the user know (other than the presence of the password prompt) what they've already entered?
I tend to think this is just PEBKAC, but I'm quite sure that there's nothing for Arch to do here. Feel free to contact upstream util-linux (probably util-linux@vger.kernel.org) if you think that things can be done better.
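The gap described in the comment above can be reproduced without a console or a reboot. The following Python script is an added example for this tracker page; it is not code from the bug report, from util-linux or from PAM. It opens a pseudo-terminal pair: the master side stands in for the user's keyboard and screen, the slave side for the tty that agetty hands to login. The typed-ahead password "hunter2" is a constructed sample, and the script assumes a Linux host with Python's pty and termios modules. It shows two things: in the gap, the kernel line discipline echoes every keystroke on its own because the tty is still in the cooked mode agetty left it in and no userland program has cleared ECHO; and once a getpass(3)-style reader does clear ECHO, the only choice it still has is whether to discard the bytes typed ahead (TCSAFLUSH) or to consume them as the password (TCSANOW). Neither option removes what is already on the screen.

```python
import os
import pty
import select
import termios

# Constructed sample: keystrokes a fast typist sends in the gap between the
# username prompt (agetty) and the password prompt (pam_unix via login).
# No trailing newline, so the echo comes back byte-for-byte; a newline would
# be rewritten to "\r\n" by the tty's ONLCR output processing.
TYPED_AHEAD = b"hunter2"


def drain(fd, timeout=0.3):
    """Collect whatever the terminal writes to the master side within timeout."""
    out = b""
    while True:
        ready, _, _ = select.select([fd], [], [], timeout)
        if not ready:
            return out
        chunk = os.read(fd, 4096)
        if not chunk:
            return out
        out += chunk


def simulate(reader_flushes_input):
    """Emulate the agetty -> login -> password-prompt gap on a pseudo-terminal.

    The master fd plays the user's keyboard and screen; the slave fd is the
    tty that agetty handed to login.  Returns a pair
    (bytes_echoed_before_the_prompt, bytes_consumed_as_the_password).
    """
    master, slave = pty.openpty()
    try:
        # Phase 1, the gap: the tty is still in the cooked mode agetty left it
        # in (ICANON and ECHO set).  Nothing in userland is reading it yet; the
        # kernel line discipline echoes every byte on its own.
        os.write(master, TYPED_AHEAD)
        echoed = drain(master)

        # Phase 2: the password reader finally runs and clears ECHO, as
        # getpass(3)-style code does.  TCSAFLUSH also discards input that was
        # received but not yet read; TCSANOW keeps it in the line buffer.
        attrs = termios.tcgetattr(slave)
        attrs[3] &= ~termios.ECHO          # attrs[3] is c_lflag
        when = termios.TCSAFLUSH if reader_flushes_input else termios.TCSANOW
        termios.tcsetattr(slave, when, attrs)

        # The user presses Enter; canonical mode now delivers a full line.
        os.write(master, b"\n")
        consumed = os.read(slave, 4096).rstrip(b"\n")
        return echoed, consumed
    finally:
        os.close(master)
        os.close(slave)


if __name__ == "__main__":
    for flushes in (False, True):
        echoed, consumed = simulate(flushes)
        mode = "TCSAFLUSH" if flushes else "TCSANOW"
        print(f"{mode}: echoed to screen={echoed!r}, read as password={consumed!r}")
```

Run it as a normal user; no root or real console is needed. In both runs the echoed bytes are the full typed-ahead password, which is the leak the report describes: it happens in the kernel before any password reader exists, so there is nothing login could have intercepted. The flush variant only changes whether the typed-ahead bytes are then used as the password or silently dropped, which is why "wait for the prompt" is the practical answer for interactive logins, and why scripted logins over a tty should send the password only after the prompt text has actually appeared.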