Bug 50681

Summary: gdm logs my password
Product: [Retired] Red Hat Raw Hide
Reporter: Jonathan Kamens <h1k6zn2m>
Component: gdm
Assignee: Havoc Pennington <hp>
Status: CLOSED RAWHIDE
QA Contact: Aaron Brown <abrown>
Severity: medium
Priority: medium
Version: 1.0   
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Doc Type: Bug Fix
Last Closed: 2001-08-02 15:31:16 UTC

Description Jonathan Kamens 2001-08-02 01:13:11 UTC
I accidentally typed my password in the username field of a gdm login
screen -- I thought the screen was locked rather than logged out, and I
typed the password before the monitor had a chance to wake up.

Imagine my surprise when my password was logged in cleartext in
/var/log/messages!  "gdm[1384]: Couldn't authenticate XXXX"

It is a cardinal rule of designing login interfaces that you never log
information typed by the user, for just this reason.

Comment 1 Havoc Pennington 2001-08-02 15:31:09 UTC
Someone just reported this same bug for another reason: you can enter "%s%s%s"
as your password and get some uninitialized memory reads. Looks like it's "turn
off gdm logging crack" day.

Comment 2 Havoc Pennington 2001-08-02 16:44:39 UTC
gdm-2.2.3.1-11 should resolve this.
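
An added example, not code from gdm or from this report: a logging wrapper that avoids both problems raised in the thread, by never recording what was typed at the login prompt and by handing syslog() its text as data behind a constant "%s" format. The names log_error, report_auth_failure and last_logged are hypothetical, and the idea that the format-directive problem comes from passing an already-expanded buffer to syslog() as its format is an assumption about this class of bug, not a statement about gdm's source.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Copy of the last message handed to syslog(), kept so it can be inspected. */
static char last_logged[256];

/* Hypothetical wrapper: expand the caller's format exactly once, then pass
 * the result to syslog() as DATA. Writing syslog(LOG_ERR, last_logged)
 * instead would make syslog() interpret any '%' directive that reached the
 * buffer from user input, reading arguments that were never supplied. */
static void log_error(const char *fmt, ...)
{
    va_list ap;

    va_start(ap, fmt);
    vsnprintf(last_logged, sizeof last_logged, fmt, ap);
    va_end(ap);
    syslog(LOG_ERR, "%s", last_logged);
}

/* Report a failed login. The typed login is accepted only to show that it
 * is deliberately dropped: a user who types a password into the username
 * field must not find it in /var/log/messages afterwards. */
static const char *report_auth_failure(const char *typed_login,
                                       const char *display)
{
    (void)typed_login;                      /* never logged */
    log_error("Couldn't authenticate user on display %s", display);
    return last_logged;
}

int main(void)
{
    /* Constructed inputs: a mistyped password and a format-directive string. */
    puts(report_auth_failure("constructed-password", ":0"));
    puts(report_auth_failure("%s%s%s", ":0"));
    return 0;
}
```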