Bug 101052 - smb printer - ps shows clear passwd
Product: Fedora
Classification: Fedora
Component: cups
All Linux
medium Severity medium
Assigned To: Tim Waugh
Ben Levenson
: Security
Duplicates: 111771 113349
Reported: 2003-07-28 16:13 EDT by Terry Davis
Modified: 2007-11-30 17:10 EST
Doc Type: Bug Fix
Last Closed: 2005-05-12 04:58:14 EDT

Description Terry Davis 2003-07-28 16:13:27 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4b) Gecko/20030516
Mozilla Firebird/0.6

Description of problem:
If you set up an SMB printer using the GUI (I did), you can see the clear text
password in the process list:

[user@machine user]$ ps xauwww | grep smb
root      3027  0.0  0.3  4516 1736 ?        S    14:57   0:00
smb://user:password@DOMAIN/machine/HP-108 17 user (stdin) 1 cpi=12 lpi=7
page-bottom=36 page-left=36 page-right=36 page-top=36 scaling=100 wrap

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Setup smb printer
2. ps xauwww | grep smb
3. View the password

Actual Results:  You can see the password

Expected Results:  Password should be ********

Additional info:
Comment 1 Tim Waugh 2004-01-13 03:57:13 EST
*** Bug 113349 has been marked as a duplicate of this bug. ***
Comment 2 Doncho N. Gunchev 2004-05-29 20:25:49 EDT
Using CUPS's web interface you can see the password looking at the
printer's details also (RH9 at least).
Comment 3 Josh Bressers 2004-06-18 17:54:43 EDT
*** Bug 111771 has been marked as a duplicate of this bug. ***
Comment 4 Nicholas Miell 2005-05-12 03:31:08 EDT
smbspool can take a device URI three ways: in argv[0], in argv[1], or in the
DEVICE_URI environment variable.

Using DEVICE_URI instead of passing it on the command line should hide sensitive
information from all uses.
Comment 5 Tim Waugh 2005-05-12 04:58:14 EDT
Not only that, but it *must* use DEVICE_URI since cups now masks the
authentication details out from the URI it passes as argv[0].

This has been the case for a couple of releases now, I'm sure.
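
An added example, not part of the bug thread and not CUPS or Samba code, sketching the behaviour comments 4 and 5 describe: the spooler strips credentials from the URI it places in argv[0], and the backend takes the full URI from DEVICE_URI. The helper names mask_uri and pick_device_uri and the sample URI are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: copy uri into out without its "user[:password]@" part,
 * assuming a '/' inside the password is percent-encoded.
 * Returns 1 if credentials were stripped, 0 if there were none, -1 on error. */
int mask_uri(const char *uri, char *out, size_t outlen)
{
    const char *sep = strstr(uri, "://");
    if (sep == NULL || strlen(uri) >= outlen)
        return -1;
    const char *auth = sep + 3;              /* start of the authority part */
    size_t authlen = strcspn(auth, "/");     /* authority ends at first '/' */
    const char *at = NULL;
    for (size_t i = 0; i < authlen; i++)     /* last '@': passwords may hold '@' */
        if (auth[i] == '@')
            at = auth + i;
    if (at == NULL) {                        /* nothing to hide */
        strcpy(out, uri);
        return 0;
    }
    size_t prefix = (size_t)(auth - uri);    /* length of "scheme://" */
    memcpy(out, uri, prefix);
    strcpy(out + prefix, at + 1);            /* host and path only */
    return 1;
}

/* Hypothetical helper for the backend side: prefer the URI from the
 * DEVICE_URI environment variable and fall back to argv[0]. On Linux another
 * user can read a process's command line but not its environment. */
const char *pick_device_uri(const char *env_uri, const char *argv0)
{
    return (env_uri != NULL && *env_uri != '\0') ? env_uri : argv0;
}

int main(void)
{
    /* Constructed sample shaped like the URI in the report. */
    const char *full = "smb://user:password@DOMAIN/machine/HP-108";
    char shown[256];
    if (mask_uri(full, shown, sizeof shown) < 0)
        return 1;
    printf("argv[0] as listed by ps: %s\n", shown);
    const char *env = getenv("DEVICE_URI");  /* set by the spooler, if at all */
    printf("backend has credentials: %s\n",
           strchr(pick_device_uri(env, shown), '@') ? "yes" : "no");
    return 0;
}
```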
