Bug 50681 - gdm logs my password
Summary: gdm logs my password
Status: CLOSED RAWHIDE
Alias: None
Product: Red Hat Raw Hide
Classification: Retired
Component: gdm
Version: 1.0
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Havoc Pennington
QA Contact: Aaron Brown
Reported: 2001-08-02 01:13 UTC by Jonathan Kamens
Modified: 2007-04-18 16:35 UTC (History)
Last Closed: 2001-08-02 15:31:16 UTC

Description Jonathan Kamens 2001-08-02 01:13:11 UTC
I accidentally typed my password in the username field of a gdm login
screen -- I thought the screen was locked rather than logged out, and I
typed the password before the monitor had a chance to wake up.

Imagine my surprise when my password was logged in cleartext in
/var/log/messages!  "gdm[1384]: Couldn't authenticate XXXX"

It is a cardinal rule of designing login interfaces that you never log
information typed by the user, for just this reason.

Comment 1 Havoc Pennington 2001-08-02 15:31:09 UTC
Someone just reported this same bug for another reason, you can enter "%s%s%s"
as your password and get some uninitialized memory reads. Looks like it's "turn
off gdm logging crack" day.

Comment 2 Havoc Pennington 2001-08-02 16:44:39 UTC
gdm-2.2.3.1-11 should resolve this.
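
An added example, not part of the original report and not gdm's code: one way to build an authentication-failure log line that covers both points raised above, by never writing what was typed into the login field and by passing untrusted text only as a `%s` argument, never as the format string. The function names, the `display` parameter and the sample inputs are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Copy an untrusted value into dst as printable data. Control characters
 * (e.g. a newline used to forge a second log entry) become '?'. '%' needs
 * no escaping because the value is only ever used as an ARGUMENT. */
static void printable_copy(char *dst, size_t dstlen, const char *src)
{
    size_t i = 0;
    if (dstlen == 0)
        return;
    for (; src[i] != '\0' && i + 1 < dstlen; i++)
        dst[i] = isprint((unsigned char)src[i]) ? src[i] : '?';
    dst[i] = '\0';
}

/* Hypothetical helper: build the failure line. typed_login is accepted only
 * to make explicit that it is deliberately NOT written, since it may be a
 * password typed into the wrong field. Returns the length written, or -1
 * if the line would not fit in out. */
int build_auth_failure_line(char *out, size_t outlen,
                            const char *typed_login, const char *display)
{
    char disp[64];
    int n;

    (void)typed_login;                      /* never logged */
    printable_copy(disp, sizeof disp, display);
    /* Constant format string; untrusted text is data only. */
    n = snprintf(out, outlen, "Couldn't authenticate user on display %s", disp);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

int main(void)
{
    char line[128];
    /* Constructed inputs: a password typed into the username field, and a
     * display string carrying format directives and a newline. */
    if (build_auth_failure_line(line, sizeof line, "hunter2", ":0%s%s%s\n") > 0)
        puts(line);   /* a daemon would call syslog(LOG_ERR, "%s", line) */
    return 0;
}
```
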

