Hi, > > Then, an untrustworthy colleague goes to the computer, and just > > reads /var/lib/cdebconf/questions.dat: installer's password is there, > > plain, clear text. > > Did you actually check this? The password templates are of type 'password' > and thus the value should be in /var/lib/cdebconf/passwords.dat (and thus > encoded) instead of in plain text in questions.dat. Well, you can still db_get the password, can't you? > Also, if you look at the postinst script for network-console, you'll see > that the template already *is* cleared after the password is asked. Oh, my bad, you're right. I've actually read it, but for some reason, I overlooked the exact thing I was searching for... > The only case in which AFAICT what you describe can be true is when the > template is preseeded [1] while the network-console component is not yet > loaded (because then the template could be created as a regular template > instead of as a password one). As preseeding passwords in itself already > lowers security, I don't really think this is an important bug. > > Please verify that you really do see readable passwords and describe the > exact scenario (architecture / image / installation method used) in which > you do. As said earlier, I was, for some reason, sure that the postinst script didn't clear the passwords... So, please ignore this first "issue", as it wasn't here in the first place. Regards, Thibaut Girka.
Attachment:
signature.asc
Description: This is a digitally signed message part