Xubuntu 18.04 passwd file in etc displays passwd unencrypted

Bug #1851300 reported by Mélodie
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
base-passwd (Ubuntu) | Invalid | Undecided | Unassigned |
pam (Ubuntu) | Expired | Undecided | Unassigned |
shadow (Ubuntu) | Expired | Undecided | Unassigned |

Bug Description

Hello,

I have a workshop where I provide mostly Ubuntu community editions in computers and help people coming with computers already set up with a *buntu version. A lady came to me as she couldn't master her computer (there is someone in town who installs Ubuntu editions without teaching his clients how to deal with their machines).

She has an Ubuntu Xfce (Xubuntu) 18.04.x which is what she currently uses, especially as she doesn't know how to boot to the other OS. :s

So I chrooted from a live to recreate her Xubuntu user passwd, and oh surprise! The /etc/passwd file was showing her password in plain text, unencrypted. (I could read it easily, it was her family name!).

I have not had the time to dig further, check other editions and versions except the ones I use, however I think, as it has happened in the past, the persons in charge should look into it and check all recent Ubuntu and community versions editions (if relevant).

Thanks for your work!

Best regards,
Mélodie

information type: Private Security → Public Security
Changed in base-passwd (Ubuntu):
status: New → Incomplete
Changed in pam (Ubuntu):
status: New → Incomplete
Changed in shadow (Ubuntu):
status: New → Incomplete
Seth Arnold (seth-arnold) wrote :

I've selected the most likely packages to be involved, based on a guess. Without knowing how the user attempted to set their password though, this is going to be pretty impossible to track down.

/etc/passwd hasn't had passwords stored in it by default for something like 25 years. My best guess at the moment is some vastly inappropriate tool was used somewhere along the way (with suspicion leaning towards web-based 'consoles').

If you can figure out how this happened (or better yet, tell us how to recreate it), please do report back and mark the bug New again.

Thanks
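
Added example (not part of the bug report and not code from any commenter or from the Ubuntu packages): one way to check a passwd-format file for entries whose second field holds something other than the shadow placeholder "x", which is the condition this report describes. The function name, the class labels and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the password field (field 2) of passwd-format lines.
# Prints "user:class" for every entry whose field is not the placeholder "x".
# Classes (labels chosen for this example):
#   empty        - no password required for the account
#   locked       - "*" or a value starting with "!"
#   crypt-hash   - modular crypt format, e.g. $6$salt$hash
#   unrecognized - anything else (legacy 13-character DES hashes and
#                  arbitrary strings both land here); inspect by hand
audit_passwd_fields() {
    awk -F: '
        /^#/ || NF < 7 { next }   # skip comments, blank and malformed lines
        $2 == "x"      { next }   # normal case: the hash lives in /etc/shadow
        {
            f = $2
            if (f == "")                    c = "empty"
            else if (f == "*" || f ~ /^!/)  c = "locked"
            else if (f ~ /^\$[0-9a-z]+\$/)  c = "crypt-hash"
            else                            c = "unrecognized"
            print $1 ":" c
        }
    ' "$1"
}

# Constructed sample data (not taken from the affected machine).
sample=$(mktemp)
cat > "$sample" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:Dupont:1000:1000:Alice:/home/alice:/bin/bash
bob:$6$c29tZXNhbHQ$abcdefghijk:1001:1001:Bob:/home/bob:/bin/bash
carol::1002:1002:Carol:/home/carol:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
EOF
audit_passwd_fields "$sample"
rm -f "$sample"
```

For an installation inspected from a live session, pass the path to that installation's etc/passwd under its mount point instead of the sample file.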

Colin Watson (cjwatson) wrote :

This is certainly nothing to do with base-passwd: while it populates initial system accounts in /etc/passwd, it doesn't deal with managing entries there that correspond to user accounts.

Changed in base-passwd (Ubuntu):
status: Incomplete → Invalid
Launchpad Janitor (janitor) wrote :

[Expired for shadow (Ubuntu) because there has been no activity for 60 days.]

Changed in shadow (Ubuntu):
status: Incomplete → Expired
Launchpad Janitor (janitor) wrote :

[Expired for pam (Ubuntu) because there has been no activity for 60 days.]

Changed in pam (Ubuntu):
status: Incomplete → Expired
This report contains Public Security information  
Everyone can see this security related information.
