/var/run/kdm/kdmrc world readable w/ passwords

Bug #260922 reported by Brad Huntting
Affects: kdebase (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

Binary package hint: kdebase

/etc/init.d/kdm runs genkdmconf to create (among other things) /var/run/kdm/kdmrc as a copy of /etc/kde3/kdm/kdmrc. If autologin is used, these files will both contain user passwords in plain text. They must not be world readable. But even if you 'chmod 600 /etc/kde3/kdm/kdmrc' the copy created by /etc/init.d/kdm at boot time is world readable!

To fix this apply the attached patch to /etc/init.d/kdm.

brad
P.S. The same patch (give or take a few line numbers) could probably also be applied to /etc/init.d/kdm-kde4.

ProblemType: Bug
Architecture: i386
Date: Sun Aug 24 12:51:23 2008
DistroRelease: Ubuntu 8.04
Package: kdm 4:3.5.9-0ubuntu7.3
PackageArchitecture: i386
SourcePackage: kdebase
Uname: Linux 2.6.24-19-generic i686

Tags: apport-bug
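As an added illustration (not the patch attached to this report, which is not shown here), a small POSIX sh audit that checks whether a kdmrc copy is both world-readable and carries an auto-login password, and models the fix by creating the /var/run copy under a restrictive umask instead of chmod'ing it afterwards. The key name AutoLoginPass is assumed from kdm's kdmrc format; the file contents and paths are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed audit for the condition in this report: a kdmrc copy that is
# world-readable while it carries an auto-login password. AutoLoginPass is
# assumed to be the kdmrc key that stores the plaintext password.

# kdmrc_has_password FILE -> 0 when FILE sets AutoLoginPass to a non-empty value
kdmrc_has_password() {
    grep -Eq '^[[:space:]]*AutoLoginPass[[:space:]]*=[[:space:]]*[^[:space:]]' "$1"
}

# file_is_world_readable FILE -> 0 when the "other" read bit is set
# (8th character of the ls -l mode string, portable across ls implementations)
file_is_world_readable() {
    perms=$(ls -ld "$1" 2>/dev/null) || return 1
    case "$perms" in
        ???????r*) return 0 ;;
        *)         return 1 ;;
    esac
}

# kdmrc_exposed FILE -> 0 when FILE is both world-readable and holds a password
kdmrc_exposed() {
    file_is_world_readable "$1" && kdmrc_has_password "$1"
}

# secure_kdmrc FILE -> the after-the-fact fix: drop group/other access
secure_kdmrc() {
    chmod 600 "$1"
}

# generate_kdmrc_copy SRC DST -> models the init script's copy step, but
# creates the copy under a restrictive umask so it is never world-readable,
# not even between creation and a later chmod
generate_kdmrc_copy() {
    (umask 077 && cp "$1" "$2")
}

# Demonstration on a constructed kdmrc in a temporary directory; no system
# files are touched.
demo() {
    dir=$(mktemp -d) || return 1
    printf '[X-:0-Core]\nAutoLoginEnable=true\nAutoLoginUser=someuser\nAutoLoginPass=example-only\n' > "$dir/kdmrc"
    chmod 644 "$dir/kdmrc"   # the state the report describes
    kdmrc_exposed "$dir/kdmrc" && echo "exposed: $dir/kdmrc"
    generate_kdmrc_copy "$dir/kdmrc" "$dir/kdmrc.run"
    kdmrc_exposed "$dir/kdmrc.run" || echo "safe: $dir/kdmrc.run"
    rm -rf "$dir"
}
demo
```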
Brad Huntting (huntting) wrote :
description: updated
Kees Cook (kees)
Changed in kdebase:
status: New → Confirmed
Terence Simpson (tsimpson) wrote :

As far as I can tell, no passwords are stored in kdmrc (at least in KDE4), even with Auto-Login and/or Password-less Login features enabled. Can you provide an example of this happening? (Obviously without disclosing any passwords on your system)

Changed in kdebase:
status: Confirmed → Incomplete
Brad Huntting (huntting) wrote : Re: [Bug 260922] Re: /var/run/kdm/kdmrc world readable w/ passwords

Unfortunately, I copied my kdmrc file from a kde3 installation which
most certainly does store clear text passwords in the file. Perhaps
kde4 has fixed this.

brad

On 1/23/09, Terence Simpson <email address hidden> wrote:
> As far as I can tell, no passwords are stored in kdmrc (at least in
> KDE4), even with Auto-Login and/or Password-less Login features enabled.
> Can you provide an example of this happening? (Obviously without
> disclosing any passwords on your system)
>
> ** Changed in: kdebase (Ubuntu)
> Status: Confirmed => Incomplete
>
> --
> /var/run/kdm/kdmrc world readable w/ passwords
> https://bugs.launchpad.net/bugs/260922
> You received this bug notification because you are a direct subscriber
> of the bug.
>
> Status in "kdebase" source package in Ubuntu: Incomplete
>
> Bug description:
> Binary package hint: kdebase
>
> /etc/init.d/kdm runs genkdmconf to create (among other things)
> /var/run/kdm/kdmrc as a copy of /etc/kde3/kdm/kdmrc. If autologin is used,
> these files will both contain user passwords in plain text. They must not
> be world readable. But even if you 'chmod 600 /etc/kde3/kdm/kdmrc' the copy
> created by /etc/init.d/kdm at boot time is world readable!
>
> To fix this apply the attached patch to /etc/init.d/kdm.
>
>
> brad
> P.S. The same patch (give or take a few line numbers) could probably also
> be applied to /etc/init.d/kdm-kde4.
>
>
> ProblemType: Bug
> Architecture: i386
> Date: Sun Aug 24 12:51:23 2008
> DistroRelease: Ubuntu 8.04
> Package: kdm 4:3.5.9-0ubuntu7.3
> PackageArchitecture: i386
> SourcePackage: kdebase
> Uname: Linux 2.6.24-19-generic i686
>

Jonathan Thomas (echidnaman) wrote :

If you find this to still be an issue in KDE4, please reopen the bug. Until then I'm marking this bug as fixed since it can't be reproduced. Thanks for your bug report.

Changed in kdebase:
status: Incomplete → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
