the login password is stored in the user's keyring
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
GNOME Keyring | Fix Released | Medium | | |
gnome-keyring (Ubuntu) | Fix Released | High | Martin Pitt | |
Lucid | Fix Released | High | Martin Pitt | |
Bug Description
Binary package hint: gnome-keyring
Summary: Lucid desktop installer would save the user's password in his / her gnome default keyring ("login") under name "Unlock password for: User Keys". This is a security breach. Malicious applications would be able to read the user's login password since the keyring is unlocked via PAM during login.
Steps to reproduce:
1. Install Lucid via beta 2 Live CD. Create user abc with password "def"
2. Finish the installation and reboot into your new system
3. Login, Applications / Accessories / Passwords and Encryption Keys
Expected:
4a No keys are stored
Actual:
4b one key with name "Unlock password for: User Keys" and Key ID 1. content: "def", technical details reads:
serial number: 1:USER:DEFAULT
manufacturer: Gnome Keyring
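A defender-side check for the condition reported above, as an added example that is not part of the original report or of gnome-keyring: it lists keyring item labels and flags entries carrying the "Unlock password for:" prefix quoted in the report, without ever requesting a secret value. It assumes a running Secret Service provider and the Python `secretstorage` package; `audit`, `read_session_keyrings`, `Finding` and the sample data are names constructed for this example.

```python
from dataclasses import dataclass

# Label prefix quoted in the bug report: "Unlock password for: User Keys".
UNLOCK_PREFIX = "Unlock password for:"


@dataclass(frozen=True)
class Finding:
    keyring: str    # keyring (collection) label, e.g. "login"
    target: str     # what the stored password unlocks, e.g. "User Keys"
    readable: bool  # True when the keyring is currently unlocked


def audit(keyrings):
    """keyrings: iterable of (keyring_label, is_locked, [item_label, ...])."""
    findings = []
    for keyring, locked, labels in keyrings:
        for label in labels:
            if label.startswith(UNLOCK_PREFIX):
                target = label[len(UNLOCK_PREFIX):].strip()
                findings.append(Finding(keyring, target, not locked))
    # Entries in unlocked keyrings first: those are exposed right now.
    return sorted(findings, key=lambda f: (not f.readable, f.keyring, f.target))


def read_session_keyrings():
    """List keyrings and item labels over D-Bus; secrets are never requested."""
    import secretstorage  # assumption: the 'secretstorage' package is installed
    conn = secretstorage.dbus_init()
    return [(col.get_label(), col.is_locked(),
             [item.get_label() for item in col.get_all_items()])
            for col in secretstorage.get_all_collections(conn)]


# Constructed sample mirroring the report: an unlocked login keyring with the entry.
SAMPLE = [
    ("login", False, ["Unlock password for: User Keys",
                      "Network secret (constructed)"]),
    ("backup", True, ["Unlock password for: archive key (constructed)"]),
]

if __name__ == "__main__":
    for f in audit(read_session_keyrings()):
        state = "READABLE NOW" if f.readable else "locked"
        print(f"{f.keyring}: stored unlock password for '{f.target}' [{state}]")
```

A finding is a prompt for review rather than proof of this bug: the label alone does not show which password the entry holds.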
summary: |
- Lucid installer leaves user password in Gnome keyring
+ password stored in new user's keyring after installation |
Changed in gnome-keyring (Ubuntu): | |
status: | New → Confirmed |
importance: | Undecided → High |
visibility: | private → public |
Changed in gnome-keyring (Ubuntu): | |
importance: | High → Critical |
importance: | Critical → High |
Changed in gnome-keyring (Ubuntu Lucid): | |
assignee: | nobody → Canonical Desktop Team (canonical-desktop-team) |
summary: |
- password stored in new user's keyring after installation
+ the login password stored in the user's keyring |
summary: |
- the login password stored in the user's keyring
+ the login password is stored in the user's keyring |
Changed in gnome-keyring: | |
status: | Unknown → New |
Changed in gnome-keyring: | |
status: | New → Fix Released |
Changed in gnome-keyring: | |
importance: | Unknown → Medium |
It would appear this is being created by gnome-keyring itself if you log in and don't have a login keyring.