Subiquity Shows Guided Storage Passphrase in Plaintext with Read-all Permissions

Bug #1960162 reported by Afraz Khan
Affects: subiquity
Status: Fix Released
Importance: Critical
Assigned to: Dan Bungert
Milestone: (not set)

Bug Description

On a successful install of Ubuntu 20.04, the password for the user created during installation is recorded in plaintext in Subiquity's logs in:

* subiquity-server-debug.log
* subiquity-server-info.log

These are symlinks to the real files, but all such files (whether linked to or not) contain the information. The permissions on these files are such that all users on the system can read them (0644).

Tags: fr-2038

Revision history for this message
Dan Bungert (dbungert) wrote :

@Afraz, thanks for the report.

With the 20.04.3 ISO, such as can be found at
https://releases.ubuntu.com/focal/ubuntu-20.04.3-live-server-amd64.iso
I was not able to see this issue.

Cloud-init did fix an issue where the password was written out, and that fix is in 20.04.3 but not the 20.04.0 iso.
https://bugs.launchpad.net/cloud-init/+bug/1918303

Which iso did you use? If you did use 20.04.3 can you give me more detailed reproduction steps?

Dan Bungert (dbungert)
Changed in subiquity:
status: New → Incomplete
Revision history for this message
Afraz Khan (afrazkhan) wrote :

Hiya,

Thanks for looking into this.

I used the 20.04.3 ISO, from the Ubuntu website (https://ubuntu.com/download/server).

Whilst writing up the steps I took, I managed to reproduce the issue in a VM on MacOS, running the latest Virtualbox:

1. Boot from USB to a physical laptop (though for this attempt it was a VM as mentioned)
2. Select UK English as language
3. When the screen offering to update the installer comes up, select yes. This says that it's going to upgrade the current version of 21.08.2 to version 21.12.2
4. Change both the keyboard layout and variant to "English UK"
5. Configure Wi-Fi (not ethernet), next choose no proxy, and the default mirror that's offered (for me this was http://nl.archive.ubuntu.com/ubuntu)
6. For disk setup, choose almost vanilla options to use the entire disk, with the only change being to "Encrypt the LVM group with LUKS"
7. Check box to install OpenSSH server
8. When offered the option of importing an SSH key, opt to do so from Github
9. At the "Featured Server Snaps" selection screen, choose only "canonical-livepath"
10. Allow the installation to finish completely, along with the security updates (do not hit "Cancel update and reboot")

I'm sure a lot of that isn't relevant, but it's included for the sake of completeness, and because I've seen stranger things ;)

The logfiles I mentioned should be available in the `/var/logs/installer/` directory, even after reboots. An example of one of the lines:

```
2022-02-08 09:23:46,896 INFO aiohttp.access:233 [08/Feb/2022:09:23:46 +0000] "POST /storage/guided?choice=%7B%22disk_id%22:+%22disk-sda%22,+%22use_lvm%22:+true,+%22password%22:+%22PASSWORD_THAT_SHOULD_NOT_BE_HERE%22%7D HTTP/1.1" 200 15640 "-" "Python/3.8 aiohttp/3.6.2"
```

Cheers,
Afraz

Revision history for this message
Afraz Khan (afrazkhan) wrote :

P.S. One small detail I forgot is that at the end of the installation, I (both times) forgot to remove the install media, and got a message saying such. I removed it then, and hit reboot again.

I'm sure it's irrelevant, but ¯\_(ツ)_/¯

Dan Bungert (dbungert)
Changed in subiquity:
status: Incomplete → Confirmed
Revision history for this message
Dan Bungert (dbungert) wrote :

Thanks so much for the detailed information, I was able to see the problem. Yes, that needs to be resolved.

Dan Bungert (dbungert)
Changed in subiquity:
assignee: nobody → Dan Bungert (dbungert)
Revision history for this message
Seth Arnold (seth-arnold) wrote :

Please use CVE-2022-0555 for this issue.

Thanks for the detailed description, Afraz.

Dan, is there a reason to keep this bug private?

Thanks

Dan Bungert (dbungert)
Changed in subiquity:
importance: Undecided → Critical
Revision history for this message
Dan Bungert (dbungert) wrote :

@Seth - I left it private as that was the default. Is there a criteria suggestion you can point to for when to leave it private versus marking public?

tags: added: fr-2038
Dan Bungert (dbungert)
information type: Private Security → Public Security
Dan Bungert (dbungert)
summary: - Subiquity Shows Created User Password in Plaintext with Read-all Permissions
+ Subiquity Shows Guided Storage Passphrase in Plaintext with Read-all Permissions
Revision history for this message
Seth Arnold (seth-arnold) wrote :

Dan, there's no perfectly clear guidelines; some security issues like buffer overflows or shell injections can lead to problems if they're widely known before fixes are available, but information leaks can be remediated by admins before fixes are available if only they knew about it.

So that's why I thought making this public sooner would be better: it's at least possible an admin can learn about this, now, and clean up old logs. (Not likely, but possible..)

I hope that makes sense. I haven't yet figured out quite how to say what I feel about this. :)

Thanks
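For an admin who wants to act on Seth's point and clean up old installer logs before a fix lands, here is an added example (not subiquity's or cloud-init's own code) that detects and redacts a passphrase leaked through the aiohttp access-log line format shown in the report. It assumes the request line is quoted as `"METHOD target HTTP/x.y"` and that the guided-storage choice is a URL-encoded JSON object in the `choice` query parameter; the log lines and the passphrase value are constructed for the example.

```python
"""Detect and redact secrets leaked into Subiquity's aiohttp access log.

Added example, not project code. Assumes the log line format from the bug
report: a quoted request line whose query string carries a JSON object.
"""
import json
import re
from urllib.parse import parse_qs, urlsplit

# Captures the quoted HTTP request line: "METHOD target HTTP/x.y".
_REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')
# Query keys (top-level or inside a JSON-encoded value) that must never be logged.
SENSITIVE_KEYS = {"password", "passphrase", "key"}

# Constructed sample log lines; the passphrase is a placeholder, not a real value.
CONSTRUCTED_LOG = [
    '2022-02-08 09:23:40,100 INFO aiohttp.access:233 [08/Feb/2022:09:23:40 +0000] '
    '"GET /storage HTTP/1.1" 200 512 "-" "Python/3.8 aiohttp/3.6.2"',
    '2022-02-08 09:23:46,896 INFO aiohttp.access:233 [08/Feb/2022:09:23:46 +0000] '
    '"POST /storage/guided?choice=%7B%22disk_id%22:+%22disk-sda%22,+%22use_lvm%22:+true,'
    '+%22password%22:+%22EXAMPLE-PASSPHRASE%22%7D HTTP/1.1" 200 15640 "-" "Python/3.8 aiohttp/3.6.2"',
]


def leaked_secret_keys(line):
    """Return the set of sensitive key names present in the request's query string."""
    m = _REQUEST_RE.search(line)
    if not m:
        return set()
    query = parse_qs(urlsplit(m.group("target")).query)  # decodes %xx and '+' for us
    found = set()
    for name, values in query.items():
        if name in SENSITIVE_KEYS:
            found.add(name)
            continue
        for value in values:  # the 'choice' parameter is JSON; look inside it
            try:
                obj = json.loads(value)
            except ValueError:
                continue
            if isinstance(obj, dict):
                found.update(k for k in obj if k in SENSITIVE_KEYS)
    return found


def redact_line(line):
    """Replace the entire query string with a marker if the line leaks a secret."""
    if not leaked_secret_keys(line):
        return line
    return _REQUEST_RE.sub(
        lambda m: f'"{m.group("method")} {urlsplit(m.group("target")).path}?<REDACTED> {m.group("proto")}"',
        line,
    )


def scan_log(lines):
    """Return (1-based line number, leaked key names) for every offending line."""
    return [(i, keys) for i, l in enumerate(lines, 1) if (keys := leaked_secret_keys(l))]
```

Redacting the line is only half of the cleanup the report calls for: the files are world-readable (0644), so restricting their mode to the owner and an admin group should go with it.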

Dan Bungert (dbungert)
Changed in subiquity:
status: Confirmed → Fix Committed
Dan Bungert (dbungert)
Changed in subiquity:
status: Fix Committed → Fix Released