"setup-data.conf" is saved as plaintext
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Boxes |
Confirmed
|
Undecided
|
|||
gnome-boxes (Ubuntu) |
Confirmed
|
Undecided
|
Unassigned |
Bug Description
gnome-boxes saves "setup-data.conf" and all it's containing info - such as usernames, passwords, and private license codes - as plaintext.
This can be considered a security risk and can allow leakage of such content much easier to get into the wrong hands.
File location: '/home/
ProblemType: Bug
DistroRelease: Ubuntu 18.10
Package: gnome-boxes (not installed)
ProcVersionSign
Uname: Linux 4.18.0-
ApportVersion: 2.20.10-0ubuntu13
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
Date: Thu Nov 8 08:34:50 2018
InstallationDate: Installed on 2018-08-17 (83 days ago)
InstallationMedia: Ubuntu 18.04 LTS "Bionic Beaver" - Release amd64 (20180426)
ProcEnviron:
PATH=(custom, no user)
XDG_RUNTIME_
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: gnome-boxes
UpgradeStatus: Upgraded to cosmic on 2018-10-19 (19 days ago)
Looks like upstream used to store the password as plaintext but changed this a while ago to instead store it in the keyring - https:/ /github. com/GNOME/ gnome-boxes/ commit/ ac552985647ebb6 d7ee924cd77f0b9 3df44b4ff0
I suggest filing an issue directly upstream if you believe the current behaviour is not secure so that it can be discussed directly with the developers https:/ /gitlab. gnome.org/ GNOME/gnome- boxes/issues
Thanks