Fix published in
latest amd64 stable 20.05.2 1874 -
arm64 stable 20.05.2 1875 -
ppc64el stable 20.05.2 1876 -
s390x stable 20.05.2 1873 -
Images respin pending
--
The server installer, perhaps other installers, will log LUKS passwords used on the system via:
- installer/subiquity-curtin-install.conf
- {volume: disk-sda, key: ...
- curtin/install.log
get_path_to_storage_volume for volume dm_crypt-0({'volume': 'disk-sda', 'key': ...
get_path_to_storage_volume for volume dm_crypt-0({'volume': 'disk-sda', 'key': ...
- syslog
May 11 22:27:25 ubuntu-server curtin_log.2310[2592]: merged config: {'sources': {'ubuntu00': 'cp:///media/filesystem'}, 'stages': ['early', 'partitioning', 'extract', 'curthooks', 'hook', 'late'], 'extract_commands': {'builtin': ['curtin', 'extract']}, 'hook_commands': {'builtin': ['curtin', 'hook']}, 'partitioning_commands': {'builtin': ['curtin', 'block-meta', 'simple']}, 'curthooks_commands': {'builtin': ['curtin', 'curthooks'], '000-configure-run': ['/snap/bin/subiquity.subiquity-configure-run'], '001-configure-apt': ['/snap/bin/subiquity.subiquity-configure-apt', '/snap/subiquity/1866/usr/bin/python3', 'true']}, 'late_commands': {'builtin': []}, 'network_commands': {'builtin': ['curtin', 'net-meta', 'auto']}, 'apply_net_commands': {'builtin': []}, 'install': {'log_file': '/var/log/curtin/install.log', 'error_tarfile': '/var/log/curtin/curtin-error-logs.tar', 'save_install_config': '/var/log/installer/curtin-install-cfg.yaml', 'save_install_log': '/var/log/installer/curtin-install.log', 'target': '/target', 'unmount': 'disabled'}, 'apt': {'preserve_sources_list': False, 'primary': [{'arches': ['amd64', 'i386'], 'uri': 'http://se.archive.ubuntu.com/ubuntu'}, {'arches': ['default'], 'uri': 'http://ports.ubuntu.com/ubuntu-ports'}]}, 'debconf_selections': {'subiquity': ''}, 'grub': {'probe_additional_os': True, 'terminal': 'unmodified'}, 'kernel': {'package': 'linux-generic'}, 'pollinate': {'user_agent': {'subiquity': '20.05.1_1866'}}, 'reporting': {'subiquity': {'identifier': 'curtin_event.2310', 'type': 'journald'}}, 'storage': {'config': [{'ptable': 'gpt', 'serial': 'XXX', 'wwn': 'XXX', 'path': '/dev/nvme0n1', 'wipe': 'superblock', 'preserve': False, 'name': '', 'grub_device': False, 'type': 'disk', 'id': 'disk-nvme0n1'}, {'serial': 'XXX', 'wwn': 'XXX', 'path': '/dev/sda', 'wipe': 'superblock', 'preserve': False, 'name': '', 'grub_device': False, 'type': 'disk', 'id': 'disk-sda'}, {'device': 'disk-nvme0n1', 'size': 536870912, 'wipe': 'superblock', 'flag': 'boot', 'number': 1, 'preserve': False, 'grub_device': True, 'type': 'partition', 'id': 'partition-0'}, {'fstype': 'fat32', 'volume': 'partition-0', 'preserve': False, 'type': 'format', 'id': 'format-0'}, {'device': 'disk-nvme0n1', 'size': 127496355840, 'wipe': 'superblock', 'flag': '', 'number': 2, 'preserve': False, 'type': 'partition', 'id': 'partition-1'}, {'fstype': 'btrfs', 'volume': 'partition-1', 'preserve': False, 'type': 'format', 'id': 'format-1'}, {'device': 'format-1', 'path': '/', 'type': 'mount', 'id': 'mount-1'}, {'volume': 'disk-sda', 'key': ...
We shouldn't be logging this passphrase to disk, even inside the encrypted portion, because it's too easy for the password to leak, as it has here.
Thanks
Status changed to 'Confirmed' because the bug affects multiple users.