Passwords instead of Full Names

Bug #123425 reported by Dainaccio on 2007-07-01
8
Affects Status Importance Assigned to Milestone
ubiquity (Ubuntu)
High
Evan

Bug Description

I was installing Gutsy in a new HD in my PC (not upgrading).
During the wizard I decided to import users from a Feisty in the same PC.
I selected the users, left empty the "full name" box and I filled the "password" box for everyone.
At the first execution of the OS I went to System-> Administration->Users and the list of the users showed in "plain text" the password in the column "full name".

Unlucky I deleted the OS and I can't try to repeat the procedure. Maybe someone should try to do the same to confirm the bug.

Kees Cook (kees) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find.

This bug did not have a package associated with it, which is important for ensuring that it gets looked at by the proper developers. You can learn more about finding the right package at [WWW] https://wiki.ubuntu.com/Bugs/FindRightPackage. I have classified this bug as a bug in ubiquity.

Changed in ubiquity:
importance: Undecided → High
Evan (ev) on 2007-09-18
Changed in ubiquity:
assignee: nobody → evand
status: New → Confirmed
Evan (ev) wrote :

This was a glaring error on my part in not quoting specific shell variables.
As mentioned this can only be trigged for users created by migration-assistant that do not have a full name set. It does *not* affect the default user (the one that can sudo) as the code to create that user is always handled by user-setup, regardless of whether or not the account information is gathered from migration-assistant. Any accounts that are affected by this will not be able to log in.

Changed in ubiquity:
status: Confirmed → Fix Committed
cablop (cablop) wrote :

Feisty desktop installer has the same bug. I think it is a security issue because it allow the steal of privacy data, in fact the password.

I think you must fix feisty isos too

migration-assistant (0.5.0) gutsy; urgency=low

  * Handle more than one installed copy of Windows (LP: #97081).
  * Error if unable to mount Linux partitions.
  * Bump installer-menu-item to 6400.
  * Close directories in ma-search-users.
  * Don't unmount devices when we can avoid having to.
  * Look for registry files case-insensitively.
  * Quote arguments to add_user (LP: #123425).
  * Use stat instead of the DT_ macros to avoid issues with fuse.
  * Add a debug log.

 -- Evan Dandrea <email address hidden> Tue, 31 Jul 2007 20:21:35 -0400

Changed in ubiquity:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers