Calling SetPassword() on the AccountsService results in a crypted password included on the command line. This seems to me to be a minor security hole. It is the equivalent of having /etc/shadow readable by non-root users (albeit only for those who change their password via the AccountsService). Any other local user can (in a default Linux configuration) see the command lines of any other process on the system. The relevant code is in src/user.c in the user_change_password_authorized_cb() function:

    argv[0] = "/usr/sbin/usermod";
    argv[1] = "-p";
    argv[2] = strings[0];
    argv[3] = "--";
    argv[4] = user->user_name;
    argv[5] = NULL;

strings[0] has been set to the crypted password in user_set_password(). The crypted password has been passed from the client (i.e. gnome-control-center).
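Added example, not part of the bug report or of accountsservice: an audit helper that parses /proc/<pid>/cmdline entries and flags argv elements that look like crypt(3) hashes (the exposure described above), plus a helper that passes the hash to a child over stdin instead of argv. It assumes a Linux /proc layout and that `chpasswd -e` from shadow-utils accepts `user:hash` lines on stdin; the sample cmdline is constructed.

```python
"""Audit process command lines for leaked crypt(3) hashes and show the
stdin-based alternative to `usermod -p <hash>` (added example)."""
import glob
import re
import subprocess

# Modular crypt(3) prefixes: $1$ md5, $5$/$6$ sha256/sha512, $2a/b/y$ bcrypt,
# $y$ yescrypt, $gy$ gost-yescrypt; anything after the second '$' is salt+hash.
CRYPT_HASH_RE = re.compile(r"^\$(?:[156]|2[aby]|y|gy)\$[^\s]+$")


def parse_cmdline(raw: bytes) -> list[str]:
    """/proc/<pid>/cmdline is NUL-separated with a trailing NUL."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]


def leaked_hashes(argv: list[str]) -> list[str]:
    """Return the argv elements that look like crypt(3) password hashes."""
    return [a for a in argv if CRYPT_HASH_RE.match(a)]


def audit_proc() -> dict[int, list[str]]:
    """Scan every readable /proc/<pid>/cmdline (Linux only) for hash-like args."""
    hits: dict[int, list[str]] = {}
    for path in glob.glob("/proc/[0-9]*/cmdline"):
        try:
            with open(path, "rb") as f:
                argv = parse_cmdline(f.read())
        except OSError:  # process exited or cmdline not readable
            continue
        found = leaked_hashes(argv)
        if found:
            hits[int(path.split("/")[2])] = found
    return hits


def set_password_hash_via_stdin(user: str, crypted: str,
                                cmd=("/usr/sbin/chpasswd", "-e")) -> bytes:
    """Feed 'user:hash' to the child on stdin so the hash never appears in argv.

    Assumption: `chpasswd -e` reads pre-encrypted passwords on stdin (shadow-utils).
    Returns the child's stdout (empty for the real chpasswd).
    """
    if ":" in user or "\n" in user or "\n" in crypted:
        raise ValueError("invalid user name or hash")
    line = f"{user}:{crypted}\n".encode()
    proc = subprocess.run(cmd, input=line, capture_output=True, check=True)
    return proc.stdout
```

Running `audit_proc()` on a live system returns a pid-to-hashes map that should be empty; a non-empty result means some process is exposing a hash the way this report describes.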
ugghh
we should probably just drop this and get attachment 63941 (from bug 51833) in (with changes to make sure we don't repeat the same mistake)
Hmm, right, that would not be along the spans path in the first place. Oh well, I can try one of the other workarounds I had earlier...
Oops, wrong bug report, sorry.
*** Bug 66055 has been marked as a duplicate of this bug. ***
Apparently this is CVE-2012-6655
-- GitLab Migration Automatic Message -- This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity. You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/accountsservice/accountsservice/issues/8.