Package: accountsservice
Version: 0.6.37-3
Severity: normal
Tags: security

Hi,

accountsservice passes (encrypted) passwords as command line arguments
to usermod:

+---
| argv[0] = "/usr/sbin/usermod";
| argv[1] = "-p";
| argv[2] = strings[0];
+---[ src/user.c ]

Command line arguments, and thus the (encrypted) password, are by
default readable by every local user.

Please use some other means to set passwords that do not involve
passing them as command line arguments, for example by using chpasswd
which allows passing user name and password via stdin.

Ansgar
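The stdin approach suggested in the report, as an added example that is not part of the original message and is not accountsservice code: the `user:hash` record is written to `chpasswd -e` over a pipe, so the hash never appears in any process's argument list. The function names and the `/usr/sbin/chpasswd` path are assumptions made for this sketch.

```c
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run argv with `input` on its stdin; return its exit status, or -1. */
int run_with_stdin(char *const argv[], const char *input)
{
    int fds[2], status;
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                     /* child: read end becomes stdin */
        dup2(fds[0], STDIN_FILENO);
        close(fds[0]); close(fds[1]);
        execv(argv[0], argv);
        _exit(127);                     /* exec failed */
    }
    close(fds[0]);
    signal(SIGPIPE, SIG_IGN);           /* child may exit before reading */
    size_t len = strlen(input), off = 0;
    while (off < len) {
        ssize_t n = write(fds[1], input + off, len - off);
        if (n <= 0) break;
        off += (size_t)n;
    }
    close(fds[1]);                      /* EOF ends the child's input */
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return off == len ? WEXITSTATUS(status) : -1;
}

/* Build the single "user:hash\n" record. chpasswd reads one record per
 * line, so ':' and newlines are rejected in both fields: a stray newline
 * would start a second record for another account. Returns 0 on success. */
int format_chpasswd_line(char *out, size_t outlen, const char *user, const char *hash)
{
    if (!*user || !*hash || strpbrk(user, ":\r\n") || strpbrk(hash, ":\r\n"))
        return -1;
    int n = snprintf(out, outlen, "%s:%s\n", user, hash);
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Replacement for the usermod -p call; the binary path is an assumption. */
int set_crypted_password(const char *user, const char *hash)
{
    char line[512];
    char *argv[] = { "/usr/sbin/chpasswd", "-e", NULL };
    if (format_chpasswd_line(line, sizeof line, user, hash) != 0) return -1;
    return run_with_stdin(argv, line);
}
```

`set_crypted_password` needs the same privileges as the original usermod call; the only strings visible in the process list are `/usr/sbin/chpasswd -e`.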