Issue #6857 has been reported by Mark Heily.
----------------------------------------
Bug #6857: password disclosure when changing a user's password
https://projects.puppetlabs.com/issues/6857
Author: Mark Heily
Status: Unreviewed
Priority: Normal
Assignee:
Category:
Target version:
Affected Puppet version: 2.6.4
Keywords:
Branch:
When puppet-agent changes a user's password in /etc/shadow, the hashed values
of the old and new passwords are printed in a log message. An example:

    notice: /Stage[main]/User[root]/password: is $1$abcdef12$SeCrEtPaSSword, should be $1$cbgb133$VerySecretPassword

This is a security risk, since Puppet log messages can be exposed to
non-privileged users through a variety of mechanisms. It would be best if the
passwords were stripped out of the log message, and replaced with something
generic like this:

    notice: /Stage[main]/User[root]/password: should be changed
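
An added example, not part of the original report or of Puppet's code: a Ruby filter that audits agent log lines like the one quoted in the report for crypt(3)-style hashes and redacts them before the log is stored or forwarded. The names `CRYPT_HASH`, `PASSWORD_EVENT`, `Finding` and `audit`, and the sample log lines, are constructed for illustration.

```ruby
# Modular crypt format: $id$field$...$hash. Covers the $1$ (MD5-crypt) values
# in the report as well as multi-field forms such as $6$rounds=5000$salt$hash.
CRYPT_HASH = /\$[0-9a-z]{1,2}\$(?:[.\/A-Za-z0-9=]+\$)+[.\/A-Za-z0-9]+/

# Resource path Puppet logs for a change to a User's password property.
PASSWORD_EVENT = %r{/User\[(?<user>[^\]]+)\]/password:}

Finding = Struct.new(:line_no, :user, :hash_count)

# Replace every crypt-style hash in one log line with a fixed marker.
def redact_line(line)
  line.gsub(CRYPT_HASH, '[redacted]')
end

# Returns [cleaned_lines, findings]. A finding records where hashes were
# exposed and, when the line is a User password event, which account.
def audit(lines)
  findings = []
  cleaned = lines.each_with_index.map do |line, i|
    count = line.scan(CRYPT_HASH).size
    if count > 0
      m = PASSWORD_EVENT.match(line)
      findings << Finding.new(i + 1, m && m[:user], count)
    end
    redact_line(line)
  end
  [cleaned, findings]
end

# Constructed sample input: one benign line, then the line from the report.
SAMPLE_LOG = [
  'notice: /Stage[main]/File[/etc/motd]/content: content changed',
  'notice: /Stage[main]/User[root]/password: is $1$abcdef12$SeCrEtPaSSword, ' \
    'should be $1$cbgb133$VerySecretPassword'
].freeze

if __FILE__ == $PROGRAM_NAME
  cleaned, findings = audit(SAMPLE_LOG)
  findings.each { |f| warn "line #{f.line_no}: #{f.hash_count} hash(es), user=#{f.user}" }
  puts cleaned
end
```

Any account reported in `findings` has had its hash written to a log in clear form, so the password should be treated as exposed to whoever could read that log.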