Issue #6857 has been updated by Ben Hughes.

Status changed from Unreviewed to Investigating
Assignee set to Ben Hughes

In what ways can the puppet agent logs become exposed to non-root users?

----------------------------------------
Bug #6857: password disclosure when changing a user's password
https://projects.puppetlabs.com/issues/6857

Author: Mark Heily
Status: Investigating
Priority: Normal
Assignee: Ben Hughes
Category:
Target version:
Affected Puppet version: 2.6.4
Keywords:
Branch:

When puppet-agent changes a user's password in /etc/shadow, the hashed values of the old and new passwords are printed in a log message. An example:

    notice: /Stage[main]/User[root]/password: is $1$abcdef12$SeCrEtPaSSword, should be $1$cbgb133$VerySecretPassword

This is a security risk, since Puppet log messages can be exposed to non-privileged users through a variety of mechanisms. It would be best if the passwords were stripped out of the log message, and replaced with something generic like this:

    notice: /Stage[main]/User[root]/password: should be changed
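
An added example, not part of the original report and not Puppet's own code: a Ruby filter that audits log lines in the format quoted above for crypt-style hashes and rewrites password notices to the generic form the report proposes. The names `redact_line` and `audit`, the two regular expressions, and every sample line other than the notice quoted in the report are constructed for illustration.

```ruby
# Added example (not Puppet code). Assumes the "<level>: <resource path>: <detail>"
# log layout shown in the report.

# Password-property notice: ".../User[<name>]/password: <detail>"
PASSWORD_NOTICE = %r{\A(?<head>.*?(?<resource>/\S*User\[[^\]]+\]/password): )(?<detail>.+)\z}

# Modular crypt format "$id$salt$hash", e.g. $1$ (MD5-crypt) or $6$ (SHA-512-crypt).
CRYPT_HASH = %r{\$[0-9a-z]{1,2}\$[./A-Za-z0-9]+\$[./A-Za-z0-9]+}

# Return the line with password hashes removed.
# Password notices become the generic message proposed in the report;
# hashes found anywhere else are masked in place.
def redact_line(line)
  text = line.chomp
  m = PASSWORD_NOTICE.match(text)
  return "#{m[:head]}should be changed" if m && m[:detail] =~ CRYPT_HASH
  text.gsub(CRYPT_HASH, '[redacted hash]')
end

# Report which lines of an existing log already expose hashes, so that
# file permissions and log forwarding for those logs can be reviewed.
def audit(lines)
  findings = []
  lines.each_with_index do |line, i|
    count = line.scan(CRYPT_HASH).size
    next if count.zero?
    m = PASSWORD_NOTICE.match(line.chomp)
    findings << { line: i + 1, resource: m ? m[:resource] : nil, hashes: count }
  end
  findings
end

# Line 1 is the notice quoted in the report; lines 2 and 3 are constructed.
SAMPLE_LOG = <<~'LOG'.lines
  notice: /Stage[main]/User[root]/password: is $1$abcdef12$SeCrEtPaSSword, should be $1$cbgb133$VerySecretPassword
  notice: /Stage[main]/Service[ntp]/ensure: ensure changed 'stopped' to 'running'
  debug: shadow entry root:$6$saltsalt$abcDEF123./xyz:15000:0:99999:7:::
LOG

if __FILE__ == $PROGRAM_NAME
  audit(SAMPLE_LOG).each { |f| warn "hash exposed: #{f.inspect}" }
  SAMPLE_LOG.each { |l| puts redact_line(l) }
end
```

Filtering after the fact only limits further exposure; hashes that have already reached a readable log or a remote syslog collector should be treated as disclosed.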
