Issue #6857 has been updated by Mark Heily.
Here are some of the scenarios:

1. In some systems, /var/log/messages (or the equivalent) may be world readable.
2. When obtaining vendor support, you are often asked to provide the system logs to the vendor. This is definitely the case with Oracle for Solaris support; I can't speak to other vendors.
3. Reporting systems such as Puppet Dashboard may want to allow non-root users (such as Management types) to view the reports.
4. syslogd can be configured to forward messages over the network to a centralized syslog server. This protocol does not use encryption, so the messages could be sniffed along the way.

If there is value in displaying the password hashes, could Puppet be modified to only display the password hashes at debug level? This would reduce the risk, as most clients will not generate debug messages during normal operation.
----------------------------------------
Bug #6857: password disclosure when changing a user's password
https://projects.puppetlabs.com/issues/6857

Author: Mark Heily
Status: Investigating
Priority: Normal
Assignee: Ben Hughes
Category:
Target version:
Affected Puppet version: 2.6.4
Keywords:
Branch:

When puppet-agent changes a user's password in /etc/shadow, the hashed values of the old and new passwords are printed in a log message. An example:

notice: /Stage[main]/User[root]/password: is $1$abcdef12$SeCrEtPaSSword, should be $1$cbgb133$VerySecretPassword

This is a security risk, since Puppet log messages can be exposed to non-privileged users through a variety of mechanisms. It would be best if the passwords were stripped out of the log message, and replaced with something generic like this:

notice: /Stage[main]/User[root]/password: should be changed

--
You have received this notification because you have either subscribed to it, or are involved in it.
You received this message because you are subscribed to the Google Groups "Puppet Bugs" group.
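The following Ruby sketch is an added illustration, not Puppet's own code and not the fix Puppet Labs shipped for this issue. It shows the two defensive sides of the report: producing the generic "should be changed" notice for a sensitive property instead of the "is X, should be Y" form, and auditing or scrubbing existing log lines for crypt(3)-style hashes that have already leaked. The names SENSITIVE_PROPERTIES, change_notice, leaked_hashes, scrub_log_line and the second SAMPLE_LOG line are assumptions made for this example; the first SAMPLE_LOG line is the log message quoted in the report.

```ruby
# Added example: redaction of password hashes in Puppet-style change notices.
# Nothing here is Puppet's own API; the names below are assumptions for the
# illustration.

# Properties whose current and desired values must never reach the log.
SENSITIVE_PROPERTIES = [:password].freeze

# Matches crypt(3)-style hashes ($1$ MD5, $5$/$6$ SHA, $2a$/$2b$/$2y$ bcrypt).
# The final field stops at whitespace or a comma so a trailing ", should be"
# is not swallowed.
HASH_PATTERN = /\$(?:1|5|6|2[abxy]?)\$[^\s$]+\$[^\s,]+/

# Constructed sample log lines. The first is the message quoted in the bug
# report; the second is a made-up non-sensitive change for contrast.
SAMPLE_LOG = [
  'notice: /Stage[main]/User[root]/password: is $1$abcdef12$SeCrEtPaSSword, should be $1$cbgb133$VerySecretPassword',
  'notice: /Stage[main]/User[root]/shell: is /bin/sh, should be /bin/bash'
].freeze

# Build the change message for a resource property. For sensitive properties
# the values are omitted entirely, which is the wording the report proposes;
# a marker such as "[redacted]" would also do, but omitting both values avoids
# even hinting at their length.
#
#   resource     e.g. "/Stage[main]/User[root]"
#   property     property name as a symbol, e.g. :password
#   is_value     value currently on the system
#   should_value value the catalog asks for
def change_notice(resource, property, is_value, should_value)
  prefix = "notice: #{resource}/#{property}:"
  if SENSITIVE_PROPERTIES.include?(property)
    "#{prefix} should be changed"
  else
    "#{prefix} is #{is_value}, should be #{should_value}"
  end
end

# Audit helper: return every hash-looking token found in a log line, so an
# operator can check whether already-written logs (or a forwarded syslog
# stream) contain leaked hashes.
def leaked_hashes(line)
  line.scan(HASH_PATTERN)
end

# Scrub a log line in place before it is handed to a vendor or a dashboard.
def scrub_log_line(line)
  line.gsub(HASH_PATTERN, '[redacted]')
end

if __FILE__ == $PROGRAM_NAME
  puts change_notice('/Stage[main]/User[root]', :password, '$1$x$y', '$1$z$w')
  puts change_notice('/Stage[main]/User[root]', :shell, '/bin/sh', '/bin/bash')
  SAMPLE_LOG.each do |line|
    found = leaked_hashes(line)
    puts "#{found.length} hash(es) found -> #{scrub_log_line(line)}"
  end
end
```

The audit and scrub helpers are the part a defender can apply today to logs that an affected Puppet version has already written; the change_notice form is what the report asks the agent itself to emit so that the secret never enters the log in the first place.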
