[Desktop-packages] [Bug 1803993] Re: Password appears on the VT1 screen
Unfortunately I can't reproduce this bug, even with the 0.9.3-1ubuntu7.18.04.1 version of plymouth installed, so I can't say for sure that it's fixed with plymouth 0.9.3-1ubuntu7.18.04.2.

Also note that the [test case] in the description is wrong; that would be correct with the systemd change made earlier, but that change was reverted upstream and in Ubuntu, so the test case steps aren't an accurate indication that the bug is fixed or not.

Anyone on this bug able to reproduce the main problem, of key output (e.g. passwords) being printed on the console and visible between login sessions, and/or during shutdown? If not, I think we should consider this bug fixed.

** Changed in: systemd (Ubuntu)
       Status: Confirmed => Invalid

** Changed in: plymouth (Ubuntu)
       Status: Invalid => Fix Released

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to gdm3 in Ubuntu.
https://bugs.launchpad.net/bugs/1803993

Title:
  Password appears on the VT1 screen

Status in gdm3 package in Ubuntu:
  Invalid
Status in plymouth package in Ubuntu:
  Fix Released
Status in systemd package in Ubuntu:
  Invalid

Bug description:
  [Impact]

   * The keyboard on the graphical login screen started on VT1 may stop working and/or keypresses including passwords are leaked to the terminal console running 'behind' the graphical login screen or environment.

  [Test Case]

   * Reboot after installing the fixed systemd package.
   * Install sysdig
   * Start sysdig on a remote connection or on a terminal console:
     $ sudo sysdig evt.type=ioctl | grep request=4B4
   * While sysdig is running log in and out 3 times in GDM and press a few keys in the graphical session to see if keyboard still works
   * Log in and out on another terminal console, too, running a few commands while being logged in to ensure that keyboard is working.
   * Observe that on terminal consoles the monitored keyboard setter ioctl is called with argument=3, but where the graphical screen is active only argument=4 is used, unlike with the buggy version observed in https://bugs.launchpad.net/ubuntu/+source/gdm3/+bug/1803993/comments/14

  [Regression Potential]

   * The fix checks the current keyboard mode of the VT and allows only safe mode switches. The potential regression could be not allowing a valid mode switch keeping a keyboard in a non-operational mode. Testing covers that by typing the keyboard.

  (continued from bug 1767918)

  This was found when an administrative error made /home directory inaccessible. Any users that tried to login after that, were not able to (which is expected) but their password appears on the VT1 screen.

  Under normal circumstances, VT1 is not visible. But once the system was sent into this compromised mode, one can press ctrl+alt+F1 and then ctrl+alt+F2 and get a momentary glance at VT1. One can keep toggling between these key combinations in order to make out the password(s) on VT1.

  As a further test, I wanted to see if a non-super user could cause this condition, and it is in fact possible. As a regular user, I made their own home directory not writable and then removed ~/.config and logged out. Then logged in as that user again, and although that user can't login the system does go into that mode where passwords appear on VT1 and are viewable with the key combinations mentioned herein. Further, any other users that login will see no problem, but when they logon their passwords also appear on VT1 and are viewable.

  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: gdm3 3.28.3-0ubuntu18.04.3
  Uname: Linux 4.19.2-041902-generic x86_64
  ApportVersion: 2.20.9-0ubuntu7.5
  Architecture: amd64
  CurrentDesktop: ubuntu:GNOME
  Date: Mon Nov 19 08:32:59 2018
  InstallationDate: Installed on 2018-08-25 (85 days ago)
  InstallationMedia: Ubuntu 18.04 LTS "Bionic Beaver" - Release amd64 (20180426)
  ProcEnviron:
   TERM=xterm-256color
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  SourcePackage: gdm3
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gdm3/+bug/1803993/+subscriptions

--
Mailing list: https://launchpad.net/~desktop-packages
Post to     : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1803993] Re: Password appears on the VT1 screen
This is still not fixed.

** Changed in: systemd (Ubuntu)
       Status: Fix Released => Confirmed

Status in gdm3 package in Ubuntu:
  Invalid
Status in plymouth package in Ubuntu:
  Invalid
Status in systemd package in Ubuntu:
  Confirmed

[Desktop-packages] [Bug 1803993] Re: Password appears on the VT1 screen
This bug was fixed in the package systemd - 240-6ubuntu9

---------------
systemd (240-6ubuntu9) eoan; urgency=medium

  * Fix typpo in storage test.
    File: debian/tests/storage
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=f28aa5fe4ab175b99b6ea702559c59ca473b4ca8

  * Fix bashism
    File: debian/extra/dhclient-enter-resolved-hook
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=0725c1169ddde4f41cacba7af3e546704e2206be

systemd (240-6ubuntu8) eoan; urgency=medium

  * Only restart resolved on changes in dhclient enter hook.
    This prevents spurious restarts of resolved on rebounds when the addresses did not change. (LP: #1805183)
    Author: Julian Andres Klode
    File: debian/extra/dhclient-enter-resolved-hook
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=258893bae8cbb12670e4807636fe8f7e9fb5407a

  * Wait for cryptsetup unit to start, before stopping.
    Patch from cascardo. Plus small refactor for readability. (LP: #1814373)
    File: debian/tests/storage
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=b65aa350be7e61c65927fbc0921a750fcfaa51cd

  * Wait for systemctl is-system-running state.
    File: debian/tests/boot-smoke
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=776998f1f55c445b6e385cab69a4219c42d00838

systemd (240-6ubuntu7) eoan; urgency=medium

  * Revert "Add check to switch VTs only between K_XLATE or K_UNICODE"
    This reverts commit 60407728a1a453104e3975ecfdf25a254dd7cc44.
    Files:
    - debian/patches/Add-check-to-switch-VTs-only-between-K_XLATE-or-K_UNICODE.patch
    - debian/patches/Move-verify_vc_kbmode-to-terminal-util.c-as-vt_verify_kbm.patch
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=18029ab5ff436bfb3b401f24cd1e3a4cf2a1579c

  * Cherrypick missing systemd-stable patches to unbreak wireguard peer endpoints.
    Signed-off-by: Dimitri John Ledkov (LP: #1825378)
    Author: Dan Streetman
    Files:
    - debian/patches/network-wireguard-fixes-sending-wireguard-peer-setti.patch
    - debian/patches/network-wireguard-use-sd_netlink_message_append_sock.patch
    - debian/patches/sd-netlink-introduce-sd_netlink_message_append_socka.patch
    - debian/patches/test-network-add-more-checks-in-NetworkdNetDevTests..patch
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=4046f515e40c4dc80d18d2303466737f1f451f11

  * Remove expected failure from passing test.
    Signed-off-by: Dimitri John Ledkov (LP: #1829450)
    Author: Dan Streetman
    File: debian/tests/systemd-fsckd
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=c43b12037d08555dc1d26593307726d7c7992df0

  * Fix false negative checking for running jobs after boot.
    Signed-off-by: Dimitri John Ledkov (LP: #1825997)
    Author: Dan Streetman
    File: debian/tests/boot-smoke
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=aeb01631efbaf3fe851dee15d496e0b66b5c347f

  * Cherrypick ask-password: prevent buffer overrow when reading from keyring.
    Signed-off-by: Dimitri John Ledkov (LP: #1814373)
    Author: Dan Streetman
    File: debian/patches/ask-password-prevent-buffer-overrow-when-reading-fro.patch
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=6d6e9cbd4fc6e018031a4762e88f2c3aa19e24e8

 -- Dimitri John Ledkov  Thu, 30 May 2019 21:45:50 +0100

** Changed in: systemd (Ubuntu)
       Status: In Progress => Fix Released

Status in gdm3 package in Ubuntu:
  Invalid
Status in plymouth package in Ubuntu:
  Invalid
Status in systemd package in Ubuntu:
  Fix Released

[Desktop-packages] [Bug 1803993] Re: Password appears on the VT1 screen
** Changed in: gdm3 (Ubuntu)
       Status: Confirmed => Invalid

** Changed in: plymouth (Ubuntu)
       Status: Confirmed => Invalid

Status in gdm3 package in Ubuntu:
  Invalid
Status in plymouth package in Ubuntu:
  Invalid
Status in systemd package in Ubuntu:
  In Progress

[Desktop-packages] [Bug 1803993] Re: Password appears on the VT1 screen
It looks like systemd is changing the mode (see argument=3) on VT1 on logouts.

#define K_RAW        0x00
#define K_XLATE      0x01
#define K_MEDIUMRAW  0x02
#define K_UNICODE    0x03
#define K_OFF        0x04

#define KDGKBMODE    0x4B44  /* gets current keyboard mode */
#define KDSKBMODE    0x4B45  /* sets current keyboard mode */

test@test-Standard-PC-i440FX-PIIX-1996:~$ sudo sysdig evt.type=ioctl | grep request=4B45
[sudo] password for test:
5657343 15:21:51.819076315 1 Xorg (1069) > ioctl fd=11(/dev/tty1) request=4B45 argument=4
5657453 15:21:51.820019063 0 systemd-logind (575) > ioctl fd=22(/dev/tty1) request=4B45 argument=3
5753055 15:21:52.771635876 0 systemd-logind (575) > ioctl fd=21(/dev/tty1) request=4B45 argument=4
20723813 15:49:41.368621972 1 systemd (23717) > ioctl fd=3(/dev/tty2) request=4B45 argument=3
22605710 15:53:04.107253025 1 systemd-logind (575) > ioctl fd=23(/dev/tty3) request=4B45 argument=4
22612602 15:53:04.142057934 1 Xorg (24089) > ioctl fd=11(/dev/tty3) request=4B45 argument=4
24077108 15:53:28.705600119 0 Xorg (24089) > ioctl fd=11(/dev/tty3) request=4B45 argument=4
24077278 15:53:28.706353493 1 systemd-logind (575) > ioctl fd=24(/dev/tty3) request=4B45 argument=3
24626343 15:53:58.336589416 0 systemd-logind (575) > ioctl fd=22(/dev/tty1) request=4B45 argument=3
24804326 15:53:59.385872243 0 systemd-logind (575) > ioctl fd=21(/dev/tty1) request=4B45 argument=4
25515114 15:54:12.915072995 1 systemd-logind (575) > ioctl fd=23(/dev/tty3) request=4B45 argument=4
25520504 15:54:12.929480424 1 Xorg (25112) > ioctl fd=11(/dev/tty3) request=4B45 argument=4
26921037 15:54:46.872029874 1 Xorg (25112) > ioctl fd=11(/dev/tty3) request=4B45 argument=4
26921239 15:54:46.872654795 1 systemd-logind (575) > ioctl fd=24(/dev/tty3) request=4B45 argument=3
27104852 15:54:53.870639078 1 systemd-logind (575) > ioctl fd=23(/dev/tty3) request=4B45 argument=4
27112208 15:54:53.894217722 1 Xorg (25697) > ioctl fd=11(/dev/tty3) request=4B45 argument=4
28677455 15:55:44.581119464 0 Xorg (25697) > ioctl fd=11(/dev/tty3) request=4B45 argument=4
28678288 15:55:44.592966138 1 systemd-logind (575) > ioctl fd=24(/dev/tty3) request=4B45 argument=3

** Also affects: systemd (Ubuntu)
   Importance: Undecided
       Status: New

Status in gdm3 package in Ubuntu:
  Confirmed
Status in plymouth package in Ubuntu:
  Confirmed
Status in systemd package in Ubuntu:
  New

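Added example (not part of the original thread and not code from systemd, gdm3 or plymouth): a small Python checker for sysdig output of the kind shown in the message above. It flags every KDSKBMODE call that moves a VT from K_OFF (4) back to K_XLATE (1) or K_UNICODE (3), which is the transition the [Test Case] says should not occur while a graphical screen is active. The function names and the sample lines are constructed for illustration, and it assumes sysdig prints request and argument in hexadecimal.

```python
import re
from collections import namedtuple

# Keyboard modes and the "set mode" request number, as in <linux/kd.h>.
KB_MODES = {0: "K_RAW", 1: "K_XLATE", 2: "K_MEDIUMRAW", 3: "K_UNICODE", 4: "K_OFF"}
KDSKBMODE = 0x4B45
K_OFF = 4
TRANSLATING = {1, 3}  # K_XLATE / K_UNICODE: keypresses become characters on the VT

# One sysdig ioctl event line, in the layout shown in the thread.
LINE_RE = re.compile(
    r"^\s*\d+\s+(?P<time>\d\d:\d\d:\d\d\.\d+)\s+\d+\s+"
    r"(?P<proc>\S+)\s+\((?P<pid>\d+)\)\s+>\s+ioctl\s+"
    r"fd=\d+\((?P<tty>/dev/tty\d+)\)\s+request=(?P<req>[0-9A-Fa-f]+)\s+"
    r"argument=(?P<arg>[0-9A-Fa-f]+)\s*$"
)

Finding = namedtuple("Finding", "time tty proc pid old new")


def parse_line(line):
    """Return (time, tty, proc, pid, request, argument), or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Assumption: request and argument are printed in hexadecimal.
    return (m["time"], m["tty"], m["proc"], int(m["pid"]),
            int(m["req"], 16), int(m["arg"], 16))


def find_unsafe_switches(lines):
    """Flag KDSKBMODE calls that take a VT from K_OFF to a translating mode."""
    last_mode = {}   # tty -> last mode set via KDSKBMODE in this capture
    findings = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue  # prompts, blank lines, unrelated output
        time, tty, proc, pid, request, mode = event
        if request != KDSKBMODE:
            continue  # e.g. KDGKBMODE (0x4B44) only reads the mode
        previous = last_mode.get(tty)
        if previous == K_OFF and mode in TRANSLATING:
            findings.append(Finding(time, tty, proc, pid,
                                    KB_MODES[previous], KB_MODES[mode]))
        last_mode[tty] = mode
    return findings


# Constructed sample input in the same format as the capture in the thread.
SAMPLE = """\
[sudo] password for test:
101 10:00:01.000000001 1 Xorg (1069) > ioctl fd=11(/dev/tty1) request=4B45 argument=4
102 10:00:01.000900000 0 systemd-logind (575) > ioctl fd=22(/dev/tty1) request=4B45 argument=3
103 10:00:02.000000000 0 systemd-logind (575) > ioctl fd=21(/dev/tty1) request=4B45 argument=4
104 10:05:00.000000000 1 systemd (2371) > ioctl fd=3(/dev/tty2) request=4B45 argument=3
105 10:06:00.000000000 1 systemd-logind (575) > ioctl fd=23(/dev/tty1) request=4B44 argument=7FFC0000
"""

if __name__ == "__main__":
    for f in find_unsafe_switches(SAMPLE.splitlines()):
        print(f"{f.time} {f.tty}: {f.proc} ({f.pid}) switched {f.old} -> {f.new}")
```

The checker only sees modes set during the capture, so a VT whose first recorded call sets mode 3 (such as /dev/tty2 in the sample) is treated as a text console and not flagged.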
[Desktop-packages] [Bug 1803993] Re: Password appears on the VT1 screen
^^^ That is probably just to verify this really isn't a duplicate of bug 1767918, and that you have the fix for bug 1767918 already.

** Summary changed:

- GDM is Exploitable as a Password Collector
+ Password appears on the VT1 screen

** Changed in: gdm3 (Ubuntu)
       Status: New => Incomplete

** Also affects: plymouth (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: plymouth (Ubuntu)
       Status: New => Incomplete

Status in gdm3 package in Ubuntu:
  Incomplete
Status in plymouth package in Ubuntu:
  Incomplete