Instead of respawning the account daemon from the postinst, I think it
would be better to just let D-Bus relaunch it on demand to keep its
environment standard (rather than getting the environment of whatever
was running dpkg).
The "--" fixes look good, thanks.
I think the username string comment was misunderstood. I was saying that
since 'adduser' accepts "-", ".", and "_", then so should
accountsservice, but it seems that the username filter regular
expression doesn't allow those characters (and should be fixed).
The file size check as the root user is a problem because it is an
information leak (it can be used to test for the existence of files,
etc). If the size check is going to be used at all, it should be done
during the copy (as the real user), to avoid information leaks or ToCToU
races.
I'd still like to see some kind of solution for passing the password in
the clear over D-Bus. "apg" is just used to generate a password, IIUC,
not to do the hashing.
** Changed in: accountsservice (Ubuntu)
Assignee: Kees Cook (kees) => Rodrigo Moya (rodrigo-moya)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/785680
Title:
[MIR] accountsservice
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/accountsservice/+bug/785680/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
