| Summary: | password should be percent-encoded and never sent to log | ||
|---|---|---|---|
| Product: | [Applications] systemsettings | Reporter: | Erik Quaeghebeur <bugs.kde.org> |
| Component: | kcm_printer_manager | Assignee: | Daniel Nicoletti <dantti12> |
| Status: | CONFIRMED --- | ||
| Severity: | grave | CC: | christoph.lutz, kubry, nate, plasma-bugs-null, postix |
| Priority: | NOR | ||
| Version First Reported In: | 5.21.5 | ||
| Target Milestone: | --- | ||
| Platform: | Other | ||
| OS: | Linux | ||
| Latest Commit: | Version Fixed/Implemented In: | ||
| Sentry Crash Report: | |||
Description
Erik Quaeghebeur
2021-09-03 12:53:02 UTC
eek, cleartext passwords in logs == VHI priority

This still happens on Kubuntu 24.04: Enter some credentials (e.g. for an smb-printer) and find the password in cleartext in journalctl + in /var/log/syslog.
It's rather easy to reproduce (I did with print-manager 4:23.08.5-0ubuntu4):
1) call "systemsettings kcm_printer_manager"
2) add new printer
3) select Other Network Printers --> Windows Printer via SAMBA
4) enter a string into the password field
See each keystroke while you enter the above-mentioned string (in cleartext) in the stderr output of the systemsettings command.
And if you start the systemsettings via K-Menu (which utilizes the plasmashell that was started by a systemd --user service), all the above-mentioned output is passed directly into the systemd-journal.
Is it really necessary to log each single key stroke? And like Erik, I would really appreciate a more privacy-respecting logging here... The nasty thing here is that nobody expects to find his personal password somewhere in the log files.
My first mitigation will be:

in /usr/share/applications/kcm_printer_manager.desktop, change

```ini
Exec=systemsettings kcm_printer_manager
```

to

```ini
Exec=sh -c "systemsettings kcm_printer_manager 2>/dev/null"
```

and in /usr/share/applications/systemsettings.desktop, change

```ini
Exec=systemsettings
```

to

```ini
Exec=sh -c "systemsettings 2>/dev/null"
```
Just for completeness:
I solved this issue for my environment by adding this Xsession.d dropin:

```sh
cat /etc/X11/Xsession.d/91qt_suppress_default-debug_logging
# -*- sh -*-
# Xsession.d script to set the env variables to stop Qt from logging in debug mode.
#
# This file is sourced by Xsession(5), not executed.
QT_LOGGING_RULES="default.debug=false"
export QT_LOGGING_RULES
# Also push the variable into the systemd --user / D-Bus activation
# environment, so services started from there (e.g. plasmashell) inherit it.
if [ -x "/usr/bin/dbus-update-activation-environment" ]; then
    dbus-update-activation-environment --verbose --systemd QT_LOGGING_RULES
fi
```
Background:
print-manager-21.12.3/add-printer/ChooseSamba.cpp uses lines like these

```cpp
qDebug() << 1 << url;
```

to log its output (without any logging category, which means logging is done to the "default" category). And the above setting ensures that default.debug no longer produces logging output in the complete Plasma session.
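The two fixes the summary asks for, percent-encoding the password inside the smb:// URL and never writing the raw URL to a log line, as an added Python illustration (not code from print-manager; the credentials, host and share are constructed sample values). The Qt equivalent of the redaction step is `QUrl::toString(QUrl::RemovePassword)`.

```python
from urllib.parse import quote, unquote, urlsplit, urlunsplit

# Constructed sample credentials (not from the bug report). The password
# deliberately contains URL delimiters, the case percent-encoding exists for.
SAMPLE_USER = "print-user"
SAMPLE_PASSWORD = "p@ss:w/rd#1"
SAMPLE_HOST = "fileserver.example"
SAMPLE_SHARE = "HP_LaserJet"


def build_smb_url(user: str, password: str, host: str, share: str) -> str:
    """Build smb://user:password@host/share with the userinfo percent-encoded.

    safe="" forces '@', ':', '/' and '#' inside the password to be encoded so
    a later parser cannot mistake them for URL delimiters.
    """
    userinfo = f"{quote(user, safe='')}:{quote(password, safe='')}"
    return f"smb://{userinfo}@{host}/{quote(share, safe='')}"


def password_from_url(url: str) -> str:
    """Round-trip check: parsing the URL must give back the original password."""
    password = urlsplit(url).password
    return unquote(password) if password is not None else ""


def redact_url(url: str) -> str:
    """Return the URL with its password masked; this is the only form that
    should ever reach qDebug(), stderr or the journal."""
    parts = urlsplit(url)
    if parts.password is None:
        return url  # nothing to hide
    hostport = parts.netloc.rpartition("@")[2]  # keep host:port untouched
    netloc = f"{parts.username}:***@{hostport}"
    return urlunsplit(parts._replace(netloc=netloc))


if __name__ == "__main__":
    url = build_smb_url(SAMPLE_USER, SAMPLE_PASSWORD, SAMPLE_HOST, SAMPLE_SHARE)
    assert password_from_url(url) == SAMPLE_PASSWORD
    print("URL for the CUPS/SMB request:", url)
    print("URL for the log line        :", redact_url(url))
```

The same `redact_url` output is also what a `grep` over `journalctl` should be checked against when verifying a fix: the encoded or raw password string must not appear anywhere in the journal.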
`print-manager-21.12.3/add-printer/ChooseSamba.cpp` doesn't exist anymore as of [1]. The new print manager kcm [2] doesn't seem to be affected by the bug at first sight. I haven't verified it though.

---

[1] https://invent.kde.org/plasma/print-manager/-/commit/c41cb06aa8c2f63391281883598988328355eb7d

> Remove the legacy app: add-printer
> add-printer features have been superseded by the print manager kcm

[2] https://invent.kde.org/plasma/print-manager/-/blob/master/src/kcm/printermanager.cpp