Bug 67461

Summary: root password passed in clear text when adding printers
Product: [Unmaintained] kcontrol Reporter: Alan J. Raveling <alanjr>
Component: kcmprintmgrAssignee: KDEPrint Devel Mailinglist <kde-print-devel>
Status: RESOLVED WAITINGFORINFO    
Severity: normal CC: chaofeng111
Priority: NOR    
Version: unspecified   
Target Milestone: ---   
Platform: Debian testing   
OS: Linux   
Latest Commit: Version Fixed In:
Sentry Crash Report:

Description Alan J. Raveling 2003-11-07 00:35:06 UTC 
Version:            (using KDE KDE 3.1.3)
Installed from:    Debian testing/unstable Packages
OS:          Linux

When adding a printer to a local machine, I am prompted for the root password.  By chance, the local machine's root password begins with an exclaimation mark (!).  When I provided the root password, an error was returned saying that an event was not found.  The event it sited happened to the the rest of my root passwor after the exclaimation mark.  As soon as I changed my root password to something that did not have ! at the beginning I was able to successfully add printers.
Upon futher investigation into the matter, it seems that anyone, with carefull looking, can catch the root password by whatching the processes of the computer when adding a printer.
I feel this is a security hole which should be fixed.
Comment 1 Michael Goffioul 2004-02-25 14:20:05 UTC 
Could you provide some screenshot of the error dialog you get. When adding a printer, passwords are managed at CUPS-level: CUPS requests a password, KDEPrint catches the request and popup the password dialog, the password is fed back to CUPS. I don't see where you could get such an error notification.
(Sorry for the late answer).