[Bug 10441] New: accidental full text password expose to local users possible

bugzilla at busybox.net bugzilla at busybox.net
Sun Oct 22 16:17:39 UTC 2017


https://bugs.busybox.net/show_bug.cgi?id=10441

            Bug ID: 10441
           Summary: accidental full text password expose to local users
                    possible
           Product: Busybox
           Version: 1.26.x
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: Other
          Assignee: unassigned at busybox.net
          Reporter: surae at yandex.ru
                CC: busybox-cvs at busybox.net
  Target Milestone: ---

busybox's getty takes supplies typed username as arg to busibox's login
process, which itself asks for username again in case of auth failure, for 3
times! Then if username typed first was erroneus it is kept for the session
time

root      2170  0.0  0.0   1528     4 tty1     Ss   16:04   0:00 /bin/login --
adsfasdfasdf

Once I've accidentally typed password instead of login on console getty prompt
it exposes my whole password to local users for entire session period!

It is bad for security!

Should we remove username prompt from login.c, or make it check if username
supplied by getty was non-existent?

-- 
You are receiving this mail because:
You are on the CC list for the bug.


More information about the busybox-cvs mailing list