https://bugs.kde.org/show_bug.cgi?id=441948
Christoph Lutz <christoph.l...@rohde-schwarz.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Ever confirmed|0 |1
Status|REPORTED |CONFIRMED
CC| |christoph.lutz@rohde-schwar
| |z.com
--- Comment #2 from Christoph Lutz <christoph.l...@rohde-schwarz.com> ---
This still happens on Kubuntu 24.04: Enter some credentials (e.g. for a
smb-printer) and find the password in cleartext in journalctl + in
/var/log/syslog.
It's rather easy to reproduce (I did with print-manager 4:23.08.5-0ubuntu4):
1) call "systemsettings kcm_printer_manager"
2) add new printer
3) select Other Network Printers --> Windows Printer via SAMBA
4) enter a string into the password field
See each keystroke while you enter the above mentioned string (in cleartext) in
the stderr output of the systemsettings command.
And if you start the systemsettings via K-Menu (which utilizes the plasmashell
that was started by a systemd --user service), all the above mentioned output
is passed directly into the systemd-journal.
Is it really necessary to log each single key stroke? And like Erik, I would
really appreciate a more privacy respecting logging here... The nasty thing
here is, that nobody expects to find his personal password somewhere in the log
files.
My first mitigation will be:
in /usr/share/applications/kcm_printer_manager.desktop:
change
Exec=systemsettings kcm_printer_manager
to
Exec=sh -c "systemsettings kcm_printer_manager 2>/dev/null"
and /usr/share/applications/systemsettings.desktop:
change
Exec=systemsettings
to
Exec=sh -c "systemsettings 2>/dev/null"
--
You are receiving this mail because:
You are watching all bug changes.
