assume this is not relevant to uss at this time?
** Changed in: ubuntu-system-settings (Ubuntu)
Status: New => Invalid
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to unity8 in Ubuntu.
https://bugs.launchpad.net/bugs/1234983
Title:
greeter pin stored in plain text with hidden demo greeter code
Status in The Unity 8 shell:
In Progress
Status in “ubuntu-system-settings” package in Ubuntu:
Invalid
Status in “unity8” package in Ubuntu:
New
Bug description:
In previous images, there was a setting to setup a PIN or password for
unlocking the greeter. This feature is no longer exposed in the user
interface, so this is not a particularly important bug to fix and can
likely just be closed when proper PAM support is used.
Nevertheless:
# cat /home/phablet/.unity8-greeter-demo
[General]
password=pin
passwordValue=1234
# ls -l /home/phablet/.unity8-greeter-demo
-rw-r--r-- 1 phablet phablet 42 Sep 20 21:36
/home/phablet/.unity8-greeter-demo
If the demo code is going to be reintroduced into the user interface,
it should not store the PIN/password in plain text because people may
not realize it and store an important credential there. It could
probably remain if both of these were done:
1. the file is 'chmod 600'
2. you used a proper hashing algorithm (see 'man crypt'-- ie, use SHA-512
with a randomly generated salt when the password is set)
If implementing the above, please contact the security team since we
would want to review the implementation details.
$ adb shell system-image-cli -i
current build number: 78
device name: mako
channel: stable
last update: 2013-10-03 13:05:32
version version: 78
version ubuntu: 20131003
version device: 20131002.1
To manage notifications about this bug go to:
https://bugs.launchpad.net/unity8/+bug/1234983/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
