Cryptsetup-helper logs encryption password
Closed, Duplicate, Public

Description

I have received an incoming security issue about our cryptsetup-helper program that works as part of the OEM install (in this case the June 2018 release). The cryptsetup-helper script that runs as part of /run/gnome-initial-setup logs the LUKS password the user sets into /var/log/auth.log because it accepts the password on the command line as part of the --password argument!

To reproduce:

  1. Run through normal OEM install
  2. Reboot and set LUKS passphrase
  3. Log in, open terminal, and type: sudo grep cryptsetup-helper /var/log/auth.log
  4. Read password in plain text!

Options to remedy:

  1. Disable logging for this script
  2. Provide the password to cryptsetup-helper.py without passing it on the command line
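
Remedy option 2 above, as an added sketch (not the PureOS cryptsetup-helper code): the passphrase arrives on standard input and is handed to its consumer over a pipe, so no logged command line ever contains it. The --password-stdin option, the function names and the stand-in child process are hypothetical.

```python
import argparse
import subprocess
import sys


def parse_args(argv):
    """Hypothetical CLI: the passphrase is never an option value."""
    p = argparse.ArgumentParser(prog="helper-sketch")
    p.add_argument("--device", required=True)
    p.add_argument("--password-stdin", action="store_true",
                   help="read the passphrase from standard input")
    return p.parse_args(argv)


def read_passphrase(stream):
    """Read one line from stream; drop only the trailing newline."""
    secret = stream.readline().rstrip("\n")
    if not secret:
        raise ValueError("empty passphrase on stdin")
    return secret


def argv_leaks(argv, secret):
    """True if the secret is visible in a command line (what gets logged)."""
    return any(secret in arg for arg in argv)


def run_child(child_argv, secret):
    """Hand the secret to a child over a pipe, never through its argv."""
    if argv_leaks(child_argv, secret):
        raise RuntimeError("refusing to put the passphrase on a command line")
    return subprocess.run(child_argv, input=secret + "\n", text=True,
                          capture_output=True, check=True)


# Stand-in for the real consumer: reports only the length it received.
CHILD = [sys.executable, "-c",
         "import sys; print(len(sys.stdin.readline().rstrip('\\n')))"]

if __name__ == "__main__":
    args = parse_args(sys.argv[1:])
    if not args.password_stdin:
        sys.exit("pass --password-stdin and pipe the passphrase in")
    out = run_child(CHILD, read_passphrase(sys.stdin))
    print("child received", out.stdout.strip(), "characters for", args.device)
```

The argv_leaks check doubles as a regression test: run it against every command line the setup flow builds, using a constructed passphrase.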

mak closed this task as a duplicate of T379: Create pureos-disk-encryption service.

I have been aware of this for a long time; it can only properly be fixed by making a proper service out of this tool, which I have not had the time to do yet due to piles upon piles of other critical tasks.
I might actually implement the service soon though, in the process of fixing swap-related boot issues.

In the meantime, could you add a task that erases/truncates /var/log/auth.log after that script runs?

mak added a comment. Nov 29 2018, 11:37 PM

That doesn't help; the journal also contains the changes.
The good thing is that you'll only ever be able to read the password if you have root access on a drive that has already been unlocked using that password.
