touch-packages team mailing list archive
Message #05787
[Bug 1234983] Re: greeter pin stored in plain text with hidden demo greeter code
This bug was fixed in the package unity8 -
8.00+14.10.20140729.1-0ubuntu1
---------------
unity8 (8.00+14.10.20140729.1-0ubuntu1) utopic; urgency=low
[ Michael Terry ]
* Check user's pin/password using PAM, instead of a plaintext keyfile.
New build dependency: libpam0g-dev for phone unlock with PAM (LP:
#1234983)
-- Ubuntu daily release <ps-jenkins@xxxxxxxxxxxxxxxxxxx> Tue, 29 Jul 2014 23:36:30 +0000
** Changed in: unity8 (Ubuntu)
Status: New => Fix Released
** Changed in: ubuntu-system-settings (Ubuntu)
Status: Invalid => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to unity8 in Ubuntu.
https://bugs.launchpad.net/bugs/1234983
Title:
greeter pin stored in plain text with hidden demo greeter code
Status in The Unity 8 shell:
In Progress
Status in “ubuntu-system-settings” package in Ubuntu:
Fix Released
Status in “unity8” package in Ubuntu:
Fix Released
Bug description:
In previous images, there was a setting to set up a PIN or password for
unlocking the greeter. This feature is no longer exposed in the user
interface, so this is not a particularly important bug to fix and can
likely just be closed when proper PAM support is used.
Nevertheless:
# cat /home/phablet/.unity8-greeter-demo
[General]
password=pin
passwordValue=1234
# ls -l /home/phablet/.unity8-greeter-demo
-rw-r--r-- 1 phablet phablet 42 Sep 20 21:36 /home/phablet/.unity8-greeter-demo
If the demo code is going to be reintroduced into the user interface,
it should not store the PIN/password in plain text because people may
not realize it and store an important credential there. It could
probably remain if both of these were done:
1. the file is 'chmod 600'
2. you used a proper hashing algorithm (see 'man crypt', i.e., use SHA-512 with a randomly generated salt when the password is set)
If implementing the above, please contact the security team since we
would want to review the implementation details.
$ adb shell system-image-cli -i
current build number: 78
device name: mako
channel: stable
last update: 2013-10-03 13:05:32
version version: 78
version ubuntu: 20131003
version device: 20131002.1
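The two conditions from the bug description (a 0600 file, and a salted hash instead of the raw value), as an added example that is neither unity8 code nor the PAM-based fix that shipped. PBKDF2-HMAC-SHA512 from Python's standard library stands in for crypt(3)'s SHA-512 scheme; the key names passwordSalt/passwordHash, the iteration count and the temporary file names are assumptions, and the sample keyfile is constructed from the report.

```python
import configparser, hashlib, hmac, os, stat, tempfile

ITERATIONS = 200_000  # assumed work factor, not taken from the bug report

def audit(path):
    """Return findings for a greeter-style keyfile: loose mode, plaintext value."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(f"mode {mode:04o} lets group/other access the file")
    cfg = configparser.ConfigParser()
    cfg.read(path)
    if cfg.has_option("General", "passwordValue"):
        findings.append("passwordValue holds the secret in plain text")
    return findings

def store(path, secret):
    """Write salt + PBKDF2-HMAC-SHA512 digest to a file created with mode 0600."""
    salt = os.urandom(16)  # fresh random salt each time the secret is set
    digest = hashlib.pbkdf2_hmac("sha512", secret.encode(), salt, ITERATIONS)
    cfg = configparser.ConfigParser()
    # Hypothetical key names; configparser writes them lowercased.
    cfg["General"] = {"passwordSalt": salt.hex(), "passwordHash": digest.hex()}
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)  # also tightens a file that already existed
    with os.fdopen(fd, "w") as fh:
        cfg.write(fh)

def verify(path, candidate):
    """Recompute the digest with the stored salt and compare in constant time."""
    cfg = configparser.ConfigParser()
    cfg.read(path)
    salt = bytes.fromhex(cfg["General"]["passwordSalt"])
    want = bytes.fromhex(cfg["General"]["passwordHash"])
    got = hashlib.pbkdf2_hmac("sha512", candidate.encode(), salt, ITERATIONS)
    return hmac.compare_digest(got, want)

def demo():
    with tempfile.TemporaryDirectory() as d:
        old = os.path.join(d, "greeter-demo-old")  # constructed copy of the reported file
        with open(old, "w") as fh:
            fh.write("[General]\npassword=pin\npasswordValue=1234\n")
        os.chmod(old, 0o644)  # the -rw-r--r-- mode shown in the report
        new = os.path.join(d, "greeter-demo-new")
        store(new, "1234")
        return audit(old), audit(new), verify(new, "1234"), verify(new, "0000")

if __name__ == "__main__":
    print(demo())
```

A four-digit PIN has only 10,000 possible values, so the hash only slows offline guessing; the 0600 mode is what keeps other local accounts from reading the file.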