16

So, my computer crashed during the night and when I came to work in the morning I had the following screen on.

[Image: Consoledump]

I did not type the password a single time after the crash.

It appears to be related to ecryptfs, but the password is my login password.

So any idea which process could have written my password into the console?

Gjordis
  • Is it just your password on that line alone, with nothing else? – forest Jun 15 '18 at 06:39
  • Just my password, nothing else. And I'm quite sure I have not made the usual "accidentally typed my password into the console when not asked" error. Also checked my bash_history, and it was not there. – Gjordis Jun 15 '18 at 06:40
  • That's very odd. The answer to the question in the title is yes. It obviously needs to handle the plain password at some point in time. I don't know why it would be written to the console during a crash, though. Were you able to take a crash dump? FWIW, I doubt it's related to ecryptfs. That error just seems to be a generic error due to a corrupt filesystem. The password coming after the ecryptfs lines is likely coincidence. – forest Jun 15 '18 at 06:42
  • Don't have the coredump anymore. Used the Ubuntu tool to send it, and read through the plain text parts, finding nothing interesting. Any way to see that info again? – Gjordis Jun 15 '18 at 06:45
  • If you deleted it, then probably not without attempting forensic recovery. – forest Jun 15 '18 at 06:49
  • I didn't delete it, but I'm not familiar with the process of retrieving it from... somewhere. – Gjordis Jun 15 '18 at 07:00
  • I'm not sure where it is put by default in Ubuntu. Now that Ubuntu uses systemd, I think it's kept as a binary blob in journald's weird database. – forest Jun 15 '18 at 07:01
  • Could you have an encrypted home directory? In that case the in time encryptor/decryptor might have kept a copy of your password - even if it somewhat hurts a bit... – Serge Ballesta Jun 15 '18 at 12:23
  • @SergeBallesta Yes, my home directory is also encrypted with standard Ubuntu encryption, which uses ecryptfs as well. It would be weird if it cached it like this, since doesn't it actually use the big hash-key for decrypting? – Gjordis Jun 20 '18 at 10:45

1 Answer

1

In fact, it can be worse. I just did some checking on Ubuntu Crash Reporting and I found this:

Bug reports about crashes which are automatically generated by the Apport system are now private by default. This avoids exposing potentially sensitive data like passwords to the public. Those bug reports are now inspected by a trusted Ubuntu developer before marking it public.

There is no indication which version(s) is/are affected. IMHO, to prevent a password leak, you should either upgrade Apport or disable it.

This issue is documented/highlighted on the Apport wiki:

Apport collects potentially sensitive data, such as core dumps, stack traces, and log files. They can contain passwords, credit card numbers, serial numbers, and other private material.

(update) This issue needs further scrutiny, because there is confusion about ecryptfs and the login passphrase vs. the mount passphrase.

mootmoot
  • 3
    But why would apport itself have access to my password? I think the Apport case is for cases where some other process prints or stores the password and it gets included in the dump. – Gjordis Jun 15 '18 at 08:56
  • 1
    There is no confusion. The password shown on the console is my user password, which is in no way used with my encrypted LVM, and is only used to open the Gnome-keyring containing the actual home-directory ecryptfs password. – Gjordis Jun 20 '18 at 12:33
  • @Gjordis then this is an obvious Apport issue. – mootmoot Jun 20 '18 at 12:41
  • 1
    @mootmoot What is being displayed on the screen is a regular kernel oops/panic/whatever, it has nothing to do with Apport. – forest Jun 20 '18 at 12:52
  • 1
    If some other application (like in this case) logs, prints or insecurely caches some sensitive information, THEN Apport is/was at risk of exposing it. But this requires underlying badly designed software or a glitch. Apport does not handle passwords or password inputs in any way unless they are part of the dump or log. – Gjordis Jun 20 '18 at 16:50