Bug 40287 - App Center log shows the password of user
App Center log shows the password of user
Product: UCS
Classification: Unclassified
Component: App Center
UCS 4.1
All All
: P5 normal (vote)
: UCS 4.1-0-errata
Assigned To: Dirk Wiesenthal
Florian Best
Depends on:
  Show dependency treegraph
Reported: 2015-12-17 22:48 CET by Jussi Lehto
Modified: 2016-02-04 14:09 CET (History)
2 users (show)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Note You need to log in before you can comment on or make changes to this bug.
Description Jussi Lehto 2015-12-17 22:48:27 CET
The log file appcenter.log in the directory /var/log/univention/ shows in plain text the password of the user that is installing the application, as following:

21135 actions.register                 15-12-17 23:30:44 [   DEBUG]: Calling with Namespace(apps=None, do_it=None, help='==SUPPRESS==', noninteractive=False, password='PASSWORD_EXAMPLE', pwdfile=None, register_task=None, username='USERNAME_EXAMPLE')

The debug level of the system I was using was set to 2.

I think the log files shouldn't show the password of the user for security reasons.
Comment 1 Dirk Wiesenthal univentionstaff 2015-12-18 10:41:52 CET
Thanks for the report!

Fixed in
  univention-appcenter 5.0.19-34.92.201512181038

- self.debug('Calling with %r' % namespace)
+ self.debug('Calling %s' % self.get_action_name())
Comment 2 Florian Best univentionstaff 2015-12-22 19:14:34 CET
Yes, the password is not logged anymore.

@Dirk: There is also some logging of command arguments for docker but it seems only to contain password-files :)

Comment 3 Janek Walkenhorst univentionstaff 2016-02-04 14:09:56 CET