Univention Bugzilla – Bug 54348
UDM is logging password hashes
Last modified: 2022-04-06 17:31:10 CEST
It was noticed that password hashes are logged into directory-manager-rest.log. In the scenario where we initially observed the behaviour the password is set through the Kelvin-API. It is reproducible in that way once the password was set the second time.

17.01.22 13:51:38 INFO ( 1218) : 200 GET /udm/users/user/uid=karlauer,cn=lehrer,cn=users,ou=SchuleA,dc=mydomain,dc=intranet (0.0.0.0) 11.19ms
17.01.22 13:51:38 INFO ( 1218) : 200 GET /udm/users/user/?filter=(%26(!(uid%3Dkarlauer))(mailPrimaryAddress%3Dkarlauer@mydomain.intranet))&position=dc%3Dmydomain,dc%3Dintranet&scope=sub&hidden=true (0.0.0.0) 115.27ms
17.01.22 13:51:38 INFO ( 1218) : 200 GET /udm/groups/group/cn=lehrer-schulea,cn=groups,ou=SchuleA,dc=mydomain,dc=intranet (0.0.0.0) 8.09ms
17.01.22 13:51:38.639 ADMIN ( ERROR ) :
== [$6$CLaER3Q.QluXlaR7$mnVbxTWFbhMctowNO48sPoLRrq8mA2EJt/OudW5dyliS5mOkwDt2QOEEeU6oJsBO6a3F9HuewGCJaMFNUOnSS/]
== [$6$CLaER3Q.QluXlaR7$0qTXGesA6hV1PTu7YglvWAcZj6bvI970tMTJAtvDgZ0aOTi9VMvFMmgS3CtOA.McUgCmh8uD7.Mt4BBtTHzPc/]
17.01.22 13:51:38 INFO ( 1218) : 204 PATCH /udm/users/user/uid=karlauer,cn=lehrer,cn=users,ou=SchuleA,dc=mydomain,dc=intranet (0.0.0.0) 61.91ms

Note: directory/manager/rest/debug/level was set to "0" during the test.

The problem most likely originates in modules/univention/admin/password.py:

ud.debug(ud.ADMIN, ud.ERROR, '\n== [%s]\n== [%s]' % (password_hash, line))
univention-directory-manager-modules (15.0.11-40) 11a63db0ef8c | Bug #54348: removed lines logging UDM password hashes
OK: password hashes are not logged anymore
OK: YAML
<https://errata.software-univention.de/#/?erratum=5.0x281>
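To check existing log files for entries like the ADMIN line in the report, the following added example (not part of the bug report or of UDM) scans log lines for crypt(3) hashes and prints them redacted. It goes beyond the `$6$` case shown above by also matching `$1$` and `$5$`; the sample log and its hash are constructed, and the function names are hypothetical.

```python
import re

# crypt(3) digest lengths: MD5 ($1$), SHA-256 ($5$), SHA-512 ($6$).
DIGEST_LEN = {"1": 22, "5": 43, "6": 86}
B64 = r"[./0-9A-Za-z]"
CRYPT_RE = re.compile(
    r"\$(?P<scheme>[156])\$(?:rounds=\d+\$)?%s{1,16}\$(?P<digest>%s+)" % (B64, B64)
)

def find_hashes(line):
    """Return (start, end, scheme) for every crypt(3) hash found in a line."""
    hits = []
    for m in CRYPT_RE.finditer(line):
        want = DIGEST_LEN[m.group("scheme")]
        if len(m.group("digest")) >= want:  # skip truncated look-alikes
            hits.append((m.start(), m.start("digest") + want, m.group("scheme")))
    return hits

def redact(line):
    """Replace each hash with a marker so a report never repeats the secret."""
    out, pos = [], 0
    for start, end, scheme in find_hashes(line):
        out += [line[pos:start], "<crypt-%s redacted>" % scheme]
        pos = end
    return "".join(out) + line[pos:]

def scan(lines):
    """Return (line_number, hash_count, redacted_line) for affected lines."""
    report = []
    for number, line in enumerate(lines, 1):
        hits = find_hashes(line)
        if hits:
            report.append((number, len(hits), redact(line)))
    return report

# Constructed sample: the hash is fake, the line layout follows the report.
FAKE_HASH = "$6$" + "constructedSalt0" + "$" + "A" * 86
SAMPLE_LOG = [
    "17.01.22 13:51:38 INFO ( 1218) : 200 GET /udm/users/user/uid=example (0.0.0.0) 11.19ms",
    "17.01.22 13:51:38.639 ADMIN ( ERROR ) : == [%s] == [%s]" % (FAKE_HASH, FAKE_HASH),
    "17.01.22 13:51:38 INFO ( 1218) : 204 PATCH /udm/users/user/uid=example (0.0.0.0) 61.91ms",
]

if __name__ == "__main__":
    for number, count, text in scan(SAMPLE_LOG):
        print("line %d: %d hash(es): %s" % (number, count, text))
```

Because the report only ever contains the redacted form, its output can be attached to a ticket without spreading the hashes further.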