7.193: emailpki_debug.log stores credentials in plane ascii text

[Wolperdinger]

Hi folks,

when playing around with the files in /tmp I had to discover that emailpki_debug.log stores diffent credentials in plain ascii text.

Starting with some less important information - for at least me, don't know how other's think about it - of the DSL account information (user name and password) to personal informations stored with the 'astaro user interface'. The latter one is in my point of view critical: No one, neither domain admin, firewall admin or whatever, should/must know personal credentials of other users! Even worse, the file itself has access mode 644, so a login user without root/admin-permissions can get the informations.

Just think about the fact an external service supplier can get very sensitive information no one would hand him out voluntarily!

Dear astaro developers, you should really pay a little more attention to your debug code. A firewall system is a high security system which should not store sensitive data in plaine text - in case of a successfully intrusion there might be pretty valuable information available.

You should really fix all that password weaknesses as soon as possible - at least it should been solved with the GA of Astaro 7.2

With reagards

Wolperdinger

[bitonw]

is it possible that in the 'beta' test versions those files are logging this kind of info for debug purposes?

[tom]

The emailpki-debug.log will be gone in 7.300.

We try to avoid storing un-hashed passwords. Sometimes this is not possible for technical reasons. We'll check if we can tighten permissons on the mentioned file.