Security

Journal nocomment's Journal: sudo stores password in plaintext 3

OK I'll admit it. I was bored. I was just tinkering around with various /dev/* and piping the output to various others.

That's when I came across a few interesting things (namely xchat leaves all kinds of stuff in memory for days after you last logged on).

But most scary was this command 'strings /dev/mem', which revealed to me my own password. This is particularly scary since this is an Ubuntu system and my user is essentially 'root'.

bryan
-my password was here-
sudo su -
-my password was here again-

It appears to be me logging in to either the console or gdm, and then running sudo su - and typing my password.

  • I am not in the sudoers file, still, my password is cached in clear text when I try to sudo. I don't know what advantage this has over magic cookies, storing the password hash (to check if the password changed since last successful auth) or just _any_ other mechanism, but I don't think there is any. Would be interesting to know if that page is set noswap or not. Not that it would matter if you are using suspend-to-disk.
  • % strings /dev/mem
    strings: Warning: '/dev/mem' is not an ordinary file
    % cat /dev/mem | strings
    cat: /dev/mem: Permission denied

    % strings /dev/mem
    strings: /dev/mem: Permission denied
    %
    But then I'm not wheel on those machines.
    • Re: (Score:3, Interesting)

      by tomhudson ( 43916 )

      $ su root
      $ password:
      # cat /dev/mem | strings | grep MY_PASSWORD

      ... shows several copies of my password ..

      doesn't work as a non-privileged user, though
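
Added example, not from the journal author or any commenter above: the thread finds plaintext passwords by running `strings` over memory, and the first comment asks whether the page holding the cached password is pinned out of swap. The C program below shows the two defensive measures an application that handles a password can take for the copies it controls: pin the working buffer with mlock() so it is not written to swap, and scrub it through a volatile pointer after use so the zeroing is not removed as a dead store. The in-process byte search stands in for `strings | grep`; the password string and the buffer size are constructed for the demonstration and are not from the page.

```c
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

/* Zero a buffer through a volatile pointer so the compiler cannot drop the
 * stores as "dead" (a plain memset() right before return is a classic
 * victim of dead-store elimination). Prefer explicit_bzero()/memset_s()
 * where the platform provides them. */
static void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
}

/* Byte-pattern search over a region: the in-process analogue of the
 * `strings /dev/mem | grep MY_PASSWORD` check from the thread. */
static int memory_contains(const unsigned char *hay, size_t n,
                           const unsigned char *needle, size_t m)
{
    if (m == 0 || m > n)
        return 0;
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0)
            return 1;
    return 0;
}

/* Simulates a program that copies a password into a working buffer in order
 * to authenticate, then either forgets about it (wipe == 0) or scrubs it
 * (wipe == 1). Returns 1 if the password bytes are still present in the
 * buffer afterwards, 0 if not, -1 if the password does not fit. */
int password_residue_after_use(const char *password, int wipe)
{
    unsigned char work[128];        /* constructed: 128-byte working buffer */
    size_t plen = strlen(password);
    if (plen + 1 > sizeof work)
        return -1;

    /* Pin the buffer so the secret cannot be paged out to swap. Unprivileged
     * processes can fail here on RLIMIT_MEMLOCK; the wipe below still runs. */
    int locked = (mlock(work, sizeof work) == 0);

    memcpy(work, password, plen + 1);
    /* ... a real program would hash and compare the password here ... */

    if (wipe)
        secure_wipe(work, sizeof work);   /* scrub while still locked */

    int residue = memory_contains(work, sizeof work,
                                  (const unsigned char *)password, plen);
    if (locked)
        munlock(work, sizeof work);
    return residue;
}

int main(void)
{
    /* constructed sample value, not a real credential */
    const char *pw = "constructed-example-password";
    printf("without wipe: residue=%d\n", password_residue_after_use(pw, 0));
    printf("with wipe:    residue=%d\n", password_residue_after_use(pw, 1));
    return 0;
}
```

Two caveats follow from the thread itself. The copies the journal author saw came from `/dev/mem`, that is, from kernel memory (tty input buffers, the display manager, sudo's own process), and wiping inside one program only removes that program's copies; the other comments show that reading `/dev/mem` already needs root ("Permission denied" for a non-wheel user), and current Linux kernels built with CONFIG_STRICT_DEVMEM restrict it further. And mlock() is only advisory in practice: the first comment is right that suspend-to-disk writes all of RAM out regardless of what is locked.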
