On 2020-02-06 19:46, Josef Reidinger wrote:
> Also we should maybe somehow mention that when Y2DEBUG is set to 1, then it logs everything including passwords as it logs also on UI layer (by default not enabled).

Is this true and tested and confirmed, or is this an urban legend in the
making?

Careful what information we are spreading; some people might mistake
such a wild guess for serious information. I am pretty sure that the UI
does NOT log any passwords. Never ever. The code doesn't CONTAIN any
yuiDebug() call, let alone leaking any confidential information, much
less passwords or even single keystrokes.

https://github.com/libyui/libyui/blob/master/src/YInputField.cc
https://github.com/libyui/libyui-qt/blob/master/src/YQInputField.cc
https://github.com/libyui/libyui-ncurses/blob/master/src/NCInputField.cc

I also took great care to explicitly NOT log any passwords in the macro
that we write during installation.

So, where did you see any password information leaked by the UI? I am
very sure that this does not happen.

If any other YaST component logs large hashes that may also contain
passwords, that's another matter; but in that case, this is where we
need to fix things.

Kind regards
--
Stefan Hundhammer