** Package changed: apparmor (Ubuntu) => policykit-1 (Ubuntu)

** Bug watch added: Debian Bug tracker #1093276
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1093276
** Also affects: policykit-1 (Debian) via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1093276
   Importance: Unknown
       Status: Unknown

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to policykit-1 in Ubuntu.
https://bugs.launchpad.net/bugs/2095001

Title:
  Very weird and dangerous bug in systemd's sudoing (polkit?) process

Status in policykit-1 package in Ubuntu:
  New
Status in policykit-1 package in Debian:
  Unknown

Bug description:
  Hello,

  I have a YubiKey (of type "Security Key NFC"). I configured it under
  Linux, following their guide:
  https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F

  In particular, I've protected the running of "sudo" and "sudo-i" calls,
  by requiring a touch to the YubiKey after typing the password. More
  precisely, I added this line to these files:

  ---
  /etc/pam.d/sudo{,-i}
  auth required pam_u2f.so
  ---

  I just discovered the following very troubling fact: when calling, as a
  user, on the command line, a command that requires root privileges, I'm
  asked to enter my password (automatic sudo from systemd?/polkit?). This
  seems OK. But if I type my (correct) password, but then do not validate
  it by hitting return, then let the login/sudo timeout trigger, then *my
  actual password gets copy-pasted on the command line!!!!*

  Example:

  ```
  [✘] user@localmachine:~$ service ollama stop
  ==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ====
  Authentication is required to stop 'ollama.service'.
  Authenticating as: USER,,, (user)
  Password: Failed to stop ollama.service: Connection timed out    ### <- Here I type my password, do not validate it with "Return", then let the timeout trigger
  See system logs and 'systemctl status ollama.service' for details.
  polkit-agent-helper-1: pam_authenticate failed: Authentication failure
  [✘] user@localmachine:~$ MyPassw0rd!
  ```

  I'm not sure what mechanism is at work here, but this is VERY bad!!!

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/policykit-1/+bug/2095001/+subscriptions
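
One plausible cause, which the report itself does not establish, is that characters typed at a no-echo prompt without Return stay in the terminal's input queue when the prompt times out and are then read by the shell. The following added example (not code from polkit, systemd or the reporter; all function names are hypothetical) reproduces that behaviour on a constructed pseudo-terminal and shows `tcflush(TCIFLUSH)` on timeout discarding the pending input.

```python
import os
import pty
import select
import termios

def prompt_with_timeout(fd, timeout, flush_on_timeout):
    """Hypothetical password prompt: echo off, canonical mode, None on timeout."""
    saved = termios.tcgetattr(fd)
    quiet = termios.tcgetattr(fd)
    quiet[3] &= ~termios.ECHO                 # lflag: hide typed characters
    termios.tcsetattr(fd, termios.TCSANOW, quiet)
    try:
        ready, _, _ = select.select([fd], [], [], timeout)
        if ready:                             # a full line was submitted
            return os.read(fd, 4096).rstrip(b"\n")
        if flush_on_timeout:
            # Discard keystrokes that were typed but never submitted.
            termios.tcflush(fd, termios.TCIFLUSH)
        return None
    finally:
        # TCSANOW on purpose: TCSAFLUSH would itself drop pending input.
        termios.tcsetattr(fd, termios.TCSANOW, saved)

def next_reader_sees(fd):
    """Stand-in for the shell's line editor: non-canonical read of pending input."""
    saved = termios.tcgetattr(fd)
    raw = termios.tcgetattr(fd)
    raw[3] &= ~(termios.ICANON | termios.ECHO)
    termios.tcsetattr(fd, termios.TCSANOW, raw)
    try:
        ready, _, _ = select.select([fd], [], [], 0.2)
        return os.read(fd, 4096) if ready else b""
    finally:
        termios.tcsetattr(fd, termios.TCSANOW, saved)

def leftover_after_timeout(flush_on_timeout, typed=b"MyPassw0rd!"):
    """Type `typed` (sample value from the report) with no Return, let the prompt expire."""
    master, slave = pty.openpty()             # constructed terminal pair
    try:
        os.write(master, typed)
        if prompt_with_timeout(slave, 0.3, flush_on_timeout) is not None:
            raise RuntimeError("prompt unexpectedly received a complete line")
        return next_reader_sees(slave)
    finally:
        os.close(master)
        os.close(slave)

if __name__ == "__main__":
    print("no flush  :", leftover_after_timeout(False))
    print("with flush:", leftover_after_timeout(True))
```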