When I run set | less as a user, my root password is displayed in the last line of rules.

I'm a bit concerned about this.

I'm running Slackware 13.1 32bit.

set is supposed to display variables. I just checked on my computer and my root password is not displayed in 'set'. Evidently some script or program has placed it there.

The sudoers file perhaps?
Do you have an auto-su program of some sort?

I tested it in -current (32bit) and it did not show the password. If my last command was "su" before running "set | less" it will keep that variable _=su as the last line. It did not show my root password though.

I think as long as you are not using the superuser command from an untrusted user, you'd be ok. I would try, at all cost, to avoid using "su" from an untrusted user account.

That's what happened. It was after I had logged in as su to do a few things. However, I have tried to recreate the situation and I'm happy to say it's not happening anymore.

Good enough I guess.

I don't have any auto-su programs. It was after logging in and out of su when it happened.

My guess is that you tried to su while you were already root, thus su didn't prompt you for a password but you didn't notice and as you were expecting to have to type it your fingers carried on on autopilot and typed your password on the command line.
'set' shows the last command you typed on the _= so if you accidentally typed your password in like this it will show up.

You should be able to confirm that this is what has happened by checking roots .bash_history (which you probably ought to clear out to remove traces of the password).


Not saying this is what did happen, but it's a plausible explanation.

2 members found this post helpful.

I checked roots .bash_history for the password and it came up negative. It's quite baffling, but at least it's not happening anymore.