Bug 1419 - World readable bash history files
Status: CLOSED NOTABUG
Product: Red Hat Linux
Classification: Retired
Component: rootfiles
Version: 5.2
Hardware: All Linux
Priority: high, Severity: medium
Assigned To: Cristian Gafton
: Security
Reported: 1999-03-04 04:36 EST by tarvin
Modified: 2008-05-01 11:37 EDT
Doc Type: Bug Fix
Last Closed: 1999-04-09 17:31:12 EDT
Description tarvin 1999-03-04 04:36:01 EST
The bash history file security problem mentioned in
http://www.wired.com/news/news/technology/story/18109.html
also applies to Red Hat:

The users' (including root's) .bash_history files are
created World readable. I consider this a potentially high
security problem.

A proposed fix:
Include empty .bash_history files in the "skel" and
"rootfiles" RPM packages and make the files non-World
readable.

Another solution might be to patch bash so that it doesn't
create World readable history files.
Comment 1 seva 1999-03-15 03:35:59 EST
Please read that article again... it talks about Cobalt misconfiguring
their Cube product, this is not a problem with Red Hat Linux...

To verify, add new user (useradd foo), change to that user (su - foo),
type in some commands (ls -l), logout, change to that user again
(su - foo), look at .bash_history:
-rw-------   1 foo      foo             6 Mar 15 02:27 .bash_history

As well as this quote from the article which you posted, but failed to
read:

"He was unable to find similar exposure on sites running the Linux OS
that did not use the Cobalt RaQ."

/Seva
Comment 2 Preston Brown 1999-03-29 17:24:59 EST
This problem does not exist in Red Hat Linux 5.9 beta, but I was able
to determine that on a number of 5.2 boxes, ~root/.bash_history is
world readable.  However, I'm not sure it merits a security release.
Cristian, what is your opinion of the situation?
Comment 3 Michael K. Johnson 1999-04-09 17:31:59 EDT
This is not a security issue -- the commands that root runs are
available in ps listings while they are running anyway.
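
Added example (not part of the original bug thread): the manual check from Comment 1, generalized to every account listed in a passwd file, root included. The function name `audit_history` and its optional root-prefix parameter are hypothetical; it goes slightly beyond the report by flagging group-readable as well as world-readable history files, using the same `ls -l` mode string shown in Comment 1.

```shell
#!/bin/sh
# Added example, not code from Red Hat or from the bug thread.
# audit_history PASSWD_FILE [ROOT_PREFIX]
#   PASSWD_FILE  passwd(5)-format file, normally /etc/passwd
#   ROOT_PREFIX  optional prefix prepended to each home directory
#                (hypothetical parameter: lets the check run against a
#                mounted disk image or a constructed test tree)
# Prints "user path mode" for every .bash_history that group or other
# can read. Returns 1 if at least one such file was found, else 0.
audit_history() {
    passwd_file=$1
    prefix=${2:-}
    found=0
    # passwd fields: name:password:uid:gid:gecos:home:shell
    while IFS=: read -r user _ _ _ _ home _; do
        [ -n "$home" ] || continue
        hist="$prefix$home/.bash_history"
        [ -f "$hist" ] || continue
        # First 10 characters of the ls mode column, e.g. "-rw-------".
        # -L follows a symlinked history file to its target; cutting at
        # 10 drops any trailing ACL or SELinux marker ("+" or ".").
        mode=$(ls -ldL -- "$hist" | cut -c1-10)
        case $mode in
            # 5th character = group read, 8th character = other read
            ????r?????|???????r??)
                echo "$user $hist $mode"
                found=1
                ;;
        esac
    done < "$passwd_file"
    return "$found"
}

# Typical use on a live system:
#   audit_history /etc/passwd
# A flagged file is brought back to the mode shown in Comment 1
# (-rw-------) with: chmod 600 <path>
```
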
