Red Hat Bugzilla – Bug 1419
World readable bash history files
Last modified: 2008-05-01 11:37:49 EDT
The bash history file security problem mentioned in
also applies to Red Hat:
The users' (including root's) .bash_history files are
created World readable. I consider this a potentially high
A proposed fix:
Include empty .bash_history files in the "skel" and
"rootfiles" RPM packages and make the files non-World
Another solution might be to patch bash so that it doesn't
create World readable history files.
Please read that article again... it talks about Cobalt misconfiguring
their Cube product, this is not a problem with Red Hat Linux...
To verify, add new user (useradd foo), change to that user (su - foo),
type in some commands (ls -l), logout, change to that user again
(su - foo), look at .bash_history:
-rw------- 1 foo foo 6 Mar 15 02:27 .bash_history
As well as this quote from the article which you posted, but failed to
"He was unable to find similar exposure on sites running the Linux OS
that did not use the Cobalt RaQ."
This problem does not exist in Red Hat Linux 5.9 beta, but I was able
to determine that on a number of 5.2 boxes, ~root/.bash_history is
world readable. However, I'm not sure it merits a security release.
Cristian, what is your opinion of the situation?
This is not a security issue -- the commands that root runs are
available in ps listings while they are running anyway.
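
The single-user check from the verification steps above, extended to every home directory under a base path, as an added example (not part of this bug thread or of any Red Hat tooling): it lists `.bash_history` files readable by group or other and tightens them to mode 0600. The function names and the one-directory-per-user layout are assumptions, and the demo runs on a constructed temporary tree rather than real home directories.

```sh
#!/bin/sh
# Added example: audit and repair .bash_history permissions.
# Assumption: BASE holds one directory per user (e.g. /home), history file at BASE/<user>/.bash_history.

# audit_history BASE
# Print every regular .bash_history file under BASE/<user>/ that has the
# group-read or other-read bit set. Symlinks are skipped (-type f).
audit_history() {
    find "$1" -mindepth 2 -maxdepth 2 -name .bash_history -type f \
        \( -perm -040 -o -perm -004 \) -print
}

# fix_history BASE
# Set every file reported by audit_history to 0600 (owner read/write only),
# the mode shown in the listing in the thread.
fix_history() {
    audit_history "$1" | while IFS= read -r f; do
        chmod 600 "$f" && printf 'fixed %s\n' "$f"
    done
}

# demo: build a constructed tree with one exposed and one private file,
# then audit, fix, and audit again.
demo() {
    base=$(mktemp -d) || return 1
    mkdir -p "$base/foo" "$base/bar"
    ( umask 022; echo 'ls -l' > "$base/foo/.bash_history" )  # 0644: exposed
    ( umask 077; echo 'ls -l' > "$base/bar/.bash_history" )  # 0600: private
    echo "exposed before fix:"
    audit_history "$base"
    fix_history "$base"
    echo "exposed after fix:"
    audit_history "$base"
    rm -rf "$base"
}

demo
```

On a real system, pass the home base (and root's home's parent, if applicable) to `audit_history` first and review the list before running `fix_history`.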