Zsh Mailing List Archive
Security hole in history handling for root
- X-seq: zsh-workers 26224
- From: "Richard Hartmann" <richih.mailinglist@xxxxxxxxx>
- To: "Zsh Workers" <zsh-workers@xxxxxxxxxx>
- Subject: Security hole in history handling for root
- Date: Thu, 1 Jan 2009 15:32:47 +0100
- Mailing-list: contact zsh-workers-help@xxxxxxxxxx; run by ezmlm
Hi all,
zsh does not complain when loading from or writing
to a history file which is not owned by root or 600.
My suggestion is that a warning similar to compaudit's
is introduced, both on loading and writing. People who
share history between root and their normal users might
appreciate an option to turn this off, but personally, I
think that is bad style, anyway.
For reference:
roadwarrior ~ # l .zsh_history
-rw-rw-rw- 1 richih richih 78515 2009-01-01 15:23 .zsh_history
roadwarrior ~ # zsh
roadwarrior ~ # mv .zsh zsh
roadwarrior ~ # ln -s /home/richih/.zsh .zsh
roadwarrior ~ # zsh
zsh compinit: insecure directories, run compaudit for list.
Ignore insecure directories and continue [y] or abort compinit [n]?
Richard
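
The check suggested in the message above could be sketched as follows. This is an added example, not part of the original post and not zsh's own code; the function names `perm_uid` and `audit_histfile` are hypothetical, and checking the containing directory as well as the file is an assumption modelled on what compaudit does for completion directories.

```sh
# perm_uid PATH: print "<mode-string> <numeric-uid>" for PATH.
# -L makes ls judge a symlink by its target, so a link into another
# user's home is reported with that user's ownership.
perm_uid() {
    ls -lnLd -- "$1" 2>/dev/null | awk '{ print $1, $3; exit }'
}

# audit_histfile FILE [UID] (hypothetical helper)
# Returns 0 when FILE is owned by UID (default: the invoking user, 0 for
# root) with no group/other permission bits, and its directory is owned
# by UID and not group- or world-writable. Warnings go to stderr.
audit_histfile() (
    file=$1
    want=${2:-$(id -u)}
    rc=0

    if [ -e "$file" ]; then
        info=$(perm_uid "$file")
        mode=${info% *} uid=${info#* }
        if [ "$uid" != "$want" ]; then
            echo "history audit: $file owned by uid '$uid', expected $want" >&2
            rc=1
        fi
        case $mode in
            ????------*) ;;   # no group/other bits, e.g. mode 600
            *) echo "history audit: $file has mode $mode, expected 600" >&2
               rc=1 ;;
        esac
    fi

    # Whoever controls the directory can replace the history file.
    dir=$(dirname -- "$file")
    info=$(perm_uid "$dir")
    mode=${info% *} uid=${info#* }
    if [ "$uid" != "$want" ]; then
        echo "history audit: $dir owned by uid '$uid', expected $want" >&2
        rc=1
    fi
    case $mode in
        ?????-??-?*) ;;       # neither group nor other may write
        *) echo "history audit: $dir is group/world-writable ($mode)" >&2
           rc=1 ;;
    esac
    return $rc
)
```

Called as `audit_histfile "$HISTFILE"` from root's startup file, it would flag both the `-rw-rw-rw-` file owned by richih and the symlinked `.zsh` directory shown in the session above.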