|
| From: | anonymous |
| Subject: | [screen-devel] [bug #45381] sudo screen - bash logs root commands to user .bash_history |
| Date: | Tue, 23 Jun 2015 12:54:58 +0000 |
| User-agent: | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0 |
URL:
<http://savannah.gnu.org/bugs/?45381>
Summary: sudo screen - bash logs root commands to user
.bash_history
Project: GNU Screen
Submitted by: None
Submitted on: Tue 23 Jun 2015 12:54:57 PM UTC
Category: None
Severity: 3 - Normal
Priority: 5 - Normal
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
Release: 4.2.1
Fixed Release: None
Planned Release: None
Work Required: None
_______________________________________________________
Details:
If screen is started via sudo, then the bash logs all commands typed by root
to the .bash_history file of the user that issued the sudo command. They are
then readable by that user.
This is a security issue.
Observed both in the latest commit (d77e2be25149c8593c611bc785e16fc062cb26c4)
as well as in Ubuntu 14.04 (Screen version 4.01.00devel (GNU) 2-May-06).
Example:
address@hidden:/mnt/medium/user/git/screen$ sudo src/screen
[screen is starting]
address@hidden:/mnt/medium/user/git/screen# echo THIS_IS_SECRET__R_O_O_T__STUFF
THIS_IS_SECRET__R_O_O_T__STUFF
address@hidden:/mnt/medium/user/git/screen#
[screen is terminating]
address@hidden:/mnt/medium/user/git/screen$ tail -1 ~/.bash_history
echo THIS_IS_SECRET__R_O_O_T__STUFF
_______________________________________________________
Reply to this item at:
<http://savannah.gnu.org/bugs/?45381>
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
| [Prev in Thread] | Current Thread | [Next in Thread] |