|
From: | anonymous |
Subject: | [screen-devel] [bug #45381] sudo screen - bash logs root commands to user .bash_history |
Date: | Tue, 23 Jun 2015 12:54:58 +0000 |
User-agent: | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0 |
URL: <http://savannah.gnu.org/bugs/?45381> Summary: sudo screen - bash logs root commands to user .bash_history Project: GNU Screen Submitted by: None Submitted on: Tue 23 Jun 2015 12:54:57 PM UTC Category: None Severity: 3 - Normal Priority: 5 - Normal Status: None Privacy: Public Assigned to: None Open/Closed: Open Discussion Lock: Any Release: 4.2.1 Fixed Release: None Planned Release: None Work Required: None _______________________________________________________ Details: If screen is started via sudo, then the bash logs all commands typed by root to the .bash_history file of the user that issued the sudo command. They are then readable by that user. This is a security issue. Observed both in the latest commit (d77e2be25149c8593c611bc785e16fc062cb26c4) as well as in Ubuntu 14.04 (Screen version 4.01.00devel (GNU) 2-May-06). Example: address@hidden:/mnt/medium/user/git/screen$ sudo src/screen [screen is starting] address@hidden:/mnt/medium/user/git/screen# echo THIS_IS_SECRET__R_O_O_T__STUFF THIS_IS_SECRET__R_O_O_T__STUFF address@hidden:/mnt/medium/user/git/screen# [screen is terminating] address@hidden:/mnt/medium/user/git/screen$ tail -1 ~/.bash_history echo THIS_IS_SECRET__R_O_O_T__STUFF _______________________________________________________ Reply to this item at: <http://savannah.gnu.org/bugs/?45381> _______________________________________________ Message sent via/by Savannah http://savannah.gnu.org/
[Prev in Thread] | Current Thread | [Next in Thread] |