bug-bash
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: If $HISTFILE is set to /dev/null and you execute more commands than

From: Jonathan Hankins
Subject: Re: If $HISTFILE is set to /dev/null and you execute more commands than $HISTFILESIZE, /dev/null is deleted.
Date: Fri, 30 Jan 2015 14:50:27 -0600
I agree about being able to use named pipes, etc. as HISTFILE.  My concern is that I think there may be a code path that leads to rename() and open(O_TRUNC...) being called on something that isn't a regular file.  Furthermore, I think that if someone can manipulate a user's HISTFILE setting maliciously, there may be a code path to cause an unwitting overwrite of a file whose name ends in hyphen.  

Specifically, if lib/readline/histfile.c:{append,write}_history() get called, in turn history_do_write() is called, which results in an open with append or a trunc, and when overwrite is set, a rename to HISTFILE + "-".  It doesn't look like the return value from rename(output, bakname) is tested, and if the open() on HISTFILE fails, it does a rename(bakname, output) to "restore" the backup, also not checking the return value from rename().  I believe this could even do something bad such as renaming /etc/shadow- to /etc/shadow, clobbering the current /etc/shadow, etc. (assuming you are root).

Aside from the case where the user running bash is root, I think it's not uncommon for users to have group write access to a variety of things in /dev.

If I can get some time, I will play around with it over the weekend and see if I can confirm my suspicions.

-Jonathan Hankins


On Fri, Jan 30, 2015 at 1:25 PM, Chet Ramey <chet.ramey@case.edu> wrote:
On 1/30/15 2:09 PM, Jonathan Hankins wrote:
> A test with the POSIX S_ISREG macro on HISTFILE will determine if it, or
> the file it points to in the case of a symlink, is a regular file.
>
> Just looked through the source, and it looks like general.c:file_exists()
> does not do any special handling of non-regular files, and
> lib/readline/histfile.c:history_do_write() calls open() and rename() on
> HISTFILE without checking if it is a non-regular file, which I imagine
> could lead to various "bad things" in the case of pipes, char and block
> devices, etc. such as what the OP pointed about about "/dev/null".

Well, like always, it depends.  The current implementation allows a user
to use a named pipe with a different program running to be a `history
file'.  That flexibility can be valuable.

I don't think that readline should be attempting to do backups of non-
regular files, though.  The history file truncation code, which is called
when HISTFILESIZE is changed, already rejects attempts to use non-regular
files.

--
``The lyf so short, the craft so long to lerne.'' - Chaucer
                 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, ITS, CWRU    chet@case.edu    http://cnswww.cns.cwru.edu/~chet/




--
------------------------------------------------------------------------
Jonathan Hankins    Homewood City Schools

The simplest thought, like the concept of the number one,
has an elaborate logical underpinning. - Carl Sagan

jhankins@homewood.k12.al.us
------------------------------------------------------------------------

reply via email to
[Prev in Thread] Current Thread [Next in Thread]