
Re: [Full-disclosure] encrypt the bash history



On Fri, Feb 04, 2011 at 04:18:53PM -0300, Zerial. wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 02/04/11 16:13, Valdis.Kletnieks@xxxxxx wrote:
> > On Fri, 04 Feb 2011 16:06:06 -0300, "Zerial." said:
> >> what is the best way to encrypt the bash_history file?
> >> I tried encrypting/decrypting it with GPG at login/logout. It works, but it is not
> >> safe enough.
> > 
> > Explain what the threat model is, and why GPG isn't safe enough?  It's kind of
> > hard to recommend "best" when we don't understand what the criteria are...
> > 
> 
> The "way" is not safe enough. root can log in as me (su - user) and
> bash_history will be decrypted. I am trying to find a better way to encrypt
> the bash_history file and make it unreadable to any other users,
> including root.

Not to mention the fact that your .bash_history file is unencrypted
the entire time you're logged in.  A better alternative, if you're
that anxious about your shell history falling into the wrong hands, is
to disable it entirely:

unset HISTFILE
HISTSIZE=0

You can also tell bash to not record commands that begin with a space:
HISTCONTROL=ignorespace

More fine-grained control can be achieved with the HISTIGNORE
variable.  See the 'Shell Variables' section of the bash(1) manpage.

Finally, I wrote these functions to toggle history recording on/off
in a shell.  I like how this works, when I remember to run it beforehand:

# turn off history recording
function offtherecord()
{
    # remember the current settings so ontherecord can restore them
    if [[ -n "$HISTFILE" ]]; then
        OLDHISTFILE=$HISTFILE
        unset HISTFILE
    fi
    if [[ -n "$HISTSIZE" ]]; then
        OLDHISTSIZE=$HISTSIZE
        HISTSIZE=0
    fi
}

# turn on history recording
function ontherecord()
{
    if [[ -n "$OLDHISTFILE" ]]; then
        HISTFILE=$OLDHISTFILE
        unset OLDHISTFILE
    fi
    # test the saved value, not HISTSIZE itself, so that calling this
    # without a prior offtherecord does not blank HISTSIZE
    if [[ -n "$OLDHISTSIZE" ]]; then
        HISTSIZE=$OLDHISTSIZE
        unset OLDHISTSIZE
    fi
}

Once you've run offtherecord, you lose all of your history for that shell until
you log back in.

-- 
Erik Falor
Registered Linux User #445632 http://counter.li.org
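
Added example, not part of the original message: a sketch of how the HISTCONTROL and HISTIGNORE settings mentioned above decide whether a line reaches the history list, following the rules in bash(1). The names would_record and demo, the sample session and the settings are constructed for illustration; an "&" in HISTIGNORE is treated as "previous line" only when it is the whole pattern.

```bash
# Added example: predict whether bash would save a command line to its
# history list under given HISTCONTROL / HISTIGNORE values (see bash(1)).
# Usage: would_record CMD PREV_CMD HISTCONTROL HISTIGNORE
# Status 0 = saved, 1 = skipped. would_record is a hypothetical helper name.
# Simplification: "&" means "previous line" only when it is the whole pattern.
would_record() (
    # The body runs in a subshell, so IFS, set -f and exit stay local to it.
    cmd=$1 prev=$2 control=$3 ignore=$4
    set -f      # do not expand the patterns against file names
    IFS=:       # both variables are colon-separated lists
    for opt in $control; do
        case $opt in
            ignorespace) case $cmd in ' '*) exit 1 ;; esac ;;
            ignoredups)  if [ "$cmd" = "$prev" ]; then exit 1; fi ;;
            ignoreboth)
                case $cmd in ' '*) exit 1 ;; esac
                if [ "$cmd" = "$prev" ]; then exit 1; fi ;;
            # erasedups prunes older duplicates but still saves the line
        esac
    done
    for pat in $ignore; do
        if [ "$pat" = '&' ]; then
            if [ "$cmd" = "$prev" ]; then exit 1; fi
            continue
        fi
        # Unquoted $pat is a glob that must match the complete line.
        case $cmd in $pat) exit 1 ;; esac
    done
    exit 0
)
# Constructed sample session checked against constructed settings.
demo() {
    prev=''
    while IFS= read -r line; do
        if would_record "$line" "$prev" 'ignoreboth' 'gpg *:ls'; then
            echo "saved:   [$line]"; prev=$line
        else
            echo "skipped: [$line]"
        fi
    done <<'EOF'
ls
ls -la
 mysql -u app -pS3cret
gpg --decrypt notes.gpg
pwd
pwd
EOF
}
demo
```

The HISTIGNORE entry "ls" skips only a bare "ls"; "ls -la" is still saved because each pattern has to match the complete line.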


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/