zsh-workers
* Security hole in history handling for root
From: Richard Hartmann @ 2009-01-01 14:32 UTC
  To: Zsh Workers

Hi all,

zsh does not complain when loading from or writing
to a history file which is not owned by root or 600.

My suggestion is that a warning similar to compaudit's
is introduced, both on loading and writing. People who
share history between root and their normal users might
appreciate an option to turn this off, but personally, I
think that is bad style, anyway.

For reference:

roadwarrior ~ # l .zsh_history
-rw-rw-rw- 1 richih richih 78515 2009-01-01 15:23 .zsh_history
roadwarrior ~ # zsh
roadwarrior ~ # mv .zsh zsh
roadwarrior ~ # ln -s /home/richih/.zsh .zsh
roadwarrior ~ # zsh
zsh compinit: insecure directories, run compaudit for list.
Ignore insecure directories and continue [y] or abort compinit [n]?


Richard
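One way to implement the check this message asks for, written here as an added example in POSIX shell (it is not zsh's own code and not part of the thread): it audits the history file the way compaudit audits completion directories, rejecting a symlink, a file owned by someone other than the current user, or a file that group or others can read or write. The function names, the GNU/BSD stat fallback and the warning text are this example's own assumptions; drop it into a startup file and call audit_histfile before history is read.

```sh
#!/bin/sh
# Added example, not zsh's own code: audit the history file before use.

# hist_perm_ok MODE OWNER_UID EXPECTED_UID
# Succeeds only if OWNER_UID matches EXPECTED_UID and the group/other
# permission bits of MODE (octal) are all zero, i.e. mode 600 or 400.
hist_perm_ok() {
    mode=$1; owner=$2; expected=$3
    [ "$owner" = "$expected" ] || return 1
    # keep the low three octal digits (GNU stat may print four with suid etc.)
    perm=$(printf '%s' "$mode" | sed 's/.*\(...\)$/\1/')
    case "$perm" in
        ?00) return 0 ;;
        *)   return 1 ;;
    esac
}

# file_stat FILE -> "mode uid" of FILE itself (not of a symlink target).
# GNU stat first, BSD/macOS stat as fallback (assumption of this example).
file_stat() {
    stat -c '%a %u' "$1" 2>/dev/null || stat -f '%Lp %u' "$1"
}

# audit_histfile [FILE]
# Defaults to $HISTFILE or ~/.zsh_history. Returns 0 if the file is absent
# or safe, 1 (with a compaudit-style warning on stderr) if it is insecure.
audit_histfile() {
    f=${1:-${HISTFILE:-$HOME/.zsh_history}}
    [ -e "$f" ] || [ -L "$f" ] || return 0
    me=$(id -u)
    # A symlink lets the link owner redirect root's history to any path.
    if [ -L "$f" ]; then
        printf 'zsh history: %s is a symbolic link; refusing to use it\n' "$f" >&2
        return 1
    fi
    set -- $(file_stat "$f")
    if hist_perm_ok "$1" "$2" "$me"; then
        return 0
    fi
    printf 'zsh history: insecure history file %s (mode %s, owner uid %s); expected mode 600 owned by uid %s\n' \
        "$f" "$1" "$2" "$me" >&2
    return 1
}
```

With this in place, a world-writable history file like the one in the listing above produces a warning instead of being loaded silently; the caller decides whether to fall back to no history or to continue, mirroring compaudit's prompt.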



* Re: Security hole in history handling for root
From: Richard Hartmann @ 2009-01-21 16:54 UTC
  To: Zsh Workers

Bump.

This is a potential security issue. If you only look at one
of my bumps, look at this one.


Richard

On Thu, Jan 1, 2009 at 15:32, Richard Hartmann
<richih.mailinglist@gmail.com> wrote:
> Hi all,
>
> zsh does not complain when loading from or writing
> to a history file which is not owned by root or 600.
>
> My suggestion is that a warning similar to compaudit's
> is introduced, both on loading and writing. People who
> share history between root and their normal users might
> appreciate an option to turn this off, but personally, I
> think that is bad style, anyway.
>
> For reference:
>
> roadwarrior ~ # l .zsh_history
> -rw-rw-rw- 1 richih richih 78515 2009-01-01 15:23 .zsh_history
> roadwarrior ~ # zsh
> roadwarrior ~ # mv .zsh zsh
> roadwarrior ~ # ln -s /home/richih/.zsh .zsh
> roadwarrior ~ # zsh
> zsh compinit: insecure directories, run compaudit for list.
> Ignore insecure directories and continue [y] or abort compinit [n]?
>
>
> Richard
>



* Re: Security hole in history handling for root
From: Peter Stephenson @ 2009-01-21 17:18 UTC
  To: Richard Hartmann; +Cc: Zsh Workers

Richard Hartmann wrote:
> Bump.
> 
> This is a potential security issue.
>
>> zsh does not complain when loading from or writing
>> to a history file which is not owned by root or 600.

Is it?  zsh doesn't look at initialisation files, either.  That's surely
much more significant because they will be executed without any
indication.  In the case of history, you get to see it unless you use !.
If you can overwrite someone's history, you can overwrite their .zshrc.
Are you worried about an imported HISTFILE variable?  There are lots of
potentially dangerous environment variables we don't sanitize (PATH,
ZDOTDIR, ...).

Or is this only a problem with shared history?  I think Wayne added some
arrangements to make history from elsewhere appear different which could
presumably be extended.

If I can be convinced there is something specific in this case, as
opposed to a general security hole that needs much more thinking about,
it can be dealt with, but I haven't seen why yet.

(By the way, I realise Bart suggested you repost things, but the net
effect is likely to be that I increase my threshold below which I ignore
things even further.  If all these sorts of things are to be tackled we
NEED repeat NEED repeat NEED more people to work on bug fixes.)

-- 
Peter Stephenson <pws@csr.com>                  Software Engineer
CSR PLC, Churchill House, Cambridge Business Park, Cowley Road
Cambridge, CB4 0WZ, UK                          Tel: +44 (0)1223 692070



* Re: Security hole in history handling for root
From: Richard Hartmann @ 2009-01-21 17:54 UTC
  To: Peter Stephenson; +Cc: Zsh Workers

On Wed, Jan 21, 2009 at 18:18, Peter Stephenson <pws@csr.com> wrote:

> If I can be convinced there is something specific in this case, as
> opposed to a general security hole that needs much more thinking about,
> it can be dealt with, but I haven't seen why yet.

In that case, don't bother. As the RC files are checked, I assumed you
wanted to get a report for everything which goes in that direction.


> (By the way, I realise Bart suggested you repost things, but the net
> effect is likely to be that I increase my threshold below which I ignore
> things even further.  If all these sorts of things are to be tackled we
> NEED repeat NEED repeat NEED more people to work on bug fixes.)

Would if I could, but I am not firm enough in C to be of any deeper
help. Sorry.

Would it help you or anyone if there was a bug tracker? SF.net offers
one or I could set one up, if you want me to.


Richard



* Re: Security hole in history handling for root
From: Peter Stephenson @ 2009-01-21 18:04 UTC
  To: Zsh Workers

Richard Hartmann wrote:
> On Wed, Jan 21, 2009 at 18:18, Peter Stephenson <pws@csr.com> wrote:
> 
> > If I can be convinced there is something specific in this case, as
> > opposed to a general security hole that needs much more thinking about,
> > it can be dealt with, but I haven't seen why yet.
> 
> In that case, don't bother. As the RC files are checked, I assumed you
> wanted to get a report for everything which goes in that direction.

The only files checked are the completion ones.  I think the feeling
there was that with a sprawling and unfamiliar system where the test
could easily be added at the function level it was worthwhile.  I am not
aware of any security tests for any files used by the main shell.

Obviously a shell is powerful enough that you can dig a huge hole for
yourself; I'm interested in clearing up zsh-specific things where we've
let users in for some new form of attack, but not for solving the
general problem of shell security, which needs to be done by security
experts.

> Would it help you or anyone if there was a bug tracker? SF.net offers
> one or I could set one up, if you want me to.

It would help a great deal if someone *maintained* the SF bug tracker.
This is quite a big job in its own right.  Obviously this would involve
following the lists pretty closely and soliciting opinions, but it
wouldn't need any programming knowledge.  We could probably limit its
use to things that didn't get fixed within a day or so, since there's
often quite a lot of turnover.

-- 
Peter Stephenson <pws@csr.com>                  Software Engineer
CSR PLC, Churchill House, Cambridge Business Park, Cowley Road
Cambridge, CB4 0WZ, UK                          Tel: +44 (0)1223 692070



* Re: Security hole in history handling for root
From: Richard Hartmann @ 2009-01-21 23:06 UTC
  To: Peter Stephenson; +Cc: Zsh Workers

On Wed, Jan 21, 2009 at 19:04, Peter Stephenson <pws@csr.com> wrote:

> It would help a great deal if someone *maintained* the SF bug tracker.
> This is quite a big job in its own right.  Obviously this would involve
> following the lists pretty closely and soliciting opinions, but it
> wouldn't need any programming knowledge.  We could probably limit its
> use to things that didn't get fixed within a day or so, since there's
> often quite a lot of turnover.

Feel free to add richih@sf.net to the project with admin rights to the
bug tracker.


Richard

