I agree about being able to use named pipes, etc. as HISTFILE. My concern is that I think there may be a code path that leads to rename() and open(O_TRUNC...) being called on something that isn't a regular file. Furthermore, I think that if someone can manipulate a user's HISTFILE setting maliciously, there may be a code path to cause an unwitting overwrite of a file whose name ends in hyphen.
Specifically, if lib/readline/histfile.c:{append,write}_history() get called, in turn history_do_write() is called, which results in an open with append or a trunc, and when overwrite is set, a rename to HISTFILE + "-". It doesn't look like the return value from rename(output, bakname) is tested, and if the open() on HISTFILE fails, it does a rename(bakname, output) to "restore" the backup, also not checking the return value from rename(). I believe this could even do something bad such as renaming /etc/shadow- to /etc/shadow, clobbering the current /etc/shadow, etc. (assuming you are root).

Aside from the case where the user running bash is root, I think it's not uncommon for users to have group write access to a variety of things in /dev. If I can get some time, I will play around with it over the weekend and see if I can confirm my suspicions.

-Jonathan Hankins

On Fri, Jan 30, 2015 at 1:25 PM, Chet Ramey <chet.ra...@case.edu> wrote:
> On 1/30/15 2:09 PM, Jonathan Hankins wrote:
> > A test with the POSIX S_ISREG macro on HISTFILE will determine if it, or
> > the file it points to in the case of a symlink, is a regular file.
> >
> > Just looked through the source, and it looks like general.c:file_exists()
> > does not do any special handling of non-regular files, and
> > lib/readline/histfile.c:history_do_write() calls open() and rename() on
> > HISTFILE without checking if it is a non-regular file, which I imagine
> > could lead to various "bad things" in the case of pipes, char and block
> > devices, etc. such as what the OP pointed out about "/dev/null".
>
> Well, like always, it depends. The current implementation allows a user
> to use a named pipe with a different program running to be a `history
> file'. That flexibility can be valuable.
>
> I don't think that readline should be attempting to do backups of
> non-regular files, though. The history file truncation code, which is called
> when HISTFILESIZE is changed, already rejects attempts to use non-regular
> files.
>
> --
> ``The lyf so short, the craft so long to lerne.'' - Chaucer
> ``Ars longa, vita brevis'' - Hippocrates
> Chet Ramey, ITS, CWRU c...@case.edu
> http://cnswww.cns.cwru.edu/~chet/

--
------------------------------------------------------------------------
Jonathan Hankins
Homewood City Schools
The simplest thought, like the concept of the number one, has an elaborate logical underpinning. - Carl Sagan
jhank...@homewood.k12.al.us
------------------------------------------------------------------------
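A hardened variant of the rename-to-backup / open / restore sequence discussed in this thread, as an added example that is not bash or readline source: it refuses any target that is not a regular file (lstat plus the S_ISREG check proposed above) and tests both rename() results. The function name safe_history_write and its return-code convention are this example's own.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Write `len` bytes of history to `path`, keeping the previous file as
 * "path-" (the HISTFILE + "-" scheme described in the thread).
 * Returns 0 on success, -1 if refused or failed with the original left
 * intact, -2 if open() failed AND restoring the backup also failed. */
int safe_history_write(const char *path, const char *data, size_t len)
{
    struct stat st;
    int rc = lstat(path, &st);             /* never follow a symlink here */
    if (rc != 0 && errno != ENOENT)
        return -1;                         /* cannot inspect it: leave it */
    if (rc == 0 && !S_ISREG(st.st_mode))
        return -1;                         /* FIFO, device, dir, symlink */
    int had_old = (rc == 0);

    size_t n = strlen(path);
    char *bak = malloc(n + 2);             /* room for the trailing '-' */
    if (bak == NULL)
        return -1;
    memcpy(bak, path, n);
    bak[n] = '-';
    bak[n + 1] = '\0';

    /* Unlike the code discussed above, every rename() result is checked. */
    if (had_old && rename(path, bak) != 0) {
        free(bak);
        return -1;
    }
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0600);
    if (fd < 0) {
        int restored = had_old ? rename(bak, path) : 0;
        free(bak);
        return restored == 0 ? -1 : -2;    /* -2: backup could not be put back */
    }
    free(bak);
    size_t done = 0;
    while (done < len) {                   /* cope with short writes */
        ssize_t w = write(fd, data + done, len - done);
        if (w < 0) { close(fd); return -1; }
        done += (size_t)w;
    }
    return close(fd) == 0 ? 0 : -1;
}
```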