I agree about being able to use named pipes, etc. as HISTFILE.  My concern
is that I think there may be a code path that leads to rename() and
open(O_TRUNC...) being called on something that isn't a regular file.
Furthermore, I think that if someone can manipulate a user's HISTFILE
setting maliciously, there may be a code path to cause an unwitting
overwrite of a file whose name ends in hyphen.

Specifically, if lib/readline/histfile.c:{append,write}_history() get
called, in turn history_do_write() is called, which results in an open with
append or a trunc, and when overwrite is set, a rename to HISTFILE + "-".
It doesn't look like the return value from rename(output, bakname) is
tested, and if the open() on HISTFILE fails, it does a rename(bakname,
output) to "restore" the backup, also not checking the return value from
rename().  I believe this could even do something bad such as renaming
/etc/shadow- to /etc/shadow, clobbering the current /etc/shadow, etc.
(assuming you are root).

Aside from the case where the user running bash is root, I think it's not
uncommon for users to have group write access to a variety of things in
/dev.

If I can get some time, I will play around with it over the weekend and see
if I can confirm my suspicions.

-Jonathan Hankins


On Fri, Jan 30, 2015 at 1:25 PM, Chet Ramey <chet.ra...@case.edu> wrote:

> On 1/30/15 2:09 PM, Jonathan Hankins wrote:
> > A test with the POSIX S_ISREG macro on HISTFILE will determine if it, or
> > the file it points to in the case of a symlink, is a regular file.
> >
> > Just looked through the source, and it looks like general.c:file_exists()
> > does not do any special handling of non-regular files, and
> > lib/readline/histfile.c:history_do_write() calls open() and rename() on
> > HISTFILE without checking if it is a non-regular file, which I imagine
> > could lead to various "bad things" in the case of pipes, char and block
> > devices, etc. such as what the OP pointed out about "/dev/null".
>
> Well, like always, it depends.  The current implementation allows a user
> to use a named pipe with a different program running to be a `history
> file'.  That flexibility can be valuable.
>
> I don't think that readline should be attempting to do backups of non-
> regular files, though.  The history file truncation code, which is called
> when HISTFILESIZE is changed, already rejects attempts to use non-regular
> files.
>
> --
> ``The lyf so short, the craft so long to lerne.'' - Chaucer
>                  ``Ars longa, vita brevis'' - Hippocrates
> Chet Ramey, ITS, CWRU    c...@case.edu
> http://cnswww.cns.cwru.edu/~chet/
>
>


-- 
------------------------------------------------------------------------
Jonathan Hankins    Homewood City Schools

The simplest thought, like the concept of the number one,
has an elaborate logical underpinning. - Carl Sagan

jhank...@homewood.k12.al.us
------------------------------------------------------------------------
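To make the concern above concrete, here is an added example (my own code, not bash's or readline's) of what a defensive version of the overwrite path would look like: it refuses to rename or truncate anything that is not a regular file, it checks the result of every rename() and open(), and it only "restores" a backup that this same call created, so a stray rename(bakname, output) can never move a pre-existing "name-" file over its neighbour. Assumptions: a POSIX system, the backup name is the history path plus a trailing "-" as described in the thread, stat() is used so the check applies to the symlink target as in the S_ISREG remark, and the function and enum names are mine. The scratch file under /tmp in the self-check is constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum hist_status {
    HIST_OK = 0,
    HIST_NOT_REGULAR,    /* target exists but is a pipe, device, directory, ... */
    HIST_BACKUP_FAILED,  /* rename(path, path-) failed; original left untouched */
    HIST_OPEN_FAILED,    /* open() failed; our backup was renamed back */
    HIST_RESTORE_FAILED, /* open() failed AND rename(path-, path) failed too */
    HIST_WRITE_FAILED
};

/* 1 if path is (or, through a symlink, points at) a regular file, 0 if it
 * exists but is something else, -1 if stat() fails (usually: not there yet). */
static int is_regular_file(const char *path)
{
    struct stat sb;
    if (stat(path, &sb) != 0)
        return -1;
    return S_ISREG(sb.st_mode) ? 1 : 0;
}

/* Overwrite-style history write: move the old file to "path-", then
 * create/truncate path and write text. Every rename()/open() is checked,
 * and the backup is only restored if this call is the one that made it. */
int history_write_with_backup(const char *path, const char *text)
{
    char bak[4096];
    int kind = is_regular_file(path);
    int fd;
    size_t left = strlen(text);

    if (snprintf(bak, sizeof bak, "%s-", path) >= (int)sizeof bak)
        return HIST_BACKUP_FAILED;          /* name too long for the buffer */
    if (kind == 0)
        return HIST_NOT_REGULAR;            /* never rename/truncate /dev/null & co. */
    if (kind == 1 && rename(path, bak) != 0)
        return HIST_BACKUP_FAILED;          /* stop: nothing has been modified */

    fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) {
        int saved = errno;
        if (kind == 1 && rename(bak, path) != 0)
            return HIST_RESTORE_FAILED;     /* report, don't silently ignore */
        errno = saved;
        return HIST_OPEN_FAILED;
    }
    while (left > 0) {
        ssize_t n = write(fd, text, left);
        if (n < 0) { close(fd); return HIST_WRITE_FAILED; }
        text += n;
        left -= (size_t)n;
    }
    close(fd);
    return HIST_OK;
}

/* Helper for the self-check: does the file hold exactly `expected`? */
static int file_holds(const char *path, const char *expected)
{
    char buf[256];
    FILE *f = fopen(path, "r");
    size_t n;
    if (!f) return 0;
    n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return strcmp(buf, expected) == 0;
}

/* Self-check on a constructed scratch file: the second write must leave the
 * first write in the "-" backup. Returns 0 on success, negative on failure. */
int demo_regular_file(void)
{
    char path[] = "/tmp/hist_example_XXXXXX";   /* constructed, removed below */
    char bak[sizeof path + 1];
    int fd = mkstemp(path), rc;
    if (fd < 0) return -1;
    close(fd);
    snprintf(bak, sizeof bak, "%s-", path);
    if (history_write_with_backup(path, "ls -l\n") != HIST_OK) rc = -2;
    else if (history_write_with_backup(path, "cd /\n") != HIST_OK) rc = -3;
    else rc = (file_holds(path, "cd /\n") && file_holds(bak, "ls -l\n")) ? 0 : -4;
    unlink(path);
    unlink(bak);
    return rc;
}

int main(void)
{
    printf("regular file: %d, /dev/null: %d (expect 0 and %d)\n",
           demo_regular_file(), history_write_with_backup("/dev/null", "x\n"),
           (int)HIST_NOT_REGULAR);
    return 0;
}
```

The two properties that matter for the scenario in the mail are the early S_ISREG refusal (so a HISTFILE pointing at a device or pipe is never renamed or truncated) and the `kind == 1` guard on the restore rename, which is what keeps an open() failure from ever moving an unrelated "name-" file into place.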
