Mag Gam on 1 Sep 2007 13:52:43 -0000



Re: [PLUG] shell script help...

  • From: "Mag Gam" <magawake@gmail.com>
  • To: "Philadelphia Linux User's Group Discussion List" <plug@lists.phillylinux.org>
  • Subject: Re: [PLUG] shell script help...
  • Date: Sat, 1 Sep 2007 09:52:32 -0400
  • Reply-to: Philadelphia Linux User's Group Discussion List <plug@lists.phillylinux.org>
  • Sender: plug-bounces@lists.phillylinux.org

Would wrapping "script" do better user auditing? Or are there any downsides to that?



On 9/1/07, Mag Gam <magawake@gmail.com> wrote:
Wow..didn't think about this.
B. Subshell, invoked with invalid or non-existent history file
       $ HISTFILE="" bash
               {nefarious commands...}
       $ exit
       $ logout





On 9/1/07, Matthew Rosewarne <mukidohime@case.edu> wrote:
On Saturday 01 September 2007, Mag Gam wrote:
> I am in the process of writing a shell script to take the history file (fc -l)
> and back it up, appending to it.
>
> My strategy is, once the user exits his shell, I will dump the
> history into a file using a trap on EXIT. The file name will have the
> username appended (i.e. username.history.date).

I would not attempt to rely on this for any measure of security, as it can be
easily circumvented by users.  For example, one could:

A: Subshell, then remove the history file
        $ bash
                {nefarious commands...}
        $ exit
        $ rm ~/.bash_history
        $ logout

B. Subshell, invoked with invalid or non-existent history file
        $ HISTFILE="" bash
                {nefarious commands...}
        $ exit
        $ logout

All of this could just as easily be hidden in a script, making it very
difficult to catch.  It would be a better idea to use IDS/auditing software
than to rely on something controlled by the user.

___________________________________________________________________________
Philadelphia Linux Users Group         --         http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
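The kernel-level alternative Matthew points at, as an added example that is not part of the thread or anyone's posted script: a Linux audit (auditd) rule that records every execve() with the user's login UID, plus a small reconstruction of command lines from the EXECVE records. Because the record is written by the kernel into a root-owned log, neither "rm ~/.bash_history" nor HISTFILE="" removes it; the rm itself becomes evidence. The rule key user_cmds, the user alice, the UID threshold 1000 and the audit.log lines in sample_log are all constructed for this example, and auditd/auditctl/ausearch are assumed to be present on the monitored host.

```shell
#!/bin/sh
# Added example, not part of the PLUG thread. Shows the kernel-level
# alternative to shell-history auditing: auditd records every execve()
# with the caller's login UID, so neither "rm ~/.bash_history" nor
# HISTFILE="" hides what was run. The key "user_cmds", the user "alice"
# and the log lines in sample_log are constructed for this example.

# Audit rule: log every execve() by a real logged-in user. auid is the
# login UID set by PAM, so it survives su/sudo; 4294967295 is "unset"
# (daemons, boot-time processes). Install under /etc/audit/rules.d/ and
# load with augenrules --load (or auditctl -R) as root.
audit_rule() {
    printf '%s\n' \
        '-a always,exit -F arch=b64 -S execve -F auid>=1000 -F auid!=4294967295 -k user_cmds' \
        '-a always,exit -F arch=b32 -S execve -F auid>=1000 -F auid!=4294967295 -k user_cmds'
}

# Rebuild command lines from EXECVE records on stdin. auditd writes the
# argv entries as a0= a1= ... in order; arguments containing spaces or
# non-printable bytes are hex-encoded instead of quoted, which this
# simple splitter leaves as-is (ausearch -i decodes them).
reconstruct_commands() {
    awk '
        $1 == "type=EXECVE" {
            cmd = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^a[0-9]+=/) {
                    sub(/^a[0-9]+=/, "", $i)
                    gsub(/^"|"$/, "", $i)
                    cmd = (cmd == "" ? $i : cmd " " $i)
                }
            }
            print cmd
        }'
}

# Commands that touch the shell history file itself are worth an alert:
# with the rule above in place they are evidence of attempted cover-up,
# not of a missing record.
flag_history_tampering() {
    reconstruct_commands | grep -E 'bash_history|HISTFILE'
}

# Constructed audit.log excerpt (same layout auditd writes) for the
# sequence from the thread: subshell, nefarious command, remove history.
sample_log() {
    cat <<'EOF'
type=SYSCALL msg=audit(1188654763.123:456): arch=c000003e syscall=59 success=yes exit=0 ppid=2001 pid=2042 auid=1000 uid=1000 gid=1000 euid=1000 comm="bash" exe="/bin/bash" key="user_cmds"
type=EXECVE msg=audit(1188654763.123:456): argc=1 a0="bash"
type=EXECVE msg=audit(1188654763.124:457): argc=3 a0="cat" a1="/etc/shadow" a2="-n"
type=EXECVE msg=audit(1188654763.125:458): argc=2 a0="rm" a1="/home/alice/.bash_history"
EOF
}

# On a real host: ausearch -k user_cmds --raw | reconstruct_commands
if [ "${1:-}" = "demo" ]; then
    audit_rule
    sample_log | reconstruct_commands
    sample_log | flag_history_tampering
fi
```

Two caveats a practitioner should keep in mind. First, execve auditing sees processes, not shell builtins: "echo payload > file", "cd", and "history -c" never call execve, so pair the rule with file-watch rules (for example "-w /etc/shadow -p wa -k shadow") on the files you actually care about, or use pam_tty_audit for keystroke-level logging. Second, the environment is not recorded, so evasion B ("HISTFILE="" bash") is not itself visible; what is visible is the bash exec and every command it goes on to run, which is the part that matters.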



