bigbangnet, Apprentice (Joined: 11 Jun 2007, Posts: 174)
Posted: Thu Mar 08, 2012 8:40 pm
Post subject: Terminal flaw - reported by Mark Krenz @ www.climagic.org

Go read the article please; it reports a flaw in the terminal that allows a user to view your scrollback buffer, which ends up on your /tmp filesystem over time, including data passed back through an SSH connection.
It was also reported on slashdot.org.
What do you guys think? Any input would be appreciated.
_________________
I'm a noob, be gentle with me. TEACH ME
NeddySeagoon, Administrator (Joined: 05 Jul 2003, Posts: 30123, Location: 56N 3W)
Posted: Thu Mar 08, 2012 8:47 pm

bigbangnet,
You still have /tmp on disk?
It's not safe with /tmp on shmfs either, but at least that's not sold on or scrapped with the disk.
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
aCOSwt, Advocate (Joined: 19 Oct 2007, Posts: 2075, Location: Between the keyboard and the chair)
Posted: Thu Mar 08, 2012 8:56 pm

NeddySeagoon wrote:
    You still have /tmp on disk?
hrrmm... what's wrong with that?
_________________
In theory there are no differences between theory and practice. In practice, there are.
Don't try to understand my posts. Immanuel Kant never did, he thinks that only music and laughter do not have to mean anything.
bigbangnet, Apprentice (Joined: 11 Jun 2007, Posts: 174)
Posted: Thu Mar 08, 2012 9:07 pm

Well, I'm at work right now so I can't check right now. But I followed the handbook instructions and I don't remember changing anything related to /tmpfs or the like.
_________________
I'm a noob, be gentle with me. TEACH ME
bigbangnet, Apprentice (Joined: 11 Jun 2007, Posts: 174)
Posted: Thu Mar 08, 2012 9:12 pm

aCOSwt wrote:
    NeddySeagoon wrote:
        You still have /tmp on disk?
    hrrmm... what's wrong with that?
If you read the article, it states that anyone can look in your "backbuffer" of a terminal... a log of what you typed there, in other words.
_________________
I'm a noob, be gentle with me. TEACH ME
Etal, Veteran (Joined: 15 Jul 2005, Posts: 1634)
Posted: Thu Mar 08, 2012 9:24 pm

bigbangnet wrote:
    aCOSwt wrote:
        NeddySeagoon wrote:
            You still have /tmp on disk?
        hrrmm... what's wrong with that?
    If you read the article, it states that anyone can look in your "backbuffer" of a terminal... a log of what you typed there, in other words.
... "anyone" as in anyone who has root or physical access to your machine?
_________________
“And even in authoritarian countries, information networks are helping people discover new facts and making governments more accountable.” – Hillary Clinton, Jan. 21, 2010
NeddySeagoon, Administrator (Joined: 05 Jul 2003, Posts: 30123, Location: 56N 3W)
Posted: Thu Mar 08, 2012 9:37 pm

bigbangnet,
If you followed the handbook, /tmp is a subdir on /.
/tmp is cleared on boot. That means the files are discarded; the data they used to contain is still on your HDD in the unallocated space.
With modern systems, a small /tmp in RAM is more than adequate, as long as you don't put DVD images there before you burn them.
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
aCOSwt, Advocate (Joined: 19 Oct 2007, Posts: 2075, Location: Between the keyboard and the chair)
Posted: Thu Mar 08, 2012 9:46 pm

bigbangnet wrote:
    If you read the article
Yes I did, and when I read
Quote:
    ...I think a very strong warning should be placed next to the scrollback buffer setting in the terminal emulator explaining that data will end up on disk.
I am just left voiceless!
When I began under Unix (a MC68010 + 1M RAM + a VT100), a time when vi was holding its temporary files in /tmp, it was evident to everybody that whatever was keyed on the console could, at some point, be written on disk, be it in an image of the stack of some process, getty included, or in the swap area.
Of course, nobody ever asked why we were keeping the swap area on disk...
_________________
In theory there are no differences between theory and practice. In practice, there are.
Don't try to understand my posts. Immanuel Kant never did, he thinks that only music and laughter do not have to mean anything.
Last edited by aCOSwt on Thu Mar 08, 2012 9:54 pm; edited 1 time in total
NeddySeagoon, Administrator (Joined: 05 Jul 2003, Posts: 30123, Location: 56N 3W)
Posted: Thu Mar 08, 2012 9:54 pm

aCOSwt,
:)
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
bigbangnet, Apprentice (Joined: 11 Jun 2007, Posts: 174)
Posted: Fri Mar 09, 2012 2:54 pm

NeddySeagoon wrote:
    bigbangnet,
    If you followed the handbook, /tmp is a subdir on /.
    /tmp is cleared on boot. That means the files are discarded; the data they used to contain is still on your HDD in the unallocated space.
    With modern systems, a small /tmp in RAM is more than adequate, as long as you don't put DVD images there before you burn them.
Since I'm not home testing this I can't tell you the exact effect, but from the way it's described and with what you tell me: yes, /tmp is cleared on boot, but as long as you don't reboot or turn off your machine and don't do anything to the partitions related to /tmp, people can get that data, as the data is written on the disk.
Here is what you guys can do to test it; this is a quote from that site:
Quote:
    On Linux, if you want to see this behavior, you can do the following:
    1. Open one of the affected terminal emulators.
    2. Make sure its scrollback buffer is set to something like 500 or more so that it saves some of the scrollback.
    3. In the terminal, run:
        ls -l /proc/$PPID/fd | grep deleted
    If enough data has entered the scrollback buffer, you should start to see unlinked (deleted) files called /tmp/vte.*
    To see the data that has been logged to /tmp, you use a command like strings to view the contents of your /tmp partition. If you have a separate /tmp partition and it's located on /dev/sda2, this could be done like this:
        strings /dev/sda2 | less
    You should be able to search within that data for bits of information like your username on remote machines or the remote hostname you connected to and find data that was sent to the terminal from those remote systems, which could include sensitive information like passwords, logs, etc.
_________________
I'm a noob, be gentle with me. TEACH ME
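As an added example (not part of the thread and not code from the climagic article), the following POSIX shell script automates the check quoted above from the defender's side: it reports whether /tmp is a separate mount and of what filesystem type, and lists every readable process that still holds an unlinked /tmp/vte.* file open, which is the symptom the article describes. The /proc/<pid>/fd walk, the " (deleted)" suffix the kernel appends to the target of an unlinked open file, and the /proc/mounts field layout are standard Linux behaviour; the function names and the constructed sample mount table mentioned in the usage note are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from climagic.org: audit a
# Linux host for the two things the thread argues about.
#   1. Is /tmp a tmpfs (RAM) mount, or does it live on a disk filesystem?
#   2. Does any running process hold an unlinked /tmp/vte.* file open,
#      i.e. terminal scrollback that libvte has spilled to disk?
# Read-only: it only inspects /proc and resolves symlinks.

# Return 0 when a symlink target read from /proc/<pid>/fd/<n> names an
# unlinked libvte scrollback file, 1 otherwise. The kernel appends
# " (deleted)" to the target of a file that is open but already unlinked.
is_unlinked_vte_file() {
    case "$1" in
        /tmp/vte.*" (deleted)") return 0 ;;
        *)                      return 1 ;;
    esac
}

# Print the filesystem type of mount point $1, reading a mount table in
# /proc/mounts format from stdin. Prints nothing when the mount point is
# absent from the table, which for /tmp means it is a plain directory on
# the root filesystem (the layout a handbook install produces).
fstype_of_mountpoint() {
    # /proc/mounts fields: device mountpoint fstype options dump pass
    awk -v mp="$1" '$2 == mp { print $3; exit }'
}

# Walk /proc/*/fd and print "pid target" for every unlinked vte
# scrollback file. fd directories of other users' processes are not
# readable without root; those are skipped silently.
scan_vte_scrollback() {
    for fd in /proc/[0-9]*/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        if is_unlinked_vte_file "$target"; then
            pid=${fd#/proc/}
            pid=${pid%%/*}
            printf '%s %s\n' "$pid" "$target"
        fi
    done
}

# Human-readable summary; running the script directly prints this.
audit_report() {
    if [ -r /proc/mounts ]; then
        fs=$(fstype_of_mountpoint /tmp < /proc/mounts)
        if [ -n "$fs" ]; then
            echo "/tmp is a separate mount of type $fs"
        else
            echo "/tmp is a directory on the root filesystem (on disk)"
        fi
    fi
    found=$(scan_vte_scrollback)
    if [ -n "$found" ]; then
        echo "processes holding unlinked /tmp/vte.* scrollback files:"
        echo "$found"
    else
        echo "no unlinked /tmp/vte.* files found among readable processes"
    fi
}

audit_report
```

Run as a normal user it only sees your own terminals, which is exactly the question the thread is asking (is my own scrollback on disk?); run as root it covers every user's terminals on the host. A result of "/tmp is a directory on the root filesystem" together with a non-empty process list is the configuration the article warns about; "tmpfs" means the scrollback never reaches the disk, though as NeddySeagoon notes it is still readable in RAM by anyone who can read the process's fd directory.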
bigbangnet, Apprentice (Joined: 11 Jun 2007, Posts: 174)
Posted: Fri Mar 09, 2012 2:55 pm

aCOSwt wrote:
    bigbangnet wrote:
        If you read the article
    Yes I did, and when I read
    Quote:
        ...I think a very strong warning should be placed next to the scrollback buffer setting in the terminal emulator explaining that data will end up on disk.
    I am just left voiceless!
    When I began under Unix (a MC68010 + 1M RAM + a VT100), a time when vi was holding its temporary files in /tmp, it was evident to everybody that whatever was keyed on the console could, at some point, be written on disk, be it in an image of the stack of some process, getty included, or in the swap area.
    Of course, nobody ever asked why we were keeping the swap area on disk...
Not everyone knows Linux inside out... Hell, I had a thought or an idea that it would keep some data on disk, but I didn't know anyone could access it that easily.
_________________
I'm a noob, be gentle with me. TEACH ME
PaulBredbury, Watchman (Joined: 14 Jul 2005, Posts: 7043)
Posted: Fri Mar 09, 2012 4:09 pm

bigbangnet wrote:
    strings /dev/sda2
OMG panic
Only root can do that.
wcg, Guru (Joined: 06 Jan 2009, Posts: 569)
Posted: Sat Mar 10, 2012 4:56 pm

Things that only root can do seem to me a waste of time to worry about. root could log everything you type at the keyboard if root wanted to. root can also log the contents of every network packet that leaves or enters the machine. If a rogue process is running as root, you are probably screwed and need to erase your filesystems and restore from backup.
A more likely threat would be some rogue process running as you that you inadvertently downloaded as a web plugin or that was hatched by some web or email or multimedia embedded script that is exploiting a weakness in your browser, email client, or jukebox to scrounge around in your home directory, in /var/log/, in any directories in /tmp/ owned by you, and so on.
(When was the last time you actually used a terminal's scrollback buffer, anyway? Do you really need this enabled? You could set the size to 0.)
_________________
TIA
suso, Tux's lil' helper (Joined: 08 Apr 2004, Posts: 137, Location: Bloomington, IN)
Posted: Wed Mar 21, 2012 2:35 pm

Hi. I'm Mark Krenz, the reporter of the flaw. I'm also a Gentoo user.
What many people seem to be missing on this is that once the scrollback buffer data is written to disk, even if the file gets deleted, the data is still there on the disk until that part of the disk is overwritten. Indeed, Gentoo's install handbook does not say anything about using tmpfs, and it's only mentioned in the hardened SELinux instructions, which are buried pretty deep in the list of docs on the Gentoo site. So anyone who says "you should have been using tmpfs" should consider that most people probably aren't reading the advanced docs or getting this information.
Many people seem to have missed the "memo" about using tmpfs on your Linux system. It was on display in the local planning office for the last nine months.
In the past week I've gone through and tested the default installs of 30 distributions of Linux as well as FreeBSD, NetBSD and OpenBSD, and only the most recent Arch Linux uses tmpfs for /tmp by default. In fact, none of them offer tmpfs as an option during partitioning. A few of them offer to clean /tmp, which ends up putting /tmp on tmpfs, but it's turned off by default and only available if you go into advanced options.
I think there is a reason that many distributions do not default to having /tmp on tmpfs even though it's been possible for many years. If you do so, then you affect the ability to recover from crashes in certain programs that use it for storing their running data. For example, Audacity uses /tmp/audacity-user by default for temporary data. So forcing people to use tmpfs is not an ideal solution unless we move this change upstream to the many programs that have been expecting /tmp to be a physical filesystem for years. This is why I think the solution for this must be to change the libvte code so that it doesn't use the disk like this.
Also, the part about people needing root access to run strings is meaningless as well. If someone else gets hold of your disk, then they can access the data there. If you sell your computer without wiping the disk, they can get access to the data there. You can't account for all the ways in which people use and dispose of their computers, so this report needs to reach as many people as possible so that they are aware of the problem and can deal with it accordingly if they need to.
So to make a long story short: this problem is significant for everybody in some way. Please take it seriously.
_________________
Use saferdomainsearch.com to safely search for domain availability.
PaulBredbury, Watchman (Joined: 14 Jul 2005, Posts: 7043)
Posted: Wed Mar 21, 2012 3:07 pm

suso wrote:
    If someone else gets hold of your disk, then they can access the data there.
Oh come on. That's not a point *for* your argument, it's a point *against* your argument that this flaw is hugely important.
I nearly mentioned it at the time, but it's so basic that security people will already know it.
The files in /home are going to be far more important than /tmp, when they fall into the wrong hands.
Yeah, this is a bug. Congrats on your 15 mins of fame. So it goes on a bugzilla. Meanwhile, we upgrade e.g. openssl:
Quote:
    OpenSSL 0.9.8u is now available, including important bug and security fixes.
    OpenSSL 1.0.0h is now available, including important bug and security fixes.
suso, Tux's lil' helper (Joined: 08 Apr 2004, Posts: 137, Location: Bloomington, IN)
Posted: Wed Mar 21, 2012 3:53 pm

I'm sorry you don't understand. I'll try to make it clear. The short of it is that not everyone uses computers the way we do. Here are a few examples in which the situation could get very bad for someone:
* Example A: A consultant who does sysadmin work goes to a variety of companies with their laptop and uses SSH to access systems and see sensitive data on those systems with normal commands like cat, grep, etc. The consultant and the companies think that everything is ok because the consultant is using SSH, doesn't have their swap turned on, and doesn't deliberately save any data in their terminal or from the remote server. So no data from the servers that the consultant accessed should be on the consultant's laptop. Since the consultant is convinced of this as well, they don't worry about encrypting their laptop, etc., and then the laptop gets stolen, lost or sold. The person who gets the laptop now has access to lots of data at multiple companies simply by reading the drive and searching for things like "username@remotehost".
* Example B: A company sets up "pseudo dumb terminal" computers for a group of people to access a text-based script through SSH on a server where they add their medical information in order to renew their insurance for this year. Since the company assumes that no data was stored on the actual terminals, they don't bother with wiping the drives on those computers that they are using like dumb terminals. Now medical information for several people is on drives that are not managed.
* Example C: A user-level exploit comes out that allows someone to use someone else's browser to read the contents of files in /proc/*/fd, which includes the contents of the user's scrollback buffers that haven't been closed.
This isn't the typical kind of security issue where it gets patched upstream and people upgrade in the next release and are no longer vulnerable. Users need to know about this because part of the fix is to clean up the data that has already leaked onto their drives over the past 3 years.
_________________
Use saferdomainsearch.com to safely search for domain availability.
PaulBredbury, Watchman (Joined: 14 Jul 2005, Posts: 7043)
Posted: Wed Mar 21, 2012 4:48 pm

suso wrote:
    don't worry about encrypting their laptop, etc., and then the laptop gets stolen, lost or sold.
In England, the consultant would have a problem with the Data Protection Registrar, for not protecting sensitive data. And he would of course be being stupid.
Quote:
    they don't bother with wiping the drives
That's negligent. Never worth taking the risk.
Quote:
    to read the contents of files in /proc/*/fd, which includes the contents of the user's scrollback buffers that haven't been closed.
So a kernel bug. I'm more concerned with the sort of kernel bugs that give root access.
Quote:
    leaked onto their drives over the past 3 years.
In /tmp files, which aren't normally backed up, and which are deleted at startup or shutdown, if not on tmpfs?
This is not such a big issue. There are lots of other, more serious, security bugs in Linux, going on all the time.
suso, Tux's lil' helper (Joined: 08 Apr 2004, Posts: 137, Location: Bloomington, IN)
Posted: Wed Mar 21, 2012 4:59 pm

Well, good for the queen then. I'm glad she has such diligent people under her wing.
_________________
Use saferdomainsearch.com to safely search for domain availability.