zamlz n00b
Joined: 22 Jul 2017 Posts: 42
|
Posted: Thu Oct 04, 2018 1:01 am Post subject: On the matter of dotfiles |
|
|
My dotfiles repo is public, and I was wondering if there is any concern of having my package.use information on there.
I doubt there is, but I would like people's opinion of setting up a symlink for package.use pointing to a file in my dotfiles directory.
Having package.use as a symlink doesn't seem to break anything as far as I can tell... _________________ AI/ML/Robotics/Linux - zamlz |
|
saturnalia0 Tux's lil' helper
Joined: 13 Oct 2016 Posts: 136
|
Posted: Thu Oct 04, 2018 1:57 am Post subject: |
|
|
I don't see the point of adding a symlink to version control, so instead of creating a symlink for package.use and adding it to version control, I'd simply not add package.use to version control, without creating a symlink at all.
Alternatively you can keep a public dotfiles repository and a private one.
That being said I don't see why sharing that particular file would be of any concern. If someone was specifically targeting you they could check your useflags to look for software you have with known vulnerabilities (to the attacker), but that seems highly unlikely. |
|
zamlz n00b
Joined: 22 Jul 2017 Posts: 42
|
Posted: Thu Oct 04, 2018 7:04 am Post subject: |
|
|
saturnalia0 wrote: | That being said I don't see why sharing that particular file would be of any concern. If someone was specifically targeting you they could check your useflags to look for software you have with known vulnerabilities (to the attacker), but that seems highly unlikely. |
Alright that's what I figured as well but I wasn't sure. Thanks!
saturnalia0 wrote: | I don't see the point of adding a symlink to version control, so instead of creating a symlink for package.use and adding it to version control, I'd simply not add package.use to version control, without creating a symlink at all. |
Sorry if I wasn't clear. I meant moving /etc/portage/package.use into my dotfiles folder, so ~/dotfiles/package.use. Now I make a symbolic link in /etc/portage/ that points to the file in my dotfiles folder. _________________ AI/ML/Robotics/Linux - zamlz |
|
Muso Veteran
Joined: 22 Oct 2002 Posts: 1052 Location: The Holy city of Honolulu
|
Posted: Thu Oct 04, 2018 7:46 am Post subject: Re: On the matter of dotfiles |
|
|
zamlz wrote: | My dotfiles repo is public, and I was wondering if there any concern of having my package.use information on there.
I doubt there is, but I would like people's opinion of setting up a symlink for package.use pointing to a file in my dotfiles directory.
Having package.use as a symlink doesn't seem to break anything as far as I can tell... |
Just never put your zsh/bash dot files online. Mind you, every sliver of data you share will help in the enumeration of your system, but some data is more valuable;
Most dot files are fine, but if someone asks for your /etc/shadow, do not trust them.
With that being said, would you mind posting your /etc/shadow file with the "Code" bb codes? You know, for skids! _________________ "You can lead a horticulture but you can't make her think" ~ Dorothy Parker
2021 is the year of the Linux Desktop! |
|
khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
|
Posted: Thu Oct 04, 2018 10:07 am Post subject: Re: On the matter of dotfiles |
|
|
Muso wrote: | Just never put your zsh/bash dot files online. |
Muso ... why is that? That is the least likely source of valuable, or exploitable, information. Plus, what would be the ingress?
best ... khay |
|
Muso Veteran
Joined: 22 Oct 2002 Posts: 1052 Location: The Holy city of Honolulu
|
Posted: Thu Oct 04, 2018 4:36 pm Post subject: Re: On the matter of dotfiles |
|
|
khayyam wrote: | Muso wrote: | Just never put your zsh/bash dot files online. |
Muso ... why is that? That is the least likely source of valuable, or exploitable, information. Plus, what would be the ingress?
best ... khay |
Post exploit, during privilege escalation, checking those is part of the process. _________________ "You can lead a horticulture but you can't make her think" ~ Dorothy Parker
2021 is the year of the Linux Desktop! |
|
khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
|
Posted: Thu Oct 04, 2018 5:16 pm Post subject: Re: On the matter of dotfiles |
|
|
Muso wrote: | Just never put your zsh/bash dot files online. |
khayyam wrote: | Muso ... why is that? That is the least likely source of valuable, or exploitable, information. Plus, what would be the ingress? |
Muso wrote: | Post exploit, during privilege escalation, checking those is part of the process. |
Muso ... what? You'll have to explain.
best ... khay |
|
Muso Veteran
Joined: 22 Oct 2002 Posts: 1052 Location: The Holy city of Honolulu
|
Posted: Thu Oct 04, 2018 9:20 pm Post subject: Re: On the matter of dotfiles |
|
|
khayyam wrote: | Muso wrote: | Just never put your zsh/bash dot files online. |
khayyam wrote: | Muso ... why is that? That is the least likely source of valuable, or exploitable, information. Plus, what would be the ingress? |
Muso wrote: | Post exploit, during privilege escalation, checking those is part of the process. |
Muso ... what? You'll have to explain.
best ... khay |
https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/ _________________ "You can lead a horticulture but you can't make her think" ~ Dorothy Parker
2021 is the year of the Linux Desktop! |
|
Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
|
Posted: Thu Oct 04, 2018 9:49 pm Post subject: |
|
|
That's a whole lot of nothing. |
|
khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
|
Posted: Thu Oct 04, 2018 10:17 pm Post subject: Re: On the matter of dotfiles |
|
|
Muso wrote: | Just never put your zsh/bash dot files online. |
khayyam wrote: | Muso ... why is that? That is the least likely source of valuable, or exploitable, information. Plus, what would be the ingress? |
Muso wrote: | Post exploit, during privilege escalation, checking those is part of the process. |
khayyam wrote: | Muso ... what? You'll have to explain. |
Muso wrote: | https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/ |
Muso ... that explains nothing, so again, what sort of exposure exists from "put[ing] zsh/bash dot files online"?
best ... khay |
|
Muso Veteran
Joined: 22 Oct 2002 Posts: 1052 Location: The Holy city of Honolulu
|
Posted: Thu Oct 04, 2018 10:51 pm Post subject: Re: On the matter of dotfiles |
|
|
khayyam wrote: | Muso wrote: | Just never put your zsh/bash dot files online. |
khayyam wrote: | Muso ... why is that? That is the least likely source of valuable, or exploitable, information. Plus, what would be the ingress? |
Muso wrote: | Post exploit, during privilege escalation, checking those is part of the process. |
khayyam wrote: | Muso ... what? You'll have to explain. |
Muso wrote: | https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/ |
Muso ... that explains nothing, so again, what sort of exposure exists from "put[ing] zsh/bash dot files online"?
best ... khay |
Specifically, sharing them online. As I said in my initial post, every sliver of data you share helps in the enumeration of your system. The history of commands entered is not something one should share.
Example, mistyping su, hitting enter, then typing the root password and hitting enter gets your root password stored in your ~/.zsh_history file. That sort of information should not be shared online. _________________ "You can lead a horticulture but you can't make her think" ~ Dorothy Parker
2021 is the year of the Linux Desktop! |
|
kitsunenokenja Tux's lil' helper
Joined: 20 Jan 2004 Posts: 131
|
Posted: Thu Oct 04, 2018 11:44 pm Post subject: Re: On the matter of dotfiles |
|
|
Muso wrote: |
Example, mistyping su, hitting enter, then typing the root password and hitting enter gets your root password stored in your ~/.zsh_history file. That sort of information should not be shared online. |
Why would anyone include such a file in a repo? There is nothing requiring everything under ~/.* to be included. Only files like .bashrc and .vimrc would go to the repo. Naturally if .bashrc (or any other run control script really) still contains something sensitive like a password, it's the owner's own damn fault for making it public.
Lastly, even if there is an error such as in the example you provided, I would suggest promptly editing the history file and eliminating the corresponding entry to destroy the record of a password in plain text. _________________ ProtonMail - Free encrypted e-mail from Switzerland
Let's Encrypt - Free SSL cert organisation |
|
pjp Administrator
Joined: 16 Apr 2002 Posts: 20067
|
Posted: Fri Oct 05, 2018 12:33 am Post subject: Re: On the matter of dotfiles |
|
|
kitsunenokenja wrote: | Why would anyone ...? | Isn't that asked of most security missteps? Maybe they didn't think of it, made a mistake, didn't know better. _________________ Quis separabit? Quo animo? |
|
Hu Moderator
Joined: 06 Mar 2007 Posts: 21628
|
Posted: Fri Oct 05, 2018 1:43 am Post subject: |
|
|
When I read "zsh/bash dotfiles", I think exclusively of the files that the user maintains: .bashrc, .bash_profile, .bash_logout, and the corresponding zsh files. Generated files, such as .bash_history, may start with a dot, but I don't think of them as dotfiles because I don't directly read or customize them. |
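
Added example, not part of any post in this thread: a pre-publish check for a dotfiles checkout that treats the two cases discussed above separately, generated history files and credentials left in hand-maintained rc files. The file-name globs, the regex and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a dotfiles checkout before pushing it to a public remote.
# The file-name globs and the regex are illustrative assumptions, not a full list.

# Assignment whose variable name suggests a credential, e.g. GITHUB_TOKEN=...
SECRET_RE='(password|passwd|secret|token|api_?key)[A-Za-z0-9_]*='

audit_dotfiles() {
    repo=$1
    flagged=0
    # Generated history files record typed commands, including a password
    # typed at the prompt by mistake; they never belong in the repo.
    hist=$(find "$repo" -name .git -prune -o -type f \
        \( -name '.*_history' -o -name '.histfile' \) -print) || true
    # Hand-maintained rc/profile files: find credential-looking assignments.
    # /dev/null makes grep print the file name even for a single file.
    secrets=$(find "$repo" -name .git -prune -o -type f \
        \( -name '*rc' -o -name '*profile' -o -name '*zshenv' \) \
        -exec grep -nEi "$SECRET_RE" /dev/null {} +) || true
    if [ -n "$hist" ]; then
        printf '%s\n' "$hist" | sed 's/^/HISTORY /'
        flagged=1
    fi
    if [ -n "$secrets" ]; then
        # Report file:line only, so the value itself is not echoed again.
        printf '%s\n' "$secrets" | cut -d: -f1,2 | sed 's/^/SECRET /'
        flagged=1
    fi
    return "$flagged"
}

# Constructed sample checkout (all values are made up) for trying the audit.
make_sample_repo() {
    d=$(mktemp -d)
    printf '%s\n' "alias ll='ls -l'" 'export GITHUB_TOKEN=constructed-not-real' > "$d/.zshrc"
    printf '%s\n' 'set number' > "$d/.vimrc"
    printf '%s\n' 'us' 'constructed-root-password' > "$d/.zsh_history"
    printf '%s\n' "$d"
}

# Usage: sh audit.sh ~/dotfiles   (exit status 1 means something was flagged)
if [ "$#" -gt 0 ]; then audit_dotfiles "$1"; fi
```

A history file already committed stays in the repository's history after the file is deleted, so a flagged password should be changed rather than only removed from the working tree.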
|
pjp Administrator
Joined: 16 Apr 2002 Posts: 20067
|
Posted: Fri Oct 05, 2018 2:21 am Post subject: |
|
|
.bash* _________________ Quis separabit? Quo animo? |
|
Muso Veteran
Joined: 22 Oct 2002 Posts: 1052 Location: The Holy city of Honolulu
|
Posted: Fri Oct 05, 2018 2:32 am Post subject: Re: On the matter of dotfiles |
|
|
kitsunenokenja wrote: | Muso wrote: |
Example, mistyping su, hitting enter, then typing the root password and hitting enter gets your root password stored in your ~/.zsh_history file. That sort of information should not be shared online. |
Why would anyone include such a file in a repo? There is nothing requiring everything under ~/.* to be included. |
I'm just being thorough. People do all sorts of weird things. _________________ "You can lead a horticulture but you can't make her think" ~ Dorothy Parker
2021 is the year of the Linux Desktop! |
|
khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
|
Posted: Fri Oct 05, 2018 8:40 am Post subject: Re: On the matter of dotfiles |
|
|
khayyam wrote: | Muso ... that explains nothing, so again, what sort of exposure exists from "put[ing] zsh/bash dot files online"? |
Muso wrote: | Specifically, sharing them online. As I said in my initial post, every sliver of data you share helps in the enumeration of your system. The history of commands entered is not something one should share. |
Muso ... "specifically, sharing them online" is not an answer, it's stated in the question. You shouldn't share them online, because that would be sharing them online? As for "every sliver of data", what kind of data (excluding history, because these are not considered dotfiles)? Are you saying I shouldn't include my social security number, DoB, and such, in my .zshrc? There is nothing to be gleaned from zsh/bash dotfiles under every normal circumstance, unless you're saying that some alias, or function, exposes something of the host system. So, saying "never put your zsh/bash dot files online" is just nonsense, you might as well say "don't put your SSN, DoB, etc, in your dotfiles and then post them online" ... which might be considered in some far off circumstance "good advice", but it's no reason for thinking that the content of zsh/bash dotfiles are exposing anything.
best ... khay |
|
zamlz n00b
Joined: 22 Jul 2017 Posts: 42
|
Posted: Mon Oct 08, 2018 10:29 pm Post subject: |
|
|
I would never add history files to my repo lol. I'm pretty particular about what I put in my dotfiles repo. You made it seem like sharing a zshrc file would be the end of the world, but as long as there isn't anything controversial on it, it should be fine lol. _________________ AI/ML/Robotics/Linux - zamlz |
|