Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
On the matter of dotfiles
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Gentoo Chat
View previous topic :: View next topic  
Author Message
zamlz
n00b
n00b


Joined: 22 Jul 2017
Posts: 39

PostPosted: Thu Oct 04, 2018 1:01 am    Post subject: On the matter of dotfiles Reply with quote

My dotfiles repo is public, and I was wondering if there any concern of having my package.use information on there.
I doubt there is, but I would like people's opinion of setting up a symlink for package.use pointing to a file in my dotfiles directory.
Having package.use as a symlink doesn't seem to break anything as far as I can tell...
_________________
AI/ML/Robotics/Linux - zamlz
Back to top
View user's profile Send private message
saturnalia0
Tux's lil' helper
Tux's lil' helper


Joined: 13 Oct 2016
Posts: 95

PostPosted: Thu Oct 04, 2018 1:57 am    Post subject: Reply with quote

I don't see the point of adding a symlink to version control, so instead of creating a symlink for package.use and adding it to version control, I'd simply not add package.use to version control, without creating a symlink at all.

Alternatively you can keep a public dotfiles repository and a private one.

That being said I don't see why sharing that particular file would be of any concern. If someone was specifically targeting you they could check your useflags to look for software you have with known vulnerabilities (to the attacker), but that seems highly unlikely.
Back to top
View user's profile Send private message
zamlz
n00b
n00b


Joined: 22 Jul 2017
Posts: 39

PostPosted: Thu Oct 04, 2018 7:04 am    Post subject: Reply with quote

saturnalia0 wrote:
That being said I don't see why sharing that particular file would be of any concern. If someone was specifically targeting you they could check your useflags to look for software you have with known vulnerabilities (to the attacker), but that seems highly unlikely.


Alright that's what I figured as well but I wasn't sure. Thanks!

saturnalia0 wrote:
I don't see the point of adding a symlink to version control, so instead of creating a symlink for package.use and adding it to version control, I'd simply not add package.use to version control, without creating a symlink at all.


Sorry if I wasn't clear. I meant making moving /etc/portage/package.use into my dotfiles folder, so ~/dotfiles/package.use. Now I make a symbolic link in /etc/portage/ that points to the file in my dotfiles folder.[/b]
_________________
AI/ML/Robotics/Linux - zamlz
Back to top
View user's profile Send private message
Muso
Veteran
Veteran


Joined: 22 Oct 2002
Posts: 1002
Location: The Holy city of Honolulu

PostPosted: Thu Oct 04, 2018 7:46 am    Post subject: Re: On the matter of dotfiles Reply with quote

zamlz wrote:
My dotfiles repo is public, and I was wondering if there any concern of having my package.use information on there.
I doubt there is, but I would like people's opinion of setting up a symlink for package.use pointing to a file in my dotfiles directory.
Having package.use as a symlink doesn't seem to break anything as far as I can tell...


Just never put your zsh/bash dot files online. Mind you, every sliver of data you share will help in the enumeration of your system, but some data is more valuable;

Most dot files are fine, but if someone asks for your /etc/shadow, do not trust them.


With that being said, would you mind posting your /etc/shadow file with the "Code" bb codes? You know, for skids!
_________________
"You can lead a horticulture but you can't make her think" ~ Dorothy Parker
"It's not a big truck. It's a series of tubes." ~ Senator Ted Stevens describing the Internet
Back to top
View user's profile Send private message
khayyam
Watchman
Watchman


Joined: 07 Jun 2012
Posts: 6228
Location: Room 101

PostPosted: Thu Oct 04, 2018 10:07 am    Post subject: Re: On the matter of dotfiles Reply with quote

Muso wrote:
Just never put your zsh/bash dot files online.

Muso ... why is that? That is the least likely source of valuable, or exploitable, information. Plus, what would be the ingress?

best ... khay
Back to top
View user's profile Send private message
Muso
Veteran
Veteran


Joined: 22 Oct 2002
Posts: 1002
Location: The Holy city of Honolulu

PostPosted: Thu Oct 04, 2018 4:36 pm    Post subject: Re: On the matter of dotfiles Reply with quote

khayyam wrote:
Muso wrote:
Just never put your zsh/bash dot files online.

Muso ... why is that? That is the least likely source of valuable, or exploitable, information. Plus, what would be the ingress?

best ... khay


Post exploit, during privilege escalation, checking those is part of the process.
_________________
"You can lead a horticulture but you can't make her think" ~ Dorothy Parker
"It's not a big truck. It's a series of tubes." ~ Senator Ted Stevens describing the Internet
Back to top
View user's profile Send private message
khayyam
Watchman
Watchman


Joined: 07 Jun 2012
Posts: 6228
Location: Room 101

PostPosted: Thu Oct 04, 2018 5:16 pm    Post subject: Re: On the matter of dotfiles Reply with quote

Muso wrote:
Just never put your zsh/bash dot files online.

khayyam wrote:
Muso ... why is that? That is the least likely source of valuable, or exploitable, information. Plus, what would be the ingress?

Muso wrote:
Post exploit, during privilege escalation, checking those is part of the process.

Musu ... what? You'll have to explain.

best ... khay
Back to top
View user's profile Send private message
Muso
Veteran
Veteran


Joined: 22 Oct 2002
Posts: 1002
Location: The Holy city of Honolulu

PostPosted: Thu Oct 04, 2018 9:20 pm    Post subject: Re: On the matter of dotfiles Reply with quote

khayyam wrote:
Muso wrote:
Just never put your zsh/bash dot files online.

khayyam wrote:
Muso ... why is that? That is the least likely source of valuable, or exploitable, information. Plus, what would be the ingress?

Muso wrote:
Post exploit, during privilege escalation, checking those is part of the process.

Musu ... what? You'll have to explain.

best ... khay


https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
_________________
"You can lead a horticulture but you can't make her think" ~ Dorothy Parker
"It's not a big truck. It's a series of tubes." ~ Senator Ted Stevens describing the Internet
Back to top
View user's profile Send private message
Ant P.
Watchman
Watchman


Joined: 18 Apr 2009
Posts: 6015

PostPosted: Thu Oct 04, 2018 9:49 pm    Post subject: Reply with quote

That's a whole lot of nothing.
Back to top
View user's profile Send private message
khayyam
Watchman
Watchman


Joined: 07 Jun 2012
Posts: 6228
Location: Room 101

PostPosted: Thu Oct 04, 2018 10:17 pm    Post subject: Re: On the matter of dotfiles Reply with quote

Muso wrote:
Just never put your zsh/bash dot files online.

khayyam wrote:
Muso ... why is that? That is the least likely source of valuable, or exploitable, information. Plus, what would be the ingress?

Muso wrote:
Post exploit, during privilege escalation, checking those is part of the process.

khayyam wrote:
Musu ... what? You'll have to explain.

Muso wrote:
https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

Muso ... that explains nothing, so again, what sort of exposure exists from "put[ing] zsh/bash dot files online"?

best ... khay
Back to top
View user's profile Send private message
Muso
Veteran
Veteran


Joined: 22 Oct 2002
Posts: 1002
Location: The Holy city of Honolulu

PostPosted: Thu Oct 04, 2018 10:51 pm    Post subject: Re: On the matter of dotfiles Reply with quote

khayyam wrote:
Muso wrote:
Just never put your zsh/bash dot files online.

khayyam wrote:
Muso ... why is that? That is the least likely source of valuable, or exploitable, information. Plus, what would be the ingress?

Muso wrote:
Post exploit, during privilege escalation, checking those is part of the process.

khayyam wrote:
Musu ... what? You'll have to explain.

Muso wrote:
https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

Muso ... that explains nothing, so again, what sort of exposure exists from "put[ing] zsh/bash dot files online"?

best ... khay


Specifically, sharing them online. As I said in my initial post, every sliver of data you share helps in the enumeration of your system. The history of commands entered is not something one should share.

Example, mistyping su, hitting enter, then typing the root password and hitting enter gets your root password stored in your ~/.zsh_history file. That sort of information should not be shared online.
_________________
"You can lead a horticulture but you can't make her think" ~ Dorothy Parker
"It's not a big truck. It's a series of tubes." ~ Senator Ted Stevens describing the Internet
Back to top
View user's profile Send private message
kitsunenokenja
Tux's lil' helper
Tux's lil' helper


Joined: 20 Jan 2004
Posts: 131

PostPosted: Thu Oct 04, 2018 11:44 pm    Post subject: Re: On the matter of dotfiles Reply with quote

Muso wrote:

Example, mistyping su, hitting enter, then typing the root password and hitting enter gets your root password stored in your ~/.zsh_history file. That sort of information should not be shared online.


Why would anyone include such a file in a repo? There is nothing requiring everything under ~/.* to be included. Only files like .bashrc and .vimrc would go to the repo. Naturally if .bashrc (or any other run control script really) that still contains something sensitive like a password, it's the owner's own damn fault for making it public.

Lastly, even if there is such an error such as in the example you provided, I would suggest promptly editing the history file and eliminating the corresponding entry to destroy the record of a password in plain text.
_________________
ProtonMail - Free encrypted e-mail from Switzerland
Let's Encrypt - Free SSL cert organisation
Back to top
View user's profile Send private message
pjp
Administrator
Administrator


Joined: 16 Apr 2002
Posts: 18157

PostPosted: Fri Oct 05, 2018 12:33 am    Post subject: Re: On the matter of dotfiles Reply with quote

kitsunenokenja wrote:
Why would anyone ...?
Isn't that asked of most security missteps? Maybe they didn't think of it, made a mistake, didn't know better.
_________________
Those who know what's best for us must rise and save us from ourselves.
Back to top
View user's profile Send private message
Hu
Moderator
Moderator


Joined: 06 Mar 2007
Posts: 14373

PostPosted: Fri Oct 05, 2018 1:43 am    Post subject: Reply with quote

When I read "zsh/bash dotfiles", I think exclusively of the files that the user maintains: .bashrc, .bash_profile, .bash_logout, and the corresponding zsh files. Generated files, such as .bash_history, may start with a dot, but I don't think of them as dotfiles because I don't directly read or customize them.
Back to top
View user's profile Send private message
pjp
Administrator
Administrator


Joined: 16 Apr 2002
Posts: 18157

PostPosted: Fri Oct 05, 2018 2:21 am    Post subject: Reply with quote

.bash*
_________________
Those who know what's best for us must rise and save us from ourselves.
Back to top
View user's profile Send private message
Muso
Veteran
Veteran


Joined: 22 Oct 2002
Posts: 1002
Location: The Holy city of Honolulu

PostPosted: Fri Oct 05, 2018 2:32 am    Post subject: Re: On the matter of dotfiles Reply with quote

kitsunenokenja wrote:
Muso wrote:

Example, mistyping su, hitting enter, then typing the root password and hitting enter gets your root password stored in your ~/.zsh_history file. That sort of information should not be shared online.


Why would anyone include such a file in a repo? There is nothing requiring everything under ~/.* to be included.


I'm just being thorough. People do all sorts of weird things.
_________________
"You can lead a horticulture but you can't make her think" ~ Dorothy Parker
"It's not a big truck. It's a series of tubes." ~ Senator Ted Stevens describing the Internet
Back to top
View user's profile Send private message
khayyam
Watchman
Watchman


Joined: 07 Jun 2012
Posts: 6228
Location: Room 101

PostPosted: Fri Oct 05, 2018 8:40 am    Post subject: Re: On the matter of dotfiles Reply with quote

khayyam wrote:
Muso ... that explains nothing, so again, what sort of exposure exists from "put[ing] zsh/bash dot files online"?

Muso wrote:
Specifically, sharing them online. As I said in my initial post, every sliver of data you share helps in the enumeration of your system. The history of commands entered is not something one should share.

Muso ... "specifically, sharing them online" is not an answer, it's stated in the question. You shouldn't share them online, because that would be sharing them online? As for "every sliver of data", what kind of data (excluding history, because these are are not considered dotfiles)? Are you saying I shouldn't include my social security number, DoB, and such, in my .zshrc? There is nothing to be gleaned from zsh/bash dotfiles under every normal circumstance, unless your saying that some alias, or function, exposes something of the host system. So, saying "never put your zsh/bash dot files online" is just nonsense, you might as well say "don't put your SSN, DoB, etc, in your dotfiles and then post them online" ... which might be considered in some far off circumstance "good advice", but it's no reason for thinking that the content of zsh/bash dotfiles are exposing anything.

best ... khay
Back to top
View user's profile Send private message
zamlz
n00b
n00b


Joined: 22 Jul 2017
Posts: 39

PostPosted: Mon Oct 08, 2018 10:29 pm    Post subject: Reply with quote

I would never add history files to my repo lol. I'm pretty particular about what I put in my dotfiles repo. You made it seem like sharing a zshrc file would be the end of the world, but as long as there isn't anything controversial on it, it should be fine lol.
_________________
AI/ML/Robotics/Linux - zamlz
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Gentoo Chat All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum