On the matter of dotfiles

Message

zamlz · Post by **zamlz** » Thu Oct 04, 2018 1:01 am

My dotfiles repo is public, and I was wondering if there any concern of having my package.use information on there.
I doubt there is, but I would like people's opinion of setting up a symlink for package.use pointing to a file in my dotfiles directory.
Having package.use as a symlink doesn't seem to break anything as far as I can tell...

saturnalia0 · Post by **saturnalia0** » Thu Oct 04, 2018 1:57 am

I don't see the point of adding a symlink to version control, so instead of creating a symlink for package.use and adding it to version control, I'd simply not add package.use to version control, without creating a symlink at all.

Alternatively you can keep a public dotfiles repository and a private one.

That being said I don't see why sharing that particular file would be of any concern. If someone was specifically targeting you they could check your useflags to look for software you have with known vulnerabilities (to the attacker), but that seems highly unlikely.

zamlz · Post by **zamlz** » Thu Oct 04, 2018 7:04 am

saturnalia0 wrote:That being said I don't see why sharing that particular file would be of any concern. If someone was specifically targeting you they could check your useflags to look for software you have with known vulnerabilities (to the attacker), but that seems highly unlikely.

Alright that's what I figured as well but I wasn't sure. Thanks!

saturnalia0 wrote:I don't see the point of adding a symlink to version control, so instead of creating a symlink for package.use and adding it to version control, I'd simply not add package.use to version control, without creating a symlink at all.

Sorry if I wasn't clear. I meant making moving /etc/portage/package.use into my dotfiles folder, so ~/dotfiles/package.use. Now I make a symbolic link in /etc/portage/ that points to the file in my dotfiles folder.[/b]

Muso · Post by **Muso** » Thu Oct 04, 2018 7:46 am

zamlz wrote:My dotfiles repo is public, and I was wondering if there any concern of having my package.use information on there.
I doubt there is, but I would like people's opinion of setting up a symlink for package.use pointing to a file in my dotfiles directory.
Having package.use as a symlink doesn't seem to break anything as far as I can tell...

Just never put your zsh/bash dot files online. Mind you, every sliver of data you share will help in the enumeration of your system, but some data is more valuable;

Most dot files are fine, but if someone asks for your /etc/shadow, do not trust them.

With that being said, would you mind posting your /etc/shadow file with the "Code" bb codes? You know, for skids!

khayyam · Post by **khayyam** » Thu Oct 04, 2018 10:07 am

Muso wrote:Just never put your zsh/bash dot files online.

Muso ... why is that? That is the least likely source of valuable, or exploitable, information. Plus, what would be the ingress?

best ... khay

Muso · Post by **Muso** » Thu Oct 04, 2018 4:36 pm

khayyam wrote:
Muso wrote:Just never put your zsh/bash dot files online.
Muso ... why is that? That is the least likely source of valuable, or exploitable, information. Plus, what would be the ingress?

best ... khay

Post exploit, during privilege escalation, checking those is part of the process.

khayyam · Post by **khayyam** » Thu Oct 04, 2018 5:16 pm

Muso wrote:Just never put your zsh/bash dot files online.

khayyam wrote:Muso ... why is that? That is the least likely source of valuable, or exploitable, information. Plus, what would be the ingress?

Muso wrote:Post exploit, during privilege escalation, checking those is part of the process.

Musu ... what? You'll have to explain.

best ... khay

Muso · Post by **Muso** » Thu Oct 04, 2018 9:20 pm

khayyam wrote:
Muso wrote:Just never put your zsh/bash dot files online.

khayyam wrote:Muso ... why is that? That is the least likely source of valuable, or exploitable, information. Plus, what would be the ingress?

Muso wrote:Post exploit, during privilege escalation, checking those is part of the process.
Musu ... what? You'll have to explain.

best ... khay

https://blog.g0tmi1k.com/2011/08/basic- ... scalation/

Ant P. · Post by **Ant P.** » Thu Oct 04, 2018 9:49 pm

That's a whole lot of nothing.

khayyam · Post by **khayyam** » Thu Oct 04, 2018 10:17 pm

Muso wrote:Just never put your zsh/bash dot files online.

khayyam wrote:Muso ... why is that? That is the least likely source of valuable, or exploitable, information. Plus, what would be the ingress?

Muso wrote:Post exploit, during privilege escalation, checking those is part of the process.

khayyam wrote:Musu ... what? You'll have to explain.

Muso wrote:https://blog.g0tmi1k.com/2011/08/basic- ... scalation/

Muso ... that explains nothing, so again, what sort of exposure exists from "put[ing] zsh/bash dot files online"?

best ... khay

Muso · Post by **Muso** » Thu Oct 04, 2018 10:51 pm

khayyam wrote:
Muso wrote:Just never put your zsh/bash dot files online.

khayyam wrote:Muso ... why is that? That is the least likely source of valuable, or exploitable, information. Plus, what would be the ingress?

Muso wrote:Post exploit, during privilege escalation, checking those is part of the process.

khayyam wrote:Musu ... what? You'll have to explain.

Muso wrote:https://blog.g0tmi1k.com/2011/08/basic- ... scalation/
Muso ... that explains nothing, so again, what sort of exposure exists from "put[ing] zsh/bash dot files online"?

best ... khay

Specifically, sharing them online. As I said in my initial post, every sliver of data you share helps in the enumeration of your system. The history of commands entered is not something one should share.

Example, mistyping su, hitting enter, then typing the root password and hitting enter gets your root password stored in your ~/.zsh_history file. That sort of information should not be shared online.

kitsunenokenja · Post by **kitsunenokenja** » Thu Oct 04, 2018 11:44 pm

Muso wrote: Example, mistyping su, hitting enter, then typing the root password and hitting enter gets your root password stored in your ~/.zsh_history file. That sort of information should not be shared online.

Why would anyone include such a file in a repo? There is nothing requiring everything under ~/.* to be included. Only files like .bashrc and .vimrc would go to the repo. Naturally if .bashrc (or any other run control script really) that still contains something sensitive like a password, it's the owner's own damn fault for making it public.

Lastly, even if there is such an error such as in the example you provided, I would suggest promptly editing the history file and eliminating the corresponding entry to destroy the record of a password in plain text.

Post by **pjp** » Fri Oct 05, 2018 12:33 am

kitsunenokenja wrote:Why would anyone ...?

Isn't that asked of most security missteps? Maybe they didn't think of it, made a mistake, didn't know better.

Post by Hu » Fri Oct 05, 2018 1:43 am

When I read "zsh/bash dotfiles", I think exclusively of the files that the user maintains: .bashrc, .bash_profile, .bash_logout, and the corresponding zsh files. Generated files, such as .bash_history, may start with a dot, but I don't think of them as dotfiles because I don't directly read or customize them.

Post by **pjp** » Fri Oct 05, 2018 2:21 am

.bash*

Muso · Post by **Muso** » Fri Oct 05, 2018 2:32 am

kitsunenokenja wrote:
Muso wrote: Example, mistyping su, hitting enter, then typing the root password and hitting enter gets your root password stored in your ~/.zsh_history file. That sort of information should not be shared online.
Why would anyone include such a file in a repo? There is nothing requiring everything under ~/.* to be included.

I'm just being thorough. People do all sorts of weird things.

khayyam · Post by **khayyam** » Fri Oct 05, 2018 8:40 am

khayyam wrote:Muso ... that explains nothing, so again, what sort of exposure exists from "put[ing] zsh/bash dot files online"?

Muso wrote:Specifically, sharing them online. As I said in my initial post, every sliver of data you share helps in the enumeration of your system. The history of commands entered is not something one should share.

Muso ... "specifically, sharing them online" is not an answer, it's stated in the question. You shouldn't share them online, because that would be sharing them online? As for "every sliver of data", what kind of data (excluding history, because these are are not considered dotfiles)? Are you saying I shouldn't include my social security number, DoB, and such, in my .zshrc? There is nothing to be gleaned from zsh/bash dotfiles under every normal circumstance, unless your saying that some alias, or function, exposes something of the host system. So, saying "never put your zsh/bash dot files online" is just nonsense, you might as well say "don't put your SSN, DoB, etc, in your dotfiles and then post them online" ... which might be considered in some far off circumstance "good advice", but it's no reason for thinking that the content of zsh/bash dotfiles are exposing anything.

best ... khay

zamlz · Post by **zamlz** » Mon Oct 08, 2018 10:29 pm

I would never add history files to my repo lol. I'm pretty particular about what I put in my dotfiles repo. You made it seem like sharing a zshrc file would be the end of the world, but as long as there isn't anything controversial on it, it should be fine lol.

On the matter of dotfiles

On the matter of dotfiles

Re: On the matter of dotfiles

Re: On the matter of dotfiles

Re: On the matter of dotfiles

Re: On the matter of dotfiles

Re: On the matter of dotfiles

Re: On the matter of dotfiles

Re: On the matter of dotfiles

Re: On the matter of dotfiles

Re: On the matter of dotfiles

Re: On the matter of dotfiles

Re: On the matter of dotfiles