Re: [Full-disclosure] encrypt the bash history

Fri, 04 Feb 2011 11:37:15 -0800 

On Fri, Feb 04, 2011 at 04:18:53PM -0300, Zerial. wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 02/04/11 16:13, valdis.kletni...@vt.edu wrote:
> > On Fri, 04 Feb 2011 16:06:06 -0300, "Zerial." said:
> >> what is the best way to encrypt the bash_history file?
> >> I try using crypt/decrypt with GPG when login/logout. It works, but not
> >> safe enough.
> > 
> > Explain what the threat model is, and why GPG isn't safe enough?  It's kind 
> > of
> > hard to recommend "best" when we don't understand what the criteria are...
> > 
> 
> The "way" is not safe enough. root can login as me (su - user) and
> bash_history will be decrypted. I try to find any better way to crypt
> and make unreadable the bash_history file from any other users,
> including root.

Not to mention the fact that your .bash_history file is unencrypted
the entire time you're logged in.  A better alternative, if you're
that anxious about your shell history falling into the wrong hands, is
to disable it entirely:

unset HISTFILE
HISTSIZE=0

You can also tell bash to not record commands that begin with a space:
HISTCONTROL=ignorespace

More fine-grained control can be achieved with the HISTIGNORE
variable.  See the 'Shell Variables' section of the bash(1) manpage.

Finally, I wrote these functions to toggle history recording on/off
in a shell.  I like how this works, when I remember to run it beforehand:

# turn off history recording
function offtherecord()
{
    if [[ -n "$HISTFILE" ]]; then
        OLDHISTFILE=$HISTFILE
        unset HISTFILE
    fi
    if [[ -n "$HISTSIZE" ]]; then
        OLDHISTSIZE=$HISTSIZE
        HISTSIZE=0
    fi
}

# turn on history recording
function ontherecord()
{
    if [[ -n "$OLDHISTFILE" ]]; then
        HISTFILE=$OLDHISTFILE
        unset OLDHISTFILE
    fi
    if [[ -n "$HISTSIZE" ]]; then
        HISTSIZE=$OLDHISTSIZE
        unset OLDHISTSIZE
    fi
}

Once you've run offtherecord, you lose all of your history for that shell until
you log back in.

-- 
Erik Falor
Registered Linux User #445632 http://counter.li.org

Attachment: pgpaXXrudODij.pgp
Description: PGP signature

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Reply via email to