bash history default setting is crazy insecure in Ubuntu - Ubuntu



Thread: bash history default setting is crazy insecure in Ubuntu

  1. bash history default setting is crazy insecure in Ubuntu

    Being a newbie I've just found that bash keeps my root password in PLAIN
    TEXT in /root/.bash_history file. :-(

    It just does it by default! And I've never logged in as root BTW. Thus it
    looks that it does it whenever I execute "sudo -s"? Otherwise I cannot
    understand how it happened to save it. I cannot believe it would do it
    just on sudo. This would make it even crazier.

    IMHO it is just crazy insecure, considering any new-to-Linux user finds
    it out only after a considerable amount of time spent wandering around and
    learning.

    How to turn this off? I do not want to keep running "history -c
    .bash_history" all the time. Creating a cron job for it does not look
    to me any better either.

    Any suggestions, please?

  2. Re: bash history default setting is crazy insecure in Ubuntu

    Vitorio Okio wrote:

    > Being a newbie I've just found that bash keeps my root password in PLAIN
    > TEXT in /root/.bash_history file. :-(
    >
    > It just does it by default! And I've never logged in as root BTW. Thus it
    > looks that it does it whenever I execute "sudo -s"? Otherwise I cannot
    > understand how it happened to save it. I cannot believe it would do it
    > just on sudo. This would make it even crazier.
    >
    > IMHO it is just crazy insecure, considering any new-to-Linux user finds
    > it out only after a considerable amount of time spent wandering around and
    > learning.
    >
    > How to turn this off? I do not want to keep running "history -c
    > .bash_history" all the time. Creating a cron job for it does not look
    > to me any better either.
    >
    > Any suggestions, please?


    No password recorded here in my .bash_history file. No idea how that can
    happen? That file should only contain commands you've entered on the
    commandline.

    Cheers.

    --
    The world can't afford the rich.


  3. Re: bash history default setting is crazy insecure in Ubuntu

    On Wed, 30 Jan 2008 03:55:04 +0100, Vitorio Okio wrote:

    > Being a newbie I've just found that bash keeps my root password in PLAIN
    > TEXT in /root/.bash_history file. :-(
    >
    > It just does it by default! And I've never logged in as root BTW. Thus
    > it looks that it does it whenever I execute "sudo -s"? Otherwise I
    > cannot understand how it happened to save it. I cannot believe it would
    > do it just on sudo. This would make it even crazier.


    I'm really puzzled by what you're saying. In my /root directory, there is
    no .bash_history. And I haven't done anything strange installation-wise.
    So how come *you* have a /root/.bash_history by default and I have *no*
    /root/.bash_history by default?

    I checked /root/.bashrc and /root/.profile, and neither contains a
    password.

    Hmmm...

    > IMHO it is just crazy insecure, considering any new-to-Linux user finds
    > it out only after a considerable amount of time spent wandering around and
    > learning.
    >
    > How to turn this off? I do not want to keep running "history -c
    > .bash_history" all the time. Creating a cron job for it does not look
    > to me any better either.
    >
    > Any suggestions, please?


    Since my system seems to get on okay without a /root/.bash_history, how
    about you rm it? Then you won't have to worry about the password showing
    up in it. After all, what do you need /root/.bash_history for? Just rm
    the thing.



    --

    "Community within our Nation, chaos in theirs" - Abbie Hoffman


  4. Re: bash history default setting is crazy insecure in Ubuntu

    On Wed, 30 Jan 2008, in the Usenet newsgroup alt.os.linux.ubuntu, in article
    , Vitorio Okio wrote:

    >Being a newbie I've just found that bash keeps my root password in PLAIN
    >TEXT in /root/.bash_history file. :-(


    Can you show an example of this? Obviously replace the password with
    an XXXXXXXXXX string, but none of my systems have this.

    >It just does it by default! And I've never logged in as root BTW. Thus it
    >looks that it does it whenever I execute "sudo -s"? Otherwise I cannot
    >understand how it happened to save it. I cannot believe it would do it
    >just on sudo. This would make it even crazier.


    Doesn't happen here.

    >IMHO it is just crazy insecure, considering any new-to-Linux user finds
    >it out only after a considerable amount of time spent wandering around and
    >learning.


    Well, the /root/ directory shouldn't be viewable by others, so that's a
    minor good point, but I can't see why you are having the problem in the
    first place.

    >How to turn this off? I do not want to keep running "history -c
    >.bash_history" all the time. Creating a cron job for it does not look
    >to me any better either.


    You could disable the history function (man bash), but the password
    simply should not be there at all. What are you doing?

    Old guy

  5. Re: bash history default setting is crazy insecure in Ubuntu

    On Wed, 30 Jan 2008 03:55:04 +0100, Vitorio Okio wrote:

    > Being a newbie I've just found that bash keeps my root password in PLAIN
    > TEXT in /root/.bash_history file. :-(



    Can you show us the offending lines. **munge the password** maybe you
    typed the password once by mistake as a command instead of responding to
    the sudo prompt?

    stonerfish

  6. Re: bash history default setting is crazy insecure in Ubuntu

    jellybean stonerfish wrote:

    > On Wed, 30 Jan 2008 03:55:04 +0100, Vitorio Okio wrote:
    >
    >> Being a newbie I've just found that bash keeps my root password in PLAIN
    >> TEXT in /root/.bash_history file. :-(

    >
    >
    > Can you show us the offending lines. **munge the password** maybe you
    > typed the password once by mistake as a command instead of responding to
    > the sudo prompt?
    >

    Nope, only valid commands are recorded in the .bash_history file. Type a
    command where it doesn't exist and the program can't be found and will not
    be recorded. :-)

    > stonerfish


    Cheers.

    --
    The world can't afford the rich.


  7. Re: bash history default setting is crazy insecure in Ubuntu

    It is exactly as I stated. There is a file in /root directory named
    ".bash_history", likewise there is another one in my home directory. I
    did not do anything funny with my install either. This is a default
    installation of Feisty Fawn that was upgraded to Gutsy Gibbon upon its
    release using a standard procedure.

    So, I even do not really know when this file was created and when and
    under what circumstances it was filled in. The only thing I can say
    for sure - I've never logged in as root but used console after
    "sudo -s" a couple of times.

    The offending file had a long list of commands entered in bash. The
    very first 2 lines at the top of the file were exactly as follows:

    password
    MY_ROOT_PASSWORD_IN_PLAIN_TEXT
    ....

    Then all bash history followed as normal.

    I simply could not type it in by mistake :-) since till today I never
    opened the file. Even today I opened it only by a pure chance, since
    I started learning how to harden my system security, etc. and was
    wandering around following some reading.

    I certainly dumped the contents of the file by running "sudo
    history -c /root/.bash_history". But the question was how possibly it
    could happen?

    In a certain sense it looks quite funny. Bash is smart enough not to
    display my password while I'm typing it in a console, when requested
    after sudo. But then it gets dumb enough to store it in a plain text
    in history file? I just cannot believe it.

    Well, since the majority states it is impossible to be true, could it
    be an indication of my system gotten somehow compromised? Or I'm
    getting paranoid here?

  8. Re: bash history default setting is crazy insecure in Ubuntu

    On Wed, 30 Jan 2008 05:23:45 +0000, Vitorio Okio wrote:

    > The offending file had a long list of commands entered in bash. The very
    > first 2 lines at the top of the file where exactly as follows:
    >
    > password
    > MY_ROOT_PASSWORD_IN_PLAIN_TEXT


    Exactly as I thought. I can replicate it on my system....

    In the past you did a
    sudo -i

    Then in sudo, you wanted to create a password for root. You did
    passwd

    Then due to some typo you entered your password as a command instead of the
    input to the passwd program.

    The following snip from my terminal shall illustrate.


    bossman@blackbox:/home/js$ sudo rm /root/.bash_history
    Password:
    bossman@blackbox:/home/js$ sudo -i
    root@blackbox:~# passwd
    Enter new UNIX password:
    Retype new UNIX password:
    No password supplied
    Enter new UNIX password:
    Retype new UNIX password:
    No password supplied
    Enter new UNIX password:
    Retype new UNIX password:
    No password supplied
    passwd: Authentication token manipulation error
    passwd: password unchanged
    root@blackbox:~#
    root@blackbox:~# fornicate
    -bash: fornicate: command not found
    root@blackbox:~# exit
    logout
    bossman@blackbox:/home/js$ sudo cat /root/.bash_history
    passwd
    fornicate
    exit


    Maybe it was early in your install that you did this? Sometimes after
    doing an install and all the configuring we forget a step or two.

    stonerfish

  9. Re: bash history default setting is crazy insecure in Ubuntu

    On Wed, 30 Jan 2008 05:05:08 +0000, NoStop wrote:

    >> Can you show us the offending lines. **munge the password** maybe you
    >> typed the password once by mistake as a command instead of responding to
    >> the sudo prompt?
    >>

    > Nope, only valid commands are recorded in the .bash_history file. Type a
    > command where it doesn't exist and the program can't be found and will not
    > be recorded. :-)
    >
    >> stonerfish

    >
    > Cheers.


    In another post on this subject I demonstrate how my ubuntu does do what
    you say it won't do.

    stonerfish

  10. Re: bash history default setting is crazy insecure in Ubuntu

    On Wed, 30 Jan 2008 05:38:14 +0000, jellybean stonerfish wrote:

    A neater example with the password entered correctly to the passwd
    program twice, but then typed a third time for some unknown reason. Maybe
    using the mouse to type? (gpm)
    It seems pretty sure you did something like this.
    Delete the /root/.bash_history file and move on.

    bossman@blackbox:/home/js$ sudo rm /root/.bash_history
    bossman@blackbox:/home/js$ sudo -i
    root@blackbox:~# passwd
    Enter new UNIX password:
    Retype new UNIX password:
    passwd: password updated successfully
    root@blackbox:~# newpas
    -bash: newpas: command not found
    root@blackbox:~# exit
    logout
    bossman@blackbox:/home/js$ sudo cat /root/.bash_history
    passwd
    newpas
    exit
    bossman@blackbox:/home/js$

  11. Re: bash history default setting is crazy insecure in Ubuntu

    jellybean stonerfish wrote:

    > On Wed, 30 Jan 2008 05:05:08 +0000, NoStop wrote:
    >
    >>> Can you show us the offending lines. **munge the password** maybe you
    >>> typed the password once by mistake as a command instead of responding to
    >>> the sudo prompt?
    >>>

    >> Nope, only valid commands are recorded in the .bash_history file. Type a
    >> command where it doesn't exist and the program can't be found and will
    >> not be recorded. :-)
    >>
    >>> stonerfish

    >>
    >> Cheers.

    >
    > In another post on this subject I demonstrate how my ubuntu does do what
    > you say it won't do.
    >
    > stonerfish


    Doesn't do it here. Sorry. Don't know why it does on your system? If a
    command is not found, it isn't recorded in my .bash_history file.

    Cheers.

    --
    The world can't afford the rich.


  12. Re: bash history default setting is crazy insecure in Ubuntu

    > passwd
    > fornicate


    1. The first line in my /root/.bash_history was "password" (in full
    spelling) not "passwd".
    2. At the time I set up my root password I knew nothing about either
    Linux or Ubuntu. So, I just used GUI User and Groups applet to create
    my root password.

    Sorry. :-)

    And thanks for the effort..

  13. Re: bash history default setting is crazy insecure in Ubuntu

    On Wed, 30 Jan 2008 05:52:48 +0000, NoStop wrote:

    >> In another post on this subject I demonstrate how my ubuntu does do what
    >> you say it won't do.
    >>
    >> stonerfish

    >
    > Doesn't do it here. Sorry. Don't know why it does on your system? If a
    > command is not found, it isn't recorded in my .bash_history file.
    >
    > Cheers.


    Hmmmm that is strange. I am on 7.04. My .bashrc and .profile files match
    the defaults in /etc/skel.

    In the bash manpage, HISTIGNORE and HISTCMD do not appear to care about if
    a command works or not.

  14. Re: bash history default setting is crazy insecure in Ubuntu

    * Vitorio Okio :
    [ Re: '/root/.bash_history' ]
    > So, I even do not really know when this file was created and when and
    > under what circumstances it was filled in. The only thing I can say
    > for sure - I've never logged in as root but used console after
    > "sudo -s" a couple of times.
    >
    > The offending file had a long list of commands entered in bash. The
    > very first 2 lines at the top of the file were exactly as follows:
    >
    > password
    > MY_ROOT_PASSWORD_IN_PLAIN_TEXT
    > ...


    jellybean stonerfish seems already to be on the trail... Mostly agree
    with their analysis except that I think that "password" was mistakenly
    typed instead of "passwd" at the outset. You were immediately returned
    to the shell prompt upon failure to invoke a non-existent "password"
    command then proceeded to enter your password assuming that the passwd
    command had been invoked.

    > Then all bash history followed as normal.
    >
    > I simply could not type it in by mistake :-) since till today I never
    > opened the file. Even today I opened it only by a pure chance, since
    > I started learning how to harden my system security, etc. and was
    > wandering around following some reading.


    Likely happened upon your initial "sudo -s" session. Do you recall
    attempting to set root's password during one such session?

    > I certainly dumped the contents of the file by running "sudo
    > history -c /root/.bash_history". But the question was how possibly it
    > could happen?


    sudo cannot invoke a shell builtin command like history... I just tried
    it myself with the following result:

    $ sudo history -c /root/.bash_history
    sudo: history: command not found

    > In a certain sense it looks quite funny. Bash is smart enough not to
    > display my password while I'm typing it in a console, when requested
    > after sudo. But then it gets dumb enough to store it in a plain text
    > in history file? I just cannot believe it.


    Worth noting that it is sudo, not bash, that is prompting for a
    password.

    > Well, since the majority states it is impossible to be true, could it
    > be an indication of my system gotten somehow compromised? Or I'm
    > getting paranoid here?


    Probably the latter. :-) Hope to have cleared any confusion and allayed
    any fears.

    --
    James Michael Fultz
    Remove this part when replying ^^^^^^^^

  15. Re: bash history default setting is crazy insecure in Ubuntu

    In <2rWdnXOmcp86iz3anZ2dnUVZ_vmlnZ2d@neonova.net> James Michael Fultz:

    [Snip..]

    > then proceeded to enter your password assuming that the passwd command
    > had been invoked.


    This is a gotcha I face whenever a command line script times out, waiting
    for a password entry.

    If I get distracted, the command times out so there is a prompt for me to
    enter the password as a (bogus) command. Whatever "command" entered then
    is as usual saved in the history file.

    At that point, "history -c" (bash) is about the easiest fix (for me).

    --
    Regards, Weird (Harold Stevens) * IMPORTANT EMAIL INFO FOLLOWS *
    Pardon any bogus email addresses (wookie) in place for spambots.
    Really, it's (wyrd) at airmail, dotted with net. DO NOT SPAM IT.
    Kids jumping ship? Looking to hire an old-school type? Email me.

  16. Re: bash history default setting is crazy insecure in Ubuntu

    jellybean stonerfish writes:

    > On Wed, 30 Jan 2008 05:52:48 +0000, NoStop wrote:
    >
    >>> In another post on this subject I demonstrate how my ubuntu does do what
    >>> you say it won't do.
    >>>
    >>> stonerfish

    >>
    >> Doesn't do it here. Sorry. Don't know why it does on your system? If a
    >> command is not found, it isn't recorded in my .bash_history file.
    >>
    >> Cheers.

    >
    > Hmmmm that is strange. I am on 7.04. My .bashrc and .profile files match
    > the defaults in /etc/skel.
    >
    > In the bash manpage, HISTIGNORE and HISTCMD do not appear to care about if
    > a command works or not.


    Cut and paste from "history" command output on Debian:

    ,----
    | 499 exit
    | 500 history
    | 501 hjk
    | 502 history
    `----

    History does indeed store a bad program name, and indeed it SHOULD. If I
    typed some long name I would not be happy if I could not get it back to
    correct it.

    NOTE : the history file is not written until you leave the shell. This
    could be why NoStop does not see it in his .bash_history. I have no idea
    if this behaviour can be changed and haven't looked into it.

    So when I reopened my shell

    ,----
    | hadron@debian:~$ cat .bash_history | grep -i hjk
    | hjk
    | cat .bash_history | grep -i hjk
    `----



  17. Re: bash history default setting is crazy insecure in Ubuntu

    Vitorio Okio wrote:
    > Being a newbie I've just found that bash keeps my root password in PLAIN
    > TEXT in /root/.bash_history file. :-(
    >
    > It just does it by default! And I've never logged in as root BTW. Thus it
    > looks that it does it whenever I execute "sudo -s"? Otherwise I cannot
    > understand how it happened to save it. I cannot believe it would do it
    > just on sudo. This would make it even crazier.
    >
    > IMHO it is just crazy insecure, considering any new-to-Linux user finds
    > it out only after a considerable amount of time spent wandering around and
    > learning.
    >
    > How to turn this off? I do not want to keep running "history -c
    > .bash_history" all the time. Creating a cron job for it does not look
    > to me any better either.
    >
    > Any suggestions, please?


    Just an assumption based on actual experience:

    I'm not a "blind typer", so I need to look at the keyboard to type, e.g.
    a command or my password. Obviously I cannot look at the screen at the
    same time.

    So, when I type in "sudo -i" within the grace period after a previous
    "sudo", I wouldn't need to type in my password. However, if I *think* I
    need to type in my password, I type "sudo -imypassword", get "-bash:
    mypassword: command not found"... bingo: my password shows up in root's
    .bash_history.

    Josef, having also just found his password in root's .bash_history.
    --
    These are my personal views and not those of Fujitsu Siemens Computers!
    Josef Möllers (Pinguinpfleger bei FSC)
    If failure had no penalty success would not be a prize (T. Pratchett)
    Company Details: http://www.fujitsu-siemens.com/imprint.html

  18. Re: bash history default setting is crazy insecure in Ubuntu

    I'm with everyone else. Those files were not in my /root/ folder, but
    they were in my /home folder. They did not, however, even after
    searching for my password, contain the phrase. I'm not honestly sure
    what happened with yours. Perhaps it's a bug, perhaps it's not. Either
    way, it wouldn't hurt to submit it to Launchpad if you feel like it is
    and you can replicate it on your system with steps how to do it.

    Vitorio Okio wrote:
    > Being a newbie I've just found that bash keeps my root password in PLAIN
    > TEXT in /root/.bash_history file. :-(
    >
    > It just does it by default! And I've never logged in as root BTW. Thus it
    > looks that it does it whenever I execute "sudo -s"? Otherwise I cannot
    > understand how it happened to save it. I cannot believe it would do it
    > just on sudo. This would make it even crazier.
    >
    > IMHO it is just crazy insecure, considering any new-to-Linux user finds
    > it out only after a considerable amount of time spent wandering around and
    > learning.
    >
    > How to turn this off? I do not want to keep running "history -c
    > .bash_history" all the time. Creating a cron job for it does not look
    > to me any better either.
    >
    > Any suggestions, please?


  19. Re: bash history default setting is crazy insecure in Ubuntu

    On Wed, 30 Jan 2008 03:55:04 +0100, Vitorio Okio wrote:

    > Being a newbie I've just found that bash keeps my root password in PLAIN
    > TEXT in /root/.bash_history file. :-(


    It's not a default setting. If you have passwords show up then something
    was done to make that happen.


  20. Re: bash history default setting is crazy insecure in Ubuntu

    Hadron wrote:

    > jellybean stonerfish writes:
    >
    >> On Wed, 30 Jan 2008 05:52:48 +0000, NoStop wrote:
    >>
    >>>> In another post on this subject I demonstrate how my ubuntu does do
    >>>> what you say it won't do.
    >>>>
    >>>> stonerfish
    >>>
    >>> Doesn't do it here. Sorry. Don't know why it does on your system? If a
    >>> command is not found, it isn't recorded in my .bash_history file.
    >>>
    >>> Cheers.

    >>
    >> Hmmmm that is strange. I am on 7.04. My .bashrc and .profile files
    >> match the defaults in /etc/skel.
    >>
    >> In the bash manpage, HISTIGNORE and HISTCMD do not appear to care about
    >> if a command works or not.

    >
    > Cut and paste from "history" command output on Debian
    >
    > ,----
    > | 499 exit
    > | 500 history
    > | 501 hjk
    > | 502 history
    > `----
    >
    > History does indeed store a bad program name, and indeed it SHOULD. If I
    > typed some long name I would not be happy if I could not get it back to
    > correct it.
    >
    > NOTE : the history file is not written until you leave the shell. This
    > could be why NoStop does not see it in his .bash_history. I have no idea
    > if this behaviour can be changed and haven't looked into it.
    >
    > So when I reopened my shell
    >

    After reading your post, you're absolutely correct. I hadn't closed the
    terminal when I checked the file. Indeed incorrect commands are stored in
    that file. Found them after reopening the terminal.

    Cheers.


    --
    The world can't afford the rich.
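
Added example, not part of the thread and not Ubuntu's or bash's own code.
The script below reproduces, in throwaway shells, what jellybean stonerfish
demonstrated with passwd (posts 8 and 10), what Hadron and NoStop settled
about the file only being written when the shell exits (posts 16 and 20),
and why James Michael Fultz's "sudo history -c" could never work (post 14),
and it adds the check a practitioner actually wants: a scan of a history
file for lines that are not commands, which catches both the "password"
typo and the secret typed on the line after it, and the "sudo -imypassword"
slip from post 17 as well. It assumes bash and mktemp are installed; every
session it runs uses a private temporary HISTFILE with --norc, so your real
~/.bash_history is never read or written, and the commands and the secret
in it are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example (not code from the thread, from Ubuntu or from bash):
# reproduce what the posters saw and show what actually removes a leaked line.
#   1. An interactive bash records every line it reads, "command not found"
#      typos included, and writes them to $HISTFILE when it exits.
#   2. HISTCONTROL=ignorespace and HISTIGNORE drop predictable lines but
#      cannot recognise a secret typed as a bare word.
#   3. Truncating the file while a shell is still open is undone when that
#      shell exits; "history -c" inside the live shell is what works.
#   4. A scan that flags history lines whose first word is not a command.
# Assumed: bash and mktemp are installed. Each session runs with a private
# temporary HISTFILE and --norc, so the caller's ~/.bash_history is never
# read or written.

unset HISTTIMEFORMAT   # a set (even empty) HISTTIMEFORMAT adds "#<time>" lines

# run_session HISTCONTROL HISTIGNORE < commands
# Feed the commands on stdin to a fresh interactive bash, then print the
# history file that bash wrote on exit and delete it.
run_session() {
    _hist=$(mktemp) || return 1
    HISTFILE="$_hist" HISTCONTROL="$1" HISTIGNORE="$2" \
    HISTSIZE=500 HISTFILESIZE=500 \
        bash --norc -i >/dev/null 2>&1 || :   # the session's exit status is irrelevant
    cat "$_hist"
    rm -f "$_hist"
}

# Constructed session modelled on the thread: "password" typed instead of
# "passwd", so the next line (a placeholder secret, not a real credential)
# is read by bash as a command instead of by passwd.
SESSION='echo hello
password
S3cretPassw0rd
 echo leading-space
exit
'

# Default settings: every line lands in the file, typos and all.
default_history()  { printf '%s' "$SESSION" | run_session '' ''; }

# ignorespace drops the space-prefixed line and HISTIGNORE drops anything
# matching *password*, but the bare secret on the line after the typo is
# still recorded: no setting can tell a pasted secret from a mistyped command.
hardened_history() { printf '%s' "$SESSION" | run_session ignorespace '*password*'; }

# Truncating the file mid-session (what a cron job or a manual
# "> /root/.bash_history" does) is undone: bash appends its in-memory list
# at exit, so the secret comes back.
truncate_midway() {
    printf 'echo hello\nS3cretPassw0rd\n: > "$HISTFILE"\nexit\n' | run_session '' ''
}

# Truncate the file and clear the live shell's list as well: only "exit",
# typed after the clear, reaches the file.
clear_in_shell() {
    printf 'echo hello\nS3cretPassw0rd\n: > "$HISTFILE"\nhistory -c\nexit\n' | run_session '' ''
}

# suspicious_history_lines FILE
# Print lines that look like leaked credentials: lines matching a few
# credential patterns, and lines whose first word resolves to no command,
# builtin or function. A "passwd" typo shows up here, and so does the secret
# typed on the line after it. Heuristic: mistyped commands are flagged too.
suspicious_history_lines() {
    _file=$1
    set -f                                  # no globbing while splitting lines
    while IFS= read -r _line; do
        case $_line in
            *[Pp]assword*|*sshpass*|*://*:*@*) printf '%s\n' "$_line"; continue ;;
        esac
        set -- $_line                       # $1 = first word of the line
        [ $# -eq 0 ] && continue
        case $1 in
            \#*|*=*) continue ;;            # comment or VAR=value prefix
        esac
        command -v -- "$1" >/dev/null 2>&1 || printf '%s\n' "$_line"
    done < "$_file"
    set +f
}

# Scan the default-settings history file from above.
scan_default() {
    _out=$(mktemp) || return 1
    default_history > "$_out"
    suspicious_history_lines "$_out"
    rm -f "$_out"
}

# Run directly to see each scenario's resulting history file.
for _scenario in default_history hardened_history truncate_midway clear_in_shell scan_default; do
    printf '== %s ==\n' "$_scenario"
    "$_scenario"
done
```

Against a real Ubuntu system the same steps are: truncate /root/.bash_history
(from any root shell, since that only touches the file), then run "history -c"
in every root shell that is still open before it exits, because each of those
appends its own in-memory list to the file when it closes. "sudo history -c"
cannot do this: history is a bash builtin, so sudo has no program to run. The
scanner can be pointed at root's file after sourcing the script, for example
with "sudo cat /root/.bash_history | suspicious_history_lines /dev/stdin".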

