Despites most programs avoid showing sensitive information like passwords, it's a bad idea in general to leave your session output on the screen after logging out. Therefore the syscons driver should clear the corresponding history buffer when a vty device is being closed, but it fails to. There is some code addressing the problem in the scclose() function, but it's ifndef'ed out, and its status is rather unclear. How-To-Repeat: Log off a FreeBSD vty, hit ScrollLock, scroll to the terminated session contents using Up or PageUp and see your decrypted love-letters, private talks etc.
> >How-To-Repeat: > > Log off a FreeBSD vty, hit ScrollLock, scroll to the > terminated session contents using Up or PageUp and see your > decrypted love-letters, private talks etc. Couldn't you set the size of the scroll-back buffer to zero if this upsets you or your users? (kbdcontrol -h 1 will effectively do this). Alot of terminal emulators would have this problem. (Loosing the scroll back buffer on logout would be likely to upset some people 'cos it means that console log messages would be erased.) David.
On Thu, May 24, 2001 at 03:33:59PM +0100, David Malone wrote: > > >How-To-Repeat: > > > > Log off a FreeBSD vty, hit ScrollLock, scroll to the > > terminated session contents using Up or PageUp and see your > > decrypted love-letters, private talks etc. > > Couldn't you set the size of the scroll-back buffer to zero if this > upsets you or your users? (kbdcontrol -h 1 will effectively do this). First, one wouldn't like to lose the history buffer at all. Second, it's neither me nor my users who is upset by the issue. It's a general security problem, though. > Alot of terminal emulators would have this problem. A lot of operating systems are buggy crap. FreeBSD is not ;-) > (Loosing the scroll back buffer on logout would be likely to upset > some people 'cos it means that console log messages would be erased.) Let it be a per-vty configurable option. -- Yar
Yar Tikhiy <yar@freebsd.org> writes: > On Thu, May 24, 2001 at 03:33:59PM +0100, David Malone wrote: > > > >How-To-Repeat: > > > > > > Log off a FreeBSD vty, hit ScrollLock, scroll to the > > > terminated session contents using Up or PageUp and see your > > > decrypted love-letters, private talks etc. > > > > Couldn't you set the size of the scroll-back buffer to zero if this > > upsets you or your users? (kbdcontrol -h 1 will effectively do this). > > First, one wouldn't like to lose the history buffer at all. > Second, it's neither me nor my users who is upset by the issue. > It's a general security problem, though. > > > Alot of terminal emulators would have this problem. > > A lot of operating systems are buggy crap. FreeBSD is not ;-) > > > (Loosing the scroll back buffer on logout would be likely to upset > > some people 'cos it means that console log messages would be erased.) > > Let it be a per-vty configurable option. How about adding an option to kbdcontrol(1) to clear the buffer? If the user knows they've been reading love letters, they can clear it manually. Or if they're always reading love letters, they can stick `kbdcontrol -c' in .logout and forget about it. This has the fortunate sideaffects of giving the user an option of *when* to clear it and *if* to clear it. Trivial patch attached. Thoughts?
Dima Dorfman <dima@unixfreak.org> writes: > The following reply was made to PR kern/27616; it has been noted by GNATS. > > From: Dima Dorfman <dima@unixfreak.org> > To: Yar Tikhiy <yar@freebsd.org> > Cc: freebsd-gnats-submit@FreeBSD.org > Subject: Re: kern/27616: Syscons history permits peeking in the previous sess > ion output > Date: Thu, 24 May 2001 16:54:13 -0700 > > Yar Tikhiy <yar@freebsd.org> writes: > > On Thu, May 24, 2001 at 03:33:59PM +0100, David Malone wrote: > > > > >How-To-Repeat: > > > > > > > > Log off a FreeBSD vty, hit ScrollLock, scroll to the > > > > terminated session contents using Up or PageUp and see your > > > > decrypted love-letters, private talks etc. > > > > > > Couldn't you set the size of the scroll-back buffer to zero if this > > > upsets you or your users? (kbdcontrol -h 1 will effectively do this). > > > > First, one wouldn't like to lose the history buffer at all. > > Second, it's neither me nor my users who is upset by the issue. > > It's a general security problem, though. > > > > > Alot of terminal emulators would have this problem. > > > > A lot of operating systems are buggy crap. FreeBSD is not ;-) > > > > > (Loosing the scroll back buffer on logout would be likely to upset > > > some people 'cos it means that console log messages would be erased.) > > > > Let it be a per-vty configurable option. > > How about adding an option to kbdcontrol(1) to clear the buffer? If > the user knows they've been reading love letters, they can clear it > manually. Or if they're always reading love letters, they can stick > `kbdcontrol -c' in .logout and forget about it. This has the > fortunate sideaffects of giving the user an option of *when* to clear > it and *if* to clear it. > > Trivial patch attached. > > Thoughts? Okay, I goofed. I hit 'sent' instead of 'sign' :-/. Here's the patch as mentioned above. Dima Dorfman dima@unixfreak.org Index: sys/sys/consio.h =================================================================== RCS file: /stl/src/FreeBSD/src/sys/sys/consio.h,v retrieving revision 1.8 diff -u -r1.8 consio.h --- sys/sys/consio.h 2001/05/18 09:01:53 1.8 +++ sys/sys/consio.h 2001/05/24 23:50:42 @@ -116,6 +116,9 @@ /* set the history (scroll back) buffer size (in lines) */ #define CONS_HISTORY _IOW('c', 9, int) +/* clear the history (scroll back) buffer */ +#define CONS_CLRHIST _IO('c', 10) + /* mouse cursor ioctl */ struct mouse_data { int x; Index: sys/dev/syscons/schistory.c =================================================================== RCS file: /stl/src/FreeBSD/src/sys/dev/syscons/schistory.c,v retrieving revision 1.11 diff -u -r1.11 schistory.c --- sys/dev/syscons/schistory.c 2000/10/08 21:33:54 1.11 +++ sys/dev/syscons/schistory.c 2001/05/24 23:50:42 @@ -299,6 +299,12 @@ DPRINTF(5, ("error:%d, rows:%d, pool:%d\n", error, sc_vtb_rows(scp->history), extra_history_size)); return error; + + case CONS_CLRHIST: + scp = SC_STAT(tp->t_dev); + sc_vtb_clear(scp->history, scp->sc->scr_map[0x20], + SC_NORM_ATTR << 8); + return 0; } return ENOIOCTL; Index: usr.sbin/kbdcontrol/kbdcontrol.1 =================================================================== RCS file: /stl/src/FreeBSD/src/usr.sbin/kbdcontrol/kbdcontrol.1,v retrieving revision 1.28 diff -u -r1.28 kbdcontrol.1 --- usr.sbin/kbdcontrol/kbdcontrol.1 2001/05/16 09:40:12 1.28 +++ usr.sbin/kbdcontrol/kbdcontrol.1 2001/05/24 23:50:42 @@ -13,7 +13,7 @@ .\" @(#)kbdcontrol.1 .\" $FreeBSD: src/usr.sbin/kbdcontrol/kbdcontrol.1,v 1.28 2001/05/16 09:40:12 ru Exp $ .\" -.Dd June 30, 1999 +.Dd May 24, 2001 .Dt KBDCONTROL 1 .Os FreeBSD .Sh NAME @@ -21,7 +21,7 @@ .Nd a utility for manipulating the syscons console driver .Sh SYNOPSIS .Nm -.Op Fl dFKix +.Op Fl cdFKix .Oo .Fl b .Ar duration . Ns Ar pitch | Ar belltype @@ -97,6 +97,8 @@ .Ar keymap_file . You may load the keyboard map file from a menu-driven command, .Xr kbdmap 1 . +.It Fl c +Clear the history buffer. .It Fl d Dump the current keyboard map onto stdout. The output may be redirected to a file and can be loaded Index: usr.sbin/kbdcontrol/kbdcontrol.c =================================================================== RCS file: /stl/src/FreeBSD/src/usr.sbin/kbdcontrol/kbdcontrol.c,v retrieving revision 1.36 diff -u -r1.36 kbdcontrol.c --- usr.sbin/kbdcontrol/kbdcontrol.c 2001/05/15 22:53:05 1.36 +++ usr.sbin/kbdcontrol/kbdcontrol.c 2001/05/24 23:50:42 @@ -980,6 +980,14 @@ warn("setting history buffer size"); } +void +clear_history() +{ + + if (ioctl(0, CONS_CLRHIST) == -1) + warn("clear history buffer"); +} + static char *get_kbd_type_name(int type) { @@ -1079,7 +1087,7 @@ usage() { fprintf(stderr, "%s\n%s\n%s\n", -"usage: kbdcontrol [-dFKix] [-b duration.pitch | [quiet.]belltype]", +"usage: kbdcontrol [-cdFKix] [-b duration.pitch | [quiet.]belltype]", " [-r delay.repeat | speed] [-l mapfile] [-f # string]", " [-h size] [-k device] [-L mapfile]"); exit(1); @@ -1091,10 +1099,13 @@ { int opt; - while((opt = getopt(argc, argv, "b:df:h:iKk:Fl:L:r:x")) != -1) + while((opt = getopt(argc, argv, "b:cdf:h:iKk:Fl:L:r:x")) != -1) switch(opt) { case 'b': set_bell_values(optarg); + break; + case 'c': + clear_history(); break; case 'd': print_keymap();
.@babolo.ru writes: > Dima Dorfman writes: > > Yar Tikhiy <yar@freebsd.org> writes: > > > Let it be a per-vty configurable option. > > > > How about adding an option to kbdcontrol(1) to clear the buffer? If > > the user knows they've been reading love letters, they can clear it > > manually. Or if they're always reading love letters, they can stick > > `kbdcontrol -c' in .logout and forget about it. This has the > > fortunate sideaffects of giving the user an option of *when* to clear > > it and *if* to clear it. > > > > Trivial patch attached. > > > > Thoughts? > why kbdcontrol, not vidcontrol? Because the option to change the history size (-h) is in kbdcontrol, not vidcontrol. Whether it should be in vidcontrol is a subject for another thread; personally, I don't care as long as it's consistent. Putting -c, the option to clear history, in the same program as -h, the option to change history size, is consistent. > > -- > @BABOLO http://links.ru/ >
State Changed From-To: open->analyzed A CONS_CLRHIST ioctl, which allows one to selectively clear the history, had been added.
Responsible Changed From-To: freebsd-bugs->dd My MFC reminder.
State Changed From-To: analyzed->closed