History Buffer Security…
One security issue that might not be obvious to the casual Linux user is the history buffer.
Why can history be a security issue?
When you type anything into the console or terminal window, it is being recorded into a history buffer. Anyone logged in to the system can view this buffer by simply typing “history” into the console window, or by using the cursor up and down keys to review the history buffer, line by line.
Passwords that are typed into the buffer are *not* recorded, as long as the system knows it is a password. But what if it doesn’t?
For instance: If I need a mysqldump, and I am using a password, I can specify that password in the command line. For example:
mysqldump -u user -p password --all-databases
The “password” is the actual password to access the mysql database, and it is now recorded in the history buffer for all to see.
This is only one example of quite a few programs that accept (or sometimes even require) command-line passwords.
Luckly, the solution is extremely simple.
After using any command line that includes sensitive information, just execute the “clear history” command by entering:
In the command line, and the history buffer for the user account you are logged in as will be deleted.
When using the BASH shell, it actually empties the file .bash_history file for the logged-in user.
NOTE: Another way to avoid having unwanted information in the history buffer is to put a space in front of your ‘sensitive’ commands. Any command entered with a space as the first character, is not added to the history buffer.
No comments yet