On 1/30/15 3:50 PM, Jonathan Hankins wrote:

> I agree about being able to use named pipes, etc. as HISTFILE. My concern
> is that I think there may be a code path that leads to rename() and
> open(O_TRUNC...) being called on something that isn't a regular file.

OK, say the history file is not a regular file. What negative scenarios are
possible if the history library opens that file with O_TRUNC?

> Furthermore, I think that if someone can manipulate a user's HISTFILE
> setting maliciously, there may be a code path to cause an unwitting
> overwrite of a file whose name ends in hyphen.

If someone can manipulate a user's $HISTFILE setting, they can overwrite any
file the user has permission to write. It's always been thus.

> Specifically, if lib/readline/histfile.c:{append,write}_history() get
> called, in turn history_do_write() is called, which results in an open with
> append or a trunc, and when overwrite is set, a rename to HISTFILE + "-".
> It doesn't look like the return value from rename(output, bakname) is
> tested, and if the open() on HISTFILE fails, it does a rename(bakname,
> output) to "restore" the backup, also not checking the return value from
> rename().

I wrote in the message you quoted that I agreed with you that the history
code shouldn't try to back up non-regular files:

> I don't think that readline should be attempting to do backups of non-
> regular files, though. The history file truncation code, which is called
> when HISTFILESIZE is changed, already rejects attempts to use non-regular
> files.

And I agree that the history code should check the value of the first
rename(2) and set the backup file name to NULL if it fails. That will prevent
any attempts to use it to restore a previously-backed-up file.

-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates

Chet Ramey, ITS, CWRU    c...@case.edu    http://cnswww.cns.cwru.edu/~chet/
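The rename-then-truncate sequence and the two fixes discussed in the thread (skip the backup for non-regular files, and drop the backup name when the first rename(2) fails so the "restore" rename can never run against a file that was not backed up), as an added C example written for this page; it is not readline's histfile.c code, and write_with_backup and file_size are hypothetical helpers:

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical stand-in for a history writer (not readline's history_do_write):
 * write `data` to `path`, keeping the old contents in `path` + "-".  Only regular
 * files are backed up, and the backup name is dropped when rename(2) fails, so a
 * later "restore" can never move an unrelated file over `path`.  Returns errno/0. */
static int write_with_backup(const char *path, const char *data, size_t len)
{
    struct stat st;
    char *bakname = NULL;
    int fd, rv = 0;
    if (stat(path, &st) == 0 && S_ISREG(st.st_mode)) {
        bakname = malloc(strlen(path) + 2);
        if (bakname == NULL)
            return ENOMEM;
        sprintf(bakname, "%s-", path);
        if (rename(path, bakname) < 0) { /* the call the report found unchecked */
            free(bakname);
            bakname = NULL;              /* no backup, so nothing to restore */
        }
    }
    fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) {
        rv = errno;
        /* Restore only a backup we actually made, and check that rename too. */
        if (bakname != NULL && rename(bakname, path) < 0)
            rv = errno;
        free(bakname);
        return rv;
    }
    if (write(fd, data, len) != (ssize_t)len)
        rv = errno ? errno : EIO;
    close(fd);
    free(bakname);
    return rv;
}

/* Size of `path` in bytes, or -1 if it does not exist (no backup was made). */
static long file_size(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}
```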