Hello,

For some reason, I thought little about the "clear" command today.. Let's say a privileged user (root) logs on, edits a sensitive file (e.g., a file containing a password, running vipw, etc) .. then runs clear and logout. Then anyone can press the scroll-lock command, scroll back up and read the sensitive information.. Isn't "clear" meant to clear the backbuffer instead of printing a full screen of returns? If it does, I'm not sure how that would affect a user running "clear" on a pty (telnet, sshd, screen, etc) ..

Best regards,
Jesper Wallin

No, it's not meant to clear the buffer. If you need to clear the buffer, just cat a really, really long file.

On 4/21/05, Jesper Wallin <jesper@hackunite.net> wrote:
> Hello,
>
> For some reason, I thought little about the "clear" command today..
> Let's say a privileged user (root) logs on, edits a sensitive file (e.g.,
> a file containing a password, running vipw, etc) .. then runs clear and
> logout. Then anyone can press the scroll-lock command, scroll back up
> and read the sensitive information.. Isn't "clear" meant to clear the
> backbuffer instead of printing a full screen of returns? If it does, I'm
> not sure how that would affect a user running "clear" on a pty (telnet,
> sshd, screen, etc) ..
>
> Best regards,
> Jesper Wallin

On Fri, 22 Apr 2005, Jesper Wallin wrote:
> Hello,
>
> For some reason, I thought little about the "clear" command today.. Let's say
> a privileged user (root) logs on, edits a sensitive file (e.g., a file
> containing a password, running vipw, etc) .. then runs clear and logout. Then
> anyone can press the scroll-lock command, scroll back up and read the
> sensitive information.. Isn't "clear" meant to clear the backbuffer instead of
> printing a full screen of returns? If it does, I'm not sure how that would
> affect a user running "clear" on a pty (telnet, sshd, screen, etc) ..
>
> Best regards,
> Jesper Wallin

I've often wondered the same thing when connected in via a ssh session. If there was a way to implement this functionality without uglifying the code too much, I don't see why anyone would object to it. But I don't think you're going to get someone else to code it for you. :)

Mike "Silby" Silbersack

i had the same thing, although i wanted it for all logouts, my hack works fairly well unless you use telnet or serial consoles, but works fine for the normal console and ssh :)

edit /etc/gettytab and there should be a line that looks like this:

default:\
        :cb:ce:ck:lc:fd#1000:im=<snip>\
        :if=/etc/issue:

pretty much, change it to look like this

default:\
        :cb:ce:ck:lc:fd#1000:im=\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n<snip>\f\r\n%s/%m (%h) (%t)\r\n\r\n:sp#1200:\
        :if=/etc/issue:

(sorry if it looks ugly on some systems :P)

but yeah, just fill it up with \r\n - if you use telnet or a serial console, when it shows the logon screen you have a long wait... but for the console it's fine :)

clears when you logout (i think you have to send signal 1 to init) or just reboot

also, clear just sends a \f - or was it \l, i forgot which clears it, it doesn't send a screenful of new lines :)

~Neo-Vortex

On Fri, 22 Apr 2005, Jesper Wallin wrote:
> Hello,
>
> For some reason, I thought little about the "clear" command today..
> Let's say a privileged user (root) logs on, edits a sensitive file (e.g.,
> a file containing a password, running vipw, etc) .. then runs clear and
> logout. Then anyone can press the scroll-lock command, scroll back up
> and read the sensitive information.. Isn't "clear" meant to clear the
> backbuffer instead of printing a full screen of returns? If it does, I'm
> not sure how that would affect a user running "clear" on a pty (telnet,
> sshd, screen, etc) ..
>
> Best regards,
> Jesper Wallin

Jesper Wallin <jesper@hackunite.net> writes:
> For some reason, I thought little about the "clear" command
> today.. Let's say a privileged user (root) logs on, edits a sensitive
> file (e.g., a file containing a password, running vipw, etc) .. then
> runs clear and logout. Then anyone can press the scroll-lock command,
> scroll back up and read the sensitive information.. Isn't "clear" meant
> to clear the backbuffer instead of printing a full screen of returns?

That might have made sense, but it's never been the case. clear(1) is meant and documented to execute the "clear_screen" termcap sequence.

If you want to clear the history buffer, just use vidcontrol(1). It has options to clear or change the size of the history buffer, and it is already specific to syscons(4), so it doesn't need to be as general as termcap(5).

Jesper Wallin wrote:
> For some reason, I thought little about the "clear" command today..
> Let's say a privileged user (root) logs on, edits a sensitive file (e.g.,
> a file containing a password, running vipw, etc) .. then runs clear and
> logout. Then anyone can press the scroll-lock command, scroll back up
> and read the sensitive information.. Isn't "clear" meant to clear the
> backbuffer instead of printing a full screen of returns? If it does, I'm
> not sure how that would affect a user running "clear" on a pty (telnet,
> sshd, screen, etc) ..

vidcontrol -C ; clear

-- 
Dean C. Strik             Eindhoven University of Technology
dean@stack.nl  |  dean@ipnet6.org  |  http://www.ipnet6.org/
"This isn't right. This isn't even wrong." -- Wolfgang Pauli
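
Added example, not part of the thread or of FreeBSD itself: a logout helper that applies the `vidcontrol -C ; clear` answer on a syscons console and goes beyond the thread for the pty case by sending the xterm "erase saved lines" sequence (CSI 3 J). The function names and the device-name patterns (`ttyv*`, `pts/*`, `ttyp*`) are assumptions made for this sketch.

```sh
#!/bin/sh
# Added example: wipe terminal scrollback at logout, by terminal type.

# Classify a tty device path. Patterns are assumptions about FreeBSD naming:
# ttyv* = syscons virtual terminals, pts/* and ttyp* = pseudo-terminals.
scrollback_method() {
    case "$1" in
        /dev/ttyv*)            echo vidcontrol ;;
        /dev/pts/*|/dev/ttyp*) echo escape ;;
        *)                     echo none ;;
    esac
}

# Bytes sent on a pty: erase saved lines (xterm CSI 3 J), erase the
# visible screen (CSI 2 J), then home the cursor (CSI H).
pty_wipe_sequence() {
    printf '\033[3J\033[2J\033[H'
}

# Wipe the scrollback of the given tty (default: the current one).
# Returns non-zero when no method is known, so the caller can warn
# instead of assuming the history is gone.
wipe_scrollback() {
    dev=${1:-$(tty)}
    case "$(scrollback_method "$dev")" in
        vidcontrol)
            # History lives in the kernel console driver: the command
            # from the thread applies directly.
            vidcontrol -C && clear
            ;;
        escape)
            # History lives in the remote terminal emulator, not on this
            # host. The sequence is a request; an emulator that ignores
            # it keeps its scrollback.
            pty_wipe_sequence
            ;;
        *)
            echo "wipe_scrollback: no known method for $dev" >&2
            return 1
            ;;
    esac
}

# Usage from an sh-style profile:  trap wipe_scrollback EXIT
```

On a serial line or any other unclassified device the function fails rather than pretending to have cleared anything.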