Eliminate Command Line Histories with chattr (change attribute)...

Fri, 03/10/2006 - 10:26 — sandip

If you use bash as the default shell, it keeps a history of commands accessed via the `history` command for convenience. This could end up being a security problem if someone were able to compromise a users' home directory. In some cases, this could expose improperly used passwords or special privileges available to the user such as sudo.

Consider disabling this by changing the attribute of the file to lock out the ability to update the file. As root:

# cat /dev/null > ~user/.bash_history
# chattr +i ~user/.bash_history

The user will still have a command line history, but it will only apply to the current session. When the user logs out, the information will not be saved. To have this apply to all future users, make the changes in the "/etc/skel" directory.

Bookmark/Search this post with

Security

sandip's blog
Login or register to post comments

Comments

Wed, 02/13/2013 - 11:43 — sandip delete bash history

I've seen some shells do not add commands to history if they begin with a space.

So if you need to delete a line in history you could use the below:

history -d <offset>

Here is the snippet from `help -m history`:

SYNOPSIS
    history [-c] [-d offset] [n] or history -anrw [filename] or history -ps arg [arg...]

DESCRIPTION
    Display or manipulate the history list.
    
    Display the history list with line numbers, prefixing each modified
    entry with a `*'.  An argument of N lists only the last N entries.
    
    Options:
    &nbsp; -c	clear the history list by deleting all of the entries
    &nbsp; -d offset	delete the history entry at offset OFFSET.
    
    &nbsp; -a	append history lines from this session to the history file
    &nbsp; -n	read all history lines not already read from the history file
    &nbsp; -r	read the history file and append the contents to the historylist
    &nbsp; -w	write the current history to the history file and append them to the history list
    &nbsp; -p	perform history expansion on each ARG and display the result without storing it in the history list
    &nbsp; -s	append the ARGs to the history list as a single entry
    
    If FILENAME is given, it is used as the history file.  Otherwise,
    if $HISTFILE has a value, that is used, else ~/.bash_history.
    
    If the $HISTTIMEFORMAT variable is set and not null, its value is used
    as a format string for strftime(3) to print the time stamp associated
    with each displayed history entry.  No time stamps are printed otherwise.
    
    Exit Status:
    Returns success unless an invalid option is given or an error occurs.

Login or register to post comments

Sat, 04/10/2010 - 16:25 — sandip HISTFILE as /dev/null

This will redefine HISTFILE as /dev/null, telling the shell to write it's
history to this file. Therefore, all data passed to null device is thrown away.

export HISTFILE=/dev/null

Login or register to post comments

Fri, 03/31/2006 - 09:30 — sandip Auto clear history on logout

Additionally, you can clear out the history by including the below line in the ".bash_logout" file.

export HISTSIZE=0

Login or register to post comments

Navigation

Home | Forum | Recent Posts | News | Archives | Contact
This site houses a collection of Tips, Tricks, Resources and Guides of Individuals, put together and edited for personal reference into a daily web journal...
Content may not be reproduced without permission from the Individuals.
Copyright © post 2003 L I N U X w e B l o g . C O M

LinuxWebLog.com