Zsh Mailing List Archive

Re: Security hole in history handling for root



Richard Hartmann wrote:
> Bump.
> 
> This is a potential security issue.
>
>> zsh does not complain when loading from or writing
>> to a history file which is not owned by root or 600.

Is it?  zsh doesn't look at initialisation files, either.  That's surely
much more significant because they will be executed without any
indication.  In the case of history, you get to see it unless you use !.
If you can overwrite someone's history, you can overwrite their .zshrc.
Are you worried about an imported HISTFILE variable?  There are lots of
potentially dangerous environment variables we don't sanitize (PATH,
ZDOTDIR, ...).

Or is this only a problem with shared history?  I think Wayne added some
arrangements to make history from elsewhere appear different which could
presumably be extended.

If I can be convinced there is something specific in this case, as
opposed to a general security hole that needs much more thinking about,
it can be dealt with, but I haven't seen why yet.

(By the way, I realise Bart suggested you repost things, but the net
effect is likely to be that I increase my threshold below which I ignore
things even further.  If all these sorts of things are to be tackled we
NEED repeat NEED repeat NEED more people to work on bug fixes.)

-- 
Peter Stephenson <pws@xxxxxxx>                  Software Engineer
CSR PLC, Churchill House, Cambridge Business Park, Cowley Road
Cambridge, CB4 0WZ, UK                          Tel: +44 (0)1223 692070
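
The ownership and mode check that the quoted report says zsh does not perform, extended to the initialisation files raised in the reply, as an added example that is not part of this thread or of zsh. The function names and the two policies (`private`, `nowrite`) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not zsh code): verify owner and mode of the history file
# and zsh startup files before trusting them.

# check_shell_file PATH POLICY
#   POLICY=private : owner-only, e.g. mode 600 (history file)
#   POLICY=nowrite : group/other write bits clear (startup files)
# Returns 0 if PATH is a regular file owned by the current user and its
# mode satisfies POLICY; otherwise prints a reason to stderr and returns 1.
check_shell_file() {
    f=$1 policy=$2
    if [ -L "$f" ]; then echo "UNSAFE $f: symlink" >&2; return 1; fi
    if [ ! -f "$f" ]; then echo "UNSAFE $f: not a regular file" >&2; return 1; fi
    # ls -ldn: field 1 is the mode string, field 3 the numeric owner uid.
    info=$(ls -ldn -- "$f" | awk '{print $1, $3}')
    mode=${info% *} owner=${info#* }
    if [ "$owner" != "$(id -u)" ]; then
        echo "UNSAFE $f: owned by uid $owner" >&2; return 1
    fi
    # Mode string layout: type, user rwx, group rwx, other rwx.
    case $policy:$mode in
        private:????------*|nowrite:?????-??-?*) return 0 ;;
        private:*|nowrite:*)
            echo "UNSAFE $f: mode $mode violates $policy" >&2; return 1 ;;
        *) echo "unknown policy: $policy" >&2; return 2 ;;
    esac
}

# audit_shell_files: check $HISTFILE and the startup files under
# ${ZDOTDIR:-$HOME}. Missing files are skipped. Returns 1 if any is unsafe.
audit_shell_files() {
    rc=0
    if [ -n "${HISTFILE:-}" ] && { [ -e "$HISTFILE" ] || [ -L "$HISTFILE" ]; }; then
        check_shell_file "$HISTFILE" private || rc=1
    fi
    for p in "${ZDOTDIR:-$HOME}/.zshenv" "${ZDOTDIR:-$HOME}/.zshrc"; do
        if [ -e "$p" ] || [ -L "$p" ]; then
            check_shell_file "$p" nowrite || rc=1
        fi
    done
    return $rc
}
```

Run `audit_shell_files` with the same `HISTFILE` and `ZDOTDIR` the shell would inherit; since neither variable is sanitized, the audit is only as trustworthy as the environment it is run in.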


