Information disclosure?

Lowell Gilbert freebsd-security-local at be-well.ilk.org
Fri Apr 22 05:37:23 PDT 2005


Jesper Wallin <jesper at hackunite.net> writes:

> For some reason, I thought little about the "clear" command
> today.. Let's say a privileged user (root) logs on, edits a sensitive
> file (e.g., a file containing a password, running vipw, etc.) .. then
> runs clear and logs out. Then anyone can press the scroll-lock command,
> scroll back up and read the sensitive information.. Isn't "clear" meant
> to clear the backbuffer instead of printing a full screen of returns?

That might have made sense, but it's never been the case.  clear(1) is
meant and documented to execute the "clear_screen" termcap sequence.

If you want to clear the history buffer, just use vidcontrol(1).  It
has options to clear or change the size of the history buffer, and it
is already specific to syscons(4), so it doesn't need to be as general
as termcap(5).
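
As an added illustration (not part of the original message), here is a logout helper built on the vidcontrol(1) options the reply refers to: `-C` to clear the history buffer and `-h` to change its size. The function names and the `/dev/ttyv*` device pattern are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the original post. Assumes FreeBSD syscons(4),
# whose virtual terminals appear as /dev/ttyv0 ... /dev/ttyvf.

# Succeeds only when the given device name is a syscons virtual terminal.
is_syscons_vty() {
    case "$1" in
        /dev/ttyv[0-9a-f]) return 0 ;;
        *) return 1 ;;
    esac
}

# wipe_scrollback [TTY [LINES]]
# TTY only drives the decision and defaults to the terminal on stdin;
# vidcontrol itself always acts on stdin. LINES optionally resizes history.
wipe_scrollback() {
    ws_tty="${1:-$(tty 2>/dev/null || true)}"
    ws_lines="${2:-}"

    if ! is_syscons_vty "$ws_tty"; then
        # ssh, xterm or serial sessions: the scrollback lives elsewhere.
        echo "skipped: '$ws_tty' is not a syscons vty"
        return 0
    fi
    if ! command -v vidcontrol >/dev/null 2>&1; then
        echo "failed: vidcontrol not found" >&2
        return 1
    fi

    vidcontrol -C || return 1          # clear the history buffer
    case "$ws_lines" in
        ''|*[!0-9]*) ;;                # no valid size given: leave it alone
        *) vidcontrol -h "$ws_lines" || return 1 ;;
    esac
    clear                              # clear_screen for the visible page
    echo "wiped: $ws_tty"
}
```

To run it automatically, define it in root's `~/.profile` and register it with `trap wipe_scrollback EXIT`, so it fires when the login shell exits.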

