[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: system/3128: Session scrollback security exposure
- To: bugs_(_at_)_cvs_(_dot_)_openbsd_(_dot_)_org
- Subject: Re: system/3128: Session scrollback security exposure
- From: Charlie ROOT <root_(_at_)_shopip_(_dot_)_com>
- Date: Mon, 3 Mar 2003 09:53:45 -0700 (MST)
- Reply-to: Charlie ROOT <root_(_at_)_shopip_(_dot_)_com>
The following reply was made to PR system/3128; it has been noted by GNATS.
From: Charlie ROOT <root_(_at_)_shopip_(_dot_)_com>
To: David Krause <openbsd_(_at_)_davidkrause_(_dot_)_com>
Subject: Re: system/3128: Session scrollback security exposure
Date: Mon, 3 Mar 2003 05:54:24 -0800 (PST)
Thanks for the reply, BUT... I am well aware of the FAQ item. My first
sentence states this report is not about clearing the screen, it is about
clearing the scrollback buffer. FAQ 7.3 deals with clearing the screen
ONLY, which is the point of my bug/feature report. One can place 24*8 \n's
in gettytab but this doesn't really clear the scrollback buffer, it just
fills it with blank lines. This "hack" only works for the default
scrollback size (how to change this?) anyway. Perhaps you can suggest an
escape sequence to clear the scrollback buffer. I feel the console screen
and scrollback buffer should clear by default upon logout.
On Sun, 2 Mar 2003, David Krause wrote:
> > >Description:
> > When logging out the console screen is cleared, however the scrollback
> > buffer is not. Someone not even logged in can view 7 (?) pages of
> > output from the previous session. A security exposure.
> > >How-To-Repeat:
> > Log in, log out, then use shift-scrollup/down to view the scrollback
> > buffer output.
> > >Fix:
> > Workaround: Right after logout, use ctrl-alt Fn to switch console, then
> > switch back. This erases scrollback buffer (unfortunately, but
> > it's useful here).
> > Fix: Clear the scrollback buffer at console logout time.
> The FAQ explains how to clear the console automatically after logout:
Visit your host, monkey.org