
Re: system/3128: Session scrollback security exposure



The following reply was made to PR system/3128; it has been noted by GNATS.

From: Charlie ROOT <root_(_at_)_shopip_(_dot_)_com>
To: David Krause <openbsd_(_at_)_davidkrause_(_dot_)_com>
Cc: gnats_(_at_)_openbsd_(_dot_)_org
Subject: Re: system/3128: Session scrollback security exposure
Date: Mon, 3 Mar 2003 05:54:24 -0800 (PST)

 Thanks for the reply, BUT... I am well aware of the FAQ item. My first
 sentence states this report is not about clearing the screen, it is about
 clearing the scrollback buffer. FAQ 7.3 deals with clearing the screen
 ONLY, which is the point of my bug/feature report. One can place 24*8 \n's
 in gettytab but this doesn't really clear the scrollback buffer, it just
 fills it with blank lines. This "hack" only works for the default
 scrollback size (how to change this?) anyway. Perhaps you can suggest an
 escape sequence to clear the scrollback buffer. I feel the console screen
 and scrollback buffer should clear by default upon logout.
 
 On Sun, 2 Mar 2003, David Krause wrote:
 
 > > >Description:
 > > 	When logging out the console screen is cleared, however the scrollback
 > > 	buffer is not. Someone not even logged in can view 7 (?) pages of
 > > 	output from the previous session. A security exposure.
 > > >How-To-Repeat:
 > > 	Log in, log out, then use shift-scrollup/down to view the scrollback
 > > 	buffer output.
 > > >Fix:
 > > 	Workaround: Right after logout, use ctrl-alt Fn to switch console, then
 > > 	switch back. This erases scrollback buffer (unfortunately, but
 > > 	it's useful here).
 > > 	Fix: Clear the scrollback buffer at console logout time.
 >
 > The FAQ explains how to clear the console automatically after logout:
 > http://www.openbsd.org/faq/faq7.html#ConsoleClear
 >
 > David


