Function to save history as private file by default #121
Comments
That's quite POSIX specific.
That is POSIX. I don't understand why there is a restriction on setting the permissions of the file in your .profile or other shell configuration? There is supposed to be a umask for file creation in your shell setup... umask 077 blocks user and group access to all of your new files. Fixing this leaves everything else the user is doing exposed since they did not fix the real problem: an incorrect umask.
@Sonophoto actually it's a helper function to make sure that only the history file is created following only the user part of the creation mode mask. The idea is to not affect the files for the whole application or user. As the history files may contain sensitive information, it is a good practice to make sure that only the user will have access to it. And, yet, if the user wants, he could change it afterwards. That's the reason for not putting it in a global umask.
Maybe it should be Redis that does this? I could also understand that this could apply in general to CLIs, but I think it applies to everything in general that is creating any kind of configuration file or history file of any sort in the user's space. umask in the .profile guards all configuration and history files from being created g+rwx, o+rwx
@Sonophoto I've already submitted the patch for Redis anyways, didn't realize before that linenoise was from the same author.
I think you are absolutely correct that redis should be security conscious, and I agree that the command history should never be world readable. Very important! and Thank You for your efforts :-)
I don't like the idea of sacrificing portability just for this feature, at least it should be behind a #define. I'm pretty sure there are a lot of linenoise users who are not using a POSIX compatible libc.
Hello @OlliV, I've added some validation to publish that function only on POSIX systems, so it won't break other systems for now. Thanks :)
Hello, I applied a patch to resolve this bug, it uses POSIX system calls, but all linenoise assumes there is a POSIX environment, so... we are not decreasing portability AFAIK.
See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832460. This patch was kindly contributed by Chris Lamb (@lamby).
Add a function that guarantees no group nor world access when creating a new history file, but do not change the current file permission.
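
The behaviour this pull request describes (no group or world access on a newly created history file, an existing file's permissions left alone), as an added example that is not linenoise's or Redis's code. It assumes a POSIX system and passes mode 0600 to `open(2)` instead of changing the process umask; `save_history_private`, `perm_bits` and `demo` are hypothetical names and the history lines are constructed.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not linenoise's API: write n history lines to path.
 * A file created here gets at most mode 0600; the umask can only clear bits,
 * so group/other access is never granted and the process umask is untouched.
 * A file that already exists keeps the mode its owner chose. */
int save_history_private(const char *path, const char *const *lines, size_t n) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR);
    if (fd == -1) return -1;
    int rc = 0;
    for (size_t i = 0; i < n && rc == 0; i++) {
        size_t len = strlen(lines[i]);
        if (write(fd, lines[i], len) != (ssize_t)len || write(fd, "\n", 1) != 1)
            rc = -1; /* a short write is treated as a failure */
    }
    if (close(fd) == -1) rc = -1;
    return rc;
}

/* Permission bits of path, or -1 if it cannot be stat'ed. */
int perm_bits(const char *path) {
    struct stat st;
    return stat(path, &st) == -1 ? -1 : (int)(st.st_mode & 0777);
}

struct demo_result { int created; int resaved; };
/* Constructed scenario: save under a permissive umask (022), then widen the
 * file to 0644 by hand, as a user might, and save again. */
struct demo_result demo(const char *path) {
    static const char *const lines[] = { "AUTH constructed-sample-secret", "GET key" };
    struct demo_result r = { -1, -1 };
    mode_t old = umask(022);
    unlink(path);
    if (save_history_private(path, lines, 2) == 0) r.created = perm_bits(path);
    if (chmod(path, 0644) == 0 && save_history_private(path, lines, 2) == 0)
        r.resaved = perm_bits(path);
    unlink(path);
    umask(old);
    return r;
}

int main(void) {
    struct demo_result r = demo("history_demo.txt");
    printf("new file: %04o, after resave of 0644 file: %04o\n", r.created, r.resaved);
    return r.created == 0600 && r.resaved == 0644 ? 0 : 1;
}
```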