Slashdot Mirror

← Back to Stories (view on slashdot.org)

Data Breach Flaw Found In Gnome-terminal, Xfce Terminal and Terminator

Posted by timothy on from the so-it-can-be-fixed-now dept.

suso writes "A design flaw in the VTE library was published this week. The VTE library provides the terminal widget and manages the scrollback buffer in many popular terminal emulators including gnome-terminal, xfce4-terminal, terminator and guake. Due to this flaw, your scrollback buffer ends up on your /tmp filesystem over time and can be viewed by anyone who gets ahold of your hard drive. Including data passed back through an SSH connection. A demonstration video was also made to make the problem more obvious. Anyone using these terminals or others based on libVTE should be aware of this issue as it even writes data passed back through an SSH connection to your local disk. Instructions are also included for how to properly deal with the leaked data on your hard drive. You are either encouraged to switch terminals and/or start using tmpfs for your /tmp partition until the library is fixed."

21 of 184 comments (clear)

  1. Skynet by Talderas · · Score: 5, Funny

    We have a means to strike back at Skynet using this breach in the Terminator systems!

    --
    "Lack of speed can be overcome. In the worst case by patience." --Znork
  2. tmpfs by Sloppy · · Score: 4, Insightful

    You are either encouraged to switch terminals and/or start using tmpfs for your /tmp partition until the library is fixed.

    Once you go tmpfs, why would you ever go back, VTE flaws or not? tmpfs kicks ass.

    Then encrypt your swap (random key every boot; you don't even need to know a key to be coerced from you) and you have a safe /tmp.

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
    1. Re:tmpfs by Ceriel+Nosforit · · Score: 4, Informative

      In some countries, it is illegal for you not to divulge the key to properly warranted authorities - even if you don't know what it is.

      So what? In my country blasphemy is illegal. I'm not from the Middle East either, I'm a Finn. - Sometimes you just have to, grow a backbone, fuck Jesus in the ass and break the law.

      --
      All rites reversed 2010
  3. Not a bug by Anonymous Coward · · Score: 5, Insightful

    This is not a bug. This is exactly how /tmp is meant to be used. It is no different from sensitive data from your internet cache being stored on the hard drive.

    If your garbage data is sensitive, you should encrypt /tmp, or mount a tmpfs there.

  4. Re:How is this *really* a problem? by jesseck · · Score: 4, Informative

    While the system is running, yes, you either need to be root or run an exploit which escalates your privileges so you can see the temp file. When the disk is removed from the system you don't need to be root to read the files. Nor would you need to be root if you booted from a LiveCD.

  5. hello, this occurs with swap too by WatchMaster · · Score: 3, Informative

    This is true of vi and many other programs. The exact same issue occurs with the swap partition.

    Anyone can solve this problem, just mount /tmp and swap using dm-crypt with a new random password every reboot. The partitions are perfectly good while the computer is booted, but are inintelligible afterwards.

  6. Re:How is this *really* a problem? by fuzzyfuzzyfungus · · Score: 5, Informative

    If you are using a persistent /tmp, 'root' is anybody who mounts the HDD...

    Now, if you want scrollback data to be persistent across reboots, you have to suck it up and dump it to disk somewhere(user home might be a slightly better idea, since support for encrypting your home directory is slightly easier than for encrypting the entire disk); but if that isn't a requirement you probably don't want it touching the disk at all(unless you are in a very memory constrained and swapless environment where getting OOM killed every time something unexpectedly verbose happens would be really annoying).

  7. Re:How is this *really* a problem? by skids · · Score: 4, Informative

    It's a particular problem if you A) don't run on entirely encrypted partitions, and B) have your kit stolen or get rooted. Your biggest problem is that you had your kit stolen or got rooted, however, this problem effects the damage control process.

    Usually when you have a compromise you assume that only data that is "on the host" is compromised, and any data from other hosts is only compromised if it happened to be viewed after you got rooted (because the attacker could have been keylogging.) With cleartext from encrypted sessions hitting disk, this means that data could be sitting around in unused block in /tmp for years, so once you get rooted you have to assume everything ever done on other machines using a terminal on that machine has been exposed. So if you edited your corporate HQ's VPN PSK 2 years ago, that may still be on your disk.

    tmp is less likely to be on an encrypted media than other filesystems, because it is usually expected to be a performance bottleneck.

    The good news is that in many cases the data never got flushed back to disk and stayed in the filesystem buffers, but for high security concerns this is little consolation.

    --
    Someone had to do it.
  8. Re:Doesn't sound like a flaw to me by skids · · Score: 3, Insightful

    People in the know know about cli history files. They don't necessarily expect data viewed in a terminal window to hit disk. It may or may not be a "flaw" depending on your opinion as to what appropriate security measures amount to, but it's worth an awareness campaign.

    --
    Someone had to do it.
  9. Who doesn't have /tmp as a tmpfs at this point? by Mysticalfruit · · Score: 3, Interesting

    considering how much /tmp gets used, having it in memory is one of the quickest ways to boost the performance of your system...

    --
    Yes Francis, the world has gone crazy.
  10. Umm by Viol8 · · Score: 3, Interesting

    If someone has physically stolen your computer then the thief being able to read old terminal sessions is the least of your worries.

    1. Re:Umm by gzipped_tar · · Score: 4, Insightful

      The problem is your terminal history may include data from other hosts, decrypted. Therefore it's not just "your" worries.

      --
      Colorless green Cthulhu waits dreaming furiously.
    2. Re:Umm by behdad · · Score: 5, Informative

      You have to read the bugzilla report carefully to see what this story is about. I'm the developer being [bf]lamed. I offered to find time on a weekend and fix the issue. But the reporter ignored my offer and went ahead to post this on as many places as it could. In the report, he masks that, and instead says I don't consider it a bug. The report is intentionally written misinformed IMO. Which makes me think the true story is that he wanted to get some publicity...

    3. Re:Umm by Shark · · Score: 3, Interesting

      Bug aside, from reading the rest of these threads, it seems to me like GNOME devs are getting quite a bad reputation these days. Sure, there's no way to make everyone happy and I wouldn't expect anyone to undertake this sort of impossible challenge. This being said, all the scorn must come from somewhere. My humble opinion is that once you reach a critical mass of users, enforcing a new grand-vision that the majority of those users (the ones who acutally chose to use GNOME, not those who don't know what a DE is) do not agree with is very likely to cause quite a bit of backlash... Case in point, GNOME developers as a whole being bashed for what essentially is one bug in one lib by one person.

      Sure, there's a large portion of users who aren't technical whom one might think they are catering to when they remove features considered 'too complex'. The fact is though that these are the people who don't even care what DE they're using, they're not loyal customers, they're just not interested in what you've done so long as it works for them. The only base GNOME has truly alienated is the base that had made a very conscious and educated choice to use that DE on its technical merits, the ones who felt that the DE allowed them to work the way they want to work. Sure you can change all that but only at the cost of those users. They don't take kindly to what pretty much amounts to: Look, the way you used your computer is stupid, we'll force our alternative on you.

      So, as the flames rage on and you feel the burn, remember that the GNOME team doused itself in gasoline prior to this.

      --
      Mind the frickin' laser...
    4. Re:Umm by Whitemice · · Score: 3, Interesting

      I'm a long time GNOME user, not a GNOME developer.

      Bug aside, from reading the rest of these threads, it seems to me like GNOME devs are getting quite a bad reputation these days

      Nope, they rock. When KDE did there big roll-out of KDE4 the lists *EXPLODED* with the wailing and gnashing of teeth. KDE4 arrived stable and that loud minority either adapted or went on the something else. Much the same thing happened with GNOME3 - although less than I expected. I moved to GNOME3 from GNOME2 and within a week it was clear that it was a superior system. But some adaptation was required.

      And this particular bug is nonsense. Basically: if someone steals your harddrive they can read your data! Really? Wow, that's a surprise. This has always been true, is true of /home, /var. and everything else unless you encrypt everything.

      This being said, all the scorn must come from somewhere.

      Yes, it comes from a vocal minority who don't realize all these changes where discussed and made out-in-the-open. Now they enjoy pitching a fit and claiming the design changes are somehow being forced upon them.

      My humble opinion is that once you reach a critical mass of users, enforcing a new grand-vision that the majority of those users (the ones who acutally chose to use GNOME,

      Well, I'm one that uses GNOME ~9 hours a day. For work.

      GNOME developers as a whole being bashed for what essentially is one bug in one lib by one person.

      Eh. Spend time producing ANY kind of content and you'll eventually get someone who thinks they can get themselves some BLOG karma by bashing you.

      The only base GNOME has truly alienated is the base that had made a very conscious and educated choice to use that DE on its technical merits, the ones who felt that the DE allowed them to work the way they want to work.

      I want to work efficiently. GNOME3 lets me do that... more than GNOME2 did. This is an important distinction from, based on mail list traffic, people who apparently *NEED* to see the real-time weather report for three cities in the panel clock in order to be productive. I think the group primarily 'alienated' by GNOME3 are the "tweakers". They have a computer almost for the sole purpose of tweaking the appearance of the user-interface. One reads much of those posts and says "eh? really? don't you have something to *do*.".

      we'll force our alternative on you.

      The use of the term "force" in this context is bogus.

      remember that the GNOME team doused itself in gasoline prior to this

      Nah, they doused themselves with awesome.

      --
      Using "Common Sense" is being either to arrogant or to ignorant to ask people who know more about something than you.
  11. Re:Is konsole affected? by suso · · Score: 3, Informative

    I haven't had time to look into it completely, but when you have konsole set to unlimited scrollback mode, it will create files in /tmp/kde-username/konsole*.tmp that have your scrollback buffer. It is encoded somehow, but its there. I'm not sure if its encrypted or not. I found out about it because when I talked with the libvte developer (Behdad), he said that he looked at the code in Konsole to see how they did it before writing the implementation in libvte.

  12. How is this is this different to shell history? by Viol8 · · Score: 3, Insightful

    Various shells store command history as a .[shell name]_history file in the users home directory which can be left between sessions. Thats happened for years and root can view that too.

    Sure, this may be a bug but frankly its a non issue.

  13. Overblown by AliasMarlowe · · Score: 4, Insightful

    ...to have my command history stolen!

    That would be in your .bash_history file (or whatever you name it locally).

    Really, this is way overblown by calling it a "data breach": it's not as if your data is compromised to a remote attacker. It requires that somebody else has your disk. As we all know, if your hardware is stolen/confiscated/impounded/seized/whatever, only encryption can keep your data safe. Apparently, even that can be circumvented by legal compulsion.

    --
    Those who can make you believe absurdities can make you commit atrocities. - Voltaire
    1. Re:Overblown by behdad · · Score: 5, Informative

      That's misinformed. Vte creates files in /tmp, and immediately delete them. So, the space will be reclaimed as soon as the terminal tab in question is closed. I know this is how it works, because that's how I wrote it.

  14. I'd be a little miffed by DarkOx · · Score: 5, Insightful

    If I were the author of this library I'd be a little annoyed. The article is written as if the library does something wrong. It does not. It stores data on /tmp, which is there to be used as scratch space. To read the file you have to be the owner or root, which has been true of every process that has written there since before my years. This is perfect correct.

    Okay some uses might not expected their terminal emulator to keep temporary files. Yes if your disk is appropriated someone not root in your environment might be able to read it. Which is true of basically any process that writes anything to disk anywhere; even ones that don't. Suppose my system is under enough VM pressure that my good old fashion xterm gets paged out? Why scroll back buffer data, which might even have come from SSH would be right there on my disk! OH! NOS!

    If you are dealing with a system that is physically insecure, like a laptop, or machine in a public spot, or information that is so sensitive you'd be more concerned about it being out there than the fact that your hard disk or entire system has gone missing; there is a solution for that. Its called disk encryption! If you use Linux it won't even cost you anything!

    --
    Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
  15. Re:Yet another reason to switch to KDE permanently by behdad · · Score: 4, Informative

    Anonymous Coward,

    You may want to read the end of this comment before jumping to conclusions:

        https://bugzilla.gnome.org/show_bug.cgi?id=664611#c10

    Ie. I offered to fix it, before the report was published. And the report is deliberately misinformed to make it look like I said I don't have any intention to fix it. And the report author tweetted [1] "Apparently not a lot of people read Slashdot anymore or RTFA. I've only had 971 hits to the article so far. :-(", which makes me believe that his true intention was to get Slashdot / Reddit / Hacker News bragging rights. Comes handy if you are a sysadmin I guess...

    behdad

    [1] https://twitter.com/#!/climagic/status/177796284755873793