When you log in directly to the text console of Gentoo (without running X) and then log off, almost the last page of information remains on the screen. When the machine is used by more people, or the user relies on the fact that after logging off he can safely leave the machine running and go e.g. to a toilet, this poses a security problem. I suggest an escape sequence to be added to /etc/motd or whatever file controls this, to clear the screen before the login prompt.

Reproducible: Always

Steps to Reproduce:
1. Log in at the login prompt in text mode, no xdm/kdm installed
2. Type sensitive information
3. Log out
4. Leave the computer
5. Ask adversary to walk by your computer

Actual Results:
Sensitive information leaked to adversary

Expected Results:
Adversary sees just an empty screen with login prompt and no information is leaked.

Portage 2.0.51.19 (default-linux/x86/2005.0, gcc-3.3.5-20050130, glibc-2.3.4.20041102-r1, 2.6.11-gentoo-r5 i686)
=================================================================
System uname: 2.6.11-gentoo-r5 i686 Intel(R) Pentium(R) M processor 1.50GHz
Gentoo Base System version 1.4.16
Python: dev-lang/python-2.3.4-r1 [2.3.4 (#1, Mar 11 2005, 15:25:47)]
dev-lang/python: 2.3.4-r1
sys-devel/autoconf: 2.59-r6, 2.13
sys-devel/automake: 1.7.9-r1, 1.8.5-r3, 1.5, 1.4_p6, 1.6.3, 1.9.4
sys-devel/binutils: 2.15.92.0.2-r7
sys-devel/libtool: 1.5.10-r4
virtual/os-headers: 2.6.8.1-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-O2 -march=pentium3 -fomit-frame-pointer -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.3/env /usr/kde/3.3/share/config /usr/kde/3.3/shutdown /usr/kde/3/share/config /usr/lib/X11/xkb /usr/lib/mozilla/defaults/pref /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -march=pentium3 -fomit-frame-pointer -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs autoconfig ccache distlocks sandbox sfperms"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/Linux/distributions/gentoo"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 X alsa apm arts avi berkdb bitmap-fonts cdr crypt cups curl emboss encode esd fam foomaticdb fortran gdbm gif gpm gtk gtk2 guile imagemagick imap imlib ipv6 java jpeg kde ldap libg++ libwww mad mikmod motif mozilla mp3 mpeg mysql ncurses nls ogg oggvorbis opengl oss pam pdflib perl png python qt quicktime readline ruby samba sdl slang spell ssl svga tcltk tcpd tetex tiff tls truetype truetype-fonts type1-fonts vorbis xml2 xmms xv zlib"
Unset: ASFLAGS, CBUILD, CTARGET, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTDIR_OVERLAY

Doesn't putting "clear" in ~/.bash_logout work?

The file you mean is /etc/issue. The file /etc/motd gets output *after* login.

The escape sequence is: ^[[H^[[J and should be put at the first line of /etc/issue, for example like this:

    cp /etc/issue /etc/issue.bak
    clear > /etc/issue
    cat /etc/issue.bak >> /etc/issue

There are also alternative methods of doing this, listed for example in the Gentoo Wiki here: http://gentoo-wiki.com/SECURITY_Clear_screen_on_logout

I like the /etc/issue most because it's portable and unintrusive (compared with mucking with inittab) and a quick fix for this bug.

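An idempotent variant of the /etc/issue approach from the comment above, as an added example that is not part of the original thread. It writes the ESC[H ESC[J bytes explicitly instead of capturing the output of clear (which depends on $TERM), and running it twice does not stack sequences or overwrite the backup. The function names and the 644 file mode are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the bug thread): prepend ESC[H ESC[J to an issue
# file exactly once. Function names and the 644 mode are assumptions.

# Cursor home (ESC[H) followed by erase-to-end-of-screen (ESC[J): 6 bytes.
CLEAR_SEQ=$(printf '\033[H\033[J')

# has_clear_prefix FILE -> exit status 0 if FILE already starts with the sequence
has_clear_prefix() {
    [ "$(head -c 6 "$1" 2>/dev/null)" = "$CLEAR_SEQ" ]
}

# prepend_clear [FILE] -> put the sequence in front of FILE (default /etc/issue)
prepend_clear() {
    issue=${1:-/etc/issue}
    [ -f "$issue" ] || { echo "no such file: $issue" >&2; return 1; }

    # Already patched: leave both the file and the existing backup untouched.
    if has_clear_prefix "$issue"; then
        return 0
    fi

    # Build the new file beside the old one so the final mv is a rename.
    tmp=$(mktemp "${issue}.XXXXXX") || return 1
    cp -p "$issue" "${issue}.bak" || { rm -f "$tmp"; return 1; }
    { printf '%s' "$CLEAR_SEQ"; cat "$issue"; } > "$tmp" \
        || { rm -f "$tmp"; return 1; }

    # mktemp creates the file with mode 600; restore a world-readable mode.
    chmod 644 "$tmp"
    mv "$tmp" "$issue"
}

# Usage (as root):  prepend_clear /etc/issue
```

The clear sequence only takes effect when getty prints /etc/issue, so it covers the screen a returning user or passer-by sees at the login prompt, not output left by other programs on other consoles.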

Every program that doesn't clear the console on exiting is a security risk in this regard. The shell will show the commands you typed last. Does this mean we should start patching all programs? I say no.

*** This bug has been marked as a duplicate of 32330 ***