While talking about the uses of the lsof command on @climagic, I discovered a major security flaw in the VTE library, on which popular terminal emulators such as gnome-terminal, xfce4-terminal and guake are based. Filing bug reports now. If you use any of these terminals, I'd recommend switching to Eterm, Konsole, xterm, rxvt, aterm or some other one that is not VTE based for now until these bugs are fixed. I tested the aformentioned non-VTE terminals and they didn't seem to exhibit this same issue. Also, you should probably scrub your /tmp filesystem pretty good. At least write over it with 0s, use shred, etc.

Basically, the problem is that the terminal buffers are stored within filehandles on the tmp filesystem. If you run strings on your /tmp filesystem as root you should see quite a bit of your previous terminal buffer history, including that of old closed terminals. I consider terminal buffer history to be a sacred thing, so I was quite surprised to find out about this behavior.

On Linux, if you want to check if your terminal is exhibiting this behavior, run some commands that produce some terminal output (ls ~/, find /, etc). Then find the process id for your terminal process (pgrep gnome-terminal), cd /proc/<pid>/fd. Then run ls -l | grep deleted, you will see the file handles that are still open for deleted inodes. Some of these will contain the contents of existing and closed terminal windows. You can just view them with cat, less, etc.

Bug report status:

VTE library/Gnome-terminal: https://bugzilla.gnome.org/show_bug.cgi?id=664611

xfce4-terminal: https://bugzilla.xfce.org/show_bug.cgi?id=8183

guake: some kind of website error right now

bugtraq@securityfocus.com: Working on a report

UPDATE: Its starting to look like this is caused by the vte library, one which the above and several other terminals are based. I found the code in VTE that creates and unlinks the vte* tmp file.

Other terminals that use the VTE library

UPDATE: (2011-11-29) Did more investigating into the issues. The code in the VTE library has been there since September 15th, 2009 when Behdad Esfahbod committed several changes to the history streaming system (http://ftp.gnome.org/pub/GNOME/sources/vte/0.21/vte-0.21.6.changes). I've written to Behdad to see why this was done and get more information. Since its only been this way for 2 years, this at least limits the exposure to just a handful of versions of distributions that update frequently. So Ubuntu and Fedora are the most likely ones to have this flaw. Upon reporting the bug to the VTE team, one of the developers (Christian Persch) responded saying it wasn't a bug. Well, he's right in that its not a bug, it does exactly what they want it to do. Its actually a design flaw. I also did some testing in a VM to determine which shells allow themselves to be swapped out of main memory. So far, xterm, Konsole and Gnome-terminal all do. There is a system function mlockall on Linux that allows you to force programs to keep their pages in resident memory. Not sure if this would be a problem to use.

Other links:
If you're not already following and are interested in the shell (obviously), I'd recommend it.

And the webhosting company that I run with the same diligence for security (and also one of the few left to offer shell accounts)
Shared publiclyView activity