tech-userlevel archive


Re: less's .lesshst misfeature



On 15.02.10 21:44, David Holland wrote:
> With the last update to less it (and more along with it) grew a
> misfeature where it saves all the patterns you search for within files
> to ~/.lesshst for future retrieval.
> 
> This is a security/privacy hazard; search strings are expected to be
> transient and process-private, and writing them to disk creates the
> potential for unwanted disclosures. Writing them to a network-mounted
> home directory, meanwhile, can disclose everything the user is doing
> to anyone who happens to be listening; this is highly undesirable.
> 
> This misfeature can only be disabled by setting an environment
> variable, which is a poor method of configuration under the best of
> circumstances and fails rather drastically for e.g. running
> single-user.
> 
> I already patched the code a while back so that attempting to defeat
> the feature by e.g. linking /root/.lesshst -> /dev/null no longer
> trashes the system.
> 
> However, it's been suggested, and several people have concurred, that
> it ought to be disabled by default. This is easy to do.
> 
> The cost of disabling it by default, however, is that the behavior
> diverges from upstream. Are we willing to buy into this? I think we
> should, at least for more if not for less.

I am all for your proposal.  Disable it.
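
Added example, not part of the original thread or of the less sources: a shell audit that reports, per home directory, whether a .lesshst exists, whether it is group- or world-readable, and how many search patterns it holds, without printing the patterns. It assumes homes sit directly under the directory passed as the first argument and that the file uses less's ".search" section layout with entries prefixed by a double quote; the function names are hypothetical.

```shell
#!/bin/sh
# Audit home directories for less(1) history files (added example).

# count_searches FILE: number of saved search patterns in FILE.
# Assumed layout: a ".search" header line, then entries that each start
# with a double quote, until the next line beginning with ".".
count_searches() {
    awk '
        /^\.search$/      { in_search = 1; next }
        /^\./             { in_search = 0 }
        in_search && /^"/ { n++ }
        END               { print n + 0 }
    ' "$1"
}

# audit_lesshst ROOT: print "<home> <status> <detail>" for each directory
# directly under ROOT. Status is one of:
#   symlink  .lesshst is a symlink (detail: its target, e.g. /dev/null)
#   exposed  regular file readable by group or others (detail: pattern count)
#   private  regular file readable by the owner only (detail: pattern count)
#   absent   no history file (detail: -)
audit_lesshst() {
    for home in "$1"/*/; do
        [ -d "$home" ] || continue
        home=${home%/}
        f=$home/.lesshst
        if [ -L "$f" ]; then
            echo "$home symlink $(readlink "$f")"
        elif [ -f "$f" ]; then
            n=$(count_searches "$f")
            # POSIX find: true if group-read or other-read bit is set.
            if [ -n "$(find "$f" -prune \( -perm -040 -o -perm -004 \))" ]; then
                echo "$home exposed $n"
            else
                echo "$home private $n"
            fi
        else
            echo "$home absent -"
        fi
    done
}

# Run the audit when a root directory is given, e.g.: sh audit.sh /home
if [ "$#" -gt 0 ]; then
    audit_lesshst "$1"
fi
```

The environment variable the message refers to is LESSHISTFILE; the less manual documents that setting it to "-" or "/dev/null" stops less from using a history file.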

