# chflags on .history



## icecoke (Dec 11, 2012)

Hello,

I'm running jails in FreeBSD 9.1 and tried to `chflags sappnd /jailed/path/root/.history` of the jailed system (seclevel 1) from the host (seclevel 0).

The problem is I can see the correct flag with 'ls -lo', but nothing is appended to the .history file on logoff from the jail as root.

Did I miss something here?

Best regards,
Jimmy


----------



## SirDice (Dec 12, 2012)

The jail can't have a different securitylevel than the host. There's only one kernel running and it's the kernel that sets the securitylevel.


----------



## icecoke (Dec 12, 2012)

SirDice said:

> The jail can't have a different securitylevel than the host. There's only one kernel running and it's the kernel that sets the securitylevel.



Really? Did I miss a change in the jail(8) man page, or did you miss reading the manpage?

```
[root@testvs ~]# sysctl kern.securelevel
kern.securelevel: 1
[root@testvs ~]# exit
logout
[root@freebsd ~]# sysctl kern.securelevel
kern.securelevel: 0
```
But aside from that, it neither answers nor explains my initial question about .history and a '*chflags sappnd*'. Do you have any idea about this?


----------



## SirDice (Dec 12, 2012)

Nope, it was just a relatively new feature of jail(8) I wasn't aware of.

Not sure why it's not working, I'm also not entirely sure about the differences between sappnd and uappnd (besides the obvious root vs. user). You might want to try the latter, root inside the jail is treated as a 'normal' user on the host. It would be somewhat inconsistent though as I would expect sappnd to work for root inside the jail too. You might want to try it with a regular file first. History seems to get screwed if you happen to be logged in more than once.


----------



## icecoke (Dec 12, 2012)

SirDice said:

> Nope, it was just a relatively new feature of jail(8) I wasn't aware of.



Surprising how time passes, isn't it? The different securelevel was introduced in FBSD 6.2, so about May 2006.

But I guess you're absolutely right, for me it seems that history does not just append to the .history file. I haven't looked in the csh code, but I would guess fopen is not just used with 'a' but with a different mode.

It would still be a nice way to have some idea of what was done in a compromised jail, if done by shell, so I wonder if I will change the code. On the other hand, I learned from you to NOT touch the things under /bin etc. So I will probably contact the csh maintainer.


----------



## SirDice (Dec 12, 2012)

icecoke said:

> But I guess you're absolutely right, for me it seems that history does not just append to the .history file. I haven't looked in the csh code, but I would guess fopen is not just used with 'a' but with a different mode.


Didn't think about that but I guess that's also a possibility. Maybe it has something to do with the 'merge' option of the history. I suppose that means the file isn't really appended but it's a new file that gets created each time and it just looks like the data is appended.


----------



## icecoke (Dec 12, 2012)

See sh.hist.c, *rechist()*

It's even done with *creat()* instead of *open()*, so sappnd would complain even without -m (merge) settings. And the logic does not allow just an append. I wonder why there are some 'tips' around to sappnd on .history, when it can't work by code design....hmm... Can't believe it was with *open()* and then changed to *creat()* - so maybe some people did not check their own advice.

I guess someone mixed up bash with csh, because I just tried around with bash and there it works to put an sappnd on .bash_history to achieve this. But I just don't want to move to bash.

Anyway, thanks for thinking about it with me.


----------
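The difference the thread arrives at, as an added example that is not taken from sh.hist.c or from any poster: `creat()` is `open()` with `O_WRONLY|O_CREAT|O_TRUNC`, and FreeBSD's open(2) refuses with EPERM to open an append-only file for writing when `O_TRUNC` is given or `O_APPEND` is missing, whereas an `O_APPEND` open is allowed. The function names and the `history.demo` file name are assumptions made for the illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Write one line to an already-opened fd; returns 0 or the errno seen. */
static int put_line(int fd, const char *line)
{
    if (fd < 0)
        return errno;
    int err = write(fd, line, strlen(line)) < 0 ? errno : 0;
    close(fd);
    return err;
}

/* Save the way the thread describes rechist(): creat(), i.e.
 * open(O_WRONLY|O_CREAT|O_TRUNC). The truncation is what an append-only
 * flag forbids, so EPERM is expected here on a sappnd file. */
int save_by_creat(const char *path, const char *line)
{
    return put_line(creat(path, 0600), line);
}

/* Save with O_APPEND and no O_TRUNC: the only write pattern an
 * append-only file accepts. */
int save_by_append(const char *path, const char *line)
{
    return put_line(open(path, O_WRONLY | O_CREAT | O_APPEND, 0600), line);
}

long file_size(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1L;
}

int main(int argc, char **argv)
{
    /* Constructed file name; pass the path of a flagged test file instead. */
    const char *path = argc > 1 ? argv[1] : "history.demo";
    int a = save_by_append(path, "ls -lo\n");
    int c = save_by_creat(path, "exit\n");
    printf("append: %s\n", a ? strerror(a) : "ok");
    printf("creat:  %s\n", c ? strerror(c) : "ok");
    printf("size:   %ld bytes\n", file_size(path));
    return 0;
}
```

On an unflagged file both saves succeed and the `creat()` save leaves only its own line behind, which is the rewrite behaviour that cannot coexist with `sappnd`.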

