zsh (better) privacy setup

the problem#

Exposing the history of commandline inputs can expose sensitive informations to all programms which have access to it.

clean the history on the begining of workday (6:00) each day#

I like this approach because I use mutliple sessions over the day and dont want to lose commands I working with all the day. On linux you can use crontab but MacOS I will use launchd deamon.

first step: create sheduled job

Create sheduled job with the following snippet and place it ~/Library/LaunchAgents/com.example.job.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>Label</key>
        <string>com.example.job</string>
        <key>Program</key>
        <string>/Users/{{username}}/scripts/clearhistory</string>
        <key>EnvironmentVariables</key>
        <dict>
            <key>PATH</key>
            <string>/bin:/usr/bin:/usr/local/bin</string>
        </dict>
        <key>StandardInPath</key>
        <string>/tmp/clearhistory.stdin</string>
        <key>StandardOutPath</key>
        <string>/tmp/clearhistory.stdout</string>
        <key>StandardErrorPath</key>
        <string>/tmp/clearhistory.stdout</string>
        <key>StartCalendarInterval</key>
        <dict>
            <key>Hour</key>
            <integer>6</integer>
            <key>Minute</key>
            <integer>0</integer>
        </dict>
    </dict>
</plist>

second step: create executable

Create a bash script /Users/{{username}}/scripts/clearhistory

rm ~/.zsh_history

third step: load job in daemon

launchctl load ~/Library/LaunchAgents/com.example.job.plist

This step has to be repeated each time you modified the file. To reload the file:

launchctl unload ~/Library/LaunchAgents/com.example.job.plist
launchctl load ~/Library/LaunchAgents/com.example.job.plist

manually start the job

launchctl start com.example.job

more informations

• APPLE Developer: Scheduled Jobs

cleaning history session based#

We have two options to avoid history being saved after zsh session ends:

clear history after this session#

To disable history logging only for the current active session, execute this command at the beginning of the session:

unset HISTFILE SAVEHIST

clean history after all sessions#

In the ~/.zshrc change add this line:

# do not keep history after session ends
unset HISTFILE SAVEHIST

This will preserve the history while you stay in session, but delete it afterwards.

do not add commands to the history when prefixed#

We can simple activate this behavior by adding a line in: /etc/zshrc

# leading space commands will be ignored in history
setopt histignorespace

• ZSH Docuementation
• stefanjudis.com - prevent commands going to history
• journaldev - clear-bash-history-linux-mac