FS#20682 - [screen] screen runs setuid root!

Attached to Project: Arch Linux
Opened by Moritz Wilhelmy (wzff) - Tuesday, 31 August 2010, 10:59 GMT
Last edited by Allan McRae (Allan) - Saturday, 11 September 2010, 04:18 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Allan McRae (Allan)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description: GNU screen is installed to be setuid root and thus runs as root.
Debian solves this by installing screen setgid utmp. setuid root should be avoided since screen is possibly insecure and might allow command execution as root.

Steps to reproduce:
niflheimr ~ # ls -l /usr/bin/screen-4.0.3
-rwsr-xr-x 1 root root 354264 May 30 2009 /usr/bin/screen-4.0.3

Closed by  Allan McRae (Allan)
Saturday, 11 September 2010, 04:18 GMT
Reason for closing:  Upstream
Additional comments about closing:  Upstream default
Comment by Allan McRae (Allan) - Tuesday, 31 August 2010, 11:50 GMT
Does that allow multi-attached sessions?
Comment by Moritz Wilhelmy (wzff) - Tuesday, 31 August 2010, 12:31 GMT
What's multiattached? I'm able to attach to users' screen sessions as root. If you think about the -X switch, I actually don't understand what it does.
Comment by Allan McRae (Allan) - Tuesday, 31 August 2010, 13:22 GMT
I mean to enable sharing a screen session between multiple users. Read the INSTALL file in the screen source for a list of reasons why it is installed setuid root and what you lose if it is not.
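
An added example, not part of the original report or of Arch's packaging: a shell function that reads `ls -l` lines like the one quoted in the report and separates setuid-root installs from setgid installs such as the setgid-utmp layout the report attributes to Debian. The second sample line and its path are constructed for comparison.

```shell
#!/bin/sh
# Classify one `ls -l` line by its setuid/setgid bits.
# Prints: setuid-<owner>, setgid-<group>, both joined by "+", or "none".
# Returns 1 for lines that are not regular-file entries (e.g. "total 12").
classify_ls_line() {
    read -r mode _links owner group _rest <<EOF
$1
EOF
    case $mode in
        -?????????*) ;;             # regular file with a full mode string
        *) return 1 ;;
    esac
    # Character 4 is the owner-execute slot, character 7 the group-execute
    # slot; ls shows s (or S when not executable) there if the bit is set.
    u=$(printf '%s' "$mode" | cut -c4)
    g=$(printf '%s' "$mode" | cut -c7)
    result=
    case $u in s|S) result="setuid-$owner" ;; esac
    case $g in
        s|S) result="${result:+$result+}setgid-$group" ;;
    esac
    printf '%s\n' "${result:-none}"
}

# Read `ls -l` output on stdin and print only the setuid-root entries,
# which are the ones the report argues should be avoided.
setuid_root_entries() {
    while IFS= read -r line; do
        class=$(classify_ls_line "$line") || continue
        case $class in
            setuid-root*) printf '%s\n' "$line" ;;
        esac
    done
}

# Constructed sample listing: the second line is the one quoted in the report,
# the third is a made-up setgid-utmp install for comparison.
sample='total 700
-rwsr-xr-x 1 root root 354264 May 30 2009 /usr/bin/screen-4.0.3
-rwxr-sr-x 1 root utmp 354264 May 30 2009 /usr/bin/screen-setgid-example'

printf '%s\n' "$sample" | setuid_root_entries
```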
