FS#22686 - [screen] Remove suid bit from /usr/bin/screen-4.0.3

Attached to Project: Arch Linux
Opened by Leonid Isaev (lisaev) - Monday, 31 January 2011, 18:20 GMT
Last edited by Allan McRae (Allan) - Friday, 22 April 2011, 05:36 GMT
Task Type Feature Request
Category Packages: Extra
Status Closed
Assigned To Allan McRae (Allan)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:

The package "screen-4.0.3" ships with the suid binary /usr/bin/screen-4.0.3. This might be a security hole, which has been avoided in, for instance, RHEL by making it sgid: -rwxr-sr-x 1 root screen 360952 Dec 4 2006 /usr/bin/screen

Alternatively, one can remove the suid bit altogether. The tradeoff here is the crippled remote assistance functionality, because the suid bit is necessary for different users to share a session. While screen is used by ~43% of arch users (according to pkgstats), I doubt that a lot of people rely on it for presentation/sharing purposes...

Thanks.

Closed by Allan McRae (Allan)
Friday, 22 April 2011, 05:36 GMT
Reason for closing: Won't implement
Additional comments about closing: Should be done upstream.
Comment by Gerardo Exequiel Pozzi (djgera) - Monday, 31 January 2011, 18:52 GMT
FS#20682 - [screen] screen runs setuid root!
Comment by Leonid Isaev (lisaev) - Monday, 31 January 2011, 21:31 GMT
Yeah, I am aware of this "bug". Personally, I removed suid by hand since 2009, and genuinely believed that screen was used by only a handful of users, so I didn't bother reporting. This belief turned out to be wrong...
Comment by Gaetan Bisson (vesath) - Saturday, 19 February 2011, 17:57 GMT
Although I am somewhat in favor of this, it should be noted that if the sticky bit is removed from /usr/bin/screen-4.0.3 while (non-root) users have screens detached, they will not be able to attach them afterwards. How could we make this change smooth for our users?
Comment by Leonid Isaev (lisaev) - Monday, 21 February 2011, 23:51 GMT
Good point. Screen is capable of logging a session, but I don't think it can save it, as if the machine would go into suspend-to-disk, for instance. Besides, pacman shouldn't touch users' data, should it? Seems that an announcement is the only way...
Comment by Allan McRae (Allan) - Friday, 22 April 2011, 05:36 GMT
This is a fix upstream should implement. If we package it as suggested, then the man page becomes wrong.
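As an added example (not from the report or the screen project), a POSIX shell audit covering the two points the thread raises: it classifies a binary's special bits into the states compared here (setuid root, setgid to a group as in the RHEL build, or none) and, for the reattachment caveat, lists users who still have session sockets. It assumes GNU coreutils `stat` and a per-user `S-<user>` socket-directory layout; the socket directory and binary path are parameters, not values from the report.

```shell
#!/bin/sh
# Added example (not from the bug report). Assumes GNU coreutils stat.

# Classify a file's special mode bits: suid-root, suid-<owner>, sgid-<group>, none
classify_privbits() {
    set -- $(stat -c '%a %U %G' -- "$1" 2>/dev/null)
    [ $# -eq 3 ] || return 2           # stat failed or produced odd output
    # $1 octal mode (4 digits only when a special bit is set), $2 owner, $3 group
    case $1 in
        4???|5???|6???|7???)           # setuid bit (4) set, perhaps with others
            if [ "$2" = root ]; then echo suid-root; else echo "suid-$2"; fi ;;
        2???|3???)                     # setgid bit (2) without setuid
            echo "sgid-$3" ;;
        *)                             # plain mode, or sticky bit only
            echo none ;;
    esac
}

# Verdict for a screen binary, using the two alternatives the report weighs:
# setgid to a dedicated group (as in the RHEL build) or no special bits at all.
audit_screen_binary() {
    case $(classify_privbits "$1") in
        suid-root) echo "WARN $1: setuid root (prefer sgid root:screen or no special bits)"; return 1 ;;
        sgid-*)    echo "OK $1: setgid only, RHEL-style" ;;
        none)      echo "OK $1: no special bits (cross-user session sharing unavailable)" ;;
        *)         echo "WARN $1: unreadable or unexpected mode"; return 2 ;;
    esac
}

# Users who still own session sockets and so could not reattach after a mode
# change (the caveat raised in the thread). Assumes the layout
# <sockdir>/S-<user>/<socket>; sockdir is a parameter (e.g. /run/screen).
users_with_sessions() {
    for d in "$1"/S-*/; do
        [ -d "$d" ] || continue
        if [ -n "$(ls -A "$d" 2>/dev/null)" ]; then
            d=${d%/}; echo "${d##*/S-}"
        fi
    done
}

# Stand-alone use: SCREEN_BIN=/usr/bin/screen-4.0.3 SCREEN_SOCKDIR=/run/screen sh audit.sh
if [ -n "${SCREEN_BIN:-}" ]; then
    audit_screen_binary "$SCREEN_BIN" || :
    users_with_sessions "${SCREEN_SOCKDIR:-/run/screen}"
fi
```

Run it before changing the package's mode: a WARN on the binary plus a non-empty user list is exactly the situation in which users would lose access to their detached sessions.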
