Most active commenters
  • kstrauser(5)
  • JdeBP(4)
  • fullstop(4)
  • DrillShopper(3)
  • wkat4242(3)

←back to thread

Multiple security issues in GNU Screen

(www.openwall.com)
414 points st_goliath | 69 comments | 13 May 25 11:28 UTC | HN request time: 0.003s | source | bottom
Show context
RMPR ◴[13 May 25 11:51 UTC] No.43971862[source]
Nice write-up.

> Screen offers a multi-user mode which allows to attach to Screen sessions owned by other users in the system (given the proper credentials). These multi-user features are only available when Screen is installed with the setuid-root bit set. This configuration of Screen results in highly increased attack surface, because of the complex Screen code that runs with root privileges in this case

I wasn't aware of such a feature but I guess it's what makes stuff like tmate possible. Speaking of which, I wonder if tmux is affected by the same kind of vulnerability.

replies(4): >>43971918 #>>43971987 #>>43973735 #>>43977030 #
dooglius ◴[13 May 25 12:08 UTC] No.43971987[source]
No, tmux uses unix domain sockets. I have no idea why screen chose to take the setuid approach instead here; it seems totally unnecessary to have root privileges.

EDIT: Further down, TFA gives a plausible explanation: the current screen devs are not fully familiar with the code base. If so, the setuid-root approach was probably the easiest way to make the feature work in lieu of such familiarity.

replies(5): >>43972036 #>>43972445 #>>43972504 #>>43973108 #>>43975717 #
1. JdeBP ◴[13 May 25 12:14 UTC] No.43972036[source]
screen has a lot of architectural baggage that can be traced back to its initial 1987 comp.sources.unix/mod.sources versions in some cases. Being set-UID to the superuser is one of them. See the doco for screen as it was posted in volume 10:

https://sources.vsta.org/comp.sources.unix/volume10/screen/

replies(2): >>43972131 #>>43979137 #
2. 90s_dev ◴[13 May 25 12:31 UTC] No.43972178[source]
Nostalgia and novelty are powerful narcotics.
3. entropie ◴[13 May 25 13:14 UTC] No.43972586[source]
For me it felt (!) like screen is pretty much obsolute since 10+ years. When tmux came I switched and never looked back and I know a few that handled it the same.
replies(4): >>43972845 #>>43973094 #>>43973786 #>>43979384 #
4. noosphr ◴[13 May 25 13:38 UTC] No.43972845{3}[source]
Screens main use case is to open an emacs session remotely.

Tmux's main use case is to be glue for a unix IDE.

The two use cases are rather different and the tools are very specialized for them.

replies(5): >>43972976 #>>43973052 #>>43973268 #>>43973704 #>>43973888 #
5. guappa ◴[13 May 25 13:43 UTC] No.43972913[source]
On my sistems screen doesn't have setuid.
replies(2): >>43973929 #>>43975081 #
6. skydhash ◴[13 May 25 13:48 UTC] No.43972976{4}[source]
I switched to dtach for the first case.
replies(1): >>43973266 #
7. JdeBP ◴[13 May 25 13:51 UTC] No.43973002[source]
It's a combination of factors:

* The original author of the project has not been involved in it since 1990. The people who took it over and made it a GNU project then largely stopped working on it in 2004. The people who are now working on it are something like its 3rd or 4th wave of developers.

* Learning the internals of screen now from scratch is a lot harder than when I did it in 1987. There's an awful lot more operating system historical and portability factors, now. In 1987, it was works-on-4.3BSD-might-not-on-your-Unix.

* If you deal with pseudo-terminals cross-platform, there are still huge variations on how pseudo-terminals work and how the long-standing security issues of pseudo-terminals, identified in the 1990s, have been addressed in operating systems.

* screen is encumbered by a lot of 1980s Think. It still today diligently manages, and puts quite a lot of effort into constructing, a generated-on-the-fly TERMCAP environment variable, for example.

* Attitudes to security have changed. At least one security hole in the headlined report was actually a neat-o feature of terminals in Unix in the 1970s and 1980s.

replies(1): >>43973310 #
8. anthk ◴[13 May 25 13:57 UTC] No.43973052{4}[source]
Emacs can work as a daemon.
replies(1): >>43973119 #
9. DrillShopper ◴[13 May 25 14:02 UTC] No.43973094{3}[source]
Try as I might I cannot get my fingers to re-learn the tmux keybindings. The GNU Screen keybindings are that burned into my brain.
replies(4): >>43973184 #>>43973925 #>>43977007 #>>43980903 #
10. noosphr ◴[13 May 25 14:04 UTC] No.43973119{5}[source]
It also has tramp mode which means you can use all your local packages remotely.
replies(1): >>43973771 #
11. SSLy ◴[13 May 25 14:10 UTC] No.43973184{4}[source]
SvP https://github.com/grml/grml-etc-core/blob/master/etc/tmux.c...
replies(1): >>43978247 #
12. ◴[13 May 25 14:15 UTC] No.43973235[source]
13. kps ◴[13 May 25 14:18 UTC] No.43973266{5}[source]
dtach for session persistence. “Do one thing well.”
14. penguin_booze ◴[13 May 25 14:18 UTC] No.43973268{4}[source]
> Screens main use case is to open an emacs session remotely.

Not an emacs user, but for this, what does screen do that tmux can't?

replies(2): >>43973891 #>>43976520 #
15. JdeBP ◴[13 May 25 14:46 UTC] No.43973564{4}[source]
Port something like this to OpenBSD and then say that this sort of thing is not hard work. (-:

It's very hard work, especially nowadays. The sweet spot was probably in the 1990s, when novices were still likely to know that prime sources of knowledge about this stuff were posts on Usenet, or shell archives of text files written by Daniel J. Bernstein.

https://jdebp.uk/FGA/bernstein-on-ttys/

I speak from experience of being someone who did my own tweaks to screen in the 1980s, and who has written other similar programs from scratch.

replies(3): >>43973959 #>>43974087 #>>43975877 #
16. johnmaguire ◴[13 May 25 14:59 UTC] No.43973704{4}[source]
I'm confused by this statement. Are you claiming this is the projects' stated goal? Their primary use in the wild?
17. taeric ◴[13 May 25 15:06 UTC] No.43973771{6}[source]
When I realized how powerful TRAMP was, I don't think I ever used screen/tmux again. I'm sure there are uses, mind. Just TRAMP fully hit all of my needs.
replies(1): >>43973913 #
18. dbdoskey ◴[13 May 25 15:07 UTC] No.43973786{3}[source]
A similar process is happening with zellij and tmux. Since I switched over I feel that tmux is obsolete.
replies(3): >>43973811 #>>43974148 #>>43974216 #
19. lxgr ◴[13 May 25 15:10 UTC] No.43973811{4}[source]
What does it do better than tmux?

Or is it more of a fish vs. zsh type of situation, where neither is obsolete, but the target audience is just very different?

replies(4): >>43973878 #>>43973946 #>>43974925 #>>43976331 #
20. cedilla ◴[13 May 25 15:16 UTC] No.43973876{4}[source]
What's your point besides whining about the general state of "delevopers", whoever that is? Are you volunteering to take over maintenance of GNU Screen?

Really, the gall to complain about "laziness" when all you're doing is spreading negativity on a forum.

replies(1): >>43974076 #
21. kstrauser ◴[13 May 25 15:16 UTC] No.43973878{5}[source]
A quick example is that mouse scrolling works by default. I see it more like ripgrep vs grep. Either can do almost anything the other can, but one has much more modern, ergonomic defaults.
22. jstanley ◴[13 May 25 15:17 UTC] No.43973888{4}[source]
Nah, screen's main use case is as an ad-hoc method to daemonise random scripts.
replies(2): >>43974505 #>>43978168 #
23. kstrauser ◴[13 May 25 15:17 UTC] No.43973891{5}[source]
Nothing at all. I’ve used emacs over tmux (and now zellij) for many years. Emacsserver can replace both of them, but that’s a different story.
24. kstrauser ◴[13 May 25 15:19 UTC] No.43973913{7}[source]
It really is magical, isn’t it? And although I rarely need to use it, I love the multihop setups where you can ssh to this system, then ssh again to this other, then mount an SMB filesystem using these credentials, and start editing.
25. Cerium ◴[13 May 25 15:21 UTC] No.43973925{4}[source]
Thankfully you can configure it. I had the same initial difficulty.
replies(1): >>43976109 #
26. rixed ◴[13 May 25 15:21 UTC] No.43973929{3}[source]
Same here (speaking more specifically about debian)
27. eblume ◴[13 May 25 15:22 UTC] No.43973946{5}[source]
Definitely more of a fish vs zsh situation, in my opinion.

tmux, to me, feels like "modern screen". It has some cool features, but at the end of the day, it just wants to be a terminal multiplexer. Great!

Zellij on the other hand seems to offer terminal multiplexing as an obvious first-class use case but "not the whole point". At the surface, Zellij is an opinionated terminal multiplexer that uses a nice TUI to give discoverability which you can turn off when you're ready to gain screen real estate. It's easy to make Zellij behave exactly like tmux/screen, and it's easy to configure via a single config file.

Where Zellij takes a turn in to a different direction, however, is that the workspaces you can configure with it can do all sorts of interesting things. For instance I once built[0] a python cli app which had a command that would launch a zellij workspace with various tabs plugged in to other entrypoints of that same python cli, basically allowing me to develop a multi-pane TUI as a single python Typer app. In one pane I had the main ui, and then in another stacked pane I had some diagnostic info as well as a chat session with an llm that can do tool-calling back out to the python cli again to update the session's state.

I think wrapping up a project's dev environment as a combination of mise (mise.jdx.dev) and zellij or nix+zellij to quickly onboard devs to, say, a containerized development environment, seems like a really neat idea.

0: https://github.com/eblume/mole/blob/main/src/mole/zonein.py -- but this is mostly derelict code now, I've moved on and don't use zellij much currently.

replies(1): >>43976560 #
28. ◴[13 May 25 15:24 UTC] No.43973959{5}[source]
29. okbitbuddy ◴[13 May 25 15:33 UTC] No.43974076{5}[source]
[flagged]
30. fullstop ◴[13 May 25 15:39 UTC] No.43974148{4}[source]
I hadn't used Zellij before, but I tried it out. Visually it works better than tmux and it shares enough key bindings with tmux to make it a pretty seamless transition.

With that being said, the binary is huge. I get that zellij is statically linked, but tmux is about 900KiB and has minimal dependencies. I'm flabbergasted that a terminal multiplexer, stripped, is 38MiB.

replies(2): >>43974914 #>>43974987 #
31. pabs3 ◴[13 May 25 15:45 UTC] No.43974216{4}[source]
Terminals are obsoleted by Arcan:

https://arcan-fe.com/2025/01/27/sunsetting-cursed-terminal-e...

replies(2): >>43975004 #>>43975185 #
32. UI_at_80x24 ◴[13 May 25 15:51 UTC] No.43974276[source]
We usually wait for a version written in Rust for this kind of cruft removal.
replies(1): >>43974449 #
33. 1vuio0pswjnm7 ◴[13 May 25 15:53 UTC] No.43974295[source]
Engineers are rational people. Software developers calling themselves "engineers" are not.
34. nine_k ◴[13 May 25 16:07 UTC] No.43974449{3}[source]
The problems here are more about the architecture. You can write 100% memory-safe but completely insecure code in Rust, Java. Haskell, Erlang, Smalltalk, bash, you name it. For instance, running a setuid binary may add problems to code written in any language.
35. fnordpiglet ◴[13 May 25 16:11 UTC] No.43974505{5}[source]
Yeah this is 100% of when I reach for screen. “I’m not willing/ready to make this a service, screen detach here I come”
36. spookie ◴[13 May 25 16:46 UTC] No.43974914{5}[source]
Looking at the source code I assume it's just the amount of cargo deps. Some of which I'm not sure what place they have on a tmux at a first glance.
replies(1): >>43976361 #
37. psychoslave ◴[13 May 25 16:47 UTC] No.43974925{5}[source]
I used to used zsh, like I still have have karma moving up on stackoverflow as I answered my own questions on some obscure configuration fine tuning. But currently I'm more in a "give me the thing that work off the shelf" moment, so I take fish and don't plan to either look back.

Byobu with tmux as backend is my go to solution if I want a multiplexer, for what it worths.

38. kstrauser ◴[13 May 25 16:51 UTC] No.43974987{5}[source]
True, but zellij also does more. I'd also give it more of a stink eye if it were something I were running many times inside the inner loop of a script, but as something you generally launch once and leave running forever, eh.

I occasionally have to recalibrate my units. I just launched Emacs on my Mac and it's using 350MB of RAM. That's astonishing when I think about Amiga programs I wrote, but it's also just 0.53% of the RAM in this particularly machine. It's probably larger than it could be if someone ruthlessly trimmed it back, but I'd rather spend that time using the other 99.4% of my machine to do more fun stuff.

replies(1): >>43976310 #
39. skydhash ◴[13 May 25 16:53 UTC] No.43975004{5}[source]
From a quick read, all I can see is a manifesto for emacs.
40. mardifoufs ◴[13 May 25 16:56 UTC] No.43975059[source]
Is it actually in common usage? I'm sure it's used by a lot of people, but it seems quite niche still.
replies(2): >>43976501 #>>43979388 #
41. bombcar ◴[13 May 25 16:58 UTC] No.43975081{3}[source]
On my gentoo box it's setgid hmmm.

Ubuntu it's not set.

42. procaryote ◴[13 May 25 17:05 UTC] No.43975185{5}[source]
How though? Genuine question; x11 didn't obsolete terminals. Does Arcan do something X11 couldn't?
43. masfuerte ◴[13 May 25 18:07 UTC] No.43975877{5}[source]
Cheers, that's interesting. There are a few instances of ([]) which look like broken links in:

https://jdebp.uk/FGA/bernstein-on-ttys/cttys.html

Tbf, they are probably all dead now anyway.

replies(1): >>43976548 #
44. imoverclocked ◴[13 May 25 18:29 UTC] No.43976109{5}[source]
That’s great for your own machine or even common home directory scenarios. The issue is when you have a bunch of machines to manage without chef/puppet/etc or hop onto a random machine or a machine you don’t own etc… defaults are what you get to work with.

If screen is there and I need to do something that lasts longer than my ssh session, screen is what I reach for. If it’s non-interactive, I reach for nohup next.

replies(1): >>43980013 #
45. fullstop ◴[13 May 25 18:51 UTC] No.43976310{6}[source]
I have a few embedded devices which have just 128MiB of flash, and they can run tmux just fine. I wouldn't even consider zellij for this purpose, of course, and having tmux down there is more of a "this is a nice thing for development purposes" thing.

Regarding memory usage, Zellij appears to take up 63 MiB versus tmux's 3.8MiB. It's nice and all, but quite a pig. This is on Linux, maybe Mac is different.

replies(1): >>43976476 #
46. thesuitonym ◴[13 May 25 18:53 UTC] No.43976331{5}[source]
Among a certain subset of linux users, new is always better.
47. fullstop ◴[13 May 25 18:56 UTC] No.43976361{6}[source]
Hopefully some effort is eventually put into slimming things down.
48. kstrauser ◴[13 May 25 19:09 UTC] No.43976476{7}[source]
Embedded is a lot different, to be sure. I'm surprised there's room for tmux on something that tiny.

But on desktop systems, on my Mac, Zellij takes 28MB of disk and 40MB of RAM. That's 1/37,000th of my available disk and 1/1,600th of my RAM. I'm all for optimized, tiny apps, but those are below my attention threshold.

replies(3): >>43977274 #>>43977421 #>>43978594 #
49. wkat4242 ◴[13 May 25 19:09 UTC] No.43976482[source]
True, it's not really as if it's a massive codebase
50. wkat4242 ◴[13 May 25 19:11 UTC] No.43976501{3}[source]
It's used a lot for legacy reasons I think. People didn't move to something newer like tmux because why would they? It's super handy to keep stuff running on a console while disconnected from it. In that sense it (or at least, tools like it) are indispensable.
51. wkat4242 ◴[13 May 25 19:13 UTC] No.43976520{5}[source]
Nothing but replacing it with something newer invalidates decades of muscle memory.

I switched to tmux eventually though.

52. JdeBP ◴[13 May 25 19:16 UTC] No.43976548{6}[source]
If I recall correctly (I transcribed that years ago.) they were lost in the original. They wouldn't have been links. It was written in 1991.
53. hnlmorg ◴[13 May 25 19:18 UTC] No.43976560{6}[source]
> Where Zellij takes a turn in to a different direction, however, is that the workspaces you can configure with it can do all sorts of interesting things.

That’s been a pretty standard feature of tmux since forever.

In fact the reason I first discovered tmux was because some Irssi (terminal IRC client) plugins used tmux to create additional panes for Irssi.

tmux is one of those tools that does a lot more than most people realise but the learning curve is steep and features aren’t easy to discover.

Zellij looks interesting but these days I mostly use tmux as a control plane rather than a terminal UI. So the enhancements of Zellij are wasted on me.

54. cheema33 ◴[13 May 25 19:56 UTC] No.43977007{4}[source]
> Try as I might I cannot get my fingers to re-learn the tmux keybindings. The GNU Screen keybindings are that burned into my brain.

This. I have tried switching away from screen a few times. But failed because the keybindings are burned into my brain as well.

I will try harder.

replies(1): >>43978262 #
55. int_19h ◴[13 May 25 20:22 UTC] No.43977274{8}[source]
Note that "embedded" like this includes e.g. many modern routers.

Also note that computers with much less disk space than 128 Mb could and did run full-fledged GUI apps in the past. For example, the entirety of Windows 95 is ~100 Mb when installed.

56. fullstop ◴[13 May 25 20:36 UTC] No.43977421{8}[source]
The product uses libevent and libc already, so adding tmux only consumes a few hundred KiB in the image. The root filesystem is squashfs, so it's even less in practice.
57. senderista ◴[13 May 25 21:51 UTC] No.43978168{5}[source]
Let's see, we have at least daemonize[0], nohup[1], and disown[2] for that. Some discussion of the differences: https://unix.stackexchange.com/questions/3886/difference-bet...

[0] https://github.com/bmc/daemonize

[1] https://linux.die.net/man/1/nohup

[2] https://www.gnu.org/savannah-checkouts/gnu/bash/manual/bash....

replies(1): >>43984769 #
58. DrillShopper ◴[13 May 25 22:00 UTC] No.43978247{5}[source]
If the keys and functionality don't work exactly as GNU Screen does then this won't help me. The behavior and keystrokes are so far burned into my brain that it doesn't make sense at this point to learn a new tool unless/until every system I use under the sun doesn't support GNU Screen anymore.
59. hsbauauvhabzb ◴[13 May 25 22:03 UTC] No.43978262{5}[source]
I’m not sure what the screen keybindings are anymore but you could always rebind the tmux key so.
60. fc417fc802 ◴[13 May 25 22:43 UTC] No.43978594{8}[source]
> I'm surprised there's room for tmux on something that tiny.

A question that comes to mind is, under what circumstances would you expect a TUI based program that processes streaming text not to fit on a system that is otherwise capable of user interaction? It seems vaguely in the vicinity of the simplest possible interactive task you could come up with.

Certainly it generally isn't worth hyper-optimizing mainstream desktop applications to wring out the last few MB, let alone KB, of RAM in this day and age. However that doesn't answer the question - why would more than 1 MB of program binary be required for multiplexing text in a terminal? At least at first glance it honestly seems a bit outlandish.

61. esseph ◴[13 May 25 23:06 UTC] No.43978809[source]
IDK Man the hammer I use today looks a hell of a lot like the hammer used by engineers throughout human history.
62. Henchman21 ◴[13 May 25 23:45 UTC] No.43979137[source]
I guessed something similar. Screen is from an era where setuid was pretty common!
63. cozzyd ◴[14 May 25 00:20 UTC] No.43979384{3}[source]
Screen is useful when you need to a nest multiplexing inside tmux.

And for serial ports

64. esseph ◴[14 May 25 00:20 UTC] No.43979388{3}[source]
Sysadmin types, often daily
65. SEJeff ◴[14 May 25 02:11 UTC] No.43980013{6}[source]
If you don’t care about the output or handle it manually, use detail over nohup, it’s a bit nicer.
66. jethro_tell ◴[14 May 25 04:43 UTC] No.43980903{4}[source]
They re-keyed it specifically so it could be nested, however, they mention the prefix key is intentionally dumb and ment to be remapped, probably to ^a like screen.
replies(1): >>43986160 #
67. teddyh ◴[14 May 25 14:11 UTC] No.43984769{6}[source]
A more modern alternative is systemd-run: <https://www.freedesktop.org/software/systemd/man/latest/syst...>
68. entropie ◴[14 May 25 16:05 UTC] No.43986160{5}[source]
^a is the worst for emacs users since ^a is begging-of-line which we use a ton.

When I first started using screen some years ago the emacswiki (I think) even mentioned it and recommended to remap it to ^p which it is for me for screen and tmux since then.

(I could remember something wrong here)

replies(1): >>43988721 #
69. DrillShopper ◴[14 May 25 20:16 UTC] No.43988721{6}[source]
I've just worked '^a a' into my terminal emacs muscle memory.