414 points st_goliath | 11 comments
RMPR ◴[] No.43971862[source]
Nice write-up.

> Screen offers a multi-user mode which allows to attach to Screen sessions owned by other users in the system (given the proper credentials). These multi-user features are only available when Screen is installed with the setuid-root bit set. This configuration of Screen results in highly increased attack surface, because of the complex Screen code that runs with root privileges in this case

I wasn't aware of such a feature but I guess it's what makes stuff like tmate possible. Speaking of which, I wonder if tmux is affected by the same kind of vulnerability.

dooglius ◴[] No.43971987[source]
No, tmux uses unix domain sockets. I have no idea why screen chose to take the setuid approach instead here; it seems totally unnecessary to have root privileges.

EDIT: Further down, TFA gives a plausible explanation: the current screen devs are not fully familiar with the code base. If so, the setuid-root approach was probably the easiest way to make the feature work in lieu of such familiarity.

JdeBP ◴[] No.43972036[source]
screen has a lot of architectural baggage that can be traced back to its initial 1987 comp.sources.unix/mod.sources versions in some cases. Being set-UID to the superuser is one of them. See the doco for screen as it was posted in volume 10:

https://sources.vsta.org/comp.sources.unix/volume10/screen/

ngangaga[dead post] ◴[] No.43972131[source]
[flagged]
entropie ◴[] No.43972586[source]
For me it felt (!) like screen has been pretty much obsolete for 10+ years. When tmux came I switched and never looked back, and I know a few that handled it the same.
1. DrillShopper ◴[] No.43973094[source]
Try as I might I cannot get my fingers to re-learn the tmux keybindings. The GNU Screen keybindings are that burned into my brain.
2. SSLy ◴[] No.43973184[source]
SvP https://github.com/grml/grml-etc-core/blob/master/etc/tmux.c...
3. Cerium ◴[] No.43973925[source]
Thankfully you can configure it. I had the same initial difficulty.
4. imoverclocked ◴[] No.43976109[source]
That’s great for your own machine or even common home directory scenarios. The issue is when you have a bunch of machines to manage without chef/puppet/etc or hop onto a random machine or a machine you don’t own etc… defaults are what you get to work with.

If screen is there and I need to do something that lasts longer than my ssh session, screen is what I reach for. If it’s non-interactive, I reach for nohup next.

5. cheema33 ◴[] No.43977007[source]
> Try as I might I cannot get my fingers to re-learn the tmux keybindings. The GNU Screen keybindings are that burned into my brain.

This. I have tried switching away from screen a few times. But failed because the keybindings are burned into my brain as well.

I will try harder.

6. DrillShopper ◴[] No.43978247[source]
If the keys and functionality don't work exactly as GNU Screen does then this won't help me. The behavior and keystrokes are so far burned into my brain that it doesn't make sense at this point to learn a new tool unless/until every system I use under the sun doesn't support GNU Screen anymore.
7. hsbauauvhabzb ◴[] No.43978262[source]
I’m not sure what the screen keybindings are anymore but you could always rebind the tmux key so.
8. SEJeff ◴[] No.43980013{3}[source]
If you don’t care about the output or handle it manually, use detail over nohup, it’s a bit nicer.
9. jethro_tell ◴[] No.43980903[source]
They re-keyed it specifically so it could be nested; however, they mention the prefix key is intentionally dumb and meant to be remapped, probably to ^a like screen.
10. entropie ◴[] No.43986160[source]
^a is the worst for emacs users since ^a is beginning-of-line, which we use a ton.

When I first started using screen some years ago the emacswiki (I think) even mentioned it and recommended to remap it to ^p which it is for me for screen and tmux since then.

(I could remember something wrong here)

11. DrillShopper ◴[] No.43988721{3}[source]
I've just worked '^a a' into my terminal emacs muscle memory.