Most active commenters
  • fullstop(4)
  • kstrauser(3)

←back to thread

Multiple security issues in GNU Screen

(www.openwall.com)
414 points st_goliath | 19 comments | 13 May 25 11:28 UTC | HN request time: 0.625s | source | bottom
Show context
RMPR ◴[13 May 25 11:51 UTC] No.43971862[source]
Nice write-up.

> Screen offers a multi-user mode which allows to attach to Screen sessions owned by other users in the system (given the proper credentials). These multi-user features are only available when Screen is installed with the setuid-root bit set. This configuration of Screen results in highly increased attack surface, because of the complex Screen code that runs with root privileges in this case

I wasn't aware of such a feature but I guess it's what makes stuff like tmate possible. Speaking of which, I wonder if tmux is affected by the same kind of vulnerability.

replies(4): >>43971918 #>>43971987 #>>43973735 #>>43977030 #
dooglius ◴[13 May 25 12:08 UTC] No.43971987[source]
No, tmux uses unix domain sockets. I have no idea why screen chose to take the setuid approach instead here; it seems totally unnecessary to have root privileges.

EDIT: Further down, TFA gives a plausible explanation: the current screen devs are not fully familiar with the code base. If so, the setuid-root approach was probably the easiest way to make the feature work in lieu of such familiarity.

replies(5): >>43972036 #>>43972445 #>>43972504 #>>43973108 #>>43975717 #
JdeBP ◴[13 May 25 12:14 UTC] No.43972036[source]
screen has a lot of architectural baggage that can be traced back to its initial 1987 comp.sources.unix/mod.sources versions in some cases. Being set-UID to the superuser is one of them. See the doco for screen as it was posted in volume 10:

https://sources.vsta.org/comp.sources.unix/volume10/screen/

replies(2): >>43972131 #>>43979137 #
ngangaga[dead post] ◴[13 May 25 12:26 UTC] No.43972131[source]
[flagged]
entropie ◴[13 May 25 13:14 UTC] No.43972586[source]
For me it felt (!) like screen is pretty much obsolute since 10+ years. When tmux came I switched and never looked back and I know a few that handled it the same.
replies(4): >>43972845 #>>43973094 #>>43973786 #>>43979384 #
1. dbdoskey ◴[13 May 25 15:07 UTC] No.43973786[source]
A similar process is happening with zellij and tmux. Since I switched over I feel that tmux is obsolete.
replies(3): >>43973811 #>>43974148 #>>43974216 #
2. lxgr ◴[13 May 25 15:10 UTC] No.43973811[source]
What does it do better than tmux?

Or is it more of a fish vs. zsh type of situation, where neither is obsolete, but the target audience is just very different?

replies(4): >>43973878 #>>43973946 #>>43974925 #>>43976331 #
3. kstrauser ◴[13 May 25 15:16 UTC] No.43973878[source]
A quick example is that mouse scrolling works by default. I see it more like ripgrep vs grep. Either can do almost anything the other can, but one has much more modern, ergonomic defaults.
4. eblume ◴[13 May 25 15:22 UTC] No.43973946[source]
Definitely more of a fish vs zsh situation, in my opinion.

tmux, to me, feels like "modern screen". It has some cool features, but at the end of the day, it just wants to be a terminal multiplexer. Great!

Zellij on the other hand seems to offer terminal multiplexing as an obvious first-class use case but "not the whole point". At the surface, Zellij is an opinionated terminal multiplexer that uses a nice TUI to give discoverability which you can turn off when you're ready to gain screen real estate. It's easy to make Zellij behave exactly like tmux/screen, and it's easy to configure via a single config file.

Where Zellij takes a turn in to a different direction, however, is that the workspaces you can configure with it can do all sorts of interesting things. For instance I once built[0] a python cli app which had a command that would launch a zellij workspace with various tabs plugged in to other entrypoints of that same python cli, basically allowing me to develop a multi-pane TUI as a single python Typer app. In one pane I had the main ui, and then in another stacked pane I had some diagnostic info as well as a chat session with an llm that can do tool-calling back out to the python cli again to update the session's state.

I think wrapping up a project's dev environment as a combination of mise (mise.jdx.dev) and zellij or nix+zellij to quickly onboard devs to, say, a containerized development environment, seems like a really neat idea.

0: https://github.com/eblume/mole/blob/main/src/mole/zonein.py -- but this is mostly derelict code now, I've moved on and don't use zellij much currently.

replies(1): >>43976560 #
5. fullstop ◴[13 May 25 15:39 UTC] No.43974148[source]
I hadn't used Zellij before, but I tried it out. Visually it works better than tmux and it shares enough key bindings with tmux to make it a pretty seamless transition.

With that being said, the binary is huge. I get that zellij is statically linked, but tmux is about 900KiB and has minimal dependencies. I'm flabbergasted that a terminal multiplexer, stripped, is 38MiB.

replies(2): >>43974914 #>>43974987 #
6. pabs3 ◴[13 May 25 15:45 UTC] No.43974216[source]
Terminals are obsoleted by Arcan:

https://arcan-fe.com/2025/01/27/sunsetting-cursed-terminal-e...

replies(2): >>43975004 #>>43975185 #
7. spookie ◴[13 May 25 16:46 UTC] No.43974914[source]
Looking at the source code I assume it's just the amount of cargo deps. Some of which I'm not sure what place they have on a tmux at a first glance.
replies(1): >>43976361 #
8. psychoslave ◴[13 May 25 16:47 UTC] No.43974925[source]
I used to used zsh, like I still have have karma moving up on stackoverflow as I answered my own questions on some obscure configuration fine tuning. But currently I'm more in a "give me the thing that work off the shelf" moment, so I take fish and don't plan to either look back.

Byobu with tmux as backend is my go to solution if I want a multiplexer, for what it worths.

9. kstrauser ◴[13 May 25 16:51 UTC] No.43974987[source]
True, but zellij also does more. I'd also give it more of a stink eye if it were something I were running many times inside the inner loop of a script, but as something you generally launch once and leave running forever, eh.

I occasionally have to recalibrate my units. I just launched Emacs on my Mac and it's using 350MB of RAM. That's astonishing when I think about Amiga programs I wrote, but it's also just 0.53% of the RAM in this particularly machine. It's probably larger than it could be if someone ruthlessly trimmed it back, but I'd rather spend that time using the other 99.4% of my machine to do more fun stuff.

replies(1): >>43976310 #
10. skydhash ◴[13 May 25 16:53 UTC] No.43975004[source]
From a quick read, all I can see is a manifesto for emacs.
11. procaryote ◴[13 May 25 17:05 UTC] No.43975185[source]
How though? Genuine question; x11 didn't obsolete terminals. Does Arcan do something X11 couldn't?
12. fullstop ◴[13 May 25 18:51 UTC] No.43976310{3}[source]
I have a few embedded devices which have just 128MiB of flash, and they can run tmux just fine. I wouldn't even consider zellij for this purpose, of course, and having tmux down there is more of a "this is a nice thing for development purposes" thing.

Regarding memory usage, Zellij appears to take up 63 MiB versus tmux's 3.8MiB. It's nice and all, but quite a pig. This is on Linux, maybe Mac is different.

replies(1): >>43976476 #
13. thesuitonym ◴[13 May 25 18:53 UTC] No.43976331[source]
Among a certain subset of linux users, new is always better.
14. fullstop ◴[13 May 25 18:56 UTC] No.43976361{3}[source]
Hopefully some effort is eventually put into slimming things down.
15. kstrauser ◴[13 May 25 19:09 UTC] No.43976476{4}[source]
Embedded is a lot different, to be sure. I'm surprised there's room for tmux on something that tiny.

But on desktop systems, on my Mac, Zellij takes 28MB of disk and 40MB of RAM. That's 1/37,000th of my available disk and 1/1,600th of my RAM. I'm all for optimized, tiny apps, but those are below my attention threshold.

replies(3): >>43977274 #>>43977421 #>>43978594 #
16. hnlmorg ◴[13 May 25 19:18 UTC] No.43976560{3}[source]
> Where Zellij takes a turn in to a different direction, however, is that the workspaces you can configure with it can do all sorts of interesting things.

That’s been a pretty standard feature of tmux since forever.

In fact the reason I first discovered tmux was because some Irssi (terminal IRC client) plugins used tmux to create additional panes for Irssi.

tmux is one of those tools that does a lot more than most people realise but the learning curve is steep and features aren’t easy to discover.

Zellij looks interesting but these days I mostly use tmux as a control plane rather than a terminal UI. So the enhancements of Zellij are wasted on me.

17. int_19h ◴[13 May 25 20:22 UTC] No.43977274{5}[source]
Note that "embedded" like this includes e.g. many modern routers.

Also note that computers with much less disk space than 128 Mb could and did run full-fledged GUI apps in the past. For example, the entirety of Windows 95 is ~100 Mb when installed.

18. fullstop ◴[13 May 25 20:36 UTC] No.43977421{5}[source]
The product uses libevent and libc already, so adding tmux only consumes a few hundred KiB in the image. The root filesystem is squashfs, so it's even less in practice.
19. fc417fc802 ◴[13 May 25 22:43 UTC] No.43978594{5}[source]
> I'm surprised there's room for tmux on something that tiny.

A question that comes to mind is, under what circumstances would you expect a TUI based program that processes streaming text not to fit on a system that is otherwise capable of user interaction? It seems vaguely in the vicinity of the simplest possible interactive task you could come up with.

Certainly it generally isn't worth hyper-optimizing mainstream desktop applications to wring out the last few MB, let alone KB, of RAM in this day and age. However that doesn't answer the question - why would more than 1 MB of program binary be required for multiplexing text in a terminal? At least at first glance it honestly seems a bit outlandish.