Multiple security issues in GNU Screen

(www.openwall.com)

414 points st_goliath | 1 comments | 13 May 25 11:28 UTC | HN request time: 0s | source

Show context

RMPR ◴[13 May 25 11:51 UTC] No.43971862[source]▶

Nice write-up.

> Screen offers a multi-user mode which allows to attach to Screen sessions owned by other users in the system (given the proper credentials). These multi-user features are only available when Screen is installed with the setuid-root bit set. This configuration of Screen results in highly increased attack surface, because of the complex Screen code that runs with root privileges in this case

I wasn't aware of such a feature but I guess it's what makes stuff like tmate possible. Speaking of which, I wonder if tmux is affected by the same kind of vulnerability.

replies(4): >>43971918 #>>43971987 #>>43973735 #>>43977030 #

dooglius ◴[13 May 25 12:08 UTC] No.43971987[source]▶

>>43971862 #

No, tmux uses unix domain sockets. I have no idea why screen chose to take the setuid approach instead here; it seems totally unnecessary to have root privileges.

EDIT: Further down, TFA gives a plausible explanation: the current screen devs are not fully familiar with the code base. If so, the setuid-root approach was probably the easiest way to make the feature work in lieu of such familiarity.

replies(5): >>43972036 #>>43972445 #>>43972504 #>>43973108 #>>43975717 #

fzzzy ◴[13 May 25 13:05 UTC] No.43972504[source]▶

>>43971987 #

screen has used setuid root for multiuser for at least 20 years. Used to use it in multiuser for remote pair programming.

replies(1): >>43977165 #

1. icedchai ◴[13 May 25 20:11 UTC] No.43977165{3}[source]▶

>>43972504 #

I remember installing screen on a SunOS box back in the early 90's. It's been around a longggg time.

↑