possible security flaw in screen 3.9.5-9

To: debian-security@lists.debian.org
Subject: possible security flaw in screen 3.9.5-9
From: CaT <cat@zip.com.au>
Date: Sat, 9 Sep 2000 00:00:19 +1100
Message-id: <[🔎] 20000909000019.N4385@zip.com.au>

After installing this utility (which has to be amongst my very
favourite) I noticed something interesting int he way it behaves.
Basically, screen does what I first thought of when compiling it
for myself, which is to put its pipes in /var/run/screen.

What screen does there is to create subdirs which are then used
to hold a users pipes. Now these subdirs are owned by the user
that runs screen. The hassle with this is that it gives the user
a. a possible way around quotas set on /home b. a method of fully
filling up /var, thereby potentially causing log entries to be
lost which, in turn, gives the user anice, untracable way of then
doing naughty things without those naughty things getting logged.
Said user can then rm the large file they created and noone would
be any the wiser.

As such I reckon it's best if the screen directory is left in
/tmp where the authors initially put it. It's inconvenient but
doesn't cause the problems above.

-- 
CaT (cat@zip.com.au)

	'He had position, but I was determined to score.'
		-- Worf, DS9, Season 5: 'Let He Who Is Without Sin...'

Reply to:

Follow-Ups:
- Re: possible security flaw in screen 3.9.5-9
  - From: piglet@glutinous.custard.org (Tim Haynes)
- Re: possible security flaw in screen 3.9.5-9
  - From: Michael Stone <mstone@debian.org>
- Re: possible security flaw in screen 3.9.5-9
  - From: Herbert Xu <herbert@gondor.apana.org.au>
- Re: possible security flaw in screen 3.9.5-9
  - From: Ethan Benson <erbenson@alaska.net>

Prev by Date: RE: libc6 for woody?
Next by Date: Re: possible security flaw in screen 3.9.5-9
Previous by thread: Re: libc6 for woody?
Next by thread: Re: possible security flaw in screen 3.9.5-9
Index(es):
- Date
- Thread