
Re: screen



Nori Heikkinen wrote:
> i've heard it bruited about that there's some security hole therein,
> that it runs setuid and therefore is for some reason bad.  one of our
> sysadmins administers many servers at a college nearby, and his
> manager has outright forbidden screen on them.  i don't know exactly
> what risk this would be, and that's why i'm asking -- to me it's just
> a harmless terminal manager, too, but i hear tell that it's not as
> simple as that.

It needs to be setuid only to be able to write the user's current
login to the utmp file.  That is why people can compile it as a
normal user and it works for them.  They can't escalate their
privilege to root.  But it still works.  But then there is no logging
to utmp.  I personally would prefer to have the logging than not
have it.

I have not heard of any security vulnerability in screen.  However, if
there is concern then the program should be audited.

> but we're not sure how we feel about (a) some users compiling screen
> in their homedirs and using it to run chatbots, and (b) potential
> security holes, as mentioned above.

But there is nothing special about screen for that purpose.  It would
not be my choice for running a chatbot.  I would use a perl script for
that.  Something like this.

  use POSIX;
  chdir("/");                  # change to / so the daemon does not pin a mounted filesystem
  defined(my $pid = fork) or die "fork failed: $!";
  exit if $pid;                # parent returns to the shell
  POSIX::setsid();             # child becomes a session leader with no controlling terminal
  # ...do that voodoo that you do...

The perl is representative of the C code it would take to do the
same operation.  So anyone with perl, ruby, python, or a C compiler
can easily detach from the terminal and leave a daemon running after
logging out.

> the user who contacted us about screen wanted to use it to not have
> 50 instances of PuTTy running at once -- i'm not sure how the
> functionality of screen would allow that, but i'm not familiar with
> the command past its nohup-like abilities.

Have you used KDE and Konsole?  Or Gnome-multi-term?  Those have
built-in terminal session managers.  Click on the "New" button and
there is now a new session which can be switched between.  That is the
same functionality that screen provides to terminal sessions.

Without this capability, someone coming from an MS machine using
putty who needs several terminals would need to putty in once per
window needed.  Need a window?  Putty in.  But if screen were
available one can log in once with a putty window, start screen, and
switch between several terminals in one window.

Bob
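The detach-and-keep-running sequence that the Perl snippet above sketches, written out in Python as an added example (not code from the thread). It shows the point Bob makes: an unprivileged process can leave a daemon behind with nothing but fork() and setsid(), no setuid binary involved. The helper names, the report file and the second fork are my own additions; the grandchild writes its session identity to a file so the caller can verify that it really left the login session.

```python
"""Detach a process from its login session using only fork()/setsid().

Added example for this thread, not the original poster's code.  Helper
names and the report-file mechanism are assumptions of this example.
"""
import os
import tempfile
import time


def describe_session():
    """Return the session identity of the calling process.

    has_ctty is True when /dev/tty can be opened, i.e. the process still
    has a controlling terminal.  After setsid() plus a second fork the
    daemon has none, so the open fails with ENXIO.
    """
    try:
        fd = os.open("/dev/tty", os.O_RDWR | os.O_NOCTTY)
        os.close(fd)
        has_ctty = True
    except OSError:
        has_ctty = False
    return {"pid": os.getpid(), "sid": os.getsid(0),
            "pgid": os.getpgrp(), "has_ctty": has_ctty}


def spawn_detached(report_path):
    """Fork a child that detaches into its own session, records
    describe_session() at report_path, and exits.

    Returns the pid of the intermediate child so the caller can reap it.
    """
    pid = os.fork()
    if pid > 0:
        return pid                       # parent: carry on
    # child: new session, which drops the controlling terminal
    os.setsid()
    # second fork: the grandchild is not a session leader, so it can
    # never reacquire a controlling tty by opening one later
    if os.fork() > 0:
        os._exit(0)
    os.chdir("/")                        # do not pin the cwd mount
    os.umask(0o022)
    # point stdio at /dev/null so nothing writes back to the old tty
    devnull = os.open(os.devnull, os.O_RDWR)
    for fd in (0, 1, 2):
        os.dup2(devnull, fd)
    info = describe_session()
    # write to a temp name, then rename, so readers never see a partial line
    tmp = report_path + ".tmp"
    with open(tmp, "w") as fh:
        fh.write("{pid} {sid} {pgid} {has_ctty}\n".format(**info))
    os.replace(tmp, report_path)
    os._exit(0)


def wait_for_report(report_path, timeout=5.0):
    """Poll until the detached grandchild has written its report."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            with open(report_path) as fh:
                line = fh.read().strip()
        except FileNotFoundError:
            line = ""
        if line:
            pid, sid, pgid, has_ctty = line.split()
            return {"pid": int(pid), "sid": int(sid),
                    "pgid": int(pgid), "has_ctty": has_ctty == "True"}
        time.sleep(0.05)
    raise TimeoutError("detached child never reported")


def demo(report_path=None):
    """Detach a grandchild and return what it reported about itself."""
    if report_path is None:
        report_path = os.path.join(tempfile.mkdtemp(), "session-report")
    child = spawn_detached(report_path)
    os.waitpid(child, 0)          # intermediate child exits immediately
    return wait_for_report(report_path)


if __name__ == "__main__":
    print("caller :", describe_session())
    print("daemon :", demo())
```

Compared with the caller, the daemon reports a different session id, a process group equal to that session id (it inherited the first child's new session), and no controlling terminal. That is the whole of what screen's "nohup-like" ability amounts to, and it needs no privilege at all; the setuid bit on a packaged screen serves only the utmp bookkeeping discussed above.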
