
Re: screen



On Mon, May 05, 2003 at 12:04:03AM -0600, Bob Proulx wrote:
> Nori Heikkinen wrote:
> > i've heard it bruited about that there's some security hole therein,
> > that it runs setuid and therefore is for some reason bad.  one of our
> > sysadmins administers many servers at a college nearby, and his
> > manager has outright forbidden screen on them.  i don't know exactly
> > what risk this would be, and that's why i'm asking -- to me it's just
> > a harmless terminal manager, too, but i hear tell that it's not as
> > simple as that.
> 
> It needs to be setuid only to be able to write to the utmp file the
> current login of the user.  That is why people can compile it as a
> normal user and it works for them.  They can't escalate their
> privilege to root.  But it still works.  But then no logging to utmp.
> I personally would prefer to have the logging than not having it.

It's not even setuid (nowadays?), but setgid utmp. Some people are just
control freaks; screen is a harmless and extremely useful program.

Cheers,

-- 
Colin Watson                                  [cjwatson@flatline.org.uk]
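
To see which of the two cases discussed above applies on a given machine (setuid root versus setgid utmp), the mode bits and ownership of the installed binary can be inspected. The following is an added example, not part of the original thread; the function names `classify_mode` and `audit_binary` are hypothetical, and `audit_binary` assumes GNU `stat`.

```shell
#!/bin/sh
# Added example: report which privilege a binary gains from its mode bits.

# classify_mode MODE OWNER GROUP
# MODE is the octal mode as printed by stat (e.g. 2755).
classify_mode() {
    mode=$1 owner=$2 group=$3
    # Special bits sit above the nine permission bits: 4 = setuid, 2 = setgid.
    special=$(( (0$mode >> 9) & 7 ))
    result=""
    if [ $(( special & 4 )) -ne 0 ]; then
        result="setuid $owner"
    fi
    if [ $(( special & 2 )) -ne 0 ]; then
        # Linux only honours setgid on exec when group-execute is also set.
        if [ $(( 0$mode & 010 )) -ne 0 ]; then
            result="${result:+$result, }setgid $group"
        else
            result="${result:+$result, }setgid bit without group-execute (ignored on exec)"
        fi
    fi
    echo "${result:-no setuid/setgid bits}"
}

# audit_binary PATH
# Looks up mode, owner and group with GNU stat (assumption) and classifies them.
audit_binary() {
    path=$1
    if [ ! -e "$path" ]; then
        echo "$path: not found"
        return 1
    fi
    # %a = octal mode, %U = owner name, %G = group name
    set -- $(stat -c '%a %U %G' "$path")
    echo "$path: $(classify_mode "$1" "$2" "$3")"
}

# Run against a path given on the command line, e.g. the installed screen binary.
if [ "$#" -gt 0 ]; then
    audit_binary "$1"
fi
```

A result of `setgid utmp` means the program runs with the utmp group's access rather than root's, which is the distinction drawn in the reply above.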


