on Mon, 05 May 2003 06:01:28PM +0100, Colin Watson insinuated:
> On Mon, May 05, 2003 at 12:04:03AM -0600, Bob Proulx wrote:
> > Nori Heikkinen wrote:
> > > i've heard it bruited about that there's some security hole
> > > therein, that it runs setuid and therefore is for some reason
> > > bad. one of our sysadmins administers many servers at a college
> > > nearby, and his manager has outright forbidden screen on them.
> > > i don't know exactly what risk this would be, and that's why i'm
> > > asking -- to me it's just a harmless terminal manager, too, but
> > > i hear tell that it's not as simple as that.
> >
> > It needs to be setuid only to be able to write to the utmp file
> > the current login of the user. That is why people can compile it
> > as a normal user and it works for them. They can't escalate their
> > privilege to root. But it still works. But then no logging to
> > utmp. I personally would prefer to have the logging than not
> > having it.
>
> It's not even setuid (nowadays?), but setgid utmp. Some people are
> just control freaks; screen is a harmless and extremely useful
> program.
cool -- thanks for your responses, all!
</nori>
--
.~. nori @ sccs.swarthmore.edu
/V\ http://www.sccs.swarthmore.edu/~nori/jnl/
// \\ @ maenad.net
/( )\ www.maenad.net
^`~'^
get my (*new*) key here:
http://www.maenad.net/geek/gpg/7ede5499.asc
(please *remove* old key 11e031f1!)
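Added example, not part of the original thread: the replies above distinguish a setuid binary from one that is only setgid utmp, and this sketch reads the special-permission digit of a file mode to tell the two cases apart. The function names and sample modes are constructed for illustration, and audit_binary assumes GNU stat.

```shell
#!/bin/sh
# Added example (not from the thread): report which privilege bits a
# binary carries, so "setuid root" can be told apart from "setgid utmp".

# classify_priv MODE OWNER GROUP
# MODE is the octal permission string as printed by `stat -c %a`.
classify_priv() {
    mode=$1; owner=$2; group=$3
    # Pad to four digits so the special-bits digit is always the first one.
    while [ "${#mode}" -lt 4 ]; do mode="0$mode"; done
    special=${mode%???}    # leading digit: 4 = setuid, 2 = setgid, 1 = sticky
    result=""
    # setuid: the process runs with the file owner's effective uid.
    if [ $(( special & 4 )) -ne 0 ]; then
        result="setuid:$owner"
    fi
    # setgid: the process only gains the file group's effective gid.
    if [ $(( special & 2 )) -ne 0 ]; then
        result="${result:+$result }setgid:$group"
    fi
    echo "${result:-none}"
}

# audit_binary PATH
# Reads the real mode and ownership of PATH (assumes GNU stat's -c option).
audit_binary() {
    info=$(stat -c '%a %U %G' -- "$1") || return 1
    # Intentional word splitting: mode, owner, group.
    set -- $info
    classify_priv "$1" "$2" "$3"
}

# Constructed sample modes, not taken from any real system:
classify_priv 4755 root root    # setuid root: full root effective uid
classify_priv 2755 root utmp    # setgid utmp: only group utmp is gained
classify_priv 755  nori users   # built as a normal user: no extra privilege
```

On a real host, `audit_binary "$(command -v screen)"` reports which of these cases the installed binary falls into.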