on Mon, 05 May 2003 06:01:28PM +0100, Colin Watson insinuated:
> On Mon, May 05, 2003 at 12:04:03AM -0600, Bob Proulx wrote:
> > Nori Heikkinen wrote:
> > > i've heard it bruited about that there's some security hole
> > > therein, that it runs setuid and therefore is for some reason
> > > bad. one of our sysadmins administers many servers at a college
> > > nearby, and his manager has outright forbidden screen on them.
> > > i don't know exactly what risk this would be, and that's why i'm
> > > asking -- to me it's just a harmless terminal manager, too, but
> > > i hear tell that it's not as simple as that.
> >
> > It needs to be setuid only to be able to write the current login of
> > the user to the utmp file. That is why people can compile it as a
> > normal user and it works for them. They can't escalate their
> > privilege to root. But it still works. But then no logging to utmp.
> > I personally would prefer to have the logging than not having it.
>
> It's not even setuid (nowadays?), but setgid utmp. Some people are
> just control freaks; screen is a harmless and extremely useful
> program.

cool -- thanks for your responses, all!

</nori>

-- 
 .~.  nori @ sccs.swarthmore.edu
 /V\  http://www.sccs.swarthmore.edu/~nori/jnl/
// \\ @ maenad.net
/( )\ www.maenad.net
^`~'^
get my (*new*) key here: http://www.maenad.net/geek/gpg/7ede5499.asc
(please *remove* old key 11e031f1!)
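The thread turns on the difference between a setuid-root binary and one that is merely setgid utmp. The following shell function is an added example (not from the thread or from the screen project) that reports which of the two bits a file carries and to which owner or group that privilege belongs, so an admin can confirm what a given screen binary actually has; the function name `privbits` is the example's own.

```shell
#!/bin/sh
# privbits FILE: print "setuid:<owner>", "setgid:<group>", both joined by "+",
# or "none". A screen binary installed as the thread describes should report
# "setgid:utmp" and nothing else; "setuid:root" would be the case worth a look.
privbits() {
    f="$1"
    [ -e "$f" ] || { echo "missing"; return 1; }
    # ls -ld prints: mode links owner group ...; the mode string shows 's'
    # (or 'S' if not executable) in the owner or group execute slot when the
    # corresponding bit is set.
    set -- $(ls -ld "$f")
    mode=$1; owner=$3; group=$4
    out=""
    case "$mode" in
        ???[sS]*) out="setuid:$owner" ;;
    esac
    case "$mode" in
        ??????[sS]*) out="${out:+$out+}setgid:$group" ;;
    esac
    echo "${out:-none}"
}

# Example use: privbits "$(command -v screen)"
```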