Bugtraq mailing list archives
Re: Screen tmp race temp fix
From: guenther () GAC EDU (Philip Guenther)
Date: Thu, 20 Aug 1998 00:42:40 -0500
David Luyer <luyer () UCS UWA EDU AU> writes:
...
> Now you've just opened up the nonsuid screen can't set tty permissions problem.

Only on OSes that use BSD ttys. The sysV style pts clone device does not suffer from this as the chowning and chmoding is done for you via a suid helper program called from the grantpt() routine.

> A more minor problem is that screen can't read the shadowed password file if there is one and when someone locks the screen and walks away, they might not realise that this copy of screen is non-SUID so it sits there asking them what password to use.

I just checked the source, and if it can't get the password via getpwnam and getspnam fails, then it just asks for one when you lock the screen.

The deficiency that you forgot was the inability of screen to update utmp on OSes where utmp isn't world writable (good!) and that don't have some libc routine that calls a setuid root program to do the update for the program. The result is that screen is crippled or insecure when not setuid on BSDish systems, while it gets by pretty well on sysVish ones.

I run it here under Solaris 2.5 and 2.6 without it being setuid and without any loss of functionality, except the lock password, and that's what xlock is for.

The one other place I can think of in screen which really deserves a going over is the client-server protocol code: if someone can open the screen socket/pipe, can they crash the server or exploit a buffer overflow?

Philip Guenther
----------------------------------------------------------------
Philip Guenther              UNIX Systems and Network Administrator
Internet: guenther () gac edu                 Voicenet: (507) 933-7596
Gustavus Adolphus College                  St. Peter, MN  56082-1498
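As an added illustration (not part of this thread or of screen's own code), the following C probe checks the pts mechanism Philip describes: it allocates a pty with no privilege and reports whether grantpt() left the slave owned by the caller and not world-writable, which is what lets a non-setuid screen get by on sysV-style systems. It also carries a small mode check for the world-writable-utmp question; it assumes a POSIX system with posix_openpt().

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Is a file mode world-writable?  A world-writable utmp is what lets a
   non-setuid program update it directly (and why that is a bad idea). */
int mode_world_writable(mode_t mode)
{
    return (mode & S_IWOTH) ? 1 : 0;
}

/* Allocate a SysV-style pty without any privilege and inspect the slave.
   Returns 1 if the slave ends up owned by us and not world-writable
   (grantpt() did the chown/chmod, so no setuid is needed for tty
   permissions), 0 if the slave came back with bad ownership/mode, and
   -1 if no pty could be opened at all (no /dev/ptmx, pty exhaustion...). */
int check_pty_path(void)
{
    int master = posix_openpt(O_RDWR | O_NOCTTY);
    if (master < 0)
        return -1;
    /* grantpt() is where the privileged helper runs on pts systems. */
    if (grantpt(master) != 0 || unlockpt(master) != 0) {
        close(master);
        return -1;
    }
    const char *slave = ptsname(master);
    struct stat st;
    if (slave == NULL || stat(slave, &st) != 0) {
        close(master);
        return -1;
    }
    int ok = (st.st_uid == getuid()) && !mode_world_writable(st.st_mode);
    printf("%s: owner uid %u, mode %04o -> %s\n", slave,
           (unsigned)st.st_uid, (unsigned)(st.st_mode & 07777),
           ok ? "usable without setuid" : "needs privileged fixup");
    close(master);
    return ok ? 1 : 0;
}

int main(void)
{
    int r = check_pty_path();
    if (r < 0)
        puts("could not allocate a pty on this system");
    return r == 1 ? 0 : 1;
}
```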