Bugtraq mailing list archives

Re: Screen tmp race temp fix


From: guenther () GAC EDU (Philip Guenther)
Date: Thu, 20 Aug 1998 00:42:40 -0500


David Luyer <luyer () UCS UWA EDU AU> writes:
> ...
> Now you've just opened up the nonsuid screen can't set tty permissions problem.

Only on OSes that use BSD ttys.  The sysV style pts clone device does
not suffer from this as the chowning and chmoding is done for you via a
suid helper program called from the grantpt() routine.


> A more minor problem is that screen can't read the shadowed password file if
> there is one and when someone locks the screen and walks away, they might not
> realise that this copy of screen is non-SUID so it sits there asking them
> what password to use.

I just checked the source, and if it can't get the password via
getpwnam and getspnam fails, then it just asks for one when you lock
the screen.


The deficiency that you forgot was the inability of screen to update
utmp on OSes where utmp isn't world writable (good!) and that don't
have some libc routine that calls a setuid root program to do the
update for the program.

The result is that screen is crippled or insecure when not setuid on
BSDish systems, while it gets by pretty well on sysVish ones.  I run it
here under Solaris 2.5 and 2.6 without it being setuid and without any
loss of functionality, except the lock password, and that's what xlock
is for.

The one other place I can think of in screen which really deserves a
going over is the client-server protocol code: if someone can open the
screen socket/pipe, can they crash the server or exploit a buffer
overflow?


Philip Guenther

----------------------------------------------------------------
Philip Guenther                 UNIX Systems and Network Administrator
Internet: guenther () gac edu      Voicenet: (507) 933-7596
Gustavus Adolphus College       St. Peter, MN 56082-1498
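The grantpt() point made in the reply above, shown as an added example that is not part of the original message and is not code from screen itself: a non-setuid program acquires a pseudo-terminal through the Unix98 clone device (assumed to be present as /dev/ptmx, as on Linux and Solaris), lets grantpt()/unlockpt() do the chown and chmod of the slave, and then checks that the slave really is owned by the caller and is not world-writable. The struct and function names are this example's own.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed result record for the ownership check (example-only type). */
struct pty_check {
    char slave_path[64];
    uid_t slave_uid;
    uid_t our_uid;
    mode_t slave_mode;   /* permission bits of the slave device */
    int uid_ok;          /* 1 if the slave is owned by the calling user */
    int world_writable;  /* 1 if S_IWOTH is set on the slave */
};

/* Acquire a pty through the clone device and record who owns the slave.
 * Returns 0 on success, -1 if no pty could be obtained (for example when
 * /dev/ptmx or /dev/pts is missing in a restricted container). */
int check_pty_ownership(struct pty_check *out)
{
    memset(out, 0, sizeof *out);
    out->our_uid = getuid();

    int master = posix_openpt(O_RDWR | O_NOCTTY);
    if (master < 0)
        return -1;

    /* grantpt() is where the OS (on SysV-style systems via a setuid helper)
     * chowns the slave to the caller and sets a sane mode; the calling
     * program itself needs no privilege for this to happen. */
    if (grantpt(master) < 0 || unlockpt(master) < 0) {
        close(master);
        return -1;
    }

    const char *name = ptsname(master);
    if (name == NULL) {
        close(master);
        return -1;
    }
    snprintf(out->slave_path, sizeof out->slave_path, "%s", name);

    struct stat st;
    if (stat(name, &st) < 0) {
        close(master);
        return -1;
    }

    out->slave_uid = st.st_uid;
    out->slave_mode = st.st_mode & 07777;
    out->uid_ok = (st.st_uid == out->our_uid);
    out->world_writable = (st.st_mode & S_IWOTH) != 0;

    close(master);
    return 0;
}

int main(void)
{
    struct pty_check c;
    if (check_pty_ownership(&c) != 0) {
        perror("posix_openpt/grantpt");
        return 1;
    }
    printf("slave %s: owner uid %u (we are %u), mode %04o%s\n",
           c.slave_path, (unsigned)c.slave_uid, (unsigned)c.our_uid,
           (unsigned)c.slave_mode,
           c.world_writable ? " WORLD-WRITABLE" : "");
    return (c.uid_ok && !c.world_writable) ? 0 : 2;
}
```

Run it as an ordinary user: the slave reported should be owned by your own uid with a mode such as 0620, which is exactly the outcome a non-setuid screen cannot reach on a BSD-tty system where it would have to chown the device itself.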