Bug 1976

Summary: /usr/bin/screen gives backdoor to /dev
Product: [Retired] Red Hat Raw Hide
Reporter: Jay Freeman <saurik>
Component: screen
Assignee: Bill Nottingham <notting>
Severity: medium
Priority: high
Version: 1.0
CC: rvokal
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 1999-04-26 21:28:25 UTC

Description Jay Freeman 1999-04-04 07:39:29 UTC
The version of screen sent with rawhide seems to have a
security problem and should not be setuid root.  Earlier I
was trying to figure out why I couldn't eject my cd-rom
drive, and found out that when BitchX-75p3-1 (obtained from
contrib.redhat.com) is run under a screen session started
with this version of screen, /dev/hdc's ownership is changed
to that user, and the modification flags are changed to 400
(might have been 600, sorry, forgot), allowing that user to
get access to that drive.
Instead of being setuid root, I can only propose that the
directory /tmp/screens is created when the package is
installed, and is created with root as the owner and group,
and is 777 (which is required of that), however this might
lead to other problems down the road (although I believe
screen is smart enough not to attempt to utilize a directory
under /tmp/screens that isn't owned by the user running the
screen binary).

Comment 1 Bill Nottingham 1999-04-15 16:21:59 UTC
screen is no longer setuid root.

Comment 2 Jay Freeman 1999-04-24 15:52:59 UTC
Ok, finally ran across a slight problem with this.  screen requires
different permissions of /tmp/screens when it runs at different user
levels.  When running as root it requires 755, and as a user it
requires 777.  (Most likely because when running at root it assumes
it is only running as root, and is setuid'd, so it decides to close
a "security hazard" by forcing you to make /tmp/screens 755 in that
case).  screen could be modified to "fix" this, or root could simply
be banned from using screen.

Comment 3 Bill Nottingham 1999-04-26 21:28:59 UTC
fixed in screen-3.7.6-7. (/tmp/screens is 0777 in all cases)
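
The ownership check mentioned in the description (a per-user directory under a world-writable /tmp/screens is only used if it belongs to the user running the binary), written out as an added example. This is not screen's code or part of the bug report; `check_user_dir` and the status names are hypothetical.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum dir_status {
    DIR_OK = 0, DIR_MISSING, DIR_NOT_DIRECTORY, DIR_WRONG_OWNER, DIR_BAD_MODE
};

/* Validate a per-user directory that lives under a world-writable parent
 * such as /tmp/screens. Hypothetical helper, not screen's own function. */
enum dir_status check_user_dir(const char *path, uid_t owner)
{
    struct stat st;

    /* lstat, not stat: a symlink created by another user is not followed. */
    if (lstat(path, &st) != 0)
        return DIR_MISSING;
    if (!S_ISDIR(st.st_mode))
        return DIR_NOT_DIRECTORY;
    /* Anyone can create entries in a 0777 parent, so ownership must match. */
    if (st.st_uid != owner)
        return DIR_WRONG_OWNER;
    /* Any group/other bit lets another account reach the sockets inside. */
    if (st.st_mode & (S_IRWXG | S_IRWXO))
        return DIR_BAD_MODE;
    return DIR_OK;
}

int main(int argc, char **argv)
{
    static const char *msg[] = {
        "ok", "missing", "not a directory (symlink or file)",
        "owned by another user", "group/other permission bits set"
    };

    if (argc != 2) {
        fprintf(stderr, "usage: %s DIR\n", argv[0]);
        return 2;
    }
    enum dir_status s = check_user_dir(argv[1], getuid());
    printf("%s: %s\n", argv[1], msg[s]);
    return s == DIR_OK ? 0 : 1;
}
```

A check followed by a later use of the path is racy inside a world-writable parent; code that goes on to use the directory should open it with `O_NOFOLLOW` and run the same tests with `fstat` on the descriptor.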