Bug 1976 - /usr/bin/screen gives backdoor to /dev
/usr/bin/screen gives backdoor to /dev
Product: Red Hat Raw Hide
Classification: Retired
Component: screen (Show other bugs)
i386 Linux
high Severity medium
: ---
: ---
Assigned To: Bill Nottingham
: Security
Depends On:
  Show dependency treegraph
Reported: 1999-04-04 03:39 EDT by Jay Freeman
Modified: 2014-03-16 22:09 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 1999-04-26 17:28:25 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Jay Freeman 1999-04-04 03:39:29 EDT
The version of screen sent with rawhide seems to have a
security problem and should not be setuid root.  Earlier I
was trying to figure out why I couldn't eject my cd-rom
drive, and found out that when BitchX-75p3-1 (obtained from
contrib.redhat.com) is run under a screen session started
with this version of screen, /dev/hdc's ownership is changed
to that user, and the modification flags are changed to 400
(might have been 600, sorry, forgot), allowing that user to
get access to that drive.
Instead of being setuid root, I can only propose that the
directory /tmp/screens is created when the package is
installed, and is created with root as the owner and group,
and is 777 (which is required of that), however this might
lead to other problems down the road (although I believe
screen is smart enough not to attempt to utilize a directory
under /tmp/screens that isn't owned by the user running the
screen binary).
Comment 1 Bill Nottingham 1999-04-15 12:21:59 EDT
screen is no longer setuid root.
Comment 2 Jay Freeman 1999-04-24 11:52:59 EDT
Ok, finally ran across a slight problem with this.  screen requires
different permissions of /tmp/screens when it runs at different user
levels.  When running as root it requires 755, and as a user it
requires 777.  (Most likely because when running at root it assumes
it is only running as root, and is setuid'd, so it decides to close
a "security hazard" by forcing you to make /tmp/screens 755 in that
case).  screen could be modified to "fix" this, or root could simply
be banned from using screen.
Comment 3 Bill Nottingham 1999-04-26 17:28:59 EDT
fixed in screen-3.7.6-7. (/tmp/screens is 0777 in all cases)

Note You need to log in before you can comment on or make changes to this bug.