Bug 1976 - /usr/bin/screen gives backdoor to /dev
Summary: /usr/bin/screen gives backdoor to /dev
Alias: None
Product: Red Hat Raw Hide
Classification: Retired
Component: screen
Version: 1.0
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Bill Nottingham
QA Contact:
Depends On:
TreeView+ depends on / blocked
Reported: 1999-04-04 07:39 UTC by Jay Freeman
Modified: 2014-03-17 02:09 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 1999-04-26 21:28:25 UTC

Attachments (Terms of Use)

Description Jay Freeman 1999-04-04 07:39:29 UTC
The version of screen sent with rawhide seems to have a
security problem and should not be setuid root.  Earlier I
was trying to figure out why I couldn't eject my cd-rom
drive, and found out that when BitchX-75p3-1 (obtained from
contrib.redhat.com) is run under a screen session started
with this version of screen, /dev/hdc's ownership is changed
to that user, and the modification flags are changed to 400
(might have been 600, sorry, forgot), allowing that user to
get access to that drive.
Instead of being setuid root, I can only propose that the
directory /tmp/screens is created when the package is
installed, and is created with root as the owner and group,
and is 777 (which is required of that), however this might
lead to other problems down the road (although I believe
screen is smart enough not to attempt to utilize a directory
under /tmp/screens that isn't owned by the user running the
screen binary).

Comment 1 Bill Nottingham 1999-04-15 16:21:59 UTC
screen is no longer setuid root.

Comment 2 Jay Freeman 1999-04-24 15:52:59 UTC
Ok, finally ran across a slight problem with this.  screen requires
different permissions of /tmp/screens when it runs at different user
levels.  When running as root it requires 755, and as a user it
requires 777.  (Most likely because when running at root it assumes
it is only running as root, and is setuid'd, so it decides to close
a "security hazard" by forcing you to make /tmp/screens 755 in that
case).  screen could be modified to "fix" this, or root could simply
be banned from using screen.

Comment 3 Bill Nottingham 1999-04-26 21:28:59 UTC
fixed in screen-3.7.6-7. (/tmp/screens is 0777 in all cases)

Note You need to log in before you can comment on or make changes to this bug.