Date: Wed, 3 Apr 2002 16:39:40 -0800 (PST)
From: Jason Stone <jason@shalott.net>
To: Jesper Wallin <z3l3zt@phucking.kicks-ass.org>
Cc: <security@freebsd.org>
Subject: Re: Is screen really secure?
Message-ID: <20020403163222.I94832-100000@walter>
In-Reply-To: <1320.213.112.58.75.1017858077.squirrel@phucking.kicks-ass.org>

> When I started with Linux/Unix security, the first thing I learned was
> "do not run a daemon as root as long as it isn't really required".. well,
> when I use irssi as my primary irc-client, which does not have any built-in
> detach function, I use screen instead. When I run a "ps -aux" it shows
> me screen is run by root!?
>
> Example:
> root 302 0.0 0.5 1800 1164 ?? Is Tue04PM 0:01.85 screen irssi

Screen is setuid root by default. As it has a long history of readily
segfaulting, you should probably take the setuid bit off.

In general, if a software package is not a critical part of a production
system and it installs setuid parts, you should take off the setuid bits
and see if it still works acceptably, or try to determine if it can be
made to work with a new group and setgid instead. For instance, many
ports are setuid root to manipulate peripheral devices in /dev - usually
you can work around this by making the /dev/ entry group writable and the
binary setgid that group.

In this case, screen is setuid so that it can write utmp (so that when
you open another screen window, it can create a login entry for you). You
can either just remove the setuid bit and go without that functionality,
or you can (probably) make utmp/wtmp/lastlog group "utmp" (for example),
group writable, and make screen setgid utmp.

-Jason

-----------------------------------------------------------------------
I worry about my child and the Internet all the time, even though she's
too young to have logged on yet. Here's what I worry about. I worry that
10 or 15 years from now, she will come to me and say "Daddy, where were
you when they took freedom of the press away from the Internet?"
        -- Mike Godwin
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020403163222.I94832-100000>
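
The setuid-to-setgid conversion described in the message above, as an added example that is not part of the original e-mail. The helper names are hypothetical, the files are constructed stand-ins for screen and utmp in a scratch directory, and the caller's primary group stands in for a dedicated "utmp" group so the demo runs without root.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not from the original message.

# has_mode FILE BITS: true if FILE has every permission bit in octal BITS set.
has_mode() {
    [ -n "$(find "$1" -prune -perm "-$2" 2>/dev/null)" ]
}

# list_setuid DIR: print regular files under DIR that carry the setuid bit.
list_setuid() {
    find "$1" -type f -perm -4000 -print
}

# to_setgid BINARY GROUP DATAFILE...
# Make each DATAFILE group-writable by GROUP, then swap BINARY's setuid bit
# for setgid GROUP. chgrp runs before chmod because changing ownership may
# clear the set-id bits.
to_setgid() {
    bin=$1 grp=$2
    shift 2
    for data in "$@"; do
        chgrp "$grp" "$data" && chmod g+w "$data" || return 1
    done
    chgrp "$grp" "$bin" && chmod u-s,g+s "$bin"
}

# Demo on constructed scratch files standing in for screen and utmp.
# Assumption: the caller's primary group stands in for a dedicated "utmp"
# group, so the demo runs without root.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/screen"; : > "$d/utmp"
    chmod 4755 "$d/screen"; chmod 644 "$d/utmp"
    echo "setuid before: $(list_setuid "$d")"
    to_setgid "$d/screen" "$(id -g)" "$d/utmp" || return 1
    echo "setuid after:  $(list_setuid "$d")"
    has_mode "$d/screen" 2000 && echo "screen stand-in is now setgid"
    has_mode "$d/utmp" 0020 && echo "utmp stand-in is group writable"
    rm -rf "$d"
}

demo
```

On a real system the same steps would be run as root against the installed binary and the accounting files, followed by a check that screen still works acceptably, as the message advises.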