Hi,
In this case you have to trust the setuid binary but take safety
precautions. This is where the built-in security mechanisms of the
distribution come into play. You could also run it inside a
disposable virtual machine or run it through mandatory access control.
If the machine where the setuid screen is running has multiple shell
users and you didn't opt for a disposable virtual machine, beware of
symlink attacks on setuid binaries. Remember to manually remove or
check whether your distribution removes the suid bit before updating.
Regards,
Ed
On 9/25/07, Gerald Timothy Quimpo <[EMAIL PROTECTED]> wrote:
> Hi all,
>
> I've been using screen for a few months now and I'm loving it. Lately
> I've been using screen for pair-programming,
> remote-discussion-debugging. To use it this way, what I've been doing
> is ssh to the remote box as the user I'm going to discuss with and then
> we both screen -x.
>
> This, of course, doesn't scale (I need to either know their password
> or set up ssh key auth as them on the remote box so that I can log in as
> them). It's clearly a hack, and the more people discussing, the
> uglier the hack looks.
>
> I'd like to switch to using multiuser mode
>
> Ctrl-A :multiuser
> acladd [user] [passwd]
>
> etc., so that I can avoid having to log in as them. With multiuser, I
> can create a neutral account, not mine, not theirs, start the screen
> session, set up the ACLs, and then everyone can rendezvous.
>
> My question involves paranoia though. screen needs to be suid-root
> for multiuser to work. Does anyone have any opinion on how secure
> that is? I figure it's probably fine, but if someone has actually
> looked into the matter and reviewed the security issues or is on the
> screen mailing list, discussion of that would be great.
>
> tiger
>
> _________________________________________________
> Philippine Linux Users' Group (PLUG) Mailing List
> [email protected] (#PLUG @ irc.free.net.ph)
> Read the Guidelines: http://linux.org.ph/lists
> Searchable Archives: http://archives.free.net.ph
>
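The reply's two checks (is the suid bit actually set, and can another shell user plant a symlink in a directory the binary uses) can be scripted. This is an added example, not part of the original thread; the function names are hypothetical and the `/var/run/screen` socket directory default is an assumption that varies by distribution.

```shell
#!/bin/sh
# Added example: audit a setuid binary and the directories around it.
# The /var/run/screen default below is an assumption; pass your own path.

# Print "setuid-root", "setuid-other" or "not-setuid" for a file.
suid_state() {
    f=$1
    if [ ! -u "$f" ]; then echo "not-setuid"; return; fi
    owner=$(ls -ldn "$f" | awk '{print $3}')   # numeric owner uid
    if [ "$owner" = "0" ]; then echo "setuid-root"; else echo "setuid-other"; fi
}

# Print "unsafe" when a directory is world-writable without the sticky bit:
# any local user can then replace entries in it with symlinks.
dir_state() {
    d=$1
    [ -d "$d" ] || { echo "missing"; return; }
    if [ -n "$(find "$d" -prune -perm -0002 ! -perm -1000 -print)" ]; then
        echo "unsafe"
    else
        echo "ok"
    fi
}

# Walk from a directory up towards / and print every unsafe ancestor.
unsafe_ancestors() {
    p=$1
    while [ "$p" != "/" ] && [ "$p" != "." ]; do
        [ "$(dir_state "$p")" = "unsafe" ] && echo "$p"
        p=$(dirname "$p")
    done
}

audit() {
    bin=$1; sock=$2
    echo "binary $bin: $(suid_state "$bin")"
    echo "socket dir $sock: $(dir_state "$sock")"
    unsafe_ancestors "$(dirname "$bin")" | sed 's/^/unsafe dir in binary path: /'
    # Linux-only hardening knob; the file is absent on other kernels.
    [ -r /proc/sys/fs/protected_symlinks ] &&
        echo "fs.protected_symlinks=$(cat /proc/sys/fs/protected_symlinks)"
    return 0
}

# Usage: sh audit.sh /usr/bin/screen [socket-dir]
if [ $# -ge 1 ]; then audit "$1" "${2:-/var/run/screen}"; fi
```

Run it before and after a package update to see whether the suid bit came back.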