On Fri, 30 Jun 2017 13:25:18 +0200 Axel Beckert wrote:
> Hi,
>
> On Fri, Jun 30, 2017 at 02:50:48PM +0800, Clark Wang wrote:
> > On Thu, Jun 29, 2017 at 7:52 PM, Axel Beckert <a...@deuxchevaux.org> wrote:
> > > I know that behaviour of screen for ages and even saw people
> > > recommending tmux because it doesn't seem to have this issue.
> > >
> > > > /dev/pts/14 is indeed not owned by user test, but this way screen
> > > > have worked fine for as long as I can remember, so this access
> > > > should not be mandatory.
> > > >
> > > > Any way to return the old behaviour?
> > >
> > > I'd rather be interested in how you got that working all these years.
> > > :-)
> >
> > Just tried v4.5. /usr/bin/screen (rwxr-sr-x) does not work with su but
> > /usr/local/bin/screen (rwsr-xr-x) I built from source works fine:
> >
> > # ls -Ll /usr/bin/screen /usr/local/bin/screen
> > -rwxr-sr-x 1 root utmp 457608 2017-05-23 07:57 /usr/bin/screen
> > -rwsr-xr-x 1 root staff 1441416 2017-01-19 13:59 /usr/local/bin/screen
>
> Thanks for the comparison.
>
> Ok, so the screen binary which is setuid root works and the one which
> is not, doesn't. Sounds like a reason.

Setuid root is not necessary for this to work. In Gentoo I never had a
problem with screen after su (except for 4.6.0 version). Looks like it
works the following way:

1. screen is configured as follows:
   --with-pty-mode=0620 \
   --with-pty-group=5

2. pty permissions are set to 0620 user:tty (tty gid is 5) using udev.

screen binary is not SUID root for non-multiuser configurations:
2755 root:utmp for /usr/bin/screen
0775 root:utmp for /tmp/screen for utmp access

If user chooses to enable multiuser support during package compilation,
/usr/bin/screen perms are set to 4755, but I don't use that.

> But I won't revert to setuid for the Debian package. In contrary,
> Debian's screen package in the next stable release will contain, and
> also already 4.5.1 in the current Debian Testing and Unstable already
> contains libutempter support to avoid issues like the privilege
> escalation in 4.5.0. (While in 4.6.0 this doesn't seem to make a
> difference anymore.)
>
> Kind regards, Axel

Best regards,
Andrew Savchenko

_______________________________________________
screen-users mailing list
screen-users@gnu.org
https://lists.gnu.org/mailman/listinfo/screen-users
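
The thread contrasts `rwxr-sr-x` (2755, setgid utmp) with `rwsr-xr-x` (4755, setuid root). As an added example that is not part of the original thread or of screen itself, the following decodes such `ls -l` mode strings into octal and reports which elevated identity the binary runs with; the function names `parse_mode` and `classify` are hypothetical, and the sample lines are the ones quoted above.

```python
import stat

# Sample input: the two `ls -Ll` lines quoted in the thread.
LS_LINES = [
    "-rwxr-sr-x 1 root utmp 457608 2017-05-23 07:57 /usr/bin/screen",
    "-rwsr-xr-x 1 root staff 1441416 2017-01-19 13:59 /usr/local/bin/screen",
]

# (special bit, lowercase char = special + execute, uppercase = special only)
_TRIADS = [(stat.S_ISUID, "s", "S"), (stat.S_ISGID, "s", "S"), (stat.S_ISVTX, "t", "T")]


def parse_mode(sym):
    """Convert a 10-character ls mode string into permission bits (0o7777 range)."""
    if len(sym) != 10:
        raise ValueError(f"expected 10 characters, got {sym!r}")
    mode = 0
    for i, (special, lower, upper) in enumerate(_TRIADS):
        r, w, x = sym[1 + 3 * i: 4 + 3 * i]
        if r not in "r-" or w not in "w-" or x not in ("x", "-", lower, upper):
            raise ValueError(f"bad permission triad in {sym!r}")
        shift = 6 - 3 * i
        mode |= (4 << shift) if r == "r" else 0
        mode |= (2 << shift) if w == "w" else 0
        mode |= (1 << shift) if x in ("x", lower) else 0
        mode |= special if x in (lower, upper) else 0
    return mode


def classify(ls_line):
    """Summarise which elevated identity an executable runs with."""
    sym, _links, owner, group, _size, _date, _time, path = ls_line.split(None, 7)
    mode = parse_mode(sym)
    if mode & stat.S_ISUID:
        privilege = f"setuid {owner}"
    elif mode & stat.S_ISGID:
        privilege = f"setgid {group}"
    else:
        privilege = "none"
    return {"path": path, "octal": f"{mode:04o}", "privilege": privilege}


if __name__ == "__main__":
    for line in LS_LINES:
        print(classify(line))
    # pty mode from the message (--with-pty-mode=0620), shown as a char device
    print(f"{parse_mode('crw--w----'):04o}")
```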