Bug#620304: tmux: Incorrect dropping of privileges allows users to obtain utmp group privileges

2011-04-15 Thread Nicholas Marriott
Thanks, I'm glad to hear you are reconsidering this.

I might put it in the tmux FAQ as well.


On Wed, Apr 13, 2011 at 09:51:00AM +0200, Karl Ferdinand Ebert wrote:
Hello Nicholas,
 
On Wed, Apr 13, 2011 at 12:31 AM, Nicholas Marriott
nicholas.marri...@gmail.com wrote:
 
  Hi
 
  Not to say I told you so or anything, but this might be a good time to
  reiterate that doing this is a bad idea: the minor inconvenience it
  prevents (easily avoided by the user with either tmux -S or by setting
  TMPDIR) is much less of a potential problem than running with elevated
  privileges.
 
Romain and I are about to change the behaviour and drop the privileges
completely.
Maybe at the end it will be only setting a proper TMPDIR or having a note
for the users to point out how to use 'tmux -S'.
I should have considered this in the first place.
 
  Now I'm going to have to spend at least some of my time saying no, not
  tmux, Debian security problem...
 
As this is my fault for having introduced the modifications I apologize
deeply for wasting your time.
For the record Ubuntu is affected too but not Fedora which has a separate
group 'tmux'.
 
Best regards,
 
Ferdinand
 



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#620304: tmux: Incorrect dropping of privileges allows users to obtain utmp group privileges

2011-04-13 Thread Karl Ferdinand Ebert
Hello Nicholas,

On Wed, Apr 13, 2011 at 12:31 AM, Nicholas Marriott 
nicholas.marri...@gmail.com wrote:

 Hi

 Not to say I told you so or anything, but this might be a good time to
 reiterate that doing this is a bad idea: the minor inconvenience it
 prevents (easily avoided by the user with either tmux -S or by setting
 TMPDIR) is much less of a potential problem than running with elevated
 privileges.

Romain and I are about to change the behaviour and drop the privileges
completely.
Maybe at the end it will be only setting a proper TMPDIR or having a note
for the users to point out how to use 'tmux -S'.
I should have considered this in the first place.


 Now I'm going to have to spend at least some of my time saying no, not
 tmux, Debian security problem...

As this is my fault for having introduced the modifications I apologize
deeply for wasting your time.
For the record Ubuntu is affected too but not Fedora which has a separate
group 'tmux'.

Best regards,

Ferdinand


Bug#620304: tmux: Incorrect dropping of privileges allows users to obtain utmp group privileges

2011-04-12 Thread Nicholas Marriott
Hi

Not to say I told you so or anything, but this might be a good time to
reiterate that doing this is a bad idea: the minor inconvenience it
prevents (easily avoided by the user with either tmux -S or by setting
TMPDIR) is much less of a potential problem than running with elevated
privileges.

Now I'm going to have to spend at least some of my time saying no, not
tmux, Debian security problem...

Nicholas






Bug#620304: tmux: Incorrect dropping of privileges allows users to obtain utmp group privileges

2011-03-31 Thread Daniel Danner
Package: tmux
Version: 1.3-2
Severity: important


When running tmux with -S (specify custom socket path), the utmp
group privileges will not be dropped but inherited by any shells running
within tmux.

While /bin/bash gets kind of confused, strangely skips loading
/etc/profile, ~/.bashrc etc. and also drops the utmp privileges on its
own, using /bin/dash, for instance, allows one to illustrate the issue:

1. run SHELL=/bin/sh tmux -S whatever
2. run id inside tmux
3. observe egid=43(utmp)

The problem is apparently introduced by 03_proper_socket_handling.diff
and 04_dropping_unnecessary_privileges.diff. The incorrectly placed call
to setresgid() in is not reached when a custom socket path is used.

-- System Information:
Debian Release: 6.0.1
  APT prefers squeeze-updates
  APT policy: (500, 'squeeze-updates'), (500, 'stable')
Architecture: i386 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages tmux depends on:
ii  libc6            2.11.2-10       Embedded GNU C Library: Shared lib
ii  libevent-1.4-2   1.4.13-stable-1 An asynchronous event notification
ii  libncurses5      5.7+20100313-5  shared libraries for terminal hand

tmux recommends no packages.

tmux suggests no packages.

-- no debconf information



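
The failure mode in the report above (a setresgid() call that one code path never reaches) is avoided by putting the drop on the single exit path and verifying it afterwards. The following is an added example, not part of the thread and not code from tmux or the Debian patches; pick_socket_path(), drop_group_privileges(), has_extra_group() and the /tmp/example path are hypothetical names chosen for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* glibc exposes these only under _GNU_SOURCE; declared so this builds either way. */
int setresgid(gid_t rgid, gid_t egid, gid_t sgid);
int getresgid(gid_t *rgid, gid_t *egid, gid_t *sgid);

/* 1 if the effective or saved gid still differs from the real gid. */
int has_extra_group(void)
{
    gid_t r, e, s;
    if (getresgid(&r, &e, &s) != 0)
        return 1;               /* cannot tell: treat as still privileged */
    return e != r || s != r;
}

/* Permanently drop a setgid-acquired group; returns 0 only once verified. */
int drop_group_privileges(void)
{
    gid_t rgid = getgid();
    if (setresgid(rgid, rgid, rgid) != 0)
        return -1;
    return has_extra_group() ? -1 : 0;
}

/* Hypothetical socket-path selection. The drop sits after the branch, on the
 * single exit path, so neither the custom nor the default case can skip it. */
int pick_socket_path(const char *custom, char *out, size_t len)
{
    int n;
    if (custom != NULL)
        n = snprintf(out, len, "%s", custom);   /* like a -S argument */
    else    /* work that needs the extra group would happen only here */
        n = snprintf(out, len, "/tmp/example-%ld/default", (long)getuid());
    if (drop_group_privileges() != 0)
        return -1;              /* refuse to continue with the group held */
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

int main(void)
{
    char path[256];
    if (pick_socket_path("whatever", path, sizeof path) != 0)
        return 1;
    printf("socket=%s privileged=%d\n", path, has_extra_group());
    return 0;
}
```

Checking the saved gid as well as the effective gid matters because a process that keeps the group in its saved set-group-ID can switch back to it later.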