hello, i am trying to use GNU 'screen' with role accounts. the problem i have is that when a user switches to a role account with su (or su -), the permissions on the tty are not changed, and its owner is left as the original user. screen then fails to open the terminal.
as a workaround, i can do this before su'ing:

    $ setfacl -m "mask:rw-,user:$user:rw-" $tty

where $user is the role account, but this isn't ideal from a security perspective, as it gives the role read access to the user's tty.

i'm not sure whose fault this is, but it would be nice if screen worked properly with roles. is there any Solaris feature screen could use to work around this?

(another workaround is to su inside screen, but that's not very helpful in our environment, as other users need to access the screen session.)

- river.