[Buildroot] [PATCH] screen: bump to version 4.2.1
thomas.petazzoni at free-electrons.com
Mon Sep 15 12:01:24 UTC 2014
Dear Maarten ter Huurne,
On Mon, 15 Sep 2014 13:54:05 +0200, Maarten ter Huurne wrote:
> The Buildroot package of GNU Screen installs the binary as setuid root; both
> the old (4.0.3) and the new (4.2.1) version do. After having spent some time
> reading the Screen source code, I wouldn't trust it with root privileges on
> any system where security is relevant.
> I haven't seen (or looked for) any actual code that could be exploited, just
> a code base that is really old, under-maintained and quite complex from all
> the workarounds it contains. So it resembles the OpenSSL situation, although
> it is not quite that bad.
> It seems multiuser mode is the feature that requires Screen to be setuid
> root. Which means that without setuid root, Screen works fine but users can
> only connect to their own sessions.
> I would like some guidance on how to proceed here:
> - leave the setuid flag on
> - always clear the setuid flag post-install
> - make it a configuration option
> - ...?
I would go for clearing the setuid flag. Interested users can always
re-enable it in a post-build script if they really need it.
Thanks for looking into this!
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
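As an added illustration of the option Thomas suggests (clearing the setuid bit after install, with interested users re-enabling it themselves), the following POSIX shell script is not part of this thread or of Buildroot's own screen package. It is written in the shape of a Buildroot post-build script (the BR2_ROOTFS_POST_BUILD_SCRIPT mechanism passes the target directory as the first argument): it clears setuid/setgid on screen and then lists whatever setuid/setgid binaries remain in the rootfs, so the result can be reviewed rather than assumed. The path `usr/bin/screen` and the demo rootfs it builds are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the thread or from Buildroot: a post-build hook
# that drops setuid/setgid from screen and audits what is left.
# Buildroot invokes post-build scripts as: script.sh "$TARGET_DIR"

# Clear the setuid and setgid bits on one file, if it exists.
clear_setuid() {
    f="$1"
    if [ -e "$f" ]; then
        chmod u-s,g-s "$f"
    fi
}

# Exit status 0 if the file has the setuid bit set, 1 otherwise.
is_setuid() {
    [ -u "$1" ]
}

# Print every setuid or setgid regular file under a directory, sorted.
# This is the review step: anything listed here runs with elevated
# privileges on the target and deserves the same scrutiny as screen.
list_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Constructed demo rootfs (assumption: screen lives at usr/bin/screen)
# so the functions above can be exercised without a real Buildroot tree.
make_demo_rootfs() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/bin" "$d/bin"
    : > "$d/usr/bin/screen"
    chmod 4755 "$d/usr/bin/screen"   # setuid root, as the package installs it
    : > "$d/bin/busybox"
    chmod 0755 "$d/bin/busybox"      # ordinary binary, must not be listed
    printf '%s\n' "$d"
}

# Entry point when used as a post-build script with a target directory.
if [ -n "$1" ]; then
    clear_setuid "$1/usr/bin/screen"
    echo "Remaining setuid/setgid files under $1:"
    list_setuid "$1"
fi
```

Users who do need multiuser mode can keep the same script and simply omit the `clear_setuid` call, or run `chmod u+s` on screen in their own post-build script, which is the re-enable path Thomas describes.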