Re: misc/screen local root compromise

John Wright (john_(_at_)_dryfish_(_dot_)_org) wrote:
> On Thu, Sep 06, 2001 at 04:23:07AM +0200, Han wrote:
> > David Krause (openbsd_(_at_)_davidkrause_(_dot_)_com) wrote:
> > > http://www.linuxsecurity.com/advisories/suse_advisory-1594.html

> > > [...]

> > http://www.acm.uiuc.edu/workshops/security/setuid.html

> > Any good reason for screen to be suid?

> Writing to utmp.
> chown `tty`

> Last one being the most concerning because, otherwise, everyone has access
> to your tty.

Right. Let's update that port.

Marc accidentally replied to my other question on misc.
>> I noticed that Brad has updated the port. Good Job but this port is
>> not available for TRACKING_SWITCH. Eh would that be possible?

> No, just grab the port from the OPENBSD_2_9 branch. 

So I changed the portstag and did:
cvsup -g -L 2 -i ports/misc/screen /etc/cvs-supfile 

Cya, Han.