Validate suid-bit removal from /bin/screen #5

Closed
arlimus opened this Issue May 6, 2014 · 1 comment

Comments

Projects
None yet
1 participant
@arlimus
Member

arlimus commented May 6, 2014

For multi-user sessions this doesn't work without SUID-bit. Either create an explicit list for these kinds of situations with suid/sgid bits in the readme, or determine if this SUID-bit is an issue or not.

@arlimus

This comment has been minimized.

Show comment
Hide comment
@arlimus

arlimus May 13, 2014

Member

Actually screen is using an SGID bit, at least in recent ubuntu versions by default. As it stands, it is owned by root:utmp, so with -rwxr-sr-x that means that exploits hit the group, i.e. utmp.

Since the whole screen case only happens when the user actually has it installed on his system, we should whitelist SGID bits to allow for multi-user-mode as designed. Screen has been know to have security issues in the past, so installing it will remain a questionable choice. But the impact is reduced considerably from the SUID-root case I feared.

Make adjustments to hardening.

Member

arlimus commented May 13, 2014

Actually screen is using an SGID bit, at least in recent ubuntu versions by default. As it stands, it is owned by root:utmp, so with -rwxr-sr-x that means that exploits hit the group, i.e. utmp.

Since the whole screen case only happens when the user actually has it installed on his system, we should whitelist SGID bits to allow for multi-user-mode as designed. Screen has been know to have security issues in the past, so installing it will remain a questionable choice. But the impact is reduced considerably from the SUID-root case I feared.

Make adjustments to hardening.

arlimus added a commit that referenced this issue May 13, 2014

improvement: move /usr/bin/screen to SGID whitelisting
see investigation here: #5

Signed-off-by: Dominik Richter <dominik.richter@gmail.com>

@arlimus arlimus closed this May 14, 2014

rollbrettler pushed a commit to rollbrettler/chef-os-hardening that referenced this issue Sep 16, 2016

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment