ncurses with root environment restriction breaks SSH kitten #6842

Closed
Saduff opened this issue Nov 23, 2023 · 2 comments

Saduff commented Nov 23, 2023

Describe the bug

If you use the SSH kitten to log in as root, kitty terminfo will be copied to /root/.terminfo. This used to work, but breaks if ncurses is compiled with root environment restriction:

    --disable-root-access
	Compile with environment restriction, so most file-access is limited
	when running as root, or via a setuid/setgid application.

    --disable-root-environ
	Compile with environment restriction, so certain environment variables
	are not available when running as root.  These are (for example
	$TERMINFO) those that allow the search path for the terminfo or termcap
	entry to be customized.

In Arch Linux, both of these options are used in ncurses 6.4_20230520-1. This was done to prevent CVE-2023-29491:
https://gitlab.archlinux.org/archlinux/packaging/packages/ncurses/-/commit/3c2606603aa4a5a3b2d29e560a1bc14986153f49

Installing kitty-terminfo on the remote system fixes the issue since it will make the terminfo available under /usr/share/terminfo/

I'm not sure if anything can be done in this case with the SSH kitten or if the only option is to install kitty-terminfo on the remote system.

To Reproduce

Steps to reproduce the behavior:

  1. Install ncurses which was compiled with --disable-root-access and --disable-root-environ on the remote system
  2. Make sure kitty-terminfo is not installed on the remote system
  3. kitten ssh root@remote
  4. Observe breakage (terminfo missing)

Environment details

kitty 0.31.0 created by Kovid Goyal
Linux x 6.6.2-arch1-1 #1 SMP PREEMPT_DYNAMIC Mon, 20 Nov 2023 23:18:21 +0000 x86_64
Arch Linux 6.6.2-arch1-1 (/dev/tty)

Running under: X11
Frozen: False
Paths:
  kitty: /usr/bin/kitty
  base dir: /usr/lib/kitty
  extensions dir: /usr/lib/kitty/kitty
  system shell: /usr/bin/zsh
Loaded config files:
  /home/x/.config/kitty/kitty.conf

Config options different from defaults:
background_opacity         0.8
dynamic_background_opacity True
font_family                MesloLGS NF
Added shortcuts:
	alt+1 →  goto_tab 1
	alt+2 →  goto_tab 2
	alt+3 →  goto_tab 3
	alt+4 →  goto_tab 4
	alt+5 →  goto_tab 5
	alt+6 →  goto_tab 6
	alt+7 →  goto_tab 7
	alt+8 →  goto_tab 8
	alt+9 →  goto_tab 9
	shift+down →  neighboring_window down
	shift+left →  neighboring_window left
	shift+right →  neighboring_window right
	shift+up →  neighboring_window up
Changed shortcuts:
	kitty_mod+alt+t →  new_tab
	kitty_mod+t →  new_tab_with_cwd
Colors:
	color0                     #4f4f4f   
	color1                     #fa6c5f   
	color10                    #ceffab   
	color11                    #fffecc   
	color12                    #b5dcfe   
	color13                    #fb9bfe   
	color14                    #dfdffd   
	color15                    #fefffe   
	color2                     #a8fe60   
	color3                     #fffeb6   
	color4                     #96cafd   
	color5                     #fa72fc   
	color6                     #c6c4fd   
	color7                     #eeedee   
	color8                     #7b7b7b   
	color9                     #fcb6af   
	cursor                     #7f7f7f   
	foreground                 #f1f1f1   
	selection_background       #b4d5ff   

Important environment variables seen by the kitty process:
	PATH                                /opt/jython/bin/:/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/home/x/.dotnet/tools:/usr/lib/jvm/default/bin:/usr/bin/site_perl:/usr/bin/vendor_perl:/usr/bin/core_perl:/usr/lib/rustup/bin
	LANG                                en_US.utf8
	EDITOR                              /usr/bin/vim
	SHELL                               /usr/bin/zsh
	DISPLAY                             :0.0
	USER                                x
	XDG_CONFIG_DIRS                     /etc/xdg
	XDG_SESSION_PATH                    /org/freedesktop/DisplayManager/Session0
	XDG_MENU_PREFIX                     xfce-
	XDG_SEAT                            seat0
	XDG_SESSION_DESKTOP                 xfce
	XDG_SESSION_TYPE                    x11
	XDG_GREETER_DATA_DIR                /var/lib/lightdm-data/x
	XDG_CURRENT_DESKTOP                 XFCE
	XDG_SEAT_PATH                       /org/freedesktop/DisplayManager/Seat0
	XDG_SESSION_CLASS                   user
	XDG_VTNR                            7
	XDG_SESSION_ID                      2
	XDG_RUNTIME_DIR                     /run/user/1000
	LC_TIME                             en_US.utf8
	XDG_DATA_DIRS                       /usr/local/share:/usr/share

@Saduff Saduff added the bug label Nov 23, 2023
@kovidgoyal
Owner

I don't see what the kitten can do about it if ncurses is compiled to
ignore custom terminfo files. That's a pretty absurd fix for the CVE
anyway. The correct fix is to patch ncurses to not corrupt memory when
reading invalid terminfo data or better to start the long process of
removing ncurses from all applications as it is a truly awful library.

Setting those compile time options basically means you have to have
the terminfo for whatever terminal you are connecting with installed
globally.

@Saduff
Author

Saduff commented Nov 23, 2023

Thanks for the quick response!

> The correct fix is to patch ncurses to not corrupt memory when
> reading invalid terminfo data or better to start the long process of
> removing ncurses from all applications as it is a truly awful library.

I completely agree with both. 🙂

> Setting those compile time options basically means you have to have
> the terminfo for whatever terminal you are connecting with installed
> globally.

Yeah, I figured it was the only way in this case. Perhaps the Arch Linux packagers will remove these options in a future build once ncurses is properly fixed.

If nothing else, I hope this issue can save someone some debugging time as it was not immediately obvious why it broke after upgrading ncurses.
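A check for the condition discussed in this thread, added here as an example and not taken from kitty, ncurses or any participant: it reports whether a terminal's terminfo entry is installed system-wide or only in a per-user directory such as /root/.terminfo. The function names, the terminal name `xterm-kitty` used as a fallback, and the listed system directories are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from kitty or ncurses): report where a terminfo entry lives.
# Entry layout is <db>/<first letter>/<name>, or <db>/<hex of first letter>/<name>
# on platforms that use the hashed layout.

terminfo_entry_exists() {  # $1 = database directory, $2 = terminal name
    [ -n "$2" ] || return 1
    ti_first=$(printf '%.1s' "$2")
    ti_hex=$(printf '%x' "'$ti_first")
    [ -f "$1/$ti_first/$2" ] || [ -f "$1/$ti_hex/$2" ]
}

# classify_terminfo NAME USER_DB SYSTEM_DB...
# Prints: system | user-only | missing
classify_terminfo() {
    ct_name=$1
    ct_user=$2
    shift 2
    for ct_db in "$@"; do
        if terminfo_entry_exists "$ct_db" "$ct_name"; then
            echo system
            return 0
        fi
    done
    if terminfo_entry_exists "$ct_user" "$ct_name"; then
        echo user-only
    else
        echo missing
    fi
}

# explain CLASSIFICATION UID
explain() {
    case "$1:$2" in
        system:*)    echo "ok: entry is installed system-wide" ;;
        user-only:0) echo "at risk: root has only a per-user entry, which a restricted ncurses build skips" ;;
        user-only:*) echo "ok for this user: a root login would still need a system-wide entry" ;;
        *)           echo "missing: no entry found" ;;
    esac
}

# Assumed default system locations; `infocmp -D` prints the ones your build searches.
explain "$(classify_terminfo "${TERM:-xterm-kitty}" "${HOME:-/root}/.terminfo" \
    /etc/terminfo /lib/terminfo /usr/share/terminfo)" "$(id -u)"
```

Run it on the remote host as the login user; an "at risk" result for root matches the breakage reported above.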
