oss-sec mailing list archives
Re: screen: Multiple Security Issues in Screen (mostly affecting release 5.0.0 and setuid-root installations)
From: "Dr. Thomas Orgis" <thomas.orgis () uni-hamburg de>
Date: Tue, 13 May 2025 18:37:44 +0200
Correction about the configure call fix.

On Tue, 13 May 2025 18:21:06 +0200, "Dr. Thomas Orgis" <thomas.orgis () uni-hamburg de> wrote:

> $ ./configure --with-pty-mode=0620 --with-pty-group=tty
> […]
> $ grep -e PTYMODE -e PTYGROUP config.h
>  * define PTYMODE if you do not like the default of 0622, which allows
>  * define PTYGROUP to some numerical group-id if you do not want the
> #define PTYMODE 0620
> #define PTYGROUP tty

Of course that doesn't compile. A numeric value is expected.
./configure --with-pty-mode=0620 --with-pty-group=$(getent group tty|cut -f 3 -d :)
is closer to what also the default for screen-5.0.0 configure is.
AC_ARG_WITH(pty-mode, AS_HELP_STRING([--with-pty-mode],
            [set pty mode (default: 0622)]),
            [with_pty_mode=$withval],
            [with_pty_mode=0622])
AC_ARG_WITH(pty-group, AS_HELP_STRING([--with-pty-group],
            [set pty group (default: 5)]),
            [with_pty_group=$withval],
            [with_pty_group=5])
Which brings me to the question if it is really smart to hardcode the
numeric group ID. I observe wildly changing system user/group IDs in
distros that create the accounts on the fly when installing packages.
Maybe tty is always present on install images already … and happens to
always be numeric ID 5, everywhere?
Alrighty then,
Thomas
--
Dr. Thomas Orgis
HPC @ Universität Hamburg
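
Added example, not part of the original message and not code from the screen project: a shell check a packager could run after configure to catch the two problems discussed above, a non-numeric PTYGROUP in config.h and a PTYGROUP that does not match the local tty group's GID, plus a PTYMODE that is writable by others. The function names and the use of a group(5)-format file as the GID source are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from screen's source tree): sanity-check the PTYMODE and
# PTYGROUP values that configure wrote into config.h. Function names are assumed.

# Print the value of "#define NAME value" from a config.h-style file.
define_value() {  # $1 = macro name, $2 = header path
    awk -v n="$1" '$1 == "#define" && $2 == n { print $3; exit }' "$2"
}

# Print the numeric GID of a group from a group(5)-format file.
group_gid() {  # $1 = group name, $2 = group file
    awk -F: -v g="$1" '$1 == g { print $3; exit }' "$2"
}

# Return 0 if the header is consistent, otherwise print a reason and return 1-4.
check_pty_config() {  # $1 = config.h, $2 = group file (default /etc/group)
    hdr=$1; grp=${2:-/etc/group}
    mode=$(define_value PTYMODE "$hdr")
    gid=$(define_value PTYGROUP "$hdr")
    case $gid in
        ''|*[!0-9]*) echo "PTYGROUP '$gid' is not numeric"; return 1 ;;
    esac
    want=$(group_gid tty "$grp")
    if [ "$gid" != "$want" ]; then
        echo "PTYGROUP $gid does not match tty gid '$want'"; return 2
    fi
    case $mode in
        0[0-7][0-7][0-7]) ;;
        *) echo "PTYMODE '$mode' is not a 4-digit octal literal"; return 3 ;;
    esac
    # Last octal digit holds the "other" bits; bit 2 is write permission.
    if [ $(( ${mode#???} & 2 )) -ne 0 ]; then
        echo "PTYMODE $mode is writable by others"; return 4
    fi
    echo "ok: PTYMODE=$mode PTYGROUP=$gid"
}

# Constructed sample input: the two #define lines from the failed build quoted
# above, and a one-line group file.
tmp=$(mktemp -d)
printf '#define PTYMODE 0620\n#define PTYGROUP tty\n' > "$tmp/config.h"
printf 'tty:x:5:\n' > "$tmp/group"
check_pty_config "$tmp/config.h" "$tmp/group" || true
rm -rf "$tmp"
```

On a real build tree, call `check_pty_config config.h` to compare against the system's /etc/group.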
