
Re: [screen-devel] Screen bug that opens a root terminal


From: Axel Beckert
Subject: Re: [screen-devel] Screen bug that opens a root terminal
Date: Sun, 9 Oct 2022 22:52:50 +0200
User-agent: NeoMutt/20170113 (1.7.2)

Hi,

Debian's screen package maintainer writing here.

Thanks for reporting your findings!

On Sun, Oct 09, 2022 at 07:14:17PM +0000, Bobby S wrote:
> Versions 4.09.00, 4.8.0-6
> OS: Ubuntu 20.04 and newer, Raspberry Pi OS, as well as Arch.
> Architecture: x86_64 and ARM (Raspberry Pi 3b+)

4.8.0-6 sounds like Raspberry Pi OS Bullseye (i.e. the Debian 11
Bullseye based release).

> Bug replication: running 'screen /dev/ttyUSB0' to open a serial
> connection and then pressing CTRL+A followed by CTRL+C opens
> immediately into a root terminal. This happened on four separate
> computers with two different architectures. So far I have yet to use
> this process to gain root on anything but a serial connection opened
> using screen.

Hrm, I at least can't reproduce this on Debian Unstable with screen
4.9.0-2 on amd64, neither with /dev/ttyS0 nor with /dev/ttyUSB0.

Can you send us the output of the following commands on the Raspi
where this happened?

$ which screen
$ ls -l /usr/bin/screen /dev/ttyUSB0

At least on a RaspiOS 11 Bullseye (armhf) installation on a Raspi 2B
here (installed about a year ago when the default user "pi" still
existed), the permissions of the screen binary and /dev/ttyUSB0 look
like this:

-rwxr-xr-x 1 root root    389676 Feb 27  2021 /usr/bin/screen*
crw-rw---- 1 root dialout 188, 0 Oct  9 22:20 /dev/ttyUSB0

But even there on RaspiOS I can't reproduce it either.

There is, though, minimal support in Debian's screen binary to install it
setuid via a manual call to dpkg-statoverride. But this is never done
automatically, just the permissions of /run/screen and friends are
supported in the package with such a setup. This is IIRC needed if you
want "screen -x" to work for other users than the owner of the screen
session.

The usual way to do this is (don't do it unless you know what you're
doing):

# dpkg-statoverride --update --add root root 4755 /usr/bin/screen
# chmod -c 755 /run/screen

But even with these changes I cannot reproduce the issue you're
describing.

And this setuid thing described above is currently the only case where
I can imagine that such a thing could remotely happen by a bug inside
screen.

So I wonder what is different in your setup than in mine...

Which makes me remember: RaspiOS (and AFAIK Arch as well) has sudo
installed by default and allows by default the first created user (or
the user "pi" on not very recent RaspiOS installations) to call any
command as root with just sudo prepended.

And with the /dev/ttyUSB0 permissions shown above (no access for other
users than root and members of the group "dialout") and if the user
"pi" is _NOT_ in the group "dialout" (in my case it was already in the
group "dialout"), it would be necessary to run screen as root to
access /dev/ttyUSB0 and hence running "sudo screen /dev/ttyUSB0" would
potentially make some sense.

So did you by chance actually enter "sudo screen /dev/ttyUSB0" and not
just "screen /dev/ttyUSB0"?

In that case the outcome that C-a C-c gets you a root terminal is no
bug but what is actually expected: In that case you effectively called
screen as root and C-a C-c gives you a root terminal then.

(If you did not use sudo, we definitely need to dig deeper.)

                Kind regards, Axel
-- 
PGP: 2FF9CD59612616B5      /~\  Plain Text Ribbon Campaign, http://arc.pasp.de/
Mail: abe@deuxchevaux.org  \ /  Say No to HTML in E-Mail and Usenet
Mail+Jabber: abe@noone.org  X
https://axel.beckert.ch/   / \  I love long mails: https://email.is-not-s.ms/
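
Added example, not part of Axel Beckert's mail: a small POSIX shell script for working through the checks the mail asks for (setuid bit on the screen binary, access to the serial device, whether the session came from sudo). It relies on sudo exporting SUDO_USER; the function names and verdict strings are made up for this example, and it is meant to be run in the window that C-a C-c opened.

```shell
#!/bin/sh
# Added example: explain why a shell opened from screen (C-a C-c) is root.
# Default paths are the ones named in the mail; pass others as $1 and $2.

# True if the file carries the setuid bit (what a 4755 statoverride sets).
is_setuid() { [ -u "$1" ]; }

# True if the current user can open the device read/write without sudo.
can_use_device() { [ -r "$1" ] && [ -w "$1" ]; }

# classify EUID SUDO_USER SCREEN_BIN -> one-word verdict on stdout.
# Heuristic only: "setuid" means "look closer", not "confirmed bug".
classify() {
    if [ "$1" -ne 0 ]; then
        echo not-root        # the shell is not root at all
    elif [ -n "$2" ]; then
        echo sudo            # expected: "sudo screen ..." was typed
    elif is_setuid "$3"; then
        echo setuid          # root shell and a setuid screen binary
    else
        echo root-login      # expected: the whole session belongs to root
    fi
}

report() {
    bin=${1:-/usr/bin/screen}
    dev=${2:-/dev/ttyUSB0}
    # Same listing the mail asks the reporter to send.
    ls -l "$bin" "$dev" 2>/dev/null || true
    if ! can_use_device "$dev"; then
        # Without rw access (e.g. not in the device's group) sudo is tempting.
        echo "no direct rw access to $dev; groups: $(id -Gn 2>/dev/null)"
    fi
    echo "verdict: $(classify "$(id -u)" "${SUDO_USER:-}" "$bin")"
}

report "$@"
```

A verdict of "sudo" or "root-login" matches the expected behaviour described in the mail; "setuid" is the case that would need further digging.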
