Alexander E. Patrakov patrakov at
Thu Aug 16 06:59:07 PDT 2007

I wrote:
> Also please discuss the fact that screen is a setuid binary by default.

One more thing. It installs /usr/bin/screen -> screen-[version] symlink, 
and the setuid binary is really /usr/bin/screen-[version]. Now let's 
suppose that a root hole is found in screen, a new version of screen is 
released, and a user updates his screen by following BLFS instructions. 
See the bug? the old buggy setuid binary /usr/bin/screen-[oldversion] is 
still there, ready for exploitation. The book should deal with this 
somehow, e.g., by disabling this stupid symlink.

Alexander E. Patrakov

More information about the blfs-dev mailing list